server: add miniflux rss server
wiro.world
4 months ago
127d231f
bc7a2747
verified
This commit was signed with the committer's
known signature
.
wiro.world
SSH Key Fingerprint:
SHA256:SmMcWpNAnL+VAgItSawvXgdPVn7f1rsyAuB/5VNclKY=
+52
-1
3 changed files
nixos
profiles
server.nix
secrets
miniflux-oidc-secret.age
secrets.nix
+42
-1
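--- a/nixos/profiles/server.nix
+++ b/nixos/profiles/server.nix
@@ -79,6 +79,9 @@
 vaultwarden-port = 3011;
 vaultwarden-hostname = "vault.wiro.world";
 
+miniflux-port = 3012;
+miniflux-hostname = "news.wiro.world";
+
 prometheus-port = 9001;
 prometheus-node-exporter-port = 9002;
 headscale-metrics-port = 9003;
@@ -254,6 +257,10 @@
 
 virtualHosts.${vaultwarden-hostname}.extraConfig = ''
 reverse_proxy http://localhost:${toString vaultwarden-port}
+'';
+
+virtualHosts.${miniflux-hostname}.extraConfig = ''
+reverse_proxy http://localhost:${toString miniflux-port}
 '';
 };
 
@@ -465,7 +472,6 @@
 ];
 };
 
-
 identity_providers.oidc = {
 enforce_pkce = "always";
 clients = [
@@ -490,6 +496,13 @@
 
 redirect_uris = [ "https://login.tailscale.com/a/oauth_response" ];
 }
+{
+client_name = "Miniflux";
+client_id = "miniflux";
+client_secret = "$pbkdf2-sha256$310000$uPqbWfCOBXDY6nV1vsx3uA$HOWG2hL.c/bs9Dwaee3b9DxjH7KFO.SaZMbasXV9Vdw";
+
+redirect_uris = [ "https://${miniflux-hostname}/oauth2/oidc/callback" ];
+}
 ];
 };
 
@@ -553,6 +566,34 @@
 # SMTP_PASSWORD = ...; # Via secret env
 SMTP_FROM = "bitwarden@wiro.world";
 SMTP_FROM_NAME = "Bitwarden wiro.world";
+};
+};
+
+users.users.miniflux = { isSystemUser = true; group = "miniflux"; };
+users.groups.miniflux = { };
+age.secrets.miniflux-oidc-secret = { file = ../../secrets/miniflux-oidc-secret.age; owner = "miniflux"; };
+services.miniflux = {
+enable = true;
+
+createDatabaseLocally = true;
+adminCredentialsFile = config.age.secrets.miniflux-oidc-secret.path;
+config = {
+BASE_URL = "https://${miniflux-hostname}/";
+LISTEN_ADDR = "127.0.0.1:${toString miniflux-port}";
+
+# TODO: scrape metrics endpoint with prometheus
+
+OAUTH2_PROVIDER = "oidc";
+OAUTH2_OIDC_PROVIDER_NAME = "wiro.world SSO";
+OAUTH2_CLIENT_ID = "miniflux";
+OAUTH2_CLIENT_SECRET_FILE = config.age.secrets.miniflux-oidc-secret.path;
+OAUTH2_REDIRECT_URL = "https://${miniflux-hostname}/oauth2/oidc/callback";
+OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.wiro.world";
+OAUTH2_USER_CREATION = 1;
+DISABLE_LOCAL_AUTH = 1;
+
+# NetNewsWire is a very good iOS oss client that integrates well
+# https://b.j4.lc/2025/05/05/setting-up-netnewswire-with-miniflux/
 };
 };
 };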
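Review bot: In the new `services.miniflux` block, `adminCredentialsFile` and `OAUTH2_CLIENT_SECRET_FILE` both point at `config.age.secrets.miniflux-oidc-secret.path`, so one decrypted file is consumed in two different roles. As far as I know the NixOS module loads `adminCredentialsFile` as a systemd environment file holding `ADMIN_USERNAME`/`ADMIN_PASSWORD`, while Miniflux reads the `_FILE` option as the raw secret, so a file shaped for one is wrong for the other: either the client secret presented to the IdP contains env-file text, or no admin credentials are actually defined. If the admin file is only there to satisfy the module, I would set `CREATE_ADMIN = 0;` in `config` and drop `adminCredentialsFile` (confirm the module version in use accepts that), or otherwise give it its own age secret. Separately, with `OAUTH2_USER_CREATION = 1` and `DISABLE_LOCAL_AUTH = 1` the IdP alone decides who gets an account, and the added client entry shows no `authorization_policy`, so a comment stating the intended policy for the `miniflux` client would help.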
+9
secrets/miniflux-oidc-secret.age
···
1
1
+
age-encryption.org/v1
2
2
+
-> ssh-ed25519 sMF1bg E4UVPOuq5ZUSxGvIvr0Tod9PQRqDdqHu2Byv4fKi2io
3
3
+
FcdCyfLmRCmK5rmoLQ/m1KOJe9Etu9N/GHCM5lWCIPE
4
4
+
-> ssh-ed25519 SmMcWg wrKv3V6uSLnWQqIp65Rgi0qv7lQtyOXaxnahMo+s3EU
5
5
+
mXsJ1CbS3pzstf3xaWWF150+aXxW2kY2J5kAZWqtl+A
6
6
+
-> ssh-ed25519 Q8rMFA 91npFfTkw9Ur6aZp/pLzLUOIwwPJ9OA1peaZyTlROBU
7
7
+
12sib8HLjvgN06X6H0/AN4wMewQ8xup813DauZKQ+QY
8
8
+
--- /AGwAMAsPvvuRH6PPNrizBCsJedclYzdj6Kq4V3mx0o
9
9
+
zN��0�=�YP������rլ�!U�n;���n���/��}mCo�F��������!z���r������)u��o�3�>��>Z�f�1Ň ����
+1
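--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -31,6 +31,7 @@
 "tuwunel-registration-tokens.age".publicKeys = deploy;
 # Defines `SMTP_PASSWORD`
 "vaultwarden-env.age".publicKeys = deploy;
+"miniflux-oidc-secret.age".publicKeys = deploy;
 
 # Not used in config but useful
 "pgp-ca5e.age".publicKeys = users;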