-rw-r--r--machines/jormungand/configuration.nix1
-rw-r--r--machines/jormungand/nginx.nix10
-rw-r--r--profiles/miniflux.nix35
3 files changed, 45 insertions, 1 deletions
diff --git a/machines/jormungand/configuration.nix b/machines/jormungand/configuration.nix
index 0794d96..6fb1e2f 100644
--- a/machines/jormungand/configuration.nix
+++ b/machines/jormungand/configuration.nix
@@ -7,6 +7,7 @@
./network.nix
../../profiles/ashuffle.nix
../../profiles/common.nix
+ ../../profiles/miniflux.nix
../../profiles/users.nix
../../profiles/vaderetro.nix
../../profiles/zramswap.nix
diff --git a/machines/jormungand/nginx.nix b/machines/jormungand/nginx.nix
index bdec053..87cd154 100644
--- a/machines/jormungand/nginx.nix
+++ b/machines/jormungand/nginx.nix
@@ -205,7 +205,7 @@ in {
forceSSL = true;
enableACME = true;
locations."/mpd/" = {
- proxyPass = "http://127.0.0.1:8080";
+ proxyPass = "http://127.0.0.1:8080/";
# /var/spool/nginx/mpd.htpasswd has been populated manually
# until proper secrets get managed...
extraConfig = ''
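Review bot: The trailing slash on the new `proxyPass` line should carry a comment, because that one character is the whole change and is easy to drop in a later edit. With a URI part present, nginx replaces the matched `/mpd/` prefix with `/` before forwarding, so the backend on port 8080 now receives paths without the prefix. Suggested comment above the line: `# trailing slash: strip the /mpd/ prefix before proxying`. The location block continues past the end of the hunk, so the rest of `extraConfig` is not visible here.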
@@ -223,6 +223,14 @@ in {
};
};
+ "miniflux.codewreck.org" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8081/";
+ };
+ };
+
"matrix.codewreck.org" = {
forceSSL = true;
enableACME = true;
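Review bot: The new `locations."/"` block for `miniflux.codewreck.org` forwards to the backend without passing the original scheme or client address, at least as far as this hunk shows. Miniflux sits behind TLS termination here, so without `X-Forwarded-Proto` it may not treat requests as HTTPS when setting cookie flags, and its logs would attribute every request to 127.0.0.1. If `services.nginx.recommendedProxySettings` is not already enabled elsewhere in the file, add `extraConfig = "proxy_set_header X-Forwarded-Proto $scheme;";` to the location, or set `HTTPS = "1";` in the miniflux `config` set. The virtual-host attribute set starts and ends outside the hunk.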
diff --git a/profiles/miniflux.nix b/profiles/miniflux.nix
new file mode 100644
index 0000000..49d567c
--- /dev/null
+++ b/profiles/miniflux.nix
@@ -0,0 +1,35 @@
+{ config, pkgs, lib, ...}:
+
+{
+ imports = [ ./postgresql.nix ];
+
+ services.miniflux = {
+ enable = true;
+ config = {
+ POLLING_SCHEDULER = "entry_frequency";
+ CLEANUP_ARCHIVE_READ_DAYS = "30";
+ LISTEN_ADDR = "localhost:8081";
+ };
+ adminCredentialsFile = "/etc/nixos/secrets/miniflux";
+ };
+
+ # confinement
+ users.users.miniflux.isSystemUser = true;
+ systemd.services.miniflux = {
+ serviceConfig = {
+ BindReadOnlyPaths = [
+ "/run/systemd/journal/socket"
+ "/etc/pki/tls/certs/ca-bundle.crt"
+ "/etc/hosts"
+ ];
+ DynamicUser = lib.mkForce false;
+ # prestart inits the db, only needed the first time and conflicts with confinement
+ ExecStartPre = lib.mkForce "";
+ };
+ confinement = {
+ enable = true;
+ binSh = null;
+ mode = "chroot-only";
+ };
+ };
+}
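Review bot: `DynamicUser = lib.mkForce false` also drops the hardening systemd implies for dynamic users (NoNewPrivileges, RestrictSUIDSGID, PrivateTmp, ProtectSystem=strict, ProtectHome=read-only). `mode = "chroot-only"` sets up only the chroot and adds no private API filesystems or `/tmp` in their place. Unless the upstream module already sets them, restore the ones the chroot does not cover in `serviceConfig`: `NoNewPrivileges = true;`, `RestrictSUIDSGID = true;`, `PrivateTmp = true;`. Separately, the comment above `ExecStartPre` should name the manual first-time database step, since a fresh host built from this profile will skip it and the service will presumably fail to start.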