Deploying a vanilla Tiny Tiny RSS server on NixOS via NixOps is fairly straightforward. My preferred method is to craft a tt-rss.nix file that describes the configuration of the TT-RSS server.

    { config, pkgs, lib, ... }:

    {
      services.tt-rss = {
        enable = true;                                # Enable TT-RSS
        database = {                                  # Configure the database
          type = "pgsql";                             # Database type
          passwordFile = "/run/keys/tt-rss-dbpass";   # Where to find the password
        };
        email = {
          fromAddress = "news@mydomain";              # Address for outgoing email
          fromName = "News at mydomain";              # Display name for outgoing email
        };
        selfUrlPath = "https://news.mydomain/";       # Root web URL
        virtualHost = "news.mydomain";                # Setup a virtualhost
      };

      services.postgresql = {
        enable = true;                                # Ensure postgresql is enabled
        authentication = ''
          local tt_rss all ident map=tt_rss-users
        '';
        identMap =                                    # Map the tt-rss user to postgresql
          ''
            tt_rss-users tt_rss tt_rss
          '';
      };

      services.nginx = {
        enable = true;                                # Enable Nginx
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        recommendedTlsSettings = true;
        virtualHosts."news.mydomain" = {              # TT-RSS hostname
          enableACME = true;                          # Use ACME certs
          forceSSL = true;                            # Force SSL
        };
      };

      security.acme.certs = {
        "news.mydomain".email = "email@mydomain";
      };
    }

This line from the above file should stand out:

    passwordFile = "/run/keys/tt-rss-dbpass"; # Where to find the password

The passwordFile option requires that you use a secrets file with NixOps. Where does that file come from? It's pulled from a secrets.nix file that, for this example, could look like this:

    { config, pkgs, ... }:

    {
      deployment.keys = {
        # Database key for TT-RSS
        tt-rss-dbpass = {
          text = "vaetohH{u9Veegh3caechish"; # Password, generated using pwgen -yB 24
          user = "tt_rss";                   # User to own the key file
          group = "wheel";                   # Group to own the key file
          permissions = "0640";              # Key file permissions
        };
      };
    }

The file's path, /run/keys/tt-rss-dbpass, is determined by the elements: deployment.keys determines the initial path of /run/keys, and the next element, tt-rss-dbpass, is a descriptive name provided by the stanza's author to describe the key's use and also provide the final file name.
Now that we have described the TT-RSS service in tt-rss_for_NixOps.nix and the required credentials in secrets.nix we need to pull it all together for deployment. We achieve that in this case by importing both these files into our existing host definition:
myhost.nix:

    {
      myhost =
        { config, pkgs, lib, ... }:
        {
          imports =
            [
              ./secrets.nix                     # Import our secrets
              ./servers/tt-rss_for_NixOps.nix   # Import TT-RSS description
            ];

          deployment.targetHost = "192.168.132.123"; # Target's IP address
          networking.hostName = "myhost";            # Target's hostname.
        };
    }

To deploy TT-RSS to your NixOps managed host, you merely run the deploy command for your already configured host and deployment, which would look like this:

    $ nixops deploy -d MyDeployment --include myhost

You should now have a running TT-RSS server and be able to log in with the default admin user (admin: password).
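Once the deploy has finished, the key file on the target can be compared with the user, group and permissions declared for it in secrets.nix. The script below is an added example, not part of the original post or of NixOps; the function names check_key and octal are made up for it, and it assumes a stat that supports -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example, not from the original post: compare a key file deployed by
# NixOps with the user/group/permissions declared for it in secrets.nix.
# Assumes a stat that understands -c (GNU coreutils or BusyBox).

# Normalise "0640" and "640" to the same octal string.
octal() { printf '%o' "0${1#0}"; }

# check_key PATH USER GROUP MODE -> prints findings, returns 0 only if clean.
check_key() {
    path=$1; want_user=$2; want_group=$3; want_mode=$4
    rc=0

    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL $path: missing or not a regular file"
        return 1
    fi

    # Owner name, group name and octal mode, e.g. "tt_rss wheel 640".
    meta=$(stat -c '%U %G %a' "$path") || return 1
    have_user=${meta%% *}
    rest=${meta#* }
    have_group=${rest%% *}
    have_mode=${rest#* }

    [ "$have_user" = "$want_user" ] ||
        { echo "FAIL $path: owner $have_user, declared $want_user"; rc=1; }
    [ "$have_group" = "$want_group" ] ||
        { echo "FAIL $path: group $have_group, declared $want_group"; rc=1; }
    [ "$(octal "$have_mode")" = "$(octal "$want_mode")" ] ||
        { echo "FAIL $path: mode $have_mode, declared $want_mode"; rc=1; }

    # Whatever was declared, a secret must not be accessible to "other".
    case $have_mode in
        *[1-7]) echo "FAIL $path: mode $have_mode grants access to other"; rc=1 ;;
    esac

    # Informational: with group read set, every group member can read the secret.
    group_digit=${have_mode%?}
    group_digit=${group_digit#"${group_digit%?}"}
    case $group_digit in
        [4-7]) echo "NOTE $path: readable by all members of group $have_group" ;;
    esac

    return "$rc"
}

# When called with arguments, check that one key file; exit status = result.
[ "$#" -eq 0 ] || check_key "$@"
```

Saved under a name of your choosing (check_key.sh here) and run on the target as `sh check_key.sh /run/keys/tt-rss-dbpass tt_rss wheel 0640`, it checks the values used in this post.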
In my nixos-examples repo I have a servers directory with some example files and a README with information and instructions. You can use two of the files to generate a TT-RSS VM to take a quick poke around. There is also an example of how you can deploy TT-RSS in production using NixOps, as per this post.
If you wish to dig a little deeper, I have my production deployment over at mio-ops.