Miniflux

Miniflux is a minimalist, self-hosted RSS/Atom feed reader available at miniflux.hdhomelab.com. All state lives in PostgreSQL — there are no persistent volumes to manage.


Deployment

Miniflux runs in Kubernetes (media namespace) as a single-replica Deployment. It authenticates users via Authentik OIDC and stores all data in an external PostgreSQL database.

graph LR
    User -->|HTTPS| Gateway[Cilium Gateway]
    Gateway --> Miniflux[Miniflux Deployment]
    Miniflux -->|DATABASE_URL| PostgreSQL[(PostgreSQL NAS)]
    Miniflux -->|OIDC| Authentik[Authentik SSO]
    Vault -->|ExternalSecret| K8sSecret[K8s Secret]
    K8sSecret -->|env vars| Miniflux

  • URL: miniflux.hdhomelab.com
  • Namespace: media
  • Database: PostgreSQL on NAS — role miniflux, db miniflux
  • Auth: Authentik OIDC
  • Image: ghcr.io/miniflux/miniflux
  • Config: flux/apps/noah/media/miniflux/


Secrets

Secrets are pulled from Vault and assembled by the ExternalSecrets operator. The DATABASE_URL is constructed via a template — only atomic credentials are stored in Vault.

| Vault path | Key | Used as |
|---|---|---|
| psql/miniflux | username | Interpolated into DATABASE_URL |
| psql/miniflux | password | Interpolated into DATABASE_URL |
| miniflux/oidc | client-id | OAUTH2_CLIENT_ID |
| miniflux/oidc | client-secret | OAUTH2_CLIENT_SECRET |

The ExternalSecret template constructs the connection string at sync time:

externalsecret.yaml (template)
template:
  data:
    database-url: "postgres://{{ .db_username }}:{{ .db_password }}@nas:5432/miniflux?sslmode=disable"

No manual secret required

After running tofu apply for the psql module, the credentials are stored in Vault automatically. The ExternalSecret handles constructing the full DATABASE_URL — no manual secret writing needed.
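
An added example (not part of the original page or of the project's configuration): a Python check that renders the connection string the way the template above does and audits the result. It shows two things the template leaves open: a password containing URL-reserved characters changes how the URL parses, and sslmode=disable leaves the link to the NAS unencrypted. The function names and the sample password are constructed for illustration.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Standard PostgreSQL sslmode values that leave the link unencrypted or the
# server unauthenticated.
WEAK_SSLMODES = {
    "disable": "no TLS, credentials and data cross the network in clear text",
    "allow": "TLS is opportunistic and can be downgraded",
    "prefer": "TLS is opportunistic and can be downgraded",
    "require": "encrypted, but the server certificate is not verified",
}


def render_raw(user, password, host="nas", port=5432, db="miniflux", sslmode="disable"):
    """Mimic the template on this page: values are interpolated without escaping."""
    return f"postgres://{user}:{password}@{host}:{port}/{db}?sslmode={sslmode}"


def render_encoded(user, password, host="nas", port=5432, db="miniflux", sslmode="disable"):
    """Same URL, with the userinfo percent-encoded so reserved characters survive."""
    return render_raw(quote(user, safe=""), quote(password, safe=""), host, port, db, sslmode)


def audit(url, expected_host="nas", expected_db="miniflux"):
    """Return a list of findings for a rendered DATABASE_URL (empty list means clean)."""
    findings = []
    parts = urlsplit(url)
    # A raw '@', '/', '?' or '#' in the password shifts where the host and path begin.
    if parts.hostname != expected_host or parts.path != f"/{expected_db}":
        findings.append(f"mis-parsed target: host={parts.hostname!r} path={parts.path!r}")
    sslmode = parse_qs(parts.query).get("sslmode", [""])[0]
    if sslmode in WEAK_SSLMODES:
        findings.append(f"sslmode={sslmode}: {WEAK_SSLMODES[sslmode]}")
    return findings


if __name__ == "__main__":
    sample_password = "p@ss/w0rd"  # constructed sample, not a real credential
    candidates = (
        render_raw("miniflux", sample_password),
        render_encoded("miniflux", sample_password, sslmode="verify-full"),
    )
    for url in candidates:
        print(url, audit(url) or "OK")
```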


OIDC Configuration

Miniflux authenticates users via Authentik using OpenID Connect.

| Setting | Value |
|---|---|
| OAUTH2_PROVIDER | oidc |
| OAUTH2_OIDC_PROVIDER_NAME | Authentik |
| OAUTH2_REDIRECT_URL | https://miniflux.hdhomelab.com/oauth2/oidc/callback |
| OAUTH2_OIDC_DISCOVERY_ENDPOINT | https://auth.hdhomelab.com/application/o/miniflux/.well-known/openid-configuration |

The OIDC application and provider are managed via OpenTofu. The entry in tofu/tf-deploy/authentik/locals.tf:

locals.tf
miniflux = {
  name = "Miniflux"
  type = "oidc"
  groups = {
    miniflux_user = {
      user_names = distinct(concat(local.admin_users, local.power_users, local.family_power_users))
      bind_order = 10
    }
  }
  redirect_uris = [{
    matching_mode = "strict"
    url           = "https://miniflux.hdhomelab.com/oauth2/oidc/callback"
  }]
}

Client credentials are written to Vault at apps/miniflux/oidc automatically after apply.


PostgreSQL Setup

The miniflux role and database are provisioned via the psql module. See PostgreSQL Provisioning for the full pattern.

The entry in tofu/tf-deploy/psql/locals.tf:

locals.tf
miniflux = {
  create_password = true
  databases = {
    miniflux = {}
  }
}

Apply PostgreSQL changes
cd tofu/tf-deploy/psql
tofu init -backend-config=backend.pg.tfbackend
tofu plan -out plan.out
tofu apply plan.out

Tip

After applying, credentials are stored in Vault at apps/psql/miniflux. The ExternalSecret picks them up automatically on the next sync cycle.


Key Environment Variables

| Variable | Value |
|---|---|
| DATABASE_URL | Constructed by ExternalSecret template |
| BASE_URL | https://miniflux.hdhomelab.com |
| RUN_MIGRATIONS | 1 (auto-run DB migrations on startup) |
| OAUTH2_PROVIDER | oidc |
| OAUTH2_CLIENT_ID | From Vault via ExternalSecret |
| OAUTH2_CLIENT_SECRET | From Vault via ExternalSecret |
| OAUTH2_REDIRECT_URL | https://miniflux.hdhomelab.com/oauth2/oidc/callback |
| OAUTH2_OIDC_DISCOVERY_ENDPOINT | Authentik discovery URL |
| OAUTH2_OIDC_PROVIDER_NAME | Authentik |