Miniflux
A minimalist, self-hosted RSS feed reader.
Miniflux is a fast, opinionated, and minimalist RSS/Atom feed reader built in Go. It focuses on simplicity and speed, offering keyboard navigation, a clean reading interface, and a comprehensive API. Self-hosting avoids subscription fees and keeps your reading habits private.
Alternatives considered
Cloud Hosted
| Tool | Open Source | Free Tier | Monthly Cost |
|---|---|---|---|
| Feedly | No | Limited | From $5/mo |
| Inoreader | No | Limited | From $7.50/mo |
Self Hosted
| Tool | Open Source | Full Features | Notes |
|---|---|---|---|
| FreshRSS | Yes | Yes | More UI options, heavier than Miniflux |
Installation
Architecture
- Deployment: Single
minifluxdeployment in theminifluxnamespace - Image:
miniflux/miniflux:2.2.19-distroless(digest-pinned) - Database: CNPG PostgreSQL cluster (two Longhorn-encrypted PVCs for HA)
- Networking: HTTPRoute via internal gateway
Security
- Runs as
runAsUser: 1000,runAsNonRoot: true,allowPrivilegeEscalation: false, capabilities dropped - Distroless image minimizes attack surface
- CNPG PVCs encrypted at rest
Updates
Managed by Renovate. Image is digest-pinned.
Data Management
- Database: CNPG PostgreSQL cluster (Longhorn-encrypted PVCs, HA with two replicas)
- Backups: k8up
Schedulebacks up CNPG Longhorn PVCs to Hetzner S3.PreBackupPoduses the PostgreSQL image to runpg_dumpbefore the backup for consistency.
User Management
OIDC configured via OAUTH2_PROVIDER, OAUTH2_CLIENT_ID, OAUTH2_CLIENT_SECRET, OAUTH2_OIDC_DISCOVERY_ENDPOINT, OAUTH2_OIDC_PROVIDER_NAME, and OAUTH2_REDIRECT_URL — all from SOPS-encrypted secret. OAUTH2_USER_CREATION enabled for automatic account provisioning on first SSO login.
Configuration Management
- OIDC credentials, database URL from SOPS-encrypted secret
- Database credentials injected from CNPG-generated secret
Administration
Usage
Add RSS/Atom feed URLs via the web UI or API. Use keyboard shortcuts (j/k for navigation, m for mark read, v to open in browser) for efficient reading. The Fever and Google Reader compatible APIs allow connecting third-party mobile apps like Reeder or NetNewsWire.
Cluster-specific deviations from the above live in the per-cluster README — see k8s/apps/talos/miniflux/README.md.
Cluster Deployment
Miniflux — Talos cluster
Cluster-specific notes only. General product info, "why we use it", and alternatives live in docusaurus/docs/apps/miniflux.mdx.
Deviations from defaults
Defaults live in docusaurus/docs/apps/miniflux.mdx — document anything this cluster does differently here, with a one-line reason.
- Image:
miniflux/miniflux:2.3.1-distroless@sha256:6361b075e6189c10f3ac7d18733e467bd3bbf965de2ad5a64a0fb9809456989e
Rendered manifests (kustomize build)
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
kustomize.toolkit.fluxcd.io/force: enabled
labels:
app.kubernetes.io/instance: miniflux
app.kubernetes.io/name: miniflux
name: miniflux
namespace: miniflux
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/instance: miniflux
app.kubernetes.io/name: miniflux
ingress: public
template:
metadata:
labels:
app.kubernetes.io/instance: miniflux
app.kubernetes.io/name: miniflux
ingress: public
spec:
containers:
- env:
- name: DATABASE_URL
valueFrom:
secretKeyRef:
key: uri
name: cnpg-app
envFrom:
- secretRef:
name: miniflux
image: miniflux/miniflux:2.3.1-distroless@sha256:6361b075e6189c10f3ac7d18733e467bd3bbf965de2ad5a64a0fb9809456989e
name: miniflux
ports:
- containerPort: 8080
name: web
protocol: TCP
readinessProbe:
failureThreshold: 1
httpGet:
path: /
port: 8080
initialDelaySeconds: 5
periodSeconds: 3
successThreshold: 1
timeoutSeconds: 2
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault