From 9d623b94e1f808e6efbbf972e0bf5f0992f54839 Mon Sep 17 00:00:00 2001
From: pazpi <davide@pasetto.me>
Date: Thu, 26 Mar 2026 22:41:11 +0100
Subject: [PATCH] Add service ActualBudget

---
 hosts/actual/default.nix                |  42 ++++++++++++++
 hosts/caddy/default.nix                 |   6 ++
 hosts/hosts.nix                         |  10 ++++
 hosts/parameters.nix                    |   1 +
 modules/services/actual.nix             |  70 ++++++++++++++++++++++++
 modules/services/default.nix            |   1 +
 secrets.nix                             |   1 +
 secrets/actual-openid-client-secret.age | Bin 0 -> 561 bytes
 ssh-keys.nix                            |   1 +
 9 files changed, 132 insertions(+)
 create mode 100644 hosts/actual/default.nix
 create mode 100644 modules/services/actual.nix
 create mode 100644 secrets/actual-openid-client-secret.age

diff --git a/hosts/actual/default.nix b/hosts/actual/default.nix
new file mode 100644
index 0000000..3b0a2e5
--- /dev/null
+++ b/hosts/actual/default.nix
@@ -0,0 +1,42 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+let
+  p = import ../parameters.nix;
+in
+{
+
+  age.secrets = {
+    actual-openid-client-secret = {
+      file = ../../secrets/actual-openid-client-secret.age;
+    };
+  };
+
+  my = {
+    utils = {
+      commons.enable = true;
+      lxc-standard.enable = true;
+    };
+
+    services.actual = {
+      enable = true;
+      settings = {
+        openId = {
+          discoveryURL = "https://auth.${p.domains.public}/application/o/actual/.well-known/openid-configuration";
+          client_id = "PVOPLIfXxUiXT5ydn9QR7ht6XAoSJVMhwR5Kbt0I";
+          client_secret._secret = config.age.secrets.actual-openid-client-secret.path;
+          server_hostname = "https://actual.${p.domains.public}";
+          authMethod = "openid";
+        };
+      };
+    };
+
+    virtualisation.proxmox.enable = true;
+  };
+
+  environment.systemPackages = with pkgs; [ ];
+
+  system.stateVersion = "25.11";
+}
diff --git a/hosts/caddy/default.nix b/hosts/caddy/default.nix
index 1fe826d..bb831ff 100644
--- a/hosts/caddy/default.nix
+++ b/hosts/caddy/default.nix
@@ -98,6 +98,12 @@ in
         host = p.hosts.paperless;
       };
 
+      actual.proxy = {
+        enable = true;
+        domain = p.domains.public;
+        host = p.hosts.actual;
+      };
+
       searx = {
         enable = true;
         secretFile = config.age.secrets.searx-secret.path;
diff --git a/hosts/hosts.nix b/hosts/hosts.nix
index 98e776b..9d21097 100644
--- a/hosts/hosts.nix
+++ b/hosts/hosts.nix
@@ -1,6 +1,15 @@
 # Single source of truth for all host definitions
 # Each host specifies its module path, deployment tags, and optional flags
 {
+  actual = {
+    module = ./actual;
+    tags = [
+      "lxc"
+      "bacco"
+      "actual"
+    ];
+  };
+
   arr = {
     module = ./arr;
     tags = [
@@ -34,6 +43,7 @@
       "immich"
       "firefly-iii"
       "paperless"
+      "actual"
     ];
   };
 
