pazpi/nix
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

actual-budget #26

Merged
pazpi merged 3 commits from actual-budget into master 2026-03-30 09:21:37 +02:00
Conversation 0 Commits 3 Files changed 33 +132
9 changed files with 132 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 9d623b94e1 - Show all commits

42
hosts/actual/default.nix Normal file
View file

@ -0,0 +1,42 @@
{
config,
pkgs,
...
}:
let
p = import ../parameters.nix;
in
{
age.secrets = {
actual-openid-client-secret = {
file = ../../secrets/actual-openid-client-secret.age;
};
};
my = {
utils = {
commons.enable = true;
lxc-standard.enable = true;
};
services.actual = {
enable = true;
settings = {
openId = {
discoveryURL = "https://auth.${p.domains.public}/application/o/actual/.well-known/openid-configuration";
client_id = "PVOPLIfXxUiXT5ydn9QR7ht6XAoSJVMhwR5Kbt0I";
client_secret._secret = config.age.secrets.actual-openid-client-secret.path;
server_hostname = "https://actual.${p.domains.public}";
authMethod = "openid";
};
};
};
virtualisation.proxmox.enable = true;
};
environment.systemPackages = with pkgs; [ ];
system.stateVersion = "25.11";
}

6
hosts/caddy/default.nix
View file

@ -98,6 +98,12 @@ in
host = p.hosts.paperless; host = p.hosts.paperless;
}; };
actual.proxy = {
enable = true;
domain = p.domains.public;
host = p.hosts.actual;
};
searx = { searx = {
enable = true; enable = true;
secretFile = config.age.secrets.searx-secret.path; secretFile = config.age.secrets.searx-secret.path;

10
hosts/hosts.nix
View file

@ -1,6 +1,15 @@
# Single source of truth for all host definitions # Single source of truth for all host definitions
# Each host specifies its module path, deployment tags, and optional flags # Each host specifies its module path, deployment tags, and optional flags
{ {
actual = {
module = ./actual;
tags = [
"lxc"
"bacco"
"actual"
];
};
arr = { arr = {
module = ./arr; module = ./arr;
tags = [ tags = [
@ -34,6 +43,7 @@
"immich" "immich"
"firefly-iii" "firefly-iii"
"paperless" "paperless"
"actual"
]; ];
}; };

1
hosts/parameters.nix
View file

@ -35,6 +35,7 @@ in
ilpost-podcast = "ilpost-podcast.${private-domain}"; ilpost-podcast = "ilpost-podcast.${private-domain}";
librenms = "librenms.${private-domain}"; librenms = "librenms.${private-domain}";
collabora = "collabora.${private-domain}"; collabora = "collabora.${private-domain}";
actual = "actual-budget.${private-domain}";
}; };
personal = { personal = {
username = "pazpi"; username = "pazpi";

70
modules/services/actual.nix Normal file
View file

@ -0,0 +1,70 @@
{
lib,
config,
...
}:
let
cfg = config.my.services.actual;
in
{
options.my.services.actual = {
enable = lib.mkEnableOption "Actual Budget server (services.actual)";
settings = lib.mkOption {
default = { };
description = ''
Merged into services.actual.settings. Use `._secret` for file-backed
values per upstream Actual / NixOS module docs.
'';
};
proxy = {
enable = lib.mkEnableOption "Set the Caddy reverse proxy entry for this service";
domain = lib.mkOption {
default = "example.com";
type = lib.types.str;
description = ''
The domain where Caddy is reachable
'';
};
subdomain = lