hosts/mermet/miniflux.nix

   1 { pkgs, lib, config, inputs, hostName, ... }:
   2 let
   3   inherit (config.networking) domain;
   4   inherit (config.services) nginx postgresql;
   5   inherit (config.users) users groups;
   6   srv = "miniflux";
   7 in
   8 {
   9   systemd.sockets.miniflux = {
  10     listenStreams = [ "/run/miniflux.sock" ];
  11     wantedBy = [ "sockets.target" ];
  12     socketConfig.SocketMode = "600";
  13     socketConfig.SocketUser = nginx.user;
  14   };
  15   services.miniflux = {
  16     enable = true;
  17     config = {
  18       BASE_URL = "https://${srv}.${domain}"; # Base URL to generate HTML links and base path for cookies.
  19       BATCH_SIZE = "3"; # Number of feeds to send to the queue for each interval.
  20       CLEANUP_ARCHIVE_UNREAD_DAYS = "60";
  21       CLEANUP_ARCHIVE_READ_DAYS = "30";
  22       #DEBUG = "on";
  23       LISTEN_ADDR = "";
  24       #METRICS_COLLECTOR = "1";
  25       POLLING_FREQUENCY = "180";
  26       POLLING_SCHEDULER = "entry_frequency";
  27       SCHEDULER_ENTRY_FREQUENCY_MAX_INTERVAL = "10080"; # 7*24*60 = 7d
  28       WATCHDOG = "1";
  29       WORKER_POOL_SIZE = "2";
  30     };
  31     #adminCredentialsFile = "/run/credentials/miniflux.service/credentials";
  32     adminCredentialsFile = "/dev/null";
  33   };
  34   systemd.services.miniflux = {
  35     partOf = [ "postgresql.service" ];
  36     # For the socket-activation
  37     wantedBy = lib.mkForce [ ];
  38     unitConfig = {
  39       RefuseManualStart = true;
  40     };
  41     serviceConfig = {
  42       ExecStart = lib.mkForce (pkgs.writeShellScript "miniflux" ''
  43         . /run/credentials/miniflux.service/credentials
  44         export ADMIN_USERNAME
  45         export ADMIN_PASSWORD
  46         exec ${pkgs.miniflux}/bin/miniflux
  47       '');
  48       LoadCredentialEncrypted = [
  49         "credentials:${miniflux/credentials.cred}"
  50       ];
  51       # For postgres auth
  52       User = users."miniflux".name;
  53       Group = groups."postgres".name;
  54       # For the confinement
  55       BindReadOnlyPaths = [
  56         "/run/systemd/journal/socket"
  57         "/run/postgresql"
  58         "/etc/pki/tls/certs/ca-bundle.crt"
  59         "/etc/hosts"
  60       ];
  61       Type = "notify";
  62       DynamicUser = lib.mkForce false;
  63       UMask = lib.mkForce "0022";
  64       # For the hardening
  65       NoNewPrivileges = true;
  66       PrivateTmp = true;
  67       RemoveIPC = true;
  68       #ProtectSystem = true;
  69     };
  70     confinement = {
  71       enable = true;
  72       binSh = null;
  73       mode = "chroot-only";
  74     };
  75   };
  76   services.postgresql.identMap = ''
  77     # MAPNAME  SYSTEM-USERNAME         PG-USERNAME
  78     user       ${users.miniflux.name}  ${users.miniflux.name}
  79   '';
  80   users.users."miniflux" = {
  81     isSystemUser = true;
  82     group = groups."postgres".name;
  83   };
  84   services.nginx.virtualHosts."${srv}.${domain}" = {
  85     forceSSL = true;
  86     useACMEHost = domain;
  87     extraConfig = ''
  88       access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
  89       error_log  /var/log/nginx/${domain}/${srv}/error.log warn;
  90     '';
  91     locations."/" = {
  92       proxyPass = "http://unix:/run/miniflux.sock:/";
  93     };
  94   };
  95   systemd.services.nginx.serviceConfig.LogsDirectory =
  96     lib.mkForce [ "nginx/${domain}/${srv}" ];
  97 }