diff --git a/nixos/boxes/vpsfree1/rss.nix b/nixos/boxes/vpsfree1/rss.nix index 7b773cf9..747524e6 100644 --- a/nixos/boxes/vpsfree1/rss.nix +++ b/nixos/boxes/vpsfree1/rss.nix @@ -5,73 +5,24 @@ lib, ... }: let - port = 8080; domain = "news.cyplo.dev"; - postgresPort = 5435; in { imports = [../nginx.nix]; - services.nginx = { - virtualHosts = { - "${domain}" = { - forceSSL = true; - enableACME = true; - locations."/" = {proxyPass = "http://127.0.0.1:" + toString port;}; - }; - }; + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; }; - - containers.rss = { - autoStart = true; - forwardPorts = [ - { - containerPort = port; - hostPort = port; - } - ]; - config = { - config, - pkgs, - ... - }: let - inherit (config.services.tt-rss) pool; - inherit (config.services.tt-rss) root; - in { - system.stateVersion = "23.05"; - services.postgresql.port = postgresPort; - services.tt-rss = { - enable = true; - selfUrlPath = "https://${domain}"; - virtualHost = null; - registration.enable = false; - simpleUpdateMode = true; - database.port = postgresPort; - }; - services.nginx = { - enable = true; - virtualHosts = { - "${domain}" = { - listen = [ - { - inherit port; - addr = "0.0.0.0"; - } - ]; - root = "${root}/www"; - locations."/" = {index = "index.php";}; - locations."^~ /feed-icons" = {root = "${root}";}; - locations."~ \\.php$" = { - extraConfig = '' - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:${ - config.services.phpfpm.pools.${pool}.socket - }; - fastcgi_index index.php; - ''; - }; - }; - }; - }; - }; + sops.secrets."freshrss-password" = { + sopsFile = ./rss.sops.yaml; + owner = "freshrss"; + }; + services.freshrss = { + enable = true; + virtualHost = domain; + baseUrl = "https://${domain}"; + database.type = "sqlite"; + defaultUser = "cyryl"; + passwordFile = config.sops.secrets.freshrss-password.path; }; } 
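Review bot: The new `sops.secrets."freshrss-password"` block hard-codes `owner = "freshrss";`, which stays correct only while the account created by `services.freshrss` keeps that name. Binding it to the module option, `owner = config.services.freshrss.user;`, keeps the decrypted file owned by whichever account actually runs the app. A one-line comment above `passwordFile` would also help, e.g. `# password for defaultUser, decrypted by sops-nix at activation`. FreshRSS now runs directly on the host rather than inside `containers.rss`, so it is worth confirming that its sqlite data directory is not readable by other host services. The module's argument list starts above the hunk, so whether `config` is bound there cannot be checked from here.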
diff --git a/nixos/boxes/vpsfree1/rss.sops.yaml b/nixos/boxes/vpsfree1/rss.sops.yaml
new file mode 100644
index 00000000..a98722c0
--- /dev/null
+++ b/nixos/boxes/vpsfree1/rss.sops.yaml
@@ -0,0 +1,102 @@ +freshrss-password: ENC[AES256_GCM,data:DRo33SMRV89iUoQtdWaTVHcFBA7Y,iv:I4zbnJb4O4S7fTBqHl3kxGh33sndBrHNJPPZL8v41i8=,tag:C1NgSANYMQiOWNYBBnYAQg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBweElpTmRLY3A1dHVsekYy + ODJZUzdUUDVheWZBcGNkTTUzdk1ZVXRJU25vCmcwazNvc21IaExiQXdZcnZZNDdu + VkxOU3NZdnZsNENyd2k1cktaNUVNNGsKLS0tIGhnZEM5WjlIQ1BHOWt0QnhaTlBW + T3h6MU5wSWZHZ1doNFpKQjVFdHRxUUEKcsxSwvfyd41VOsZcCOpmPtS5v+sGhzGe + am6Om06uCyZGy/uViUaQYwHnTElsdrHs8GP1+xijEtImIz0bYaKB2g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGY092UUZxQUc1RVRabi9Z + L0pFWUgvdkxMdyswWXBSSytBMnBmdTg2MGk4ClVrdlM4ZDNUVXhCNnJ5aEU4RDRU + VWlwelFFdVY4YkdvNzNua092YlZ0MmcKLS0tIHErcGdjVWNlZnl1RVpYcU03SDQ1 + aG53Q3c5ZmV2N3lsZlQxTU1aS1IvdjgKs4tbRx7VnGagRCFAxoKF2AA1g4laC6bE + H59SOA8UzoF2QDeBzcvtmUW7KPJAtivszod8bNkghq6/EieGzMV49g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBbnd4WWppNm5uTlhUVlZK + d3lSdGxFRWlsbE1WTVBkVHJpemd2Q08wMTJzCngxUUo0bFZ5bkFSZkZ3RUF5NlRp + OFRrZzRkTkJBK0V1djFuNHhRMVZTcHcKLS0tIFF6RGRiSXNXTlBESjRWWGYvTzFo + a25vVTdmUnE3dHBvTWs4WVljYWZYOHcKHXT2Ua4uEi5pIZ0JQKcKsFUIEcYdhIkp + RxzaugZA0bjEgKxY/eHF2sK743MuAkA5XjLPcVbreYcUJqUD2o/wVQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtN3dIbWphL0xKY3gybmVu + YU9XUWNVbUZwRS9nOFBKUlFhTS9NQ1dlOGlRCmFvNHVadVdBQnJJaHRHWEdNMDRH + 
aWE4WkV4QzNFR0tjTXMza1paSkZqeGMKLS0tIFI3MzZrT3ZTc2lmZlBtR2R1dWpD + dEJiR1VSWWZqZWhmdEVuK2NZS1pBZ3MKKivgEIU92cX8EWrgFBuduCdWlvnsZBwa + l7p+VtWRKNHLH95Tr4Rq3scysAPtkRerJHKIExozyUeDw+n21eL9Hg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwaUNPa0E4NzZUellCTUFY + bzVNYmNnZTFGcjduTC9GU21TRmNqVXdWWndBClV2Rnd4ZTlWR3RDYnpLV294dUxS + SzhIUG91V0RHRmJNVjlpWDNuU0hzTGMKLS0tIG5rZnk2L3hMN3hnWnU1aXhqSUNv + OHRkN3dTbzdNSzBnbFpaM050dUowUU0KBcBr5Tw8fmGx5HEQ3OlpnKJQzsad5bUq + oDashn3vucbOcG/reUx2FXGhPL5hj3KbD4tk6909Sf1gHWtO5s5EIQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSejFXbTFKVFVMSmxGK3Mx + c2ljQ0s3Z2xhYytwMWpKMzUwUUtaaTJJZXlrCmNqa2UzTXNNdXBxRDVxektBcHBt + T2I3S0N5YmNHbGgzOWlRQkhNV1p2K1UKLS0tIDFDSW9KLzBmWjFJb1BSNkJGNkxC + Q1VKTml1UUJ4a2xjKzFIcGtIVVhsN00KVzQYLGla9LVEmzA2YvsDMxp5vjVNHDZV + eo09QDcXwrQYziE8FdC0vuK6SLOpJPw5CvXB33u2ciCci+Jxe2cYwQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUMmFobHE3bGIwN0tQR2Za + VHkyYVZ0RDArSVhOWWczcC9MNEdhbXk1Q1VBCmVreW15Nk9VOUprR3I2T3pnRjU3 + NHMvU2xCcW9JVW9QNEd0d0FLdkRIcFkKLS0tIHozdTE2NTZWMFFpZGVFRjRkbkNw + VXF2ay95U2RxRHREYW84SUVTUnR2MU0KvFB1m8EMvshIP48pEeHmQxs/AIthxezw + Rv1R1SzxP96/B1tW9kbSx7J0CNzhDAsu2Rq7TMe3dHXN/iHi6O1D2w== + -----END AGE ENCRYPTED FILE----- + - recipient: age18vg9wvmj2jc8tdcyc202v46lvfndqfe3dse2hewx0snalpvk43fqc22n6y + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbks4alZjYm9OT3JtSEw3 + OTJTOTNRWnJSR3dmaVM0S2pURE9QU3ZvVG5VCjdadmhHZDlTSW94Um5ORmJUa2Y1 + 
SmJBcmNoTEtndW5mcm1UR3ZPZ2cxS1kKLS0tIE95alptR3VHcEp5L05JM1Nha3du + dGdESTZuSnIwVW1YQlZJZGI0cmtlNkEKwPJnFHcHbGqQC9GOfZtVFPpHicgy4pz9 + a14lL3aaWFnEtIAKlRo8hD4vD289PtVcI6WCDbtCAbQxrhWTrQZ3qg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByendCQk9QcldYYVh3YVdQ + SmI1ZXVDSEVBc2h5SkZJcW0zbjg5cExBc2lZCmxEVFJyejcwN2JyK25HRmtQZVFW + QlY4YkNmamFzaTdvNHBhYUxkd0YxY28KLS0tIGRHTzdHcFdQWEM1a3BPM2xYSkx2 + ZjBFVXdjeVlPeWtpQ1NOcml6WTFkUXcKjHx7MA916qsi88uBmuN3mw0mwXuhUzhm + IkLkboQIFr2lJDdr8L74+OoDq43UcA+M0uG0UH8BROPQkaLOkwI4Vw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1Tm9sajZwVHc3TnlzTWN5 + NEVnU3NZbnd6d2JHZWx4cFdNaTZ0eWxWd1VZCkd3UFVHaUQ4VTJlMFg3SHFaNWlM + cDJxU0ZsSE9SVzhmMXZJZEdXRlBGazgKLS0tIDdmVXdteUhSR21hTkYyOS9yMVBW + WmUwcDV2YlpGbXJydlgzKzRNSVFwSlEK0Atv2OnAaJGFi0lk+xt9K4Yf4TBsIOsJ + rIUW2UCpEW+XtvMTXt24X0RqNpgZ9cNHz+O5VX/DBgoaB+ncHHynWA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-11-11T23:18:32Z" + mac: ENC[AES256_GCM,data:mD03I8vLrkOhlYKetnsx5bs1GiqkzA2owfXg/02jE3t5Ujm5iSJY+WGJQYiv+dNdE8Ys99Wq5YMs8+WISrtJInSTJ1U5SMDOx8OmuEiU9+HIBdwkLceTp9s+cVDUVkQej19hBtBV5XTs6/LAHVqgOn8w15VfAwnztodBjZCdLxQ=,iv:VI7Qdim0vs96gc36Tf2rppzyh2PeFNtxsgEovZqr+34=,tag:l3mwCjvAWfn4MVmSLjKxlQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3
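Review bot: The recipient `age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla` appears twice in the `age:` list, which probably means the sops creation rule behind this file names the same key in two places. That does not affect decryption, but deduplicating it in the sops configuration keeps the recipient set easy to audit. The file is encrypted to ten entries (nine distinct keys), and every one of them can read the FreshRSS password. The rule itself is not part of this commit, so it is worth confirming that each of those keys needs access to a secret used only on vpsfree1.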