wiro.world / dotfiles
yep, more dotfiles
fork atom

server: add miniflux rss server

wiro.world 127d231f bc7a2747

verified
options
unified split
Changed files
+52 -1
nixos
profiles
server.nix
secrets
miniflux-oidc-secret.age
secrets.nix
+42 -1
nixos/profiles/server.nix 
···

       
79

       
79

       
 

       
  vaultwarden-port = 3011;


     

       
80

       
80

       
 

       
  vaultwarden-hostname = "vault.wiro.world";


     

       
81

       
81

       
 

       



     

       

       
82

       
+

       
  miniflux-port = 3012;


     

       

       
83

       
+

       
  miniflux-hostname = "news.wiro.world";


     

       

       
84

       
+

       



     

       
82

       
85

       
 

       
  prometheus-port = 9001;


     

       
83

       
86

       
 

       
  prometheus-node-exporter-port = 9002;


     

       
84

       
87

       
 

       
  headscale-metrics-port = 9003;


     
···

       
254

       
257

       
 

       



     

       
255

       
258

       
 

       
      virtualHosts.${vaultwarden-hostname}.extraConfig = ''


     

       
256

       
259

       
 

       
        reverse_proxy http://localhost:${toString vaultwarden-port}


     

       

       
260

       
+

       
      '';


     

       

       
261

       
+

       



     

       

       
262

       
+

       
      virtualHosts.${miniflux-hostname}.extraConfig = ''


     

       

       
263

       
+

       
        reverse_proxy http://localhost:${toString miniflux-port}


     

       
257

       
264

       
 

       
      '';


     

       
258

       
265

       
 

       
    };


     

       
259

       
266

       
 

       



     
···

       
465

       
472

       
 

       
          ];


     

       
466

       
473

       
 

       
        };


     

       
467

       
474

       
 

       



     

       
468

       

       
-

       



     

       
469

       
475

       
 

       
        identity_providers.oidc = {


     

       
470

       
476

       
 

       
          enforce_pkce = "always";


     

       
471

       
477

       
 

       
          clients = [


     
···

       
490

       
496

       
 

       



     

       
491

       
497

       
 

       
              redirect_uris = [ "https://login.tailscale.com/a/oauth_response" ];


     

       
492

       
498

       
 

       
            }


     

       

       
499

       
+

       
            {


     

       

       
500

       
+

       
              client_name = "Miniflux";


     

       

       
501

       
+

       
              client_id = "miniflux";


     

       

       
502

       
+

       
              client_secret = "$pbkdf2-sha256$310000$uPqbWfCOBXDY6nV1vsx3uA$HOWG2hL.c/bs9Dwaee3b9DxjH7KFO.SaZMbasXV9Vdw";


     

       

       
503

       
+

       



     

       

       
504

       
+

       
              redirect_uris = [ "https://${miniflux-hostname}/oauth2/oidc/callback" ];


     

       

       
505

       
+

       
            }


     

       
493

       
506

       
 

       
          ];


     

       
494

       
507

       
 

       
        };


     

       
495

       
508

       
 

       



     
···

       
553

       
566

       
 

       
        # SMTP_PASSWORD = ...; # Via secret env


     

       
554

       
567

       
 

       
        SMTP_FROM = "bitwarden@wiro.world";


     

       
555

       
568

       
 

       
        SMTP_FROM_NAME = "Bitwarden wiro.world";


     

       

       
569

       
+

       
      };


     

       

       
570

       
+

       
    };


     

       

       
571

       
+

       



     

       

       
572

       
+

       
    users.users.miniflux = { isSystemUser = true; group = "miniflux"; };


     

       

       
573

       
+

       
    users.groups.miniflux = { };


     

       

       
574

       
+

       
    age.secrets.miniflux-oidc-secret = { file = ../../secrets/miniflux-oidc-secret.age; owner = "miniflux"; };


     

       

       
575

       
+

       
    services.miniflux = {


     

       

       
576

       
+

       
      enable = true;


     

       

