millironx/nix-dotfiles
1
0
Fork 0
Code Issues Pull requests Releases Packages Activity Actions

Compare commits

base: millironx:0571d801edfe6009b430207bed9ba06682de736a
Branches Tags
millironx:master
millironx:feat/nixos-25.11
millironx:feat/mcentire-crowdsec
..
compare: millironx:ed495148c14c4490e3cee9eaa0cb02c36b1bf946
Branches Tags
millironx:master
millironx:feat/nixos-25.11
millironx:feat/mcentire-crowdsec

2 commits
0571d801ed ... ed495148c1

Author SHA1 Message Date
Thomas A. Christensen II
ed495148c1
service (freshrss): Add freshrss service 2025-12-08 14:44:22 -06:00
Thomas A. Christensen II
a0175f565b
secrets! (pihole): Remove pihole secrets 2025-12-08 08:11:43 -06:00
4 changed files with 138 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
secrets.nix
View file

@ -34,7 +34,8 @@ in {
++ [ mcentire-host ]; ++ [ mcentire-host ];
"secrets/darwin-policies-json.age".publicKeys = system-administrators "secrets/darwin-policies-json.age".publicKeys = system-administrators
++ [ corianne-host ]; ++ [ corianne-host ];
"secrets/freshrss.toml.age".publicKeys = system-administrators
++ [ mcentire-host ];
"secrets/network-information.age".publicKeys = system-administrators "secrets/network-information.age".publicKeys = system-administrators
++ [ bosephus-host ]; ++ [ bosephus-host ];
"secrets/pihole.age".publicKeys = system-administrators ++ [ bosephus-host ];
} }

BIN
secrets/freshrss.toml.age Normal file
View file

Binary file not shown.

BIN
secrets/pihole.age
View file

Binary file not shown.

136
services/freshrss.nix Normal file
View file

@ -0,0 +1,136 @@
{ config, pkgs, home-manager-quadlet-nix, ... }:
let
user = "freshrss";
port = "37374";
stateDirectory = "/var/lib/freshrss";
serviceContainer = "freshrss";
stateSubDir = subDir: "${stateDirectory}/${subDir}";
createTmpfilesRule = subDir: "d ${stateSubDir subDir} 1755 ${user} ${user}";
volumeMount = subDir: bindDir: "${stateDirectory}/${subDir}:${bindDir}:U";
dbDirectories = [ "database" ];
serviceDirectories = [ ];
in {
age.secrets = {
"freshrss.toml" = {
file = ./../secrets/freshrss.toml.age;
owner = "${user}";
};
};
millironx.podman-secrets.freshrss = {
user = "${user}";
secrets-files = [ config.age.secrets."freshrss.toml".path ];
};
services.caddy.virtualHosts."feeds.millironx.com".extraConfig = ''
reverse_proxy http://127.0.0.1:${port}
'';
systemd.tmpfiles.rules = builtins.map createTmpfilesRule
([ stateDirectory ] ++ dbDirectories ++ serviceDirectories);
services.borgmatic.configurations."${config.networking.hostName}" = {
source_directories = builtins.map stateSubDir dbDirectories;
name = serviceContainer;
psql_command =
"/run/wrappers/bin/sudo -iu ${user} ${pkgs.podman}/bin/podman exec ${serviceContainer}-db psql --username=${user}";
pg_dump_command =
"/run/wrappers/bin/sudo -iu ${user} ${pkgs.podman}/bin/podman exec ${serviceContainer}-db pg_dump --username=${user}";
pg_restore_command =
"/run/wrappers/bin/sudo -iu ${user} ${pkgs.podman}/bin/podman exec ${serviceContainer}-db pg_restore --username=${user}";
};
users.users."${user}" = {
group = "${user}";
isNormalUser = true;
home = "${stateDirectory}";
createHome = true;
linger = true;
autoSubUidGidRange = true;
};
users.groups."${user}" = { };
home-manager.users."${user}" = { config, osConfig, ... }: {
imports = [ home-manager-quadlet-nix ];
home.stateVersion = "25.05";
virtualisation.quadlet = let
inherit (config.virtualisation.quadlet) containers;
inherit (config.virtualisation.quadlet) networks;
secrets = osConfig.millironx.podman-secrets.freshrss;
in {
containers = {
"${serviceContainer}-db" = {
autoStart = true;
containerConfig = {
image = "docker.io/library/postgres:16";
environments = {
POSTGRES_DB = "${user}";
POSTGRES_USER = "${user}";
};
secrets = [
"POSTGRES_PASSWORD,type=env"
"POSTGRES_PASSWORD,type=env,target=PGPASSWORD"
];
healthCmd = "pg_isready -d $\${POSTGRES_DB} -U $\${POSTGRES_USER}";
healthInterval = "30s";
healthRetries = 5;
healthStartPeriod = "20s";
volumes = pkgs.lib.imap0 (i: sub:
volumeMount sub
(builtins.elemAt [ "/var/lib/postgresql/data" ] i)) dbDirectories;
networks = [ networks."${serviceContainer}".ref ];
};
unitConfig.Requires = [ secrets.ref ];
unitConfig.After = [ secrets.ref ];
};
"${serviceContainer}" = {
autoStart = true;
containerConfig = {
image = "docker.io/freshrss/freshrss:1";
environments = {
TZ = osConfig.time.timeZone;
CRON_MIN = "2,32";
LISTEN = "0.0.0.0:${port}";
OIDC_ENABLED = "1";
FRESHRSS_INSTALL = ''
--api-enabled
--base-url
--db-base $''${DB_BASE}
--db-host $''${DB_HOST}
--db-password $''${DB_PASSWORD}
--db-type pgsql
--db-user $''${DB_USER}
--default-user admin
--language en
'';
};
secrets = [
"FRESHRSS_INSTALL,type=env"
"FRESHRSS_USER,type=env"
];
healthCmd = "cli/health.php";
healthTimeout = "10s";
healthStartPeriod = "60s";
healthStartupInterval = "11s";
healthInterval = "75s";
healthRetries = 3;
networks = [networks."${serviceContainer}".ref];
};
unitConfig.Requires = [ containers."${serviceContainer}-db".ref ];
unitConfig.After = [ containers."${serviceContainer}-db".ref ];
};
};
networks."${serviceContainer}" = {};
autoUpdate.enable = true;
};
};
}