4 files changed, 81 insertions, 0 deletions
diff --git a/nix/hosts/corrino/configuration.nix b/nix/hosts/corrino/configuration.nix
index 52e9ecf..4628ea5 100644
--- a/nix/hosts/corrino/configuration.nix
+++ b/nix/hosts/corrino/configuration.nix
@@ -46,6 +46,7 @@ in
 
     ./www/tickets.emile.space.nix
     # ./www/talks.emile.space.nix
+    ./www/miniflux.emile.space.nix
     # ./www/stream.emile.space.nix
     ./www/md.emile.space.nix
     ./www/social.emile.space.nix
diff --git a/nix/hosts/corrino/secrets/miniflux_admin_file.age b/nix/hosts/corrino/secrets/miniflux_admin_file.age
new file mode 100644
index 0000000..3e00b9b
--- /dev/null
+++ b/nix/hosts/corrino/secrets/miniflux_admin_file.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 gvwQ2Q OGds4NLmRiMmVjPTORP3jLe3iEkqrDyTqW4V7ceFfRk
+FFdZcsT9ZruNhpY5cb674qpQpK0qzHNwRPCfHvYaKcE
+-> ssh-ed25519 m8VklA 84XSPja8dzJEUVR5olwNONVzNn5QrsX+R+WeBHqxXDo
+5CVpnTDcO0EG3NsHdFsSABWNBIe3Xe16me13JIOlfos
+--- rlIUU/0gYwxIXmpRI5/3mmZXJ+JrG/tE/3IBtpo4uT4
+²Ý-9J¬N™ÌVŸëªG.l‚.eÈ?Á©&¾§rõ;V˜#®ahSJWjh‰ôèv˜Ñ³t;3è¸ÉÂ‚Ï«k Ž(^QU	‹ö*ºcz·ßF°bwPZ¼uqãšÄ‰Û
\ No newline at end of file
diff --git a/nix/hosts/corrino/secrets/miniflux_oidc_secret.age b/nix/hosts/corrino/secrets/miniflux_oidc_secret.age
new file mode 100644
index 0000000..c16754e
--- /dev/null
+++ b/nix/hosts/corrino/secrets/miniflux_oidc_secret.age
Binary files differdiff --git a/nix/hosts/corrino/www/miniflux.emile.space.nix b/nix/hosts/corrino/www/miniflux.emile.space.nix
new file mode 100644
index 0000000..f5b9817
--- /dev/null
+++ b/nix/hosts/corrino/www/miniflux.emile.space.nix
@@ -0,0 +1,73 @@
+{ config, pkgs, ... }:
+
+{
+	services.nginx.virtualHosts."miniflux.emile.space" = {
+		forceSSL = true;
+		enableACME = true;
+		locations = {
+			"/" = {
+				proxyPass = "http://${config.services.miniflux.config.LISTEN_ADDR}";
+			};
+		};
+	};
+
+  # auth via authelia
+  services.authelia.instances.main.settings.identity_providers.oidc.clients = [
+    {
+      id = "miniflux";
+
+      # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+      secret = "$pbkdf2-sha512$310000$rlOuqUDGc/kl3bw7JgcSpg$4COyNudsu/7L8qhnxfcQld5Fy.ru/JUp7RCI7dCHZMtzxRnhckW8A7uz3Xeuc7.BjCIwc4GdWusPt6.TiH6Kpw";
+      public = false;
+      authorization_policy = "two_factor";
+      redirect_uris = [ "https://miniflux.emile.space/oauth2/oidc/callback" ];
+      scopes = [
+        "openid"
+        "email"
+        "profile"
+      ];
+      grant_types = [
+        "refresh_token"
+        "authorization_code"
+      ];
+      response_types = [ "code" ];
+      response_modes = [
+        "form_post"
+        "query"
+        "fragment"
+      ];
+      token_endpoint_auth_method = "client_secret_post";
+    }
+  ];
+
+	services.miniflux = {
+		enable = true;
+		package = pkgs.miniflux;
+		config = {
+			BASE_URL = "https://miniflux.emile.space";
+
+			# Cleanup job frequency to remove old sessions and archive entries.
+		  CLEANUP_FREQUENCY = 48;
+
+			# Set to 1 to enable maintenance mode. Maintenance mode disables the web ui and show a text message to the users.
+			# MAINTENANCE_MODE = 1;
+			# MAINTENANCE_MESSAGE = "updating foo";
+			
+			OAUTH2_CLIENT_ID = "miniflux";
+			OAUTH2_CLIENT_SECRET_FILE = config.age.secrets.miniflux_oidc_secret.path;
+			OAUTH2_OIDC_DISCOVERY_ENDPOINT = "sso.emile.space";
+			OAUTH2_OIDC_PROVIDER_NAME = "authelia";
+			OAUTH2_PROVIDER = "oidc";
+			OAUTH2_REDIRECT_URL = "https://miniflux.emile.space/oauth2/oidc/callback";
+			
+		  LISTEN_ADDR = "[::1]:${toString config.emile.ports.miniflux}";
+		};
+		createDatabaseLocally = true;
+
+		# File containing the ADMIN_USERNAME and ADMIN_PASSWORD (length >= 6) in the format of an EnvironmentFile=, as described by systemd.exec(5).
+		adminCredentialsFile = config.age.secrets.miniflux_admin_file.path;
+	};
+	
+
+
+}