chore: move miniflux oidc to rauthy

0xlua · 0xlua · commit 1ad1ad53952f · 2025-02-27T10:57:52.000+01:00
diff --git a/podman/miniflux.container.nix b/podman/miniflux.container.nix
@@ -1,4 +1,7 @@
 {config, ...}: {
+  sops.secrets."miniflux/oidcSecret" = {
+    mode = "0444";
+  };
   sops.secrets."miniflux/db" = {};
   sops.secrets."miniflux/password" = {};
   sops.secrets."miniflux/user" = {};
@@ -19,13 +22,17 @@
       ];
       environment = {
         OAUTH2_CLIENT_ID = "miniflux";
-        OAUTH2_OIDC_DISCOVERY_ENDPOINT = "http://mail.lua.one";
+        OAUTH2_CLIENT_SECRET_FILE = "/run/secrets/oidc";
+        OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.lua.one/auth/v1";
         OAUTH2_PROVIDER = "oidc";
         OAUTH2_REDIRECT_URL = "https://rss.lua.one/oauth2/oidc/callback";
         OAUTH2_USER_CREATION = "1";
         DISABLE_LOCAL_AUTH = "true";
         RUN_MIGRATIONS = "1";
       };
+      volumes = [
+        "${config.sops.secrets."miniflux/oidcSecret".path}:/run/secrets/oidc"
+      ];
     };
     miniflux-db = {
       image = "docker.io/postgres:17-alpine";
diff --git a/secrets.yaml b/secrets.yaml
@@ -17,6 +17,7 @@ miniflux:
     db: ENC[AES256_GCM,data:6SNEbkyghUc=,iv:/hTHYbZbvlUhfhF264HJc1GiY5ujT9gOtXmX0mJe3IY=,tag:h5P+dv5PffO1I6GoUDV8Jw==,type:str]
     user: ENC[AES256_GCM,data:6sPVz68x188=,iv:/SeV5zijlZjaM7uBd8YQpS6MbMN1OGmszUDT5FRrkGU=,tag:PhqL0ZKiLsi36CLrIIKNzA==,type:str]
     password: ENC[AES256_GCM,data:a+xkNsNC,iv:kKGKs/Jk8DgKVk6iPRLlVHlR9pOoPsI/GRRYfBJD6Hg=,tag:WyML0LRLwNerF9UAhL8Z0Q==,type:str]
+    oidcSecret: ENC[AES256_GCM,data:eE2/D0vy0TVY9c8Kf9LWgk0zIStb1l5jy+PjUK9khvIe5H2Iv7z8PnS+5T+0vwwud7+WsZpgt01evl9FzSMXKA==,iv:b2o7meYRW/px30C0pXTJ4YQvs5PJ1o9t3qCO1fkG/bs=,tag:0KT/0k46sVIbTu3q/jp8tA==,type:str]
 atuin:
     db: ENC[AES256_GCM,data:qj/S2Mc=,iv:eixbOyNWtpFLlSzr/rSLuNDcjkr+12FFOqDHONhBCbA=,tag:dQ44MuPHEvvuGoFrJD14VQ==,type:str]
     user: ENC[AES256_GCM,data:HD7bu0I=,iv:N7OJEUuMYoVjFc19aqNHp4FK1PRHYITjCq8b5nrnNsc=,tag:K+GIasyTuRmde1wgBHhrSg==,type:str]
@@ -50,8 +51,8 @@ sops:
             ZS9IQjA1dEtvVlFmZnEvaDRtdFhhUTgKXUwrNelmv3fIQYoKwgbPe33Bfg4KnFpU
             lHC1u7Dfhg18wEcmVWhWxl1Z5lqud4pmKLZy6VBXJMigiMjEWOcEVg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-26T15:29:43Z"
-    mac: ENC[AES256_GCM,data:3FnoBhBB9dswBeWHm4LZz+BBVqCAe9WDgd1T7r6kE9b6JgxM2RpLHItEEJ+rxrp04/yTXfA3Ct/RoVlPMGBRT7BoLbsCQ09YdfSKFe7G645iQvuh6Ar6Qi/G9VvFKh267Xu6ssFa5IrH8u7f1bc+7O2SxZLmthA9W9TYWuFjpI8=,iv:7w8FjFpEQ+WAsxjGo3eHw6CTVmTX1l8QBdjJPaKqdaU=,tag:bJetDzA1/C+sY5KVVd2pxQ==,type:str]
+    lastmodified: "2025-02-26T15:44:12Z"
+    mac: ENC[AES256_GCM,data:5t1YpaIdnPekhXzb3gxdtXxIbiegFvx8oVaf1gw/sUTLmCAC6KoWOvHx3HzD4Hq790PVavfvaTKtBduYGRt9MeABONxOCtQ1XUDVIc+hMer/43fhHM3hmjS5RcomYdUAxGaD1/zP3upTwKJZ2AKsJPFdklwqyh9OQMJiN9JbDpA=,iv:SKzLzi+c+MEe68fvxWI7+vxoE02t0PmeffYU4KS2G+M=,tag:C96z9gNbgpvQvkrxNn2QmQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4
