Add FreshRSS Docker container

Author: inverted-tree

hosts/itxserver/configuration.nix

@@ -1,13 +1,6 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}@args:
-let
-  inherit (args) inputs;
-in
-{
+{ config, lib, pkgs, ... }@args:
+let inherit (args) inputs;
+in {
   imports = [
     # The hardware-dependent options
     ./hardware-configuration.nix
@@ -18,6 +11,7 @@ in
     ../../modules/containers/stump.nix
     ../../modules/containers/homeassistant.nix
     ../../modules/containers/plex.nix
+    ../../modules/containers/freshrss.nix
     # Any other modules
     inputs.sops-nix.nixosModules.sops
   ];
@@ -35,10 +29,7 @@ in
     };
   };
 
-  nix.settings.experimental-features = [
-    "nix-command"
-    "flakes"
-  ];
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
 
   time.timeZone = "Europe/Berlin";
 
@@ -48,12 +39,10 @@ in
       zfsSupport = true;
       efiSupport = true;
       efiInstallAsRemovable = true;
-      mirroredBoots = [
-        {
-          devices = [ "nodev" ];
-          path = "/boot";
-        }
-      ];
+      mirroredBoots = [{
+        devices = [ "nodev" ];
+        path = "/boot";
+      }];
     };
     zfs.extraPools = [ "zpool" ];
   };
@@ -67,22 +56,16 @@ in
     };
     useDHCP = false;
     interfaces = {
-      eno1.ipv4.addresses = [
-        {
-          address = "10.0.0.10";
-          prefixLength = 24;
-        }
-      ];
+      eno1.ipv4.addresses = [{
+        address = "10.0.0.10";
+        prefixLength = 24;
+      }];
     };
     defaultGateway = {
       address = "10.0.0.1";
       interface = "eno1";
     };
-    nameservers = [
-      "1.1.1.1"
-      "1.0.0.1"
-      "100.100.100.100"
-    ];
+    nameservers = [ "1.1.1.1" "1.0.0.1" "100.100.100.100" ];
     firewall = {
       allowedTCPPorts = [
         8123
@@ -135,9 +118,7 @@ in
         AllowUsers = [ "lukas" ];
       };
     };
-    fail2ban = {
-      enable = true;
-    };
+    fail2ban = { enable = true; };
     envfs.enable = true;
     tailscale.enable = true;
     syncthing = {
@@ -156,7 +137,8 @@ in
         };
         devices = {
           "MacBook-Pro" = {
-            id = "GZAKPGB-BBVIY5T-2D3EY22-YYMGT5L-R3MNHGX-GYWNRWR-TG4BUMW-BQMBBAU";
+            id =
+              "GZAKPGB-BBVIY5T-2D3EY22-YYMGT5L-R3MNHGX-GYWNRWR-TG4BUMW-BQMBBAU";
           };
         };
         folders = {

modules/containers/freshrss.nix

@@ -0,0 +1,85 @@
+# Auto-generated using compose2nix v0.3.1. Edited.
+{ pkgs, lib, config, ... }@args:
+let inherit (args) inputs;
+in {
+  imports = [ inputs.sops-nix.nixosModules.sops ];
+
+  # Secrets are managed via sops
+  sops = {
+    defaultSopsFile = ../../secrets/freshrss.env.enc;
+    defaultSopsFormat = "dotenv";
+    age.keyFile = "/home/lukas/.config/sops/age/keys.txt";
+    secrets.freshrss-env = { };
+  };
+
+  # Create persistent directory for container data
+  systemd.tmpfiles.rules = [
+    "d /srv/freshrss/database 0750 docker docker -"
+    "d /srv/freshrss/config 0750 docker docker -"
+  ];
+
+  # Runtime
+  virtualisation.docker = {
+    enable = true;
+    autoPrune.enable = true;
+  };
+  virtualisation.oci-containers.backend = "docker";
+
+  # Containers
+  virtualisation.oci-containers.containers."freshrss" = {
+    image = "freshrss/freshrss:latest";
+    environment = {
+      "CRON_MIN" = "3,33";
+      "TZ" = "Europe/Berlin";
+    };
+    environmentFiles = [ config.sops.secrets.freshrss-env.path ];
+    volumes = [
+      "/srv/freshrss/data:/var/www/FreshRSS/data:rw"
+      "/srv/freshrss/extensions:/var/www/FreshRSS/extensions:rw"
+    ];
+    ports = [ "8008:80/tcp" ];
+    extraOptions = [
+      "--hostname=freshrss"
+      #      "--log-opt=max-size=10m"
+      "--network-alias=freshrss"
+      "--network=freshrss_default"
+    ];
+  };
+  systemd.services."docker-freshrss" = {
+    serviceConfig = {
+      Restart = lib.mkOverride 90 "always";
+      RestartMaxDelaySec = lib.mkOverride 90 "1m";
+      RestartSec = lib.mkOverride 90 "100ms";
+      RestartSteps = lib.mkOverride 90 9;
+    };
+    after = [ "docker-network-freshrss_default.service" ];
+    requires = [ "docker-network-freshrss_default.service" ];
+    partOf = [ "docker-compose-freshrss-root.target" ];
+    wantedBy = [ "docker-compose-freshrss-root.target" ];
+  };
+
+  # Networks
+  systemd.services."docker-network-freshrss_default" = {
+    path = [ pkgs.docker ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStop = "docker network rm -f freshrss_default";
+    };
+    script = ''
+      docker network inspect freshrss_default || docker network create freshrss_default
+    '';
+    partOf = [ "docker-compose-freshrss-root.target" ];
+    wantedBy = [ "docker-compose-freshrss-root.target" ];
+  };
+
+  networking.firewall.allowedTCPPorts = [ 8008 ];
+
+  # Root service
+  # When started, this will automatically create all resources and start
+  # the containers. When stopped, this will teardown all resources.
+  systemd.targets."docker-compose-freshrss-root" = {
+    unitConfig = { Description = "Root target generated by compose2nix."; };
+    wantedBy = [ "multi-user.target" ];
+  };
+}

