From ca37da39dc71295beda370e6dc9b071addc9d3fd Mon Sep 17 00:00:00 2001
From: "Dominique Martinet @ jormungand"
Date: Thu, 1 Oct 2020 14:51:42 +0200
Subject: jormungand: add miniflux
---
 machines/jormungand/configuration.nix | 1 +
 machines/jormungand/nginx.nix | 10 +++++++++-
 profiles/miniflux.nix | 35 +++++++++++++++++++++++++++++++++++
 3 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 profiles/miniflux.nix
diff --git a/machines/jormungand/configuration.nix b/machines/jormungand/configuration.nix
index 0794d96..6fb1e2f 100644
--- a/machines/jormungand/configuration.nix
+++ b/machines/jormungand/configuration.nix
@@ -7,6 +7,7 @@
 ./network.nix
 ../../profiles/ashuffle.nix
 ../../profiles/common.nix
+ ../../profiles/miniflux.nix
 ../../profiles/users.nix
 ../../profiles/vaderetro.nix
 ../../profiles/zramswap.nix
diff --git a/machines/jormungand/nginx.nix b/machines/jormungand/nginx.nix
index bdec053..87cd154 100644
--- a/machines/jormungand/nginx.nix
+++ b/machines/jormungand/nginx.nix
@@ -205,7 +205,7 @@ in {
 forceSSL = true;
 enableACME = true;
 locations."/mpd/" = {
- proxyPass = "http://127.0.0.1:8080";
+ proxyPass = "http://127.0.0.1:8080/";
 # /var/spool/nginx/mpd.htpasswd has been populated manually
 # until proper secrets get managed...
 extraConfig = ''
@@ -223,6 +223,14 @@ in {
 };
 };
 
+ "miniflux.codewreck.org" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8081/";
+ };
+ };
+
 "matrix.codewreck.org" = {
 forceSSL = true;
 enableACME = true;
diff --git a/profiles/miniflux.nix b/profiles/miniflux.nix
new file mode 100644
index 0000000..49d567c
--- /dev/null
+++ b/profiles/miniflux.nix
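Review bot: The new `miniflux.codewreck.org` location hands requests to 127.0.0.1:8081 without any forwarded headers, so unless `services.nginx.recommendedProxySettings` is enabled elsewhere in this file (not visible in the hunk), Miniflux sees every request as coming from 127.0.0.1 over plain http, which makes its access logs and anything keyed on the client address meaningless. If that option is not set, give the location the same `extraConfig` treatment the `/mpd/` block above uses, with `extraConfig = '' proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; '';`. The enclosing attribute set starts and ends outside the hunk.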
@@ -0,0 +1,35 @@
+{ config, pkgs, lib, ...}:
+
+{
+ imports = [ ./postgresql.nix ];
+
+ services.miniflux = {
+ enable = true;
+ config = {
+ POLLING_SCHEDULER = "entry_frequency";
+ CLEANUP_ARCHIVE_READ_DAYS = "30";
+ LISTEN_ADDR = "localhost:8081";
+ };
+ adminCredentialsFile = "/etc/nixos/secrets/miniflux";
+ };
+
+ # confinement
+ users.users.miniflux.isSystemUser = true;
+ systemd.services.miniflux = {
+ serviceConfig = {
+ BindReadOnlyPaths = [
+ "/run/systemd/journal/socket"
+ "/etc/pki/tls/certs/ca-bundle.crt"
+ "/etc/hosts"
+ ];
+ DynamicUser = lib.mkForce false;
+ # prestart inits the db, only needed the first time and conflicts with confinement
+ ExecStartPre = lib.mkForce "";
+ };
+ confinement = {
+ enable = true;
+ binSh = null;
+ mode = "chroot-only";
+ };
+ };
+}
--
cgit v1.2.1-2-g3f67
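Review bot: `ExecStartPre = lib.mkForce ""` removes the module's pre-start step altogether, and the comment above it treats that step as first-run-only; if it is also what applies schema migrations (as the NixOS module's pre-start appears to do), a later Miniflux upgrade would start the confined service against an outdated database schema. Miniflux can migrate from the main process instead: add `RUN_MIGRATIONS = "1";` to `services.miniflux.config`, and reword the comment to say that migrations now run in-process because the pre-start cannot run under chroot confinement. Two smaller points: `LISTEN_ADDR = "localhost:8081"` binds by name while nginx proxies to `127.0.0.1:8081`, so `LISTEN_ADDR = "127.0.0.1:8081";` removes the name-resolution dependency (and possibly the reason for bind-mounting `/etc/hosts`), and with TLS terminated at nginx, `BASE_URL = "https://miniflux.codewreck.org";` tells the app its public origin. Whether the PostgreSQL socket and DNS resolution are reachable from a chroot-only confinement is not visible here and is worth confirming after the first start.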