modules/miniflux: handle oauth2 secret with LoadCredential

machines/massicot/default.nix

@@ -28,9 +28,7 @@
       grafana_oauth_secret = {
         owner = "grafana";
       };
-      miniflux_oauth_secret = {
-        owner = "miniflux";
-      };
+      "miniflux/oauth2_secret" = { };
     };
   };
 

machines/massicot/secrets.yaml

@@ -2,6 +2,7 @@ storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ
 gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str]
 hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str]
 grafana_oauth_secret: ENC[AES256_GCM,data:2dSgxeWXNtlvbrgW9whCVuM6tfzd4lVhynwQTSPbBJndhI8scpJle7LjI1+b14FS9boBsuYO+ym4Pf1I8/jJtKkj6X6I0BmXFBC/SfpCpo+ZGrxacg==,iv:N8iTPqMagKP3hWc7n0bjgYKvaFaw11ITvDn9lUkkAPY=,tag:Cz59fA2Zq3jVvhfxaFuGAA==,type:str]
+miniflux: ENC[AES256_GCM,data:26/dYh3jrcqIxmo2WSy1tz54BQQAQg==,iv:yv7dS/RcsitYb/7firhr5lcy1TUDMuFRpwk6WaPHOKk=,tag:FdJcvBCL96GqG3uB41i6Ng==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -26,8 +27,8 @@ sops:
             dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
             V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-31T09:24:12Z"
-    mac: ENC[AES256_GCM,data:/TIuK0O0e3Kkb9yjVE4GEPLRRFo1wQEzfcuCcX/hS4eGSgVPu8p52meEzVW7Z9GLiKsmgSW+L5fW4k+kXGcOfKr1BarjfHa0pGcfoW/gb8BV2TFmX9rQk9ioh5m5NT97pv5KgrpPIU+HjUEe5ORebVZh5sW/R3Vh3PCyagINcIs=,iv:mU4P7BUnMjA/hIhX9SUImOuazoccPdnmeNIPGJUXaLw=,tag:EMXAVLgFZk3Mgv2O1rgibg==,type:str]
+    lastmodified: "2024-08-05T02:36:03Z"
+    mac: ENC[AES256_GCM,data:VD2tlgzwUujeuvO1SX4TBvJPyAQUKroZZ6KjJHwWvx/nOS/MfZQshuccP3QofHMKdBfSal22WVuxTzmzVCWv870/EOVKr3Tw1vAEpidDOLwmKHp6GrJXh5ReKg00j2yHgClsjetSMCQfaWmrO11Wa2UjS9+XDRMCQZ2sw2qbUtI=,iv:5kMwdTEeR7Dx0jfI4afeR88L1Sgij3S18KXGc77qzBU=,tag:4nKzV7vSX3T1b/HoAnCX8A==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0

machines/massicot/services.nix

@@ -86,9 +86,9 @@ in
     provision = import ./kanidm-provision.nix;
   };
 
-  services.miniflux = {
+  custom.miniflux = {
     enable = true;
-    config = {
+    environment = {
       LISTEN_ADDR = "127.0.0.1:58173";
       OAUTH2_PROVIDER = "oidc";
       OAUTH2_CLIEND_ID = "miniflux";
@@ -97,7 +97,7 @@ in
       OAUTH2_USER_CREATION = 1;
       CREATE_ADMIN = lib.mkForce "";
     };
-    adminCredentialsFile = config.sops.secrets.miniflux_oauth_secret;
+    oauth2SecretFile = config.sops.secrets."miniflux/oauth2_secret".path;
   };
 
   services.matrix-conduit = {

modules/nixos/default.nix

@@ -12,5 +12,6 @@
     ./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge
     ./forgejo-actions-runner.nix
     ./oidc-agent.nix
+    ./miniflux.nix
   ];
 }

modules/nixos/miniflux.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, lib, ... }:
+let
+  inherit (lib) mkEnableOption mkOption types;
+  cfg = config.custom.miniflux;
+in
+{
+  options = {
+    custom.miniflux = {
+      enable = mkEnableOption "miniflux";
+      oauth2SecretFile = mkOption {
+        type = types.path;
+      };
+      environmentFile = mkOption {
+        type = types.path;
+        default = "/dev/null";
+      };
+      environment = mkOption {
+        type = with types; attrsOf (oneOf [ int str ]);
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.miniflux = {
+      enable = true;
+      adminCredentialsFile = cfg.environmentFile;
+    };
+    systemd.services.miniflux = {
+      serviceConfig = {
+        LoadCredential = [ "oauth2_secret:${cfg.oauth2SecretFile}" ];
+        EnvironmentFile = [ "%d/oauth2_secret" ];
+      };
+      environment = lib.mapAttrs (_: lib.mkForce) (lib.mapAttrs (_: toString) cfg.environment);
+    };
+  };
+}