secrets/freshrss.env.enc

@@ -0,0 +1,10 @@
+ADMIN_EMAIL=ENC[AES256_GCM,data:57NFB12OftHg87jKLLPSxUUF,iv:PWkKFATXz5bSu3kETQqlhcMZvPq0vS1y9YoNnkCMcDU=,tag:5Jfcev5TYpoyiExriSiZAw==,type:str]
+ADMIN_PASSWORD=ENC[AES256_GCM,data:PpsAsra1dDDYHZuX2nR/vsneofUuoUbhyfUWow24nMY=,iv:Y+kVRjBvzDfc5MoyI5aA4otmATEG2DEvxJcKvUQB18g=,tag:2t4R3ubeeGl57ARffrWIQA==,type:str]
+ADMIN_API_PASSWORD=ENC[AES256_GCM,data:B8eD5Fd4qYVGkHmmJQLGDK5F3O3B7k6NHOWjVVmIPoM=,iv:WW6i8VgxSeyZhN7rWPR1mYcq1zM5ZwHf4jMvwqUhI+Q=,tag:QmFudgC9GlefiabV+XXmXA==,type:str]
+PUBLISHED_PORT=ENC[AES256_GCM,data:MRNmfQ==,iv:4N78sBmWu6b466aBQzOjT0Lgarf0ODirn6u2xkewPKs=,tag:rjDOATShhxM7C9WZD/azrg==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzajk2QTVaZHBiUlJYcys4\nUjA3Y0NKMEJJVDBlT1VOUXQ3Z01WRFB4MVZNCklxd3BuaXhlSkYyZ1dJZENmVHYr\nZklYcTRGaFN4TnJydnFvYXBlTGhjd1UKLS0tIHl5UmYxYmFHNWhhVkZ5dEk0b0FP\nZjBtZW1lZjYwVFc1MG9zV29MM25tTFkKoYWmsylzXRYfSotYpWkyWxbEdq+KMsy9\n9RruLA8StpNIYPe5f087+G7Ak1OF4JmBbuHyc/M4ONqFs0JwOLdHcA==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1njkfdv4ayqlqak76az6ezhse8hn3gmgt9ntur2edyz3watx2xdqq3jklqm
+sops_lastmodified=2025-07-23T12:55:31Z
+sops_mac=ENC[AES256_GCM,data:8065sALFyGOPBtRBfS19OKVRInTaweF1qgTfQlO+gV9p8F4V/vQSUwv7/iJe/QZoJPXJ2AHpOQ6hWBHLAqrOOgfcy2u75lUdCxMYiidlI1H6XU/jAxVWlrlE8NIf29kvbitJpQ4HYS+ia5MzMOztdbucUxfsWQTwH3EX7ruKEik=,iv:gqqvlefzG7t8dWqFSt3XOGfdxHBEi6KFErhEyDf1I9o=,tag:lHhVyfWYdNw1PI+Onv9N/g==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.10.2