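# FreshRSS module.
#
# Declares the `freshrss.enable` option. When it is enabled, the module emits
# a Secret, a Deployment and a LoadBalancer Service under
# `kubernetes.resources`, plus a Tailscale ingress and a Longhorn-backed
# volume claim under `lab`.
#
# Arguments:
#   config  - the evaluated module configuration (read for `freshrss.enable`).
#   lib     - module helpers (`mkEnableOption`, `mkIf`).
#   globals - project-wide values; this module reads `images.freshrss` and
#             `freshrssIPv4`.
{
  config,
  lib,
  globals,
  ...
}: {
  options.freshrss.enable = lib.mkEnableOption "freshrss";

  config = lib.mkIf config.freshrss.enable {
    kubernetes.resources = {
      # All confidential values live in this one Secret and reach the container
      # through `secretKeyRef`. The `ref+sops://` strings are references into
      # secrets.yml; presumably they are resolved at render/deploy time
      # (confirm against the deploy pipeline).
      secrets.server.stringData = {
        adminPassword = "ref+sops://secrets.yml#/freshrss/password";

        # Kept here rather than as literal `env.*.value` entries: once the
        # reference is resolved, a literal value is embedded in the Deployment
        # object and its ReplicaSet revisions, readable by anyone who may read
        # those resources. A Secret can be access-controlled separately.
        oidcClientSecret = "ref+sops://secrets.yml#/authentik/oauth2/freshrss/client_secret";
        oidcCryptoKey = "ref+sops://secrets.yml#/freshrss/oidc_crypto_key";
      };

      deployments.server.spec = {
        selector.matchLabels.app = "freshrss";

        # No pod is surged above the desired count during a rollout; one pod
        # may be unavailable while it is replaced.
        strategy = {
          type = "RollingUpdate";

          rollingUpdate = {
            maxSurge = 0;
            maxUnavailable = 1;
          };
        };

        template = {
          metadata.labels.app = "freshrss";

          spec = {
            containers.freshrss = {
              # NOTE(review): whether this reference is pinned by digest is not
              # visible here; with `IfNotPresent` a node keeps whatever it
              # pulled first for a given tag - confirm in `globals.images`.
              image = globals.images.freshrss;
              imagePullPolicy = "IfNotPresent";
              ports.web.containerPort = 80;

              env = {
                TZ.value = "Europe/Amsterdam";
                CRON_MIN.value = "2,32";
                ADMIN_EMAIL.value = "pim@kunis.nl";
                # The container listens on 80 while 443 is advertised, so TLS
                # is presumably terminated in front of the pod - confirm.
                PUBLISHED_PORT.value = "443";
                OIDC_ENABLED.value = "1";
                OIDC_PROVIDER_METADATA_URL.value = "https://authentik.kun.is/application/o/freshrss/.well-known/openid-configuration";
                # An OAuth2 client ID is a public identifier, so it stays inline.
                OIDC_CLIENT_ID.value = "5J2L7Ufq4KMayQ8qrqxHCslxHWL2SXNMKJmsbbiQ";
                OIDC_SCOPES.value = "openid email profile";
                # NOTE(review): these request headers are trusted by the OIDC
                # layer. The Service below is of type LoadBalancer, so confirm
                # that only the trusted reverse proxy can reach it; a client
                # that connects directly can set these headers itself.
                OIDC_X_FORWARDED_HEADERS.value = "X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host";

                # After rotating a value in the Secret the pod template does
                # not change, so the deployment must be restarted to pick up
                # the new value.
                OIDC_CLIENT_SECRET.valueFrom.secretKeyRef = {
                  name = "server";
                  key = "oidcClientSecret";
                };

                OIDC_CLIENT_CRYPTO_KEY.valueFrom.secretKeyRef = {
                  name = "server";
                  key = "oidcCryptoKey";
                };

                ADMIN_PASSWORD.valueFrom.secretKeyRef = {
                  name = "server";
                  key = "adminPassword";
                };

                # NOTE(review): the API password reuses the web admin password.
                # A separate key would let the API credential be rotated or
                # revoked without touching the interactive login.
                ADMIN_API_PASSWORD.valueFrom.secretKeyRef = {
                  name = "server";
                  key = "adminPassword";
                };
              };

              volumeMounts = [
                {
                  name = "data";
                  mountPath = "/var/www/FreshRSS/data";
                }
              ];
            };

            volumes.data.persistentVolumeClaim.claimName = "data";

            # Group 33 owns the mounted volume; presumably the web server
            # group inside the image - confirm. Ownership is only re-applied
            # when the volume root does not already match.
            securityContext = {
              fsGroup = 33;
              fsGroupChangePolicy = "OnRootMismatch";
            };
          };
        };
      };

      # Exposes the pod's plain-HTTP port on a fixed load-balancer address.
      services.server.spec = {
        type = "LoadBalancer";
        loadBalancerIP = globals.freshrssIPv4;
        selector.app = "freshrss";

        ports.web = {
          port = 80;
          targetPort = "web";
        };
      };
    };

    lab = {
      # Publishes the `server` Service under the Tailscale host name "freshrss".
      tailscaleIngresses.tailscale = {
        host = "freshrss";
        service.name = "server";
      };

      # Backs the `data` claim mounted at /var/www/FreshRSS/data.
      longhorn.persistentVolumeClaim.data = {
        volumeName = "freshrss";
        storage = "1Gi";
      };
    };
  };
}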