mirror of https://github.com/tommytran732/Miniflux-Docker-Compose synced 2024-11-12 17:31:33 -05:00

Initial upload

Signed-off-by: Tommy <contact@tommytran.io>
Tommy 2022-12-04 17:19:24 -05:00
parent 6021f14f92
commit 87d9f16e87
No known key found for this signature in database
GPG Key ID: 060B29EB996BD9F2
5 changed files with 169 additions and 0 deletions

7
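--- a/README.md
+++ b/README.md
@@ -0,0 +1,7 @@
+# Miniflux-Docker-Compose
+Miniflux Docker-Compose
+1. Update `docker-compose.yml`
+2. Update the hostname in `swag/nginx/proxy-confs/miniflux.subdomain.conf` approprieately.
+3. Run `docker-compose up` and make sure nothing errors out. You can use `docker-compose up -d` to start it in the background if you want.
+4. (Optional) Apply `style.css` in the `Custom CSS` section in settings. This theme is from [reeseovine/miniflux-midnight](https://github.com/reeseovine/miniflux-midnight), I just removed the google remote google CSS lines as they are not necessary and cause issues with CSP. There is no license file in the repository or its upstream unfortunately.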

81
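--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,81 @@
+version: "3"
+services:
+miniflux:
+image: miniflux/miniflux:latest
+container_name: miniflux
+restart: unless-stopped
+depends_on:
+- postgres
+environment:
+- DATABASE_URL=postgres://miniflux:YOUR_POSTGRES_PASSWORD@postgres/miniflux?sslmode=disable
+- RUN_MIGRATIONS=1
+- CREATE_ADMIN=1
+- ADMIN_USERNAME=admin
+- ADMIN_PASSWORD=changeme
+networks:
+- miniflux
+- postgres
+user: "65534:65534"
+read_only: true
+security_opt:
+- no-new-privileges:true
+cap_drop:
+- ALL
+postgres:
+image: postgres:15-alpine
+container_name: postgres
+restart: unless-stopped
+environment:
+- POSTGRES_USER=miniflux
+- POSTGRES_PASSWORD=YOUR_POSTGRES_PASSWORD
+volumes:
+- postgres:/var/lib/postgresql/data
+networks:
+- postgres
+healthcheck:
+test: ["CMD", "pg_isready", "-U", "miniflux"]
+interval: 15s
+timeout: 5s
+user: "70:70"
+read_only: true
+tmpfs:
+- /var/run/postgresql:size=50M,mode=0770,uid=70,gid=70,noexec,nosuid,nodev
+security_opt:
+- no-new-privileges:true
+cap_drop:
+- ALL
+swag:
+image: ghcr.io/linuxserver/swag
+container_name: swag
+restart: unless-stopped
+environment:
+- PUID=1000
+- PGID=1000
+- URL=yourdomain.tld
+- SUBDOMAINS=rss
+- VALIDATION=http
+- EMAIL=contact@tommytran.io
+- ONLY_SUBDOMAINS=true
+volumes:
+- ./swag:/config:Z
+- /etc/timezone:/etc/timezone:ro
+- /etc/localtime:/etc/localtime:ro
+ports:
+- 443:443
+- 80:80
+networks:
+- miniflux
+security_opt:
+- no-new-privileges:true
+cap_add:
+- NET_ADMIN
+networks:
+miniflux:
+postgres:
+volumes:
+postgres: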
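Review bot: `ADMIN_PASSWORD=changeme` alongside `CREATE_ADMIN=1` and `ADMIN_USERNAME=admin` in the miniflux service means the first start creates a well-known admin login on an instance that swag publishes on ports 80 and 443. Unlike `YOUR_POSTGRES_PASSWORD`, the value does not read as a placeholder, and README step 1 only says to update the file, so I would change it to `- ADMIN_PASSWORD=YOUR_ADMIN_PASSWORD` and name both secrets in the README, or supply them through `ADMIN_PASSWORD_FILE` and `POSTGRES_PASSWORD_FILE` so they stay out of the compose file. Separately, `miniflux/miniflux:latest` and the untagged `ghcr.io/linuxserver/swag` float, so a pull can change what runs; pinning a version tag or digest would make the deployment reproducible. `EMAIL=contact@tommytran.io` also looks like the author's own address rather than a placeholder, and would be worth replacing with one.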

1
style.css Normal file

File diff suppressed because one or more lines are too long


@ -0,0 +1,39 @@
## Version 2022/09/08
# make sure that your dns has a cname set for miniflux
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name rss.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth (requires ldap-location.conf in the location block)
#include /config/nginx/ldap-server.conf;
# enable for Authelia (requires authelia-location.conf in the location block)
#include /config/nginx/authelia-server.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable for ldap auth (requires ldap-server.conf in the server block)
#include /config/nginx/ldap-location.conf;
# enable for Authelia (requires authelia-server.conf in the server block)
#include /config/nginx/authelia-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app miniflux;
set $upstream_port 8080;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}
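Review bot: `client_max_body_size 0;` in the server block removes nginx's request-body size limit for every request to this vhost, and nothing visible in this commit suggests the proxied application needs unbounded uploads. A bounded value, for example `client_max_body_size 10m;`, with a comment such as `# large enough for OPML imports; raise only if uploads fail`, would keep an oversized request from being accepted at the edge. All the optional auth includes are left commented out, so the application's own login is the only access control on this listener; a one-line comment stating that this is intentional would help the next reader.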

41
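--- a/swag/ssl.conf
+++ b/swag/ssl.conf
@@ -0,0 +1,41 @@
+Version 2022/08/20 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample
+### Mozilla Recommendations
+# generated 2022-08-05, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /config/nginx/dhparams.pem;
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
+ssl_prefer_server_ciphers on;
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /config/keys/cert.crt;
+# Optional additional headers
+add_header Content-Security-Policy "default-src 'none'; frame-src *; img-src *; manifest-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'";
+add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
+add_header Referrer-Policy "same-origin" always;
+add_header X-Content-Type-Options "nosniff" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+add_header X-XSS-Protection "0" always;
+add_header Cross-Origin-Resource-Policy cross-origin;
+#add_header Cross-Origin-Embedder-Policy require-corp;
+add_header Cross-Origin-Opener-Policy same-origin;
+add_header Expect-CT "enforce, max-age=63072000";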
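Review bot: The hardened settings in this file may never be loaded, because it lands at `swag/ssl.conf`, which the `./swag:/config:Z` mount in docker-compose.yml would expose as `/config/ssl.conf`, while the proxy conf in this commit uses `include /config/nginx/ssl.conf;`. That is inferred from the paths visible on this page; moving the file to `swag/nginx/ssl.conf` or adding a README step to copy it there would close the gap. Within the file, the Content-Security-Policy, Permissions-Policy, Cross-Origin-* and Expect-CT `add_header` lines lack `always`, so nginx omits them on error responses, and the Strict-Transport-Security line is still commented out even though the vhost only listens on 443. The `ssl_ciphers` list is ECDSA-only, which under TLS 1.2 requires an ECDSA certificate, and the `# intermediate configuration` comment above it no longer matches; a comment such as `# ECDSA-only subset of Mozilla intermediate; requires an ECDSA certificate` would make the constraint explicit.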