{ config, lib, pkgs, ... }: with lib; let cfg = config.services.miniflux; defaultAddress = "localhost:8080"; pgbin = "${config.services.postgresql.package}/bin"; preStart = pkgs.writeScript "miniflux-pre-start" '' #!${pkgs.runtimeShell} ${pgbin}/psql "miniflux" -c "CREATE EXTENSION IF NOT EXISTS hstore" ''; in { options = { services.miniflux = { enable = mkEnableOption "miniflux"; package = mkPackageOption pkgs "miniflux" { }; createDatabaseLocally = lib.mkOption { type = lib.types.bool; default = true; description = '' Whether a PostgreSQL database should be automatically created and configured on the local host. If set to `false`, you need provision a database yourself and make sure to create the hstore extension in it. ''; }; config = mkOption { type = with types; attrsOf (oneOf [ str int ]); example = literalExpression '' { CLEANUP_FREQUENCY = 48; LISTEN_ADDR = "localhost:8080"; } ''; description = '' Configuration for Miniflux, refer to for documentation on the supported values. Correct configuration for the database is already provided. By default, listens on ${defaultAddress}. ''; }; adminCredentialsFile = mkOption { type = types.path; description = '' File containing the ADMIN_USERNAME and ADMIN_PASSWORD (length >= 6) in the format of an EnvironmentFile=, as described by systemd.exec(5). ''; example = "/etc/nixos/miniflux-admin-credentials"; }; }; }; config = mkIf cfg.enable { services.miniflux.config = { LISTEN_ADDR = mkDefault defaultAddress; DATABASE_URL = lib.mkIf cfg.createDatabaseLocally "user=miniflux host=/run/postgresql dbname=miniflux"; RUN_MIGRATIONS = 1; CREATE_ADMIN = 1; }; services.postgresql = lib.mkIf cfg.createDatabaseLocally { enable = true; ensureUsers = [ { name = "miniflux"; ensureDBOwnership = true; } ]; ensureDatabases = [ "miniflux" ]; }; systemd.services.miniflux-dbsetup = lib.mkIf cfg.createDatabaseLocally { description = "Miniflux database setup"; requires = [ "postgresql.service" ]; after = [ "network.target" "postgresql.service" ]; serviceConfig = { Type = "oneshot"; User = config.services.postgresql.superUser; ExecStart = preStart; }; }; systemd.services.miniflux = { description = "Miniflux service"; wantedBy = [ "multi-user.target" ]; requires = lib.optional cfg.createDatabaseLocally "miniflux-dbsetup.service"; after = [ "network.target" ] ++ lib.optionals cfg.createDatabaseLocally [ "postgresql.service" "miniflux-dbsetup.service" ]; serviceConfig = { ExecStart = "${cfg.package}/bin/miniflux"; User = "miniflux"; DynamicUser = true; RuntimeDirectory = "miniflux"; RuntimeDirectoryMode = "0750"; EnvironmentFile = cfg.adminCredentialsFile; # Hardening CapabilityBoundingSet = [ "" ]; DeviceAllow = [ "" ]; LockPersonality = true; MemoryDenyWriteExecute = true; PrivateDevices = true; PrivateUsers = true; ProcSubset = "pid"; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged" ]; UMask = "0077"; }; environment = lib.mapAttrs (_: toString) cfg.config; }; environment.systemPackages = [ cfg.package ]; security.apparmor.policies."bin.miniflux".profile = '' include ${cfg.package}/bin/miniflux { include include include include "${pkgs.apparmorRulesFromClosure { name = "miniflux"; } cfg.package}" r ${cfg.package}/bin/miniflux, r @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size, rw /run/miniflux/**, } ''; }; }