@ -7,26 +7,12 @@ let
defaultAddress = " l o c a l h o s t : 8 0 8 0 " ;
dbUser = " m i n i f l u x " ;
dbPassword = " m i n i f l u x " ;
dbHost = " l o c a l h o s t " ;
dbName = " m i n i f l u x " ;
defaultCredentials = pkgs . writeText " m i n i f l u x - a d m i n - c r e d e n t i a l s " ''
ADMIN_USERNAME = admin
ADMIN_PASSWORD = password
'' ;
pgbin = " ${ config . services . postgresql . package } / b i n " ;
preStart = pkgs . writeScript " m i n i f l u x - p r e - s t a r t " ''
#!${pkgs.runtimeShell}
db_exists ( ) {
[ " $ ( ${ pgbin } / p s q l - A t c " select 1 from pg_database where datname = ' $ 1 ' " ) " == " 1 " ]
}
if ! db_exists " ${ dbName } " ; then
$ { pgbin } /psql postgres - c " C R E A T E R O L E ${ dbUser } W I T H L O G I N N O C R E A T E D B N O C R E A T E R O L E E N C R Y P T E D P A S S W O R D ' ${ dbPassword } ' "
$ { pgbin } /createdb - - owner " ${ dbUser } " " ${ dbName } "
$ { pgbin } /psql " ${ dbName } " - c " C R E A T E E X T E N S I O N I F N O T E X I S T S h s t o r e "
fi
$ { pgbin } /psql " ${ dbName } " - c " C R E A T E E X T E N S I O N I F N O T E X I S T S h s t o r e "
'' ;
in
@ -54,11 +40,10 @@ in
} ;
adminCredentialsFile = mkOption {
type = types . nullOr types . path ;
default = null ;
type = types . path ;
description = ''
File containing the ADMIN_USERNAME , default is " a d m i n " , and
ADMIN_PASSWORD ( length >= 6 ) , default is " p a s s w o r d " ; in the format of
File containing the ADMIN_USERNAME and
ADMIN_PASSWORD ( length >= 6 ) in the format of
an EnvironmentFile = , as described by systemd . exec ( 5 ) .
'' ;
example = " / e t c / n i x o s / m i n i f l u x - a d m i n - c r e d e n t i a l s " ;
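Review bot: The description of adminCredentialsFile does not say where the file may live, and with `type = types.path` a Nix path literal such as `./credentials` would be copied into the world-readable Nix store when it is interpolated into the unit. Since the built-in default is removed and every user must now supply this file, the description should gain a sentence such as `The file must be located outside the Nix store and should be readable only by root.` The string example under /etc/nixos already follows that pattern. The option block closes outside the hunk.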
@ -70,16 +55,24 @@ in
services . miniflux . config = {
LISTEN_ADDR = mkDefault defaultAddress ;
DATABASE_URL = " p o s t g r e s q l : / / ${ dbUser } : ${ dbPassword } @ ${ dbHost } / ${ dbName } ? s s l m o d e = d i s a b l e " ;
DATABASE_URL = " u s e r = ${ dbUser } h o s t = / r u n / p o s t g r e s q l d b n a m e = ${ dbName } " ;
RUN_MIGRATIONS = " 1 " ;
CREATE_ADMIN = " 1 " ;
} ;
services . postgresql . enable = true ;
services . postgresql = {
enable = true ;
ensureUsers = [ {
name = dbUser ;
ensurePermissions = {
" D A T A B A S E ${ dbName } " = " A L L P R I V I L E G E S " ;
} ;
} ] ;
ensureDatabases = [ dbName ] ;
} ;
systemd . services . miniflux-dbsetup = {
description = " M i n i f l u x d a t a b a s e s e t u p " ;
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
requires = [ " p o s t g r e s q l . s e r v i c e " ] ;
after = [ " n e t w o r k . t a r g e t " " p o s t g r e s q l . s e r v i c e " ] ;
serviceConfig = {
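Review bot: The new DATABASE_URL carries no password and connects through /run/postgresql, so database access now rests on PostgreSQL peer authentication matching the OS account name to the role in dbUser, and nothing near the setting says so. A comment above it such as `# No password: peer authentication over the unix socket; the service user must be named like the database role.` would keep a later change to `User` or to the PostgreSQL authentication rules from silently breaking the connection. The value is also assigned without mkDefault, unlike LISTEN_ADDR, so it appears a deployment cannot point miniflux at a different database; worth confirming that is intended. The miniflux-dbsetup block continues outside the hunk.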
@ -92,17 +85,16 @@ in
systemd . services . miniflux = {
description = " M i n i f l u x s e r v i c e " ;
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
requires = [ " p o s t g r e s q l . s e r v i c e " ] ;
requires = [ " m i n i f l u x - d b s e t u p . s e r v i c e " ] ;
after = [ " n e t w o r k . t a r g e t " " p o s t g r e s q l . s e r v i c e " " m i n i f l u x - d b s e t u p . s e r v i c e " ] ;
serviceConfig = {
ExecStart = " ${ pkgs . miniflux } / b i n / m i n i f l u x " ;
User = dbUser ;
DynamicUser = true ;
RuntimeDirectory = " m i n i f l u x " ;
RuntimeDirectoryMode = " 0 7 0 0 " ;
EnvironmentFile = if cfg . adminCredentialsFile == null
then defaultCredentials
else cfg . adminCredentialsFile ;
EnvironmentFile = cfg . adminCredentialsFile ;
# Hardening
CapabilityBoundingSet = [ " " ] ;
DeviceAllow = [ " " ] ;
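Review bot: The `requires` list of the miniflux unit now names only miniflux-dbsetup.service, so the direct requirement on postgresql.service is reduced to ordering through `after`. Whether a stop or restart of PostgreSQL still propagates to miniflux depends on how miniflux-dbsetup is declared, and its serviceConfig lies outside the visible hunks; if it is a oneshot that does not stay active, the propagation is probably lost. Keeping both, `requires = [ "miniflux-dbsetup.service" "postgresql.service" ];`, makes the dependency explicit. serviceConfig continues past the end of this hunk.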
@ -119,7 +111,7 @@ in
ProtectKernelModules = true ;
ProtectKernelTunables = true ;
ProtectProc = " i n v i s i b l e " ;
RestrictAddressFamilies = [ " A F _ I N E T " " A F _ I N E T 6 " ] ;
RestrictAddressFamilies = [ " A F _ I N E T " " A F _ I N E T 6 " " A F _ U N I X " ] ;
RestrictNamespaces = true ;
RestrictRealtime = true ;
RestrictSUIDSGID = true ;
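Review bot: The widened `RestrictAddressFamilies` list carries no explanation; AF_UNIX is presumably needed for the PostgreSQL socket under /run/postgresql. A comment above the line, `# AF_UNIX: PostgreSQL unix socket`, would keep a later hardening pass from removing it again.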