From 9ad00da92a0b26823d9ea7537d90d22806d60f64 Mon Sep 17 00:00:00 2001
From: pazpi <davide@pasetto.me>
Date: Tue, 14 Apr 2026 16:23:58 +0200
Subject: [PATCH] fix agenix secrets for actual budget

---
 modules/services/actual.nix | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/modules/services/actual.nix b/modules/services/actual.nix
index 6396397..610e5ff 100644
--- a/modules/services/actual.nix
+++ b/modules/services/actual.nix
@@ -51,6 +51,15 @@ in
 
   config = lib.mkMerge [
     (lib.mkIf cfg.enable {
+      # Upstream services.actual uses DynamicUser; without a static passwd entry,
+      # activation-time chown (e.g. agenix) for owner "actual" fails.
+      users.groups.actual = { };
+      users.users.actual = {
+        isSystemUser = true;
+        group = "actual";
+        description = "Actual Budget server";
+      };
+
       services.actual = {
         enable = true;
         openFirewall = true;