add freshrss on genepi

2025-01-31 22:55:37 +01:00
parent 75b0494eaa
commit 7c303fd8f2
5 changed files with 52 additions and 9 deletions
--- a/hosts/genepi/default.nix
+++ b/hosts/genepi/default.nix
@@ -13,6 +13,7 @@
    ./boot.nix
    ./disk.nix
    ./dns.nix
+    ./freshrss.nix
    ./hardware.nix
    ./immich.nix
    ./monitoring.nix
--- a/hosts/genepi/dns.nix
+++ b/hosts/genepi/dns.nix
@@ -1,4 +1,15 @@
-{ config, ... }:
+{ config, lib, ... }:
+let
+  domain = "home.rpqt.fr";
+  genepi = {
+    ip = "100.83.123.79";
+    subdomains = [
+      "grafana"
+      "images"
+      "rss"
+    ];
+  };
+in
 {
  networking.firewall.interfaces."${config.services.tailscale.interfaceName}" = {
    allowedTCPPorts = [ 53 ];
@@ -14,14 +25,8 @@
        interface = [ "${config.services.tailscale.interfaceName}" ];
        access-control = [ "100.0.0.0/8 allow" ];

-        local-zone = [
-          ''"grafana.home.rpqt.fr." redirect''
-          ''"images.home.rpqt.fr" redirect''
-        ];
-        local-data = [
-          ''"grafana.home.rpqt.fr. IN A 100.83.123.79"''
-          ''"images.home.rpqt.fr. IN A 100.83.123.79"''
-        ];
+        local-zone = lib.map (subdomain: ''"${subdomain}.${domain}." redirect'') genepi.subdomains;
+        local-data = lib.map (subdomain: ''"${subdomain}.${domain}. IN A ${genepi.ip}"'') genepi.subdomains;
      };
    };
  };
--- a/hosts/genepi/freshrss.nix
+++ b/hosts/genepi/freshrss.nix
@@ -0,0 +1,26 @@
+{ config, ... }:
+let
+  domain = "home.rpqt.fr";
+  subdomain = "rss.${domain}";
+in
+{
+  age.secrets.freshrss = {
+    file = ../../secrets/freshrss.age;
+    mode = "700";
+    owner = config.services.freshrss.user;
+  };
+
+  services.freshrss = {
+    enable = true;
+    baseUrl = "https://${subdomain}";
+    virtualHost = "${subdomain}";
+
+    defaultUser = "rpqt";
+    passwordFile = config.age.secrets.freshrss.path;
+  };
+
+  services.nginx.virtualHosts.${config.services.freshrss.virtualHost} = {
+    forceSSL = true;
+    useACMEHost = "${domain}";
+  };
+}
--- a/secrets/freshrss.age
+++ b/secrets/freshrss.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 ELMcHw e1XlBpnFTEjcVaiz2ogDRQlrkvEK98pJb2iDaP3fAF8
+W9li/7spMyPzwaCSFkOdPOL9ZNuaGCnJxm0uB/vLyS8
+-> ssh-ed25519 8TpKTA 3HeKYAD1Y9UGfCmTWdgfVRMXy/q+R2fH/rrDdCnmBgc
+S2pjlFKodLcx06HqrkghUUQB8QgyxkhPean6EV7GsXM
+--- g6mHVMs7rkgyIus4NGuw8h+Hai3ME0FbuIpvA2KOOYQ
+<EFBFBD>=<3D>2#<23><>޸<+<2B><>
+v<EFBFBD><EFBFBD><EFBFBD><EFBFBD>L<>3<>@Z<>,܅M9,C$<24>a<EFBFBD>r
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -14,4 +14,7 @@ in

  # Restic repository key
  "restic-genepi-storagebox-key.age".publicKeys = keysForGenepi;
+
+  # Password of the default user
+  "freshrss.age".publicKeys = keysForGenepi;
 }