
{
# Human-readable identity of this role, as shown by whatever consumes the role list.
name = "FreshRSS";
# Equivalent to the indented-string form: the trailing newline is part of the value.
description = "RSS reader and sync server\n";
# Route definitions handed to Traefik for this role.
# `host` carries the machine's hostname/ip plus its evaluated config; only
# `host.config.freshrss.domain` is read from the latter.
traefikRoutes =
  { host, ... }:
  let
    inherit (host) hostname ip;
    freshrssCfg = host.config.freshrss;
    # Upstream is plain HTTP on the host's published port, so the hop from
    # Traefik to FreshRSS is unencrypted; only the proxy-facing side is routed here.
    upstream = "http://${ip}:1342";
  in
  [
    {
      name = hostname + "-freshrss";
      rule = "Host(`${freshrssCfg.domain}`)";
      target = upstream;
    }
  ];
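# NixOS module for the FreshRSS role: declares the role's options and wires up
# secrets, storage, database and the podman container.
# `config` is the evaluated NixOS config (used for sops paths/placeholders);
# `dockerImages.freshrss` supplies the pinned image metadata. `pkgs` is
# accepted for module-signature compatibility but not used here.
nixosModule =
  {
    lib,
    config,
    pkgs,
    dockerImages,
    ...
  }:
  {
    options.freshrss = {
      domain = lib.mkOption {
        type = lib.types.str;
        description = "Public hostname FreshRSS is served on; the role's Traefik Host() rule is built from it.";
      };
      adminUser = lib.mkOption {
        type = lib.types.str;
        description = "Username of the FreshRSS admin account. Declared by this role but not consumed anywhere in this module's config.";
      };
    };
    config =
      let
        # Host-side persistent storage, bind-mounted into the container.
        appDir = "/cephfs/appdata/freshrss";
        dataDir = "${appDir}/data";
        # Host port on which the container's HTTP port 80 is published; this is
        # the port the role's Traefik route targets.
        httpPort = 1342;
      in
      {
        # NOTE(review): this opens the plain-HTTP port on the host firewall, and the
        # port mapping below carries no host address, so (if `podman.containers`
        # passes it through as a regular publish) FreshRSS is reachable directly,
        # bypassing Traefik. Because OIDC_X_FORWARDED_HEADERS tells FreshRSS to trust
        # X-Forwarded-* headers, direct access lets a client set those itself —
        # confirm that only the proxy can reach this port, or publish it on a
        # proxy-only address.
        networking.firewall.allowedTCPPorts = [
          httpPort # Freshrss
        ];
        # OIDC client credentials are decrypted by sops at activation time and owned
        # by the service user; they are never literal values in the Nix store.
        sops.secrets = {
          "freshrss/client_id" = {
            owner = "freshrss";
          };
          "freshrss/client_secret" = {
            owner = "freshrss";
          };
        };
        # Rendered into an env file via placeholders, so the secret values only
        # exist in the generated file, not in the evaluated module.
        sops.templates."freshrss-secret.env" = {
          owner = "freshrss";
          content = ''
            OIDC_CLIENT_ID=${config.sops.placeholder."freshrss/client_id"}
            OIDC_CLIENT_SECRET=${config.sops.placeholder."freshrss/client_secret"}
          '';
        };
        # Set up user to run freshrss
        users.users."freshrss" = {
          isSystemUser = true;
          group = "freshrss";
        };
        users.groups."freshrss" = { };
        # Directories are owner-only (0750). NOTE(review): the process inside the
        # container must run with a UID that maps to `freshrss` on the host for
        # writes to data/extensions to succeed — not visible here; confirm against
        # the `podman.containers` module.
        systemd.tmpfiles.rules = [
          "d '${appDir}' 0750 freshrss freshrss - -"
          "d '${dataDir}' 0750 freshrss freshrss - -"
          "d '${appDir}/extensions' 0750 freshrss freshrss - -"
        ];
        # Create the database
        postgres.databases = [ "freshrss" ];
        podman.containers = {
          "freshrss" = {
            imageMetadata = dockerImages.freshrss;
            autoStart = true;
            environment = {
              TZ = "Europe/Amsterdam";
              CRON_MIN = "3,33";
              OIDC_ENABLED = "1";
              OIDC_PROVIDER_METADATA_URL = "https://auth.kallestruik.nl/application/o/freshrss/.well-known/openid-configuration";
              # FreshRSS will honour these proxy headers on every request it
              # receives; see the firewall note above for why that matters.
              OIDC_X_FORWARDED_HEADERS = "X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host";
              OIDC_SCOPES = "openid email profile";
            };
            # Client id/secret come from the sops-rendered env file rather than
            # the `environment` attrset, keeping them out of the store.
            environmentFiles = [
              config.sops.templates."freshrss-secret.env".path
            ];
            volumes = [
              "${dataDir}:/var/www/FreshRSS/data"
              "${appDir}/extensions:/var/www/FreshRSS/extensions"
            ];
            ports = [
              "${toString httpPort}:80"
            ];
          };
        };
      };
  };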
}