]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/miniflux.nix
initrd: add comments
[sourcephile-nix.git] / hosts / mermet / miniflux.nix
1 { pkgs, lib, config, inputs, hostName, ... }:
2 let
3 inherit (config.networking) domain;
4 inherit (config.services) nginx postgresql;
5 inherit (config.users) users groups;
6 srv = "miniflux";
7 in
8 {
9 systemd.sockets.miniflux = {
10 listenStreams = [ "/run/miniflux.sock" ];
11 wantedBy = [ "sockets.target" ];
12 socketConfig.SocketMode = "600";
13 socketConfig.SocketUser = nginx.user;
14 };
15 services.miniflux = {
16 enable = true;
17 config = {
18 BASE_URL = "https://${srv}.${domain}"; # Base URL to generate HTML links and base path for cookies.
19 BATCH_SIZE = 3; # Number of feeds to send to the queue for each interval.
20 CLEANUP_ARCHIVE_UNREAD_DAYS = 60;
21 CLEANUP_ARCHIVE_READ_DAYS = 30;
22 #DEBUG = true;
23 LISTEN_ADDR = "";
24 #METRICS_COLLECTOR = 1;
25 POLLING_FREQUENCY = 180;
26 POLLING_SCHEDULER = "entry_frequency";
27 SCHEDULER_ENTRY_FREQUENCY_MAX_INTERVAL = 10080; # 7*24*60 = 7d
28 WATCHDOG = 1;
29 WORKER_POOL_SIZE = 2;
30 };
31 #adminCredentialsFile = "/run/credentials/miniflux.service/credentials";
32 adminCredentialsFile = "/dev/null";
33 };
34 systemd.services.miniflux = {
35 partOf = [ "postgresql.service" ];
36 # For the socket-activation
37 wantedBy = lib.mkForce [ ];
38 unitConfig = {
39 RefuseManualStart = true;
40 };
41
42 serviceConfig = {
43 ExecStart = lib.mkForce (pkgs.writeShellScript "miniflux" ''
44 . /run/credentials/miniflux.service/credentials
45 export ADMIN_USERNAME
46 export ADMIN_PASSWORD
47 exec ${pkgs.miniflux}/bin/miniflux
48 '');
49 LoadCredentialEncrypted = [
50 "credentials:${miniflux/credentials.cred}"
51 ];
52 # For postgres auth
53 #User = users."miniflux".name;
54 Group = groups."postgres".name;
55 # For the confinement
56 BindReadOnlyPaths = [
57 "/run/systemd/journal/socket"
58 "/run/postgresql"
59 "/etc/pki/tls/certs/ca-bundle.crt"
60 "/etc/static/pki/tls/certs/ca-bundle.crt"
61 "/etc/ssl/certs/ca-certificates.crt"
62 "/etc/static/ssl/certs/ca-certificates.crt"
63 "/etc/hosts"
64 ];
65 RuntimeDirectory = lib.mkForce [
66 "miniflux"
67 "confinement/miniflux"
68 ];
69 Type = "notify";
70 #DynamicUser = lib.mkForce false;
71 UMask = lib.mkForce "0022";
72 # For the hardening
73 NoNewPrivileges = true;
74 PrivateTmp = true;
75 RemoveIPC = true;
76 #ProtectSystem = true;
77 };
78 confinement = {
79 enable = true;
80 #binSh = null;
81 binSh = "${pkgs.bash}/bin/bash";
82 mode = "chroot-only";
83 packages = [
84 pkgs.cacert
85 ];
86 };
87 };
88 services.postgresql.identMap = ''
89 # MAPNAME SYSTEM-USERNAME PG-USERNAME
90 user ${users.miniflux.name} ${users.miniflux.name}
91 '';
92 users.users."miniflux" = {
93 isSystemUser = true;
94 group = groups."postgres".name;
95 };
96 services.nginx.virtualHosts."${srv}.${domain}" = {
97 forceSSL = true;
98 useACMEHost = domain;
99 extraConfig = ''
100 access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
101 error_log /var/log/nginx/${domain}/${srv}/error.log warn;
102 '';
103 locations."/" = {
104 proxyPass = "http://unix:/run/miniflux.sock:/";
105 };
106 };
107 systemd.services.nginx.serviceConfig.LogsDirectory =
108 lib.mkForce [ "nginx/${domain}/${srv}" ];
109 }