diff --git a/hosts/parameters.nix b/hosts/parameters.nix
index d55fccf..4c73a86 100644
--- a/hosts/parameters.nix
+++ b/hosts/parameters.nix
@@ -35,6 +35,7 @@ in
     ilpost-podcast = "ilpost-podcast.${private-domain}";
     librenms = "librenms.${private-domain}";
     collabora = "collabora.${private-domain}";
+    actual = "actual-budget.${private-domain}";
   };
   personal = {
     username = "pazpi";
diff --git a/modules/services/actual.nix b/modules/services/actual.nix
new file mode 100644
index 0000000..6396397
--- /dev/null
+++ b/modules/services/actual.nix
@@ -0,0 +1,70 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  cfg = config.my.services.actual;
+in
+{
+
+  options.my.services.actual = {
+    enable = lib.mkEnableOption "Actual Budget server (services.actual)";
+
+    settings = lib.mkOption {
+      default = { };
+      description = ''
+        Merged into services.actual.settings. Use `._secret` for file-backed
+        values per upstream Actual / NixOS module docs.
+      '';
+    };
+
+    proxy = {
+      enable = lib.mkEnableOption "Set the Caddy reverse proxy entry for this service";
+
+      domain = lib.mkOption {
+        default = "example.com";
+        type = lib.types.str;
+        description = ''
+          The domain where Caddy is reachable
+        '';
+      };
+
+      subdomain = lib.mkOption {
+        default = "budget";
+        type = lib.types.str;
+        description = ''
+          Subdomain for Actual Budget
+        '';
+      };
+
+      host = lib.mkOption {
+        default = "localhost";
+        type = lib.types.str;
+        description = ''
+          Hostname where Actual is listening
+        '';
+      };
+
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.enable {
+      services.actual = {
+        enable = true;
+        openFirewall = true;
+        settings = cfg.settings;
+      };
+    })
+
+    (lib.mkIf cfg.proxy.enable {
+      services.caddy = with cfg.proxy; {
+        virtualHosts."${subdomain}.${domain}".extraConfig = ''
+          reverse_proxy http://${host}:${toString config.services.actual.settings.port}
+          import cloudflare_${domain}
+        '';
+      };
+    })
+  ];
+}
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 53984e0..4bab929 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -1,5 +1,6 @@
 {
   imports = [
+    ./actual.nix
     ./authentik.nix
     ./dashy.nix
     ./firefly-iii.nix
diff --git a/secrets.nix b/secrets.nix
index 4a01d50..1868a3e 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -24,6 +24,7 @@ let
     firefly-iii-app-key = [ machines.firefly-iii ];
     paperless-admin = [ machines.paperless ];
     paperless-oauth2-client-secret = [ machines.paperless ];
+    actual-openid-client-secret = [ machines.actual-budget ];
     zigbee2mqtt-password = [ machines.zigbee2mqtt ];
     mqtt-password = [ machines.zigbee2mqtt ];
     scaleway-password = [
diff --git a/secrets/actual-openid-client-secret.age b/secrets/actual-openid-client-secret.age
new file mode 100644
index 0000000000000000000000000000000000000000..04eb2d50dfe31bbb31ba72255857966cc0af879e
GIT binary patch
literal 561
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTS(5@<UbW|ucsxnJ9
z3r>kjDot@Ub9FW;skC%7b@EL%O|3Lfa`O(&3-`}WOE&U}DCf#eGYWStGEA&8%Zc(U
zDk-z@$;$|Fb~g_853Wou_AKzJtc*(W%}C33Oh>n^v@qQ$t6ag^w<=TH#j`lIGBYS8
z#igPwGAy;QveeKyF(@;_pvtW{&@t3G%hTD|$(1X#z{J4ZBgi=0E6pn+GqNNiEH%?I
zC(%$pMLVRxxX`&cur#eQv9KUAzyjU2L<5fu-*N>vpW-5a|1hu8oNTZBNOOan(h~C&
zqr7m_;*1Il59i1blgLu%jMTh{h-|LN(kh?gLTB$XUz0*F!@!6vOJ^s?fDBJ}%OLY8
z-^9X#Jn!Ptv{0YmjASldU0nt5a+gf6L_fcRlFCGVXG@nf|IqN1DzEY~zqBxCM-$)T
z;;e%3(kyNF3InbM`BHDHmPdvy-EWrjH+4hpi#>d%Reu?lZP)Fadhoko{C#dGGs%ly
zvw3pA`xPp;)c;?}A0WW9aaX+fhIf~$yL8JI#9jWiV8Y#;>-+nc+!N2fAr!Km?S1S)
z(GT~otvzh}D3twY2Sdx#%O?+;@gJ+~kC063FUcxU?PxDxnkATIU-Mk+7`NrlqHTrE
c&x*1?+6#V(YW9nN@;NA}c)_okZ$hGa0D0`xjQ{`u

literal 0
HcmV?d00001

diff --git a/ssh-keys.nix b/ssh-keys.nix
index 79570df..9663480 100644
--- a/ssh-keys.nix
+++ b/ssh-keys.nix
@@ -29,6 +29,7 @@ rec {
     ilpost-podcast = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHo3tGrspZlSVbC1X/MHFFwDGj8G8+ZrZihU28DkbJEh";
     colmena = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOVg0/MhkyTsZBITT0nZvH0hWskPJ7lyC5Mw70duczq";
     collabora = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICSaXqZ+gqkbRJxsHRvCXw9U2Zip8YlPjbEIgPEzevO3";
+    actual-budget = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICsvkaeZeTXtowXFcKmtx3ElzNXU4cW4Ti6pR2BBfPFk";
   };
 
   # Machines able to provisioning other machines