creds: avoid restarts by not using inputs.self
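# Miniflux feed reader on this host: socket-activated behind nginx, running as
# a fixed system user inside a chroot confinement, authenticating to the local
# PostgreSQL over its Unix socket (ident map below) and reading its admin
# credentials from a systemd encrypted credential.
#
# `inputs`/`hostName` were unused and are dropped from the pattern; `...`
# keeps the module callable with the same argument set.
{ lib, config, ... }:
let
  inherit (config.networking) domain;
  inherit (config.services) nginx;
  inherit (config.users) users groups;
  srv = "miniflux";
in
{
  # systemd owns the listening socket and starts the service on demand.
  # Mode 600 owned by the nginx user: only nginx can connect to the backend,
  # no other local account can reach it directly.
  systemd.sockets.miniflux = {
    listenStreams = [ "/run/miniflux.sock" ];
    wantedBy = [ "sockets.target" ];
    socketConfig = {
      SocketMode = "600";
      SocketUser = nginx.user;
    };
  };

  services.miniflux = {
    enable = true;
    config = {
      # Base URL to generate HTML links and base path for cookies.
      BASE_URL = "https://${srv}.${domain}";
      # Number of feeds to send to the queue for each interval.
      BATCH_SIZE = "3";
      CLEANUP_ARCHIVE_UNREAD_DAYS = "60";
      CLEANUP_ARCHIVE_READ_DAYS = "30";
      #DEBUG = "on";
      # Empty on purpose: the listening socket is passed in by systemd
      # (see systemd.sockets.miniflux), no TCP port is opened here.
      LISTEN_ADDR = "";
      #METRICS_COLLECTOR = "1";
      POLLING_FREQUENCY = "180";
      POLLING_SCHEDULER = "entry_frequency";
      SCHEDULER_ENTRY_FREQUENCY_MAX_INTERVAL = "10080"; # 7*24*60 = 7d
      WATCHDOG = "1";
      WORKER_POOL_SIZE = "2";
    };
    # Path where systemd exposes the decrypted credential with id
    # "credentials" (matches LoadCredentialEncrypted below). Only the
    # service's own process tree can read it; it never lands in the store.
    adminCredentialsFile = "/run/credentials/miniflux.service/credentials";
  };

  systemd.services.miniflux = {
    partOf = [ "postgresql.service" ];
    # Socket activation: nothing pulls the service in at boot, and it
    # cannot be started by hand; only the socket unit may start it.
    wantedBy = lib.mkForce [ ];
    unitConfig.RefuseManualStart = true;
    serviceConfig = {
      # The path interpolation copies credentials.cred into the Nix store,
      # which is world-readable; this is acceptable only because the file is
      # the ciphertext that LoadCredentialEncrypted decrypts at start.
      LoadCredentialEncrypted = [
        "credentials:${miniflux/credentials.cred}"
      ];
      # Fixed user and the postgres group so that PostgreSQL's ident map
      # (services.postgresql.identMap below) can authenticate the OS user
      # over /run/postgresql. A DynamicUser would not have a stable name.
      User = users."miniflux".name;
      Group = groups."postgres".name;
      DynamicUser = lib.mkForce false;
      # Host paths made visible inside the chroot confinement: journal
      # socket, PostgreSQL socket directory, CA bundle for feed fetching,
      # and name resolution.
      BindReadOnlyPaths = [
        "/run/systemd/journal/socket"
        "/run/postgresql"
        "/etc/pki/tls/certs/ca-bundle.crt"
        "/etc/hosts"
      ];
      Type = "notify";
      # NOTE(review): this overrides the module's UMask; 0022 makes files the
      # service creates readable by group and others — confirm nothing
      # sensitive is written with it.
      UMask = lib.mkForce "0022";
      # Hardening
      NoNewPrivileges = true;
      PrivateTmp = true;
      RemoveIPC = true;
      # NOTE(review): left disabled; presumably redundant or conflicting
      # with the chroot confinement — confirm before re-enabling.
      #ProtectSystem = true;
    };
    # Chroot confinement without /bin/sh: the service cannot spawn a shell.
    confinement = {
      enable = true;
      binSh = null;
      mode = "chroot-only";
    };
  };

  # Let the OS user "miniflux" connect as the PostgreSQL role of the same
  # name over the local socket (no password involved).
  services.postgresql.identMap = ''
    # MAPNAME SYSTEM-USERNAME PG-USERNAME
    user ${users.miniflux.name} ${users.miniflux.name}
  '';

  users.users."miniflux" = {
    isSystemUser = true;
    group = groups."postgres".name;
  };

  # Public entry point: TLS only, certificate from the domain-wide ACME host,
  # proxied to the Unix socket owned by the systemd socket unit above.
  services.nginx.virtualHosts."${srv}.${domain}" = {
    forceSSL = true;
    useACMEHost = domain;
    extraConfig = ''
      access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
      error_log /var/log/nginx/${domain}/${srv}/error.log warn;
    '';
    locations."/" = {
      proxyPass = "http://unix:/run/miniflux.sock:/";
    };
  };

  # Per-vhost log directory created by systemd for the nginx unit so the
  # access_log/error_log paths above exist with the right ownership.
  systemd.services.nginx.serviceConfig.LogsDirectory =
    lib.mkForce [ "nginx/${domain}/${srv}" ];
}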