nix: revamp secrets
{ pkgs, lib, config, hostName, ... }:
let
  inherit (config.networking) domain;
  inherit (config.security) gnupg;
  inherit (config.services) nginx postgresql;
  inherit (config.users) users groups;
  srv = "miniflux";
  # The admin credentials secret, declared below under security.gnupg.secrets.
  credentials = gnupg.secrets."miniflux/credentials";
  minifluxUser = users."miniflux";
  postgresGroup = groups."postgres";
in
{
  # Miniflux is only reachable through this unix socket; it is owned by the
  # nginx user with mode 600, so the reverse proxy is its only local client.
  systemd.sockets.miniflux = {
    listenStreams = [ "/run/miniflux.sock" ];
    wantedBy = [ "sockets.target" ];
    socketConfig = {
      SocketMode = "600";
      SocketUser = nginx.user;
    };
  };

  services.miniflux = {
    enable = true;
    # Admin login comes from a gnupg-managed secret file, not from the Nix store.
    adminCredentialsFile = credentials.path;
    config = {
      BASE_URL = "https://${srv}.${domain}"; # Base URL to generate HTML links and base path for cookies.
      BATCH_SIZE = "3"; # Number of feeds to send to the queue for each interval.
      CLEANUP_ARCHIVE_READ_DAYS = "30";
      CLEANUP_ARCHIVE_UNREAD_DAYS = "60";
      #DEBUG = "on";
      # Empty: no TCP listener of its own; the service is expected to serve the
      # socket declared above (assumes miniflux honours socket activation — TODO confirm).
      LISTEN_ADDR = "";
      #METRICS_COLLECTOR = "1";
      POLLING_FREQUENCY = "180";
      POLLING_SCHEDULER = "entry_frequency";
      SCHEDULER_ENTRY_FREQUENCY_MAX_INTERVAL = "10080"; # 7*24*60 = 7d
      WATCHDOG = "1";
      WORKER_POOL_SIZE = "2";
    };
  };

  security.gnupg.secrets."miniflux/credentials" = { };

  systemd.services.miniflux = {
    # The secret has to be decrypted before miniflux reads it.
    after = [ credentials.service ];
    wants = [ credentials.service ];
    partOf = [ "postgresql.service" ];
    # Socket-activated only: not pulled in by any target, and manual starts are refused.
    wantedBy = lib.mkForce [ ];
    unitConfig.RefuseManualStart = true;
    serviceConfig = {
      Type = "notify";
      # A fixed identity instead of DynamicUser, so that postgres peer
      # authentication (see services.postgresql.identMap below) can match the system user.
      # NOTE(review): the postgres group grants access to everything group-readable
      # by postgres, which is wider than the socket directory alone — confirm it is needed.
      DynamicUser = lib.mkForce false;
      User = minifluxUser.name;
      Group = postgresGroup.name;
      # NOTE(review): 0022 makes files the service creates world-readable; the reason
      # for overriding the module's default is not recorded here — confirm.
      UMask = lib.mkForce "0022";
      # Host paths the chroot confinement (below) still needs: journald, the
      # postgres socket, the CA bundle (presumably for TLS feed fetches) and name resolution.
      BindReadOnlyPaths = [
        "/run/systemd/journal/socket"
        "/run/postgresql"
        "/etc/pki/tls/certs/ca-bundle.crt"
        "/etc/hosts"
      ];
      # Hardening
      NoNewPrivileges = true;
      PrivateTmp = true;
      RemoveIPC = true;
      #ProtectSystem = true;
    };
    confinement = {
      enable = true;
      binSh = null;
      mode = "chroot-only";
    };
  };

  # Map the system user onto the same-named database role for peer authentication.
  services.postgresql.identMap = ''
    # MAPNAME SYSTEM-USERNAME PG-USERNAME
    user ${minifluxUser.name} ${minifluxUser.name}
  '';

  users.users."miniflux" = {
    isSystemUser = true;
    group = postgresGroup.name;
  };

  services.nginx.virtualHosts."${srv}.${domain}" = {
    forceSSL = true;
    useACMEHost = domain;
    extraConfig = ''
      access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
      error_log /var/log/nginx/${domain}/${srv}/error.log warn;
    '';
    locations."/".proxyPass = "http://unix:/run/miniflux.sock:/";
  };
  systemd.services.nginx.serviceConfig.LogsDirectory = lib.mkForce [ "nginx/${domain}/${srv}" ];
}