massicot/miniflux: added with kanidm provision

2024-08-05 09:57:11 +08:00 · 2024-08-05 09:57:11 +08:00 · 9ffc2ad23d
commit 9ffc2ad23d
parent 0743f74527
4 changed files with 55 additions and 22 deletions
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@ -7,7 +7,7 @@
    ./networking.nix
    ./services.nix
  ];
-  
+
  sops = {
    defaultSopsFile = ./secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
@ -28,6 +28,9 @@
      grafana_oauth_secret = {
        owner = "grafana";
      };
+      miniflux_oauth_secret = {
+        owner = "miniflux";
+      };
    };
  };

@ -42,7 +45,7 @@
  fileSystems."/mnt/storage" = {
    device = "//u380335-sub1.your-storagebox.de/u380335-sub1";
    fsType = "cifs";
-    options = ["credentials=${config.sops.secrets.storage_box_mount.path}"];
+    options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" ];
  };

  environment.systemPackages = with pkgs; [
@ -51,7 +54,7 @@
  ];

  system.stateVersion = "22.11";
-  
+
  networking = {
    hostName = "massicot";
  };
@ -67,9 +70,9 @@
  };

  security.sudo = {
-      execWheelOnly = true;
-      wheelNeedsPassword = false;
-    };
+    execWheelOnly = true;
+    wheelNeedsPassword = false;
+  };

  services.openssh = {
    enable = true;
@ -83,6 +86,6 @@
  };
  services.fail2ban.enable = true;
  programs.mosh.enable = true;
-  
+
  systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
 }
--- a/machines/massicot/kanidm-provision.nix
+++ b/machines/massicot/kanidm-provision.nix
@ -32,13 +32,16 @@
    grafana-users = {
      members = [ "xin" ];
    };
+    miniflux-users = {
+      members = [ "xin" ];
+    };
  };
  persons = {
    xin = {
      displayName = "Xinyang Li";
      mailAddresses = [ "lixinyang411@gmail.com" ];
    };
-    
+
    zhuo = {
      displayName = "Zhuo";
      mailAddresses = [ "13681104320@163.com" ];
@ -92,6 +95,13 @@
        immich-users = [ "openid" "email" "profile" ];
      };
    };
+    miniflux = {
+      displayName = "Miniflux";
+      originUrl = "https://rss.xinyang.life/";
+      scopeMaps = {
+        miniflux-users = [ "openid" "email" "profile" ];
+      };
+    };
    grafana = {
      displayName = "Grafana";
      originUrl = "https://grafana.xinyang.life/";
@ -110,4 +120,4 @@
      };
    };
  };
-}
+}
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
  kanidm_listen_port = 5324;
 in
@ -85,6 +85,21 @@ in
    };
    provision = import ./kanidm-provision.nix;
  };
+
+  services.miniflux = {
+    enable = true;
+    config = {
+      LISTEN_ADDR = "127.0.0.1:58173";
+      OAUTH2_PROVIDER = "oidc";
+      OAUTH2_CLIEND_ID = "miniflux";
+      OAUTH2_REDIRECT_URL = "https://rss.xinyang.life/oauth2/oidc/callback";
+      OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.xinyang.life/oauth2/openid/miniflux";
+      OAUTH2_USER_CREATION = 1;
+      CREATE_ADMIN = lib.mkForce "";
+    };
+    adminCredentialsFile = config.sops.secrets.miniflux_oauth_secret;
+  };
+
  services.matrix-conduit = {
    enable = true;
    # package = inputs.conduit.packages.${pkgs.system}.default;
@ -238,6 +253,11 @@ in
          }
      }
    '';
+
+    virtualHosts."https://rss.xinyang.life".extraConfig = ''
+      reverse_proxy ${config.services.miniflux.config.LISTEN_ADDR}
+    '';
+
    virtualHosts."https://ntfy.xinyang.life".extraConfig = ''
      reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix}
      @httpget {