nix-home/nki-personal-do/miniflux.nix

88 lines
2.4 KiB
Nix

{ pkgs, config, lib, ... }:
with lib;
let
user = "miniflux";
host = "rss.dtth.ch";
port = 10020;
secrets = config.sops.secrets;
configEnv = builtins.mapAttrs (name: value: toString value) {
DEBUG = "on";
DATABASE_URL = "user=${user} dbname=${user} sslmode=disable host=/run/postgresql";
RUN_MIGRATIONS = 1;
LISTEN_ADDR = "127.0.0.1:${toString port}";
BASE_URL = "https://${host}";
HTTPS = true;
OAUTH2_PROVIDER = "oidc";
OAUTH2_CLIENT_ID = "oYF8Y815kQNuuYYdACJmm3kD1hzniMe6fJIDRUfs";
OAUTH2_REDIRECT_URL = "https://${host}/oauth2/oidc/callback";
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.dtth.ch/application/o/rss/";
OAUTH2_USER_CREATION = 1;
LOG_DATE_TIME = true;
FETCH_YOUTUBE_WATCH_TIME = true;
};
package = pkgs.miniflux;
in
{
sops.secrets."miniflux/oidc-client-secret" = { };
sops.secrets."miniflux/pocket-consumer-key" = { };
sops.secrets."miniflux/admin-creds" = { };
cloud.postgresql.databases = [ user ];
cloud.traefik.hosts.miniflux = {
inherit port host;
};
systemd.services.miniflux = {
description = "Miniflux service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
requires = [ "postgresql.service" ];
serviceConfig = {
ExecStart = "${package}/bin/miniflux";
User = user;
DynamicUser = true;
RuntimeDirectory = "miniflux";
RuntimeDirectoryMode = "0700";
EnvironmentFile = [
secrets."miniflux/admin-creds".path
secrets."miniflux/oidc-client-secret".path
secrets."miniflux/pocket-consumer-key".path
];
# Hardening
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" ];
UMask = "0077";
};
environment = configEnv;
};
}