       
577

       
+

       



     

       

       
578

       
+

       
      createDatabaseLocally = true;


     

       

       
579

       
+

       
      adminCredentialsFile = config.age.secrets.miniflux-oidc-secret.path;


     

       

       
580

       
+

       
      config = {


     

       

       
581

       
+

       
        BASE_URL = "https://${miniflux-hostname}/";


     

       

       
582

       
+

       
        LISTEN_ADDR = "127.0.0.1:${toString miniflux-port}";


     

       

       
583

       
+

       



     

       

       
584

       
+

       
        # TODO: scrape metrics endpoint with prometheus


     

       

       
585

       
+

       



     

       

       
586

       
+

       
        OAUTH2_PROVIDER = "oidc";


     

       

       
587

       
+

       
        OAUTH2_OIDC_PROVIDER_NAME = "wiro.world SSO";


     

       

       
588

       
+

       
        OAUTH2_CLIENT_ID = "miniflux";


     

       

       
589

       
+

       
        OAUTH2_CLIENT_SECRET_FILE = config.age.secrets.miniflux-oidc-secret.path;


     

       

       
590

       
+

       
        OAUTH2_REDIRECT_URL = "https://${miniflux-hostname}/oauth2/oidc/callback";


     

       

       
591

       
+

       
        OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.wiro.world";


     

       

       
592

       
+

       
        OAUTH2_USER_CREATION = 1;


     

       

       
593

       
+

       
        DISABLE_LOCAL_AUTH = 1;


     

       

       
594

       
+

       



     

       

       
595

       
+

       
        # NetNewsWire is a very good iOS oss client that integrates well


     

       

       
596

       
+

       
        # https://b.j4.lc/2025/05/05/setting-up-netnewswire-with-miniflux/


     

       
556

       
597

       
 

       
      };


     

       
557

       
598

       
 

       
    };


     

       
558

       
599

       
 

       
  };
+9
secrets/miniflux-oidc-secret.age 
···

       

       
1

       
+

       
age-encryption.org/v1


     

       

       
2

       
+

       
-> ssh-ed25519 sMF1bg E4UVPOuq5ZUSxGvIvr0Tod9PQRqDdqHu2Byv4fKi2io


     

       

       
3

       
+

       
FcdCyfLmRCmK5rmoLQ/m1KOJe9Etu9N/GHCM5lWCIPE


     

       

       
4

       
+

       
-> ssh-ed25519 SmMcWg wrKv3V6uSLnWQqIp65Rgi0qv7lQtyOXaxnahMo+s3EU


     

       

       
5

       
+

       
mXsJ1CbS3pzstf3xaWWF150+aXxW2kY2J5kAZWqtl+A


     

       

       
6

       
+

       
-> ssh-ed25519 Q8rMFA 91npFfTkw9Ur6aZp/pLzLUOIwwPJ9OA1peaZyTlROBU


     

       

       
7

       
+

       
12sib8HLjvgN06X6H0/AN4wMewQ8xup813DauZKQ+QY


     

       

       
8

       
+

       
--- /AGwAMAsPvvuRH6PPNrizBCsJedclYzdj6Kq4V3mx0o


     

       

       
9

       
+

       
zN��0�=�YP������rլ�!U�n;���n���/��}mCo�F��������ž!z���r������)u��o�3�>��>Z�f�񡤙1Ň
����
+1
secrets/secrets.nix 
···

       
31

       
31

       
 

       
  "tuwunel-registration-tokens.age".publicKeys = deploy;


     

       
32

       
32

       
 

       
  # Defines `SMTP_PASSWORD`


     

       
33

       
33

       
 

       
  "vaultwarden-env.age".publicKeys = deploy;


     

       

       
34

       
+

       
  "miniflux-oidc-secret.age".publicKeys = deploy;


     

       
34

       
35

       
 

       



     

       
35

       
36

       
 

       
  # Not used in config but useful


     

       
36

       
37

       
 

       
  "pgp-ca5e.age".publicKeys = users;