From cde35b5766c27922a71751508b549ecc3e3c44dc Mon Sep 17 00:00:00 2001
From: Gerg-L
Date: Tue, 19 Sep 2023 18:41:35 -0400
Subject: [PATCH] add miniflux service
---
 hosts/gerg-desktop/secrets.yaml | 7 +-
 hosts/gerg-desktop/services/miniflux.nix | 83 ++++++++++++++++++++++
 hosts/gerg-desktop/services/nginx.nix | 13 ++++
 hosts/gerg-desktop/services/postgresql.nix | 6 +-
 4 files changed, 105 insertions(+), 4 deletions(-)
 create mode 100644 hosts/gerg-desktop/services/miniflux.nix
diff --git a/hosts/gerg-desktop/secrets.yaml b/hosts/gerg-desktop/secrets.yaml
index f1814a7..1579ad1 100644
--- a/hosts/gerg-desktop/secrets.yaml
+++ b/hosts/gerg-desktop/secrets.yaml
@@ -1,5 +1,6 @@
 discordenv: ENC[AES256_GCM,data:dzl1FaBUPiiGR8hOmUVDulGnS9wBwX0ddYYV/euilrrHGO8GiktfENSLLIPpqNm1jSoO8zIs10/tTeQLGPtN5yUhF5lYhcjupows20Cd/Nn0OwDuLfXZmO3dAbN4hvsbGnJpnDOEB2EvqRZSQPxH8eLc0Do0hryjnrIYuKpN,iv:uWGY3XAbgFg1ZyI7J1/Q+UOdc5mReYvVq9uLFqfmadw=,tag:+ZlVbJ5ZyahaG1V3H+MVpQ==,type:str]
 searxngenv: ENC[AES256_GCM,data:HtH4KxXWoQEJp88Bgfhfj5Y4Up+inHu8mnVtay64XvCRpVKHF/kceC3XwT9C3IdXpQ==,iv:iXK8hOFoEnM5wFUZhC8IOdHzPhwPDHtTL8MmS5FSlns=,tag:TZHTB7ia5Qq2f2fETJOpEA==,type:str]
+minifluxenv: ENC[AES256_GCM,data:wgz6sxSbbjXrgBAak0Q0TlvG78+JHPpiPtcbqGo9HpSF3qY78edECCDB3qqIaynxdhI4,iv:mbsr+OG8fE5MggmC+TNkLmhhDNGvJo+uelNRo/rMLoo=,tag:xN+FbNHZIVCruQh23aMt5g==,type:str]
 gerg: ENC[AES256_GCM,data:iSwWGIIxQenCPMd/Tith/eagjVINn0mgrO99IG85cP4UXtut6GF2R57XDMeD7SU18vW1ULod/lYuTo0SmmrkmX+wlDWgm4cODw==,iv:fHTcn4ZmjSqLC8jQkuualRbp+RwvgblS1ic6WPb2WEY=,tag:rkDuXhvleKekv3bVpdNNuw==,type:str]
 store_key: ENC[AES256_GCM,data:/1wAHcMZl3loV2IR7mj1z51lwfKmaP24DgEjl2w8qwbrKHBIS09meLXrVTvsvQmFM4AvKig9ADs1aeYoVTTEa4QE9nKJ/LyRI5z8dHe7j7H5Y+UI+Syr0CUKN2I9UuqkOAyWrPM=,iv:5cLxhzNawFMTKn+MT5cHILTvggHmxteycL+2bxUPsoc=,tag:q8voriNRZUL4pYYfOvJT0A==,type:str]
 nextcloud: ENC[AES256_GCM,data:CJqcH+l7EMwV8q7S,iv:uiq+lRMYR8APoVCmliAvUEthBUABdPXxs53y8I1WB+M=,tag:ObRMNYp9xIKR4VPxQr3JfA==,type:str]
@@ -24,8 +25,8 @@ sops:
 dGhDRXRTWE9xSGtxQU80RVpuL1A5MkEKxAxC/wDkq+6hM8eXkWd/RBDNIUtGYnPy
 MvVxB6dkj+S11oRcMpdFqiM9jSzz/gYecB2tfuDgj+UX/VAzSkvPxA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-09-18T23:06:30Z"
- mac: ENC[AES256_GCM,data:tpG03ndPvbIdNx/YnMLI9nxjhocApV06xqfCo/k1cAeNB6K43chePtEn2pAw49J65xoumIgT3AstRtX7iIEryAGV/wkafRVyU72SzrOXQwl/+FxXxEFqJctzctZ8Ievh1utwXOigSAuZNMVwgaEhXAAmKwPScTELC0JXUMM9HYw=,iv:v6jbcyVioLvAxeuXvtWvPKuwC1/Q0O46TF1DaJR6GYk=,tag:Vp8WwSjqH+KXsw9ANx8Q6w==,type:str]
+ lastmodified: "2023-09-19T22:04:42Z"
+ mac: ENC[AES256_GCM,data:Z9AH0zxbtwamsWP5htqQJmnsZZcZQ2PElqevQZ8E25EO8mM7NktgYs5ad372y/ZxIuQpxe5YSjBhxv14YBvlyqx0+oU6Bxsnvfg15fPVtJgRj8H+vTNQahvESoh6yX7iuae7sqN1daYm7Ye02BymDL9VotjQtmQRQYCs7xA6oK0=,iv:nBm1F6KhKF8QvkKlPnIlt/zIxdtComIMBs1vK1FbykE=,tag:6BrQ2AUtX6lQ7s111mQh1w==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.7.3
+ version: 3.8.0
diff --git a/hosts/gerg-desktop/services/miniflux.nix b/hosts/gerg-desktop/services/miniflux.nix
new file mode 100644
index 0000000..31d330f
--- /dev/null
+++ b/hosts/gerg-desktop/services/miniflux.nix
@@ -0,0 +1,83 @@
+_: {
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ sops.secrets.minifluxenv = {
+ owner = "miniflux";
+ group = "miniflux";
+ };
+
+ systemd.services = {
+ miniflux = {
+ description = "Miniflux service";
+ wantedBy = ["multi-user.target"];
+ requires = ["miniflux-dbsetup.service"];
+ after = ["network.target" "postgresql.service" "miniflux-dbsetup.service"];
+ script = lib.getExe' pkgs.miniflux "miniflux";
+
+ serviceConfig = {
+ User = "miniflux";
+ RuntimeDirectory = "miniflux";
+ RuntimeDirectoryMode = "0770";
+ EnvironmentFile = config.sops.secrets.minifluxenv.path;
+ # Hardening
+ CapabilityBoundingSet = [""];
+ DeviceAllow = [""];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = ["@system-service" "~@privileged"];
+ UMask = "0077";
+ };
+
+ environment = {
+ LISTEN_ADDR = "/run/miniflux/miniflux.sock";
+ DATABASE_URL = "user=miniflux host=/run/postgresql dbname=miniflux";
+ RUN_MIGRATIONS = "1";
+ CREATE_ADMIN = "1";
+ };
+ };
+ miniflux-dbsetup = {
+ description = "Miniflux database setup";
+ requires = ["postgresql.service"];
+ after = ["network.target" "postgresql.service"];
+ script = ''
+ ${lib.getExe' config.services.postgresql.package "psql"} "miniflux" -c "CREATE EXTENSION IF NOT EXISTS hstore"
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ User = config.services.postgresql.superUser;
+ };
+ };
+ };
+ users = {
+ groups.miniflux = {
+ gid = 377;
+ };
+ users = {
+ miniflux = {
+ group = "miniflux";
+ isSystemUser = true;
+ uid = 377;
+ };
+ ${config.services.nginx.user}.extraGroups = ["miniflux"];
+ };
+ };
+}
diff --git a/hosts/gerg-desktop/services/nginx.nix b/hosts/gerg-desktop/services/nginx.nix
index b693230..fdfecc1 100644
--- a/hosts/gerg-desktop/services/nginx.nix
+++ b/hosts/gerg-desktop/services/nginx.nix
@@ -22,6 +22,13 @@ _: {
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
 virtualHosts = {
+ "_" = {
+ default = true;
+ forceSSL = true;
+ sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
+ sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
+ locations."/".return = "404";
+ };
 "nix-fu.com" = {
 forceSSL = true;
 sslCertificate = config.sops.secrets.nixfu_ssl_cert.path;
@@ -47,6 +54,12 @@ _: {
 sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
 sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
 };
+ "flux.gerg-L.com" = {
+ forceSSL = true;
+ sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
+ sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
+ locations."/".proxyPass = "http://unix:${config.systemd.services.miniflux.environment.LISTEN_ADDR}";
+ };
 };
 };
 networking.firewall.allowedTCPPorts = [80 443];
diff --git a/hosts/gerg-desktop/services/postgresql.nix b/hosts/gerg-desktop/services/postgresql.nix
index 46f9427..223db49 100644
--- a/hosts/gerg-desktop/services/postgresql.nix
+++ b/hosts/gerg-desktop/services/postgresql.nix
@@ -8,17 +8,21 @@ _: {
 package = pkgs.postgresql_13;
 dataDir = "/persist/services/postgresql";
 ensureDatabases = [
+ "miniflux"
 config.services.nextcloud.config.dbname
 config.services.gitea.database.user
 ];
 ensureUsers = [
+ {
+ name = "miniflux";
+ ensurePermissions."DATABASE miniflux" = "ALL PRIVILEGES";
+ }
 {
 name = config.services.nextcloud.config.dbuser;
 ensurePermissions."DATABASE ${config.services.nextcloud.config.dbname}" = "ALL PRIVILEGES";
 }
 {
 name = config.services.gitea.database.user;
- ensurePermissions."DATABASE ${config.services.gitea.database.name}" = "ALL PRIVILEGES";
 }
 ];
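Review bot: The `# Hardening` block in `serviceConfig` never sets `ProtectSystem`, so despite the otherwise tight sandbox the miniflux user can still write anywhere its Unix permissions allow; add `ProtectSystem = "strict";` and `PrivateTmp = true;` beside `ProtectHome = true;` (systemd keeps `RuntimeDirectory` writable under strict, and nothing else in this unit writes to disk). Separately, with `UMask = "0077"` the socket at `/run/miniflux/miniflux.sock` is created 0700 unless Miniflux chmods it after listening, so nginx's access via `extraGroups = ["miniflux"]` and the 0770 runtime directory depends on that upstream behaviour — worth confirming against the pinned miniflux version and recording in a comment on `RuntimeDirectoryMode`, e.g. `# 0770 + nginx in group miniflux: the directory, not the socket mode, gates access`. The file is new and the hunk covers it completely.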
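Review bot: The new default vhost `"_"` still performs a full TLS handshake with `gerg_ssl_cert` for any SNI that matches none of the configured names, so a scanner hitting the IP learns which certificate (and hostname) lives here before receiving the 404. The module offers `rejectSSL = true;` (nginx `ssl_reject_handshake`, ≥1.19.4) for exactly this catch-all case; it would replace the `forceSSL`/`sslCertificate`/`sslCertificateKey` lines — check the module's assertions for what `rejectSSL` may be combined with. The `virtualHosts` attribute set continues past the end of this hunk.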
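Review bot: The `flux.gerg-L.com` vhost terminates TLS and proxies to the Unix socket, but nothing in this patch sets Miniflux's `BASE_URL` to `https://flux.gerg-L.com`; if it is not inside the encrypted `minifluxenv` file, Miniflux builds absolute links, cookie paths and redirects from its default of `http://localhost/`. Consider adding `BASE_URL = "https://flux.gerg-L.com";` to the miniflux service's `environment` next to `LISTEN_ADDR`, or a comment on `proxyPass` noting where it is set. `recommendedProxySettings` (context in the earlier hunk) already forwards `X-Forwarded-*`, so only the base URL is at issue. The enclosing `virtualHosts` set begins outside this hunk.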