diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index 4824e01cd8ac..4acdcd7d60f9 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -444,6 +444,13 @@
support due to python2 deprecation in nixpkgs
+
+
+ services.miniflux.adminCredentialFiles is
+ now required, instead of defaulting to
+ admin and password.
+
+
The autorestic package has been upgraded
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 78240a4f50e2..e81bdd884d06 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -147,6 +147,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- opensmtpd-extras is no longer build with python2 scripting support due to python2 deprecation in nixpkgs
+- `services.miniflux.adminCredentialFiles` is now required, instead of defaulting to `admin` and `password`.
+
- The `autorestic` package has been upgraded from 1.3.0 to 1.5.0 which introduces breaking changes in config file, check [their migration guide](https://autorestic.vercel.app/migration/1.4_1.5) for more details.
- For `pkgs.python3.pkgs.ipython`, its direct dependency `pkgs.python3.pkgs.matplotlib-inline`
diff --git a/nixos/modules/services/web-apps/miniflux.nix b/nixos/modules/services/web-apps/miniflux.nix
index 14cbfb395402..641c9be85d8c 100644
--- a/nixos/modules/services/web-apps/miniflux.nix
+++ b/nixos/modules/services/web-apps/miniflux.nix
@@ -7,26 +7,12 @@ let
defaultAddress = "localhost:8080";
dbUser = "miniflux";
- dbPassword = "miniflux";
- dbHost = "localhost";
dbName = "miniflux";
- defaultCredentials = pkgs.writeText "miniflux-admin-credentials" ''
- ADMIN_USERNAME=admin
- ADMIN_PASSWORD=password
- '';
-
pgbin = "${config.services.postgresql.package}/bin";
preStart = pkgs.writeScript "miniflux-pre-start" ''
#!${pkgs.runtimeShell}
- db_exists() {
- [ "$(${pgbin}/psql -Atc "select 1 from pg_database where datname='$1'")" == "1" ]
- }
- if ! db_exists "${dbName}"; then
- ${pgbin}/psql postgres -c "CREATE ROLE ${dbUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${dbPassword}'"
- ${pgbin}/createdb --owner "${dbUser}" "${dbName}"
- ${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"
- fi
+ ${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"
'';
in
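Review bot: The `CREATE EXTENSION IF NOT EXISTS hstore` that preStart now runs unconditionally on L51 still needs privileges the `miniflux` role provisioned by this commit does not clearly have: hstore requires superuser on PostgreSQL before 13, and on 13+ it is a trusted extension installable by a role with CREATE on the database. That means the miniflux-dbsetup unit must keep running as the `postgres` user; its serviceConfig lies outside this hunk, so confirm it was not switched to the service's own user. A short comment would stop a later reader from folding this into the miniflux unit itself: `# hstore needs superuser (or, on PostgreSQL 13+, CREATE on the database); keep this in the dbsetup unit, not the DynamicUser service`.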
@@ -54,11 +40,10 @@ in
};
adminCredentialsFile = mkOption {
- type = types.nullOr types.path;
- default = null;
+ type = types.path;
description = ''
- File containing the ADMIN_USERNAME, default is "admin", and
- ADMIN_PASSWORD (length >= 6), default is "password"; in the format of
+ File containing the ADMIN_USERNAME and
+ ADMIN_PASSWORD (length >= 6) in the format of
an EnvironmentFile=, as described by systemd.exec(5).
'';
example = "/etc/nixos/miniflux-admin-credentials";
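Review bot: The description on L63-L65 says nothing about where the credentials file may live, and the new `types.path` on L59 also accepts a Nix path literal such as `./miniflux-admin-credentials`, which would copy the admin password into the world-readable Nix store. Add a sentence to the description: `Pass the path as a string pointing outside the Nix store; a Nix path literal would copy the secret into the world-readable store.` The release-note entry elsewhere in this commit (L21) spells the option `adminCredentialFiles`, which does not match `adminCredentialsFile` here and will send users to a non-existent option.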
@@ -70,16 +55,24 @@ in
services.miniflux.config = {
LISTEN_ADDR = mkDefault defaultAddress;
- DATABASE_URL = "postgresql://${dbUser}:${dbPassword}@${dbHost}/${dbName}?sslmode=disable";
+ DATABASE_URL = "user=${dbUser} host=/run/postgresql dbname=${dbName}";
RUN_MIGRATIONS = "1";
CREATE_ADMIN = "1";
};
- services.postgresql.enable = true;
+ services.postgresql = {
+ enable = true;
+ ensureUsers = [ {
+ name = dbUser;
+ ensurePermissions = {
+ "DATABASE ${dbName}" = "ALL PRIVILEGES";
+ };
+ } ];
+ ensureDatabases = [ dbName ];
+ };
systemd.services.miniflux-dbsetup = {
description = "Miniflux database setup";
- wantedBy = [ "multi-user.target" ];
requires = [ "postgresql.service" ];
after = [ "network.target" "postgresql.service" ];
serviceConfig = {
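Review bot: `"DATABASE ${dbName}" = "ALL PRIVILEGES"` on L82 grants database-level privileges only, not ownership of the database or privileges on its schemas; on PostgreSQL 15 and later the `public` schema no longer grants CREATE to PUBLIC, so the migrations miniflux runs as the `miniflux` role (RUN_MIGRATIONS on L73 over the peer-authenticated DATABASE_URL on L72) may fail to create tables. Whether that bites depends on the default `services.postgresql.package`, which is outside this hunk, so it is worth a comment at the ensurePermissions line: `# database-level privileges only; on PostgreSQL >= 15 migrations also need CREATE on the public schema (or ownership)`. The dbsetup serviceConfig starting at L92 continues outside the hunk, so I could not check what user it runs as.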
@@ -92,17 +85,16 @@ in
systemd.services.miniflux = {
description = "Miniflux service";
wantedBy = [ "multi-user.target" ];
- requires = [ "postgresql.service" ];
+ requires = [ "miniflux-dbsetup.service" ];
after = [ "network.target" "postgresql.service" "miniflux-dbsetup.service" ];
serviceConfig = {
ExecStart = "${pkgs.miniflux}/bin/miniflux";
+ User = dbUser;
DynamicUser = true;
RuntimeDirectory = "miniflux";
RuntimeDirectoryMode = "0700";
- EnvironmentFile = if cfg.adminCredentialsFile == null
- then defaultCredentials
- else cfg.adminCredentialsFile;
+ EnvironmentFile = cfg.adminCredentialsFile;
# Hardening
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
@@ -119,7 +111,7 @@ in
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
- RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
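Review bot: `User = dbUser` on L102 sitting next to `DynamicUser = true` reads as redundant but is load-bearing: with peer authentication over `/run/postgresql` (the DATABASE_URL set earlier in this file), the OS user name must equal the PostgreSQL role name, and `AF_UNIX` is added to RestrictAddressFamilies on L118 for the same reason. A comment on that line would keep someone from "cleaning it up": `# name must match the PostgreSQL role: DATABASE_URL relies on peer auth over the unix socket`. The `systemd.services.miniflux` definition continues outside the hunk.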
diff --git a/nixos/tests/miniflux.nix b/nixos/tests/miniflux.nix
index 1015550fa8c7..d905aea048a3 100644
--- a/nixos/tests/miniflux.nix
+++ b/nixos/tests/miniflux.nix
@@ -7,6 +7,15 @@ let
defaultPort = 8080;
defaultUsername = "admin";
defaultPassword = "password";
+ adminCredentialsFile = pkgs.writeText "admin-credentials" ''
+ ADMIN_USERNAME=${defaultUsername}
+ ADMIN_PASSWORD=${defaultPassword}
+ '';
+ customAdminCredentialsFile = pkgs.writeText "admin-credentials" ''
+ ADMIN_USERNAME=${username}
+ ADMIN_PASSWORD=${password}
+ '';
+
in
with lib;
{
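Review bot: The names `defaultUsername` and `defaultPassword` feeding `adminCredentialsFile` on L130-L133 now imply module defaults that this very commit removes, and both `writeText` calls on L130 and L134 use the same derivation name `admin-credentials`, so the two store paths are indistinguishable by name in test output. Renaming them would make the test self-explanatory, e.g. `adminCredentialsFile = pkgs.writeText "default-admin-credentials" ''` and `customAdminCredentialsFile = pkgs.writeText "custom-admin-credentials" ''`. This is a style point only; behaviour is unchanged since differing contents already yield distinct store paths.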
@@ -17,13 +26,19 @@ with lib;
default =
{ ... }:
{
- services.miniflux.enable = true;
+ services.miniflux = {
+ enable = true;
+ inherit adminCredentialsFile;
+ };
};
withoutSudo =
{ ... }:
{
- services.miniflux.enable = true;
+ services.miniflux = {
+ enable = true;
+ inherit adminCredentialsFile;
+ };
security.sudo.enable = false;
};
@@ -36,10 +51,7 @@ with lib;
CLEANUP_FREQUENCY = "48";
LISTEN_ADDR = "localhost:${toString port}";
};
- adminCredentialsFile = pkgs.writeText "admin-credentials" ''
- ADMIN_USERNAME=${username}
- ADMIN_PASSWORD=${password}
- '';
+ adminCredentialsFile = customAdminCredentialsFile;
};
};
};