Diffstat (limited to 'modules/nixos/mixins')
| -rw-r--r-- | modules/nixos/mixins/default.nix | 1 | ||||
| -rw-r--r-- | modules/nixos/mixins/grafana.nix | 19 | ||||
| -rw-r--r-- | modules/nixos/mixins/miniflux.nix | 47 |
3 files changed, 65 insertions, 2 deletions
diff --git a/modules/nixos/mixins/default.nix b/modules/nixos/mixins/default.nix
index e9930bf..2bad18c 100644
--- a/modules/nixos/mixins/default.nix
+++ b/modules/nixos/mixins/default.nix
@@ -13,6 +13,7 @@
 ./journal-upload.nix
 ./kanidm.nix
 ./lanzaboote.nix
+ ./miniflux.nix
 ./nginx.nix
 ./niri.nix
 ./node-exporter.nix
diff --git a/modules/nixos/mixins/grafana.nix b/modules/nixos/mixins/grafana.nix
index 6d6a942..03f2c6a 100644
--- a/modules/nixos/mixins/grafana.nix
+++ b/modules/nixos/mixins/grafana.nix
@@ -5,6 +5,10 @@
 ...
 }:
+let
+ grafanaCfg = config.services.grafana;
+in
+
 {
 config = lib.mkMerge [
 {
@@ -21,12 +25,23 @@
 domain = lib.mkDefault ("grafana." + config.networking.domain);
 enable_gzip = true;
 enforce_domain = true;
- root_url = "https://" + config.services.grafana.settings.server.domain + "/";
+ root_url = "https://" + grafanaCfg.settings.server.domain + "/";
 };
 };
 };
 }
+ (lib.mkIf grafanaCfg.enable {
+ services = {
+ nginx.virtualHosts.${grafanaCfg.settings.server.domain} = {
+ locations."/" = {
+ proxyPass = "http://${grafanaCfg.settings.server.http_addr}:${toString grafanaCfg.settings.server.http_port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ })
+
 (lib.mkIf config.services.kanidm.enableServer {
 services.grafana = {
 settings = {
@@ -56,7 +71,7 @@
 };
 })
- (lib.mkIf (config.services.grafana.enable && config.services.kanidm.enableServer) {
+ (lib.mkIf (grafanaCfg.enable && config.services.kanidm.enableServer) {
 age.secrets.grafanaKanidm = {
 file = secretsDir + "/grafanaKanidmSecret.age";
 owner = config.users.users.grafana.name;
diff --git a/modules/nixos/mixins/miniflux.nix b/modules/nixos/mixins/miniflux.nix
new file mode 100644
index 0000000..187ddc0
--- /dev/null
+++ b/modules/nixos/mixins/miniflux.nix
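Review bot: The new `nginx.virtualHosts.${grafanaCfg.settings.server.domain}` entry in grafana.nix sets only `locations."/"` and shows no TLS options, while `root_url` is built as `https://…` and `enforce_domain = true` redirects clients to that host; the miniflux vhost added in miniflux.nix has the same shape. If the `./nginx.nix` mixin does not already apply TLS defaults to every virtual host (not visible in this diff), the Kanidm OAuth login and the session cookies would be served over plain HTTP, or the HTTPS redirect would have nothing listening. Consider setting `forceSSL = true;` together with `enableACME = true;` (or `useACMEHost`) on both vhosts, or add a comment naming the module that supplies those defaults.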
@@ -0,0 +1,47 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}:
+
+{
+ config = lib.mkMerge [
+ {
+ services.miniflux = {
+ adminCredentialsFile = config.age.secrets.miniflux.path;
+ config = {
+ BASE_URL = "https://miniflux.${config.networking.domain}";
+ LISTEN_ADDR = "localhost:7000";
+ };
+ };
+ }
+
+ (lib.mkIf config.services.miniflux.enable {
+ age.secrets.miniflux.file = secretsDir + "/miniflux.age";
+
+ services = {
+ nginx.virtualHosts.${lib.removePrefix "https://" config.services.miniflux.config.BASE_URL} = {
+ locations."/" = {
+ proxyPass = "http://${config.services.miniflux.config.LISTEN_ADDR}";
+ };
+ };
+ };
+
+ /*
+ # Create the socket manually to ensure NGINX has permission for the socket's parent directory
+ # ...since for some reason Miniflux will not give it the same `0777` permission as the socket itself
+ systemd = {
+ services.miniflux = {
+ requires = [ "miniflux.socket" ];
+ };
+
+ sockets.miniflux = {
+ wantedBy = [ "sockets.target" ];
+ listenStreams = [ "/run/miniflux.sock" ];
+ };
+ };
+ */
+ })
+ ];
+}
|
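Review bot: The vhost name is derived with `lib.removePrefix "https://" config.services.miniflux.config.BASE_URL`, so an override of `BASE_URL` that carries a path, a trailing slash or an `http://` scheme produces a server name that no request will match, and nginx would likely answer from its default server instead of this proxy. Binding the host once keeps the two values in step, e.g. `let minifluxDomain = "miniflux.${config.networking.domain}"; in`, then `BASE_URL = "https://${minifluxDomain}";` and `nginx.virtualHosts.${minifluxDomain}`. Separately, `LISTEN_ADDR = "localhost:7000"` is a loopback TCP port that any local process can reach without passing through nginx. If the commented-out socket block is revived, a socket restricted to a group shared with nginx would be preferable to the `0777` mode its comment mentions.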
