modules/miniflux: handle oauth2 secret with LoadCredential
parent
9ffc2ad23d
commit
9d44f6eb07
5 changed files with 44 additions and 8 deletions
@ -28,9 +28,7 @@
|
||||||
grafana_oauth_secret = {
|
grafana_oauth_secret = {
|
||||||
owner = "grafana";
|
owner = "grafana";
|
||||||
};
|
};
|
||||||
miniflux_oauth_secret = {
|
"miniflux/oauth2_secret" = { };
|
||||||
owner = "miniflux";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
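Review bot: The key path of the new declaration `"miniflux/oauth2_secret" = { };` does not appear to match the secrets file touched by the same commit: sops-nix uses the attribute name as the default `key`, so a name containing a slash addresses a nested YAML entry (`miniflux:` then `oauth2_secret:`), whereas the secrets.yaml hunk adds a top-level scalar `miniflux: ENC[...]`. Unless `key` is set elsewhere, either set `key = "miniflux";` on this secret or nest the value under `miniflux.oauth2_secret` in the YAML, and confirm with a rebuild that the secret actually materialises before merging. Dropping `owner = "miniflux"` is consistent with the move to LoadCredential, which reads the file as root and hands the service its own copy, so the sops output can stay root-only.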
|
||||||
@ -2,6 +2,7 @@ storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ
|
||||||
gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str]
|
gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str]
|
||||||
hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str]
|
hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str]
|
||||||
grafana_oauth_secret: ENC[AES256_GCM,data:2dSgxeWXNtlvbrgW9whCVuM6tfzd4lVhynwQTSPbBJndhI8scpJle7LjI1+b14FS9boBsuYO+ym4Pf1I8/jJtKkj6X6I0BmXFBC/SfpCpo+ZGrxacg==,iv:N8iTPqMagKP3hWc7n0bjgYKvaFaw11ITvDn9lUkkAPY=,tag:Cz59fA2Zq3jVvhfxaFuGAA==,type:str]
|
grafana_oauth_secret: ENC[AES256_GCM,data:2dSgxeWXNtlvbrgW9whCVuM6tfzd4lVhynwQTSPbBJndhI8scpJle7LjI1+b14FS9boBsuYO+ym4Pf1I8/jJtKkj6X6I0BmXFBC/SfpCpo+ZGrxacg==,iv:N8iTPqMagKP3hWc7n0bjgYKvaFaw11ITvDn9lUkkAPY=,tag:Cz59fA2Zq3jVvhfxaFuGAA==,type:str]
|
||||||
|
miniflux: ENC[AES256_GCM,data:26/dYh3jrcqIxmo2WSy1tz54BQQAQg==,iv:yv7dS/RcsitYb/7firhr5lcy1TUDMuFRpwk6WaPHOKk=,tag:FdJcvBCL96GqG3uB41i6Ng==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -26,8 +27,8 @@ sops:
|
||||||
dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
|
dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
|
||||||
V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
|
V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-07-31T09:24:12Z"
|
lastmodified: "2024-08-05T02:36:03Z"
|
||||||
mac: ENC[AES256_GCM,data:/TIuK0O0e3Kkb9yjVE4GEPLRRFo1wQEzfcuCcX/hS4eGSgVPu8p52meEzVW7Z9GLiKsmgSW+L5fW4k+kXGcOfKr1BarjfHa0pGcfoW/gb8BV2TFmX9rQk9ioh5m5NT97pv5KgrpPIU+HjUEe5ORebVZh5sW/R3Vh3PCyagINcIs=,iv:mU4P7BUnMjA/hIhX9SUImOuazoccPdnmeNIPGJUXaLw=,tag:EMXAVLgFZk3Mgv2O1rgibg==,type:str]
|
mac: ENC[AES256_GCM,data:VD2tlgzwUujeuvO1SX4TBvJPyAQUKroZZ6KjJHwWvx/nOS/MfZQshuccP3QofHMKdBfSal22WVuxTzmzVCWv870/EOVKr3Tw1vAEpidDOLwmKHp6GrJXh5ReKg00j2yHgClsjetSMCQfaWmrO11Wa2UjS9+XDRMCQZ2sw2qbUtI=,iv:5kMwdTEeR7Dx0jfI4afeR88L1Sgij3S18KXGc77qzBU=,tag:4nKzV7vSX3T1b/HoAnCX8A==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.9.0
|
version: 3.9.0
|
@ -86,9 +86,9 @@ in
|
||||||
provision = import ./kanidm-provision.nix;
|
provision = import ./kanidm-provision.nix;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.miniflux = {
|
custom.miniflux = {
|
||||||
enable = true;
|
enable = true;
|
||||||
config = {
|
environment = {
|
||||||
LISTEN_ADDR = "127.0.0.1:58173";
|
LISTEN_ADDR = "127.0.0.1:58173";
|
||||||
OAUTH2_PROVIDER = "oidc";
|
OAUTH2_PROVIDER = "oidc";
|
||||||
OAUTH2_CLIEND_ID = "miniflux";
|
OAUTH2_CLIEND_ID = "miniflux";
|
||||||
|
@ -97,7 +97,7 @@ in
|
||||||
OAUTH2_USER_CREATION = 1;
|
OAUTH2_USER_CREATION = 1;
|
||||||
CREATE_ADMIN = lib.mkForce "";
|
CREATE_ADMIN = lib.mkForce "";
|
||||||
};
|
};
|
||||||
adminCredentialsFile = config.sops.secrets.miniflux_oauth_secret;
|
oauth2SecretFile = config.sops.secrets."miniflux/oauth2_secret".path;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.matrix-conduit = {
|
services.matrix-conduit = {
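Review bot: The context line `OAUTH2_CLIEND_ID = "miniflux";` carries a pre-existing typo that this commit keeps: Miniflux reads `OAUTH2_CLIENT_ID`, so unless the client id is supplied elsewhere the OIDC provider will receive an empty client id and the login flow cannot complete. Change it to `OAUTH2_CLIENT_ID = "miniflux";`. The `custom.miniflux` block starts in the first hunk and ends in the second, with unshown lines between them.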
|
@ -12,5 +12,6 @@
|
||||||
./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge
|
./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge
|
||||||
./forgejo-actions-runner.nix
|
./forgejo-actions-runner.nix
|
||||||
./oidc-agent.nix
|
./oidc-agent.nix
|
||||||
|
./miniflux.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
36
modules/nixos/miniflux.nix
Normal file
@ -0,0 +1,36 @@
|
||||||
|
{ config, pkgs, lib, ... }:
|
||||||
|
let
|
||||||
|
inherit (lib) mkEnableOption mkOption types;
|
||||||
|
cfg = config.custom.miniflux;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options = {
|
||||||
|
custom.miniflux = {
|
||||||
|
enable = mkEnableOption "miniflux";
|
||||||
|
oauth2SecretFile = mkOption {
|
||||||
|
type = types.path;
|
||||||
|
};
|
||||||
|
environmentFile = mkOption {
|
||||||
|
type = types.path;
|
||||||
|
default = "/dev/null";
|
||||||
|
};
|
||||||
|
environment = mkOption {
|
||||||
|
type = with types; attrsOf (oneOf [ int str ]);
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = lib.mkIf cfg.enable {
|
||||||
|
services.miniflux = {
|
||||||
|
enable = true;
|
||||||
|
adminCredentialsFile = cfg.environmentFile;
|
||||||
|
};
|
||||||
|
systemd.services.miniflux = {
|
||||||
|
serviceConfig = {
|
||||||
|
LoadCredential = [ "oauth2_secret:${cfg.oauth2SecretFile}" ];
|
||||||
|
EnvironmentFile = [ "%d/oauth2_secret" ];
|
||||||
|
};
|
||||||
|
environment = lib.mapAttrs (_: lib.mkForce) (lib.mapAttrs (_: toString) cfg.environment);
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
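Review bot: `oauth2SecretFile` has no `description`, and its contract is not obvious from the name: because the credential is consumed through `EnvironmentFile = [ "%d/oauth2_secret" ]`, the file must be in systemd EnvironmentFile syntax, e.g. a single line `OAUTH2_CLIENT_SECRET=<secret>`, not the bare secret. Add `description = "File in EnvironmentFile syntax (OAUTH2_CLIENT_SECRET=...) handed to miniflux via systemd LoadCredential; read as root, never copied into the Nix store.";` and, on the `environment` option, a note that its values are rendered into the unit file in the world-readable store and so must never carry secrets. If the deployed Miniflux supports the `OAUTH2_CLIENT_SECRET_FILE` variant, pointing it at `%d/oauth2_secret` would remove the env-file format coupling, which is worth checking against the version in use. The list form of `EnvironmentFile` here is presumably meant to merge with the string `adminCredentialsFile` that the upstream module sets; confirm in the generated unit that both files appear.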
|