Add service ActualBudget

2026-03-26 22:41:11 +01:00 · 2026-03-26 22:41:11 +01:00 · 9d623b94e1
commit 9d623b94e1
parent 888d0e1271
9 changed files with 132 additions and 0 deletions
--- a/hosts/actual/default.nix
+++ b/hosts/actual/default.nix
@ -0,0 +1,42 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+let
+  p = import ../parameters.nix;
+in
+{
+
+  age.secrets = {
+    actual-openid-client-secret = {
+      file = ../../secrets/actual-openid-client-secret.age;
+    };
+  };
+
+  my = {
+    utils = {
+      commons.enable = true;
+      lxc-standard.enable = true;
+    };
+
+    services.actual = {
+      enable = true;
+      settings = {
+        openId = {
+          discoveryURL = "https://auth.${p.domains.public}/application/o/actual/.well-known/openid-configuration";
+          client_id = "PVOPLIfXxUiXT5ydn9QR7ht6XAoSJVMhwR5Kbt0I";
+          client_secret._secret = config.age.secrets.actual-openid-client-secret.path;
+          server_hostname = "https://actual.${p.domains.public}";
+          authMethod = "openid";
+        };
+      };
+    };
+
+    virtualisation.proxmox.enable = true;
+  };
+
+  environment.systemPackages = with pkgs; [ ];
+
+  system.stateVersion = "25.11";
+}
--- a/hosts/caddy/default.nix
+++ b/hosts/caddy/default.nix
@ -98,6 +98,12 @@ in
        host = p.hosts.paperless;
      };

+      actual.proxy = {
+        enable = true;
+        domain = p.domains.public;
+        host = p.hosts.actual;
+      };
+
      searx = {
        enable = true;
        secretFile = config.age.secrets.searx-secret.path;
--- a/hosts/hosts.nix
+++ b/hosts/hosts.nix
@ -1,6 +1,15 @@
 # Single source of truth for all host definitions
 # Each host specifies its module path, deployment tags, and optional flags
 {
+  actual = {
+    module = ./actual;
+    tags = [
+      "lxc"
+      "bacco"
+      "actual"
+    ];
+  };
+
  arr = {
    module = ./arr;
    tags = [
@ -34,6 +43,7 @@
      "immich"
      "firefly-iii"
      "paperless"
+      "actual"
    ];
  };

--- a/hosts/parameters.nix
+++ b/hosts/parameters.nix
@ -35,6 +35,7 @@ in
    ilpost-podcast = "ilpost-podcast.${private-domain}";
    librenms = "librenms.${private-domain}";
    collabora = "collabora.${private-domain}";
+    actual = "actual-budget.${private-domain}";
  };
  personal = {
    username = "pazpi";
--- a/modules/services/actual.nix
+++ b/modules/services/actual.nix
@ -0,0 +1,70 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  cfg = config.my.services.actual;
+in
+{
+
+  options.my.services.actual = {
+    enable = lib.mkEnableOption "Actual Budget server (services.actual)";
+
+    settings = lib.mkOption {
+      default = { };
+      description = ''
+        Merged into services.actual.settings. Use `._secret` for file-backed
+        values per upstream Actual / NixOS module docs.
+      '';
+    };
+
+    proxy = {
+      enable = lib.mkEnableOption "Set the Caddy reverse proxy entry for this service";
+
+      domain = lib.mkOption {
+        default = "example.com";
+        type = lib.types.str;
+        description = ''
+          The domain where Caddy is reachable
+        '';
+      };
+
+      subdomain = lib.mkOption {
+        default = "budget";
+        type = lib.types.str;
+        description = ''
+          Subdomain for Actual Budget
+        '';
+      };
+
+      host = lib.mkOption {
+        default = "localhost";
+        type = lib.types.str;
+        description = ''
+          Hostname where Actual is listening
+        '';
+      };
+
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.enable {
+      services.actual = {
+        enable = true;
+        openFirewall = true;
+        settings = cfg.settings;
+      };
+    })
+
+    (lib.mkIf cfg.proxy.enable {
+      services.caddy = with cfg.proxy; {
+        virtualHosts."${subdomain}.${domain}".extraConfig = ''
+          reverse_proxy http://${host}:${toString config.services.actual.settings.port}
+          import cloudflare_${domain}
+        '';
+      };
+    })
+  ];
+}
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -1,5 +1,6 @@
 {
  imports = [
+    ./actual.nix
    ./authentik.nix
    ./dashy.nix
    ./firefly-iii.nix
--- a/secrets.nix
+++ b/secrets.nix
@ -24,6 +24,7 @@ let
    firefly-iii-app-key = [ machines.firefly-iii ];
    paperless-admin = [ machines.paperless ];
    paperless-oauth2-client-secret = [ machines.paperless ];
+    actual-openid-client-secret = [ machines.actual-budget ];
    zigbee2mqtt-password = [ machines.zigbee2mqtt ];
    mqtt-password = [ machines.zigbee2mqtt ];
    scaleway-password = [
--- a/secrets/actual-openid-client-secret.age
+++ b/secrets/actual-openid-client-secret.age
--- a/ssh-keys.nix
+++ b/ssh-keys.nix
@ -29,6 +29,7 @@ rec {
    ilpost-podcast = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHo3tGrspZlSVbC1X/MHFFwDGj8G8+ZrZihU28DkbJEh";
    colmena = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOVg0/MhkyTsZBITT0nZvH0hWskPJ7lyC5Mw70duczq";
    collabora = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICSaXqZ+gqkbRJxsHRvCXw9U2Zip8YlPjbEIgPEzevO3";
+    actual-budget = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICsvkaeZeTXtowXFcKmtx3ElzNXU4cW4Ti6pR2BBfPFk";
  };

  # Machines able to provisioning other machines