feat: add freshrss

2026-01-22 08:06:50 +01:00 · 2026-01-11 21:30:27 +01:00 · 2026-01-11 21:30:27 +01:00 · 002fad13df
commit 002fad13df
parent b99299dc45
4 changed files with 63 additions and 1 deletions
--- a/modules/homelab/default.nix
+++ b/modules/homelab/default.nix
@ -6,6 +6,7 @@
  imports = [
    ./arr.nix
    ./audiobookshelf.nix
+    ./freshrss.nix
    ./glance.nix
    ./home-assistant.nix
    ./jellyfin.nix
--- a/modules/homelab/freshrss.nix
+++ b/modules/homelab/freshrss.nix
@ -0,0 +1,54 @@
+{
+  config,
+  lib,
+  ...
+}:
+lib.mkIf config.fireproof.homelab.enable (let
+  domain = "freshrss.nickolaj.com";
+in {
+  services.freshrss = {
+    enable = true;
+    baseUrl = "https://${domain}";
+    virtualHost = domain;
+    database = {
+      type = "pgsql";
+      host = "/var/run/postgresql/";
+      user = "freshrss";
+      name = "freshrss";
+    };
+    authType = "http_auth";
+    defaultUser = "nickolaj1177@gmail.com";
+  };
+
+  services.postgresql = {
+    ensureDatabases = ["freshrss"];
+    ensureUsers = [
+      {
+        name = "freshrss";
+        ensureDBOwnership = true;
+        ensureClauses.login = true;
+      }
+    ];
+  };
+
+  services.oauth2-proxy.nginx.virtualHosts = {
+    "${domain}" = {
+      allowed_groups = ["default"];
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."~ ^.+?\\.php(/.*)?$" = {
+      extraConfig = lib.mkAfter ''
+        auth_request_set $email  $upstream_http_x_auth_request_email;
+        fastcgi_param REMOTE_USER $email;
+      '';
+    };
+  };
+
+  services.restic.backups.homelab.paths = [
+    "/var/lib/freshrss"
+  ];
+})
--- a/modules/homelab/glance.nix
+++ b/modules/homelab/glance.nix
@ -209,6 +209,12 @@ in {
                      icon = "sh:audiobookshelf";
                      same-tab = true;
                    }
+                    {
+                      title = "FreshRSS";
+                      url = "https://freshrss.nickolaj.com";
+                      icon = "sh:freshrss";
+                      same-tab = true;
+                    }
                    {
                      title = "Sonarr";
                      url = "https://sonarr.nickolaj.com";
--- a/modules/homelab/sso.nix
+++ b/modules/homelab/sso.nix
@ -46,7 +46,6 @@ in {
        name = "zitadel";
        ensureDBOwnership = true;
        ensureClauses.login = true;
-        ensureClauses.superuser = true;
      }
    ];
  };
@ -100,6 +99,8 @@ in {
    validateURL = "https://${zitadelDomain}/oauth2/";
    oidcIssuerUrl = "https://${zitadelDomain}:443";
    keyFile = config.age.secrets.oauth2-proxy.path;
+    passBasicAuth = true;
+    setXauthrequest = true;
    nginx.domain = oathproxyDomain;
    email.domains = ["*"];
    extraConfig = {