From 002fad13df00ef69bb03cce66dfddfb4f689dff5 Mon Sep 17 00:00:00 2001
From: Nickolaj Jepsen
Date: Sun, 11 Jan 2026 21:30:27 +0100
Subject: [PATCH] feat: add freshrss

---
 modules/homelab/default.nix | 1 +
 modules/homelab/freshrss.nix | 54 ++++++++++++++++++++++++++++++++++++
 modules/homelab/glance.nix | 6 ++++
 modules/homelab/sso.nix | 3 +-
 4 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 modules/homelab/freshrss.nix

diff --git a/modules/homelab/default.nix b/modules/homelab/default.nix
index 00d5a03..842ce80 100644
--- a/modules/homelab/default.nix
+++ b/modules/homelab/default.nix
@@ -6,6 +6,7 @@
 imports = [
 ./arr.nix
 ./audiobookshelf.nix
+ ./freshrss.nix
 ./glance.nix
 ./home-assistant.nix
 ./jellyfin.nix
diff --git a/modules/homelab/freshrss.nix b/modules/homelab/freshrss.nix
new file mode 100644
index 0000000..df5d9bc
--- /dev/null
+++ b/modules/homelab/freshrss.nix
@@ -0,0 +1,54 @@
+{
+ config,
+ lib,
+ ...
+}:
+lib.mkIf config.fireproof.homelab.enable (let
+ domain = "freshrss.nickolaj.com";
+in {
+ services.freshrss = {
+ enable = true;
+ baseUrl = "https://${domain}";
+ virtualHost = domain;
+ database = {
+ type = "pgsql";
+ host = "/var/run/postgresql/";
+ user = "freshrss";
+ name = "freshrss";
+ };
+ authType = "http_auth";
+ defaultUser = "nickolaj1177@gmail.com";
+ };
+
+ services.postgresql = {
+ ensureDatabases = ["freshrss"];
+ ensureUsers = [
+ {
+ name = "freshrss";
+ ensureDBOwnership = true;
+ ensureClauses.login = true;
+ }
+ ];
+ };
+
+ services.oauth2-proxy.nginx.virtualHosts = {
+ "${domain}" = {
+ allowed_groups = ["default"];
+ };
+ };
+
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."~ ^.+?\\.php(/.*)?$" = {
+ extraConfig = lib.mkAfter ''
+ auth_request_set $email $upstream_http_x_auth_request_email;
+ fastcgi_param REMOTE_USER $email;
+ '';
+ };
+ };
+
+ services.restic.backups.homelab.paths = [
+ "/var/lib/freshrss"
+ ];
+})
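Review bot: With `authType = "http_auth"` FreshRSS takes the logged-in identity from `REMOTE_USER`, and the `locations."~ ^.+?\\.php(/.*)?$"` block fills that from the `X-Auth-Request-Email` value, so which account a visitor lands in — the `defaultUser` account included — depends entirely on the e-mail the identity provider asserts. Please confirm that the provider only releases verified addresses and that `allowed_groups = ["default"]` covers just the people who should have a FreshRSS account; FreshRSS can auto-create unknown users under HTTP authentication (its `http_auth_auto_register` setting, not set in this file). A Nix comment above `extraConfig` would record the trust boundary, for example `# FreshRSS trusts REMOTE_USER: set it only from the oauth2-proxy auth_request response`.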
diff --git a/modules/homelab/glance.nix b/modules/homelab/glance.nix
index d1100de..2c7e1fa 100644
--- a/modules/homelab/glance.nix
+++ b/modules/homelab/glance.nix
@@ -209,6 +209,12 @@ in {
 icon = "sh:audiobookshelf";
 same-tab = true;
 }
+ {
+ title = "FreshRSS";
+ url = "https://freshrss.nickolaj.com";
+ icon = "sh:freshrss";
+ same-tab = true;
+ }
 {
 title = "Sonarr";
 url = "https://sonarr.nickolaj.com";
diff --git a/modules/homelab/sso.nix b/modules/homelab/sso.nix
index 676013b..f4927f5 100644
--- a/modules/homelab/sso.nix
+++ b/modules/homelab/sso.nix
@@ -46,7 +46,6 @@ in {
 name = "zitadel";
 ensureDBOwnership = true;
 ensureClauses.login = true;
- ensureClauses.superuser = true;
 }
 ];
 };
@@ -100,6 +99,8 @@ in {
 validateURL = "https://${zitadelDomain}/oauth2/";
 oidcIssuerUrl = "https://${zitadelDomain}:443";
 keyFile = config.age.secrets.oauth2-proxy.path;
+ passBasicAuth = true;
+ setXauthrequest = true;
 nginx.domain = oathproxyDomain;
 email.domains = ["*"];
 extraConfig = {
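Review bot: Dropping `ensureClauses.superuser = true` from the `zitadel` entry may not take the privilege away on hosts where the role already exists: as far as I know the NixOS PostgreSQL module leaves an unset clause untouched on existing roles, so the role would stay a superuser there. If the intent is to demote it, state that explicitly with `ensureClauses.superuser = false;` and check the role's attributes after deploying. The `ensureUsers` entry starts outside this hunk.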
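Review bot: `passBasicAuth = true` does not look needed for what this commit wires up: the FreshRSS vhost reads only the `X-Auth-Request-Email` response header, which is what `setXauthrequest = true` turns on. Both settings apply to the whole oauth2-proxy instance, so every vhost behind it is affected; if no upstream consumes the forwarded Basic/`X-Forwarded-*` identity, leaving `passBasicAuth` out keeps fewer identity headers in flight. A comment on the `setXauthrequest` line such as `# needed by freshrss.nix: REMOTE_USER is taken from X-Auth-Request-Email` would explain why it is set. The enclosing attribute set starts and ends outside this hunk.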