Initial upload

Signed-off-by: Tommy <contact@tommytran.io>

README.md

@@ -0,0 +1,7 @@
+# Miniflux-Docker-Compose
+Miniflux Docker-Compose
+
+1. Update `docker-compose.yml`
+2. Update the hostname in `swag/nginx/proxy-confs/miniflux.subdomain.conf` approprieately.
+3. Run `docker-compose up` and make sure nothing errors out. You can use `docker-compose up -d` to start it in the background if you want.
+4. (Optional) Apply `style.css` in the `Custom CSS` section in settings. This theme is from [reeseovine/miniflux-midnight](https://github.com/reeseovine/miniflux-midnight), I just removed the google remote google CSS lines as they are not necessary and cause issues with CSP. There is no license file in the repository or its upstream unfortunately.

docker-compose.yml

@@ -0,0 +1,81 @@
+version: "3"
+
+services:
+  miniflux:
+    image: miniflux/miniflux:latest
+    container_name: miniflux
+    restart: unless-stopped
+    depends_on:
+      - postgres
+    environment:
+      - DATABASE_URL=postgres://miniflux:YOUR_POSTGRES_PASSWORD@postgres/miniflux?sslmode=disable
+      - RUN_MIGRATIONS=1
+      - CREATE_ADMIN=1
+      - ADMIN_USERNAME=admin
+      - ADMIN_PASSWORD=changeme
+    networks:
+      - miniflux
+      - postgres
+    user: "65534:65534"
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+
+  postgres:
+    image: postgres:15-alpine
+    container_name: postgres
+    restart: unless-stopped
+    environment:
+      - POSTGRES_USER=miniflux
+      - POSTGRES_PASSWORD=YOUR_POSTGRES_PASSWORD
+    volumes:
+      - postgres:/var/lib/postgresql/data
+    networks:
+      - postgres
+    healthcheck:
+      test: ["CMD", "pg_isready", "-U", "miniflux"]
+      interval: 15s
+      timeout: 5s
+    user: "70:70"
+    read_only: true
+    tmpfs:
+      - /var/run/postgresql:size=50M,mode=0770,uid=70,gid=70,noexec,nosuid,nodev
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+
+  swag:
+    image: ghcr.io/linuxserver/swag
+    container_name: swag
+    restart: unless-stopped
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - URL=yourdomain.tld
+      - SUBDOMAINS=rss
+      - VALIDATION=http
+      - EMAIL=contact@tommytran.io
+      - ONLY_SUBDOMAINS=true
+    volumes:
+      - ./swag:/config:Z
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - 443:443
+      - 80:80
+    networks:
+      - miniflux
+    security_opt:
+      - no-new-privileges:true
+    cap_add:
+      - NET_ADMIN
+
+networks:
+  miniflux:
+  postgres:
+
+volumes:
+  postgres:

swag/proxy-confs/miniflux.subdomain.conf

@@ -0,0 +1,39 @@
+## Version 2022/09/08
+# make sure that your dns has a cname set for miniflux
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name rss.*;
+
+    include /config/nginx/ssl.conf;
+
+    client_max_body_size 0;
+
+    # enable for ldap auth (requires ldap-location.conf in the location block)
+    #include /config/nginx/ldap-server.conf;
+
+    # enable for Authelia (requires authelia-location.conf in the location block)
+    #include /config/nginx/authelia-server.conf;
+
+    location / {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        include /config/nginx/proxy.conf;
+        include /config/nginx/resolver.conf;
+        set $upstream_app miniflux;
+        set $upstream_port 8080;
+        set $upstream_proto http;
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+    }
+}

swag/ssl.conf

@@ -0,0 +1,41 @@
+ Version 2022/08/20 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample
+
+### Mozilla Recommendations
+# generated 2022-08-05, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /config/nginx/dhparams.pem;
+
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
+ssl_prefer_server_ciphers on;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+#add_header Strict-Transport-Security "max-age=63072000" always;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /config/keys/cert.crt;
+
+# Optional additional headers
+add_header Content-Security-Policy "default-src 'none'; frame-src *; img-src *; manifest-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'";
+add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
+add_header Referrer-Policy "same-origin" always;
+add_header X-Content-Type-Options "nosniff" always;
+#add_header X-UA-Compatible "IE=Edge" always;
+add_header X-XSS-Protection "0" always;
+add_header Cross-Origin-Resource-Policy cross-origin;
+#add_header Cross-Origin-Embedder-Policy require-corp;
+add_header Cross-Origin-Opener-Policy same-origin;
+add_header Expect-CT "enforce, max-age=63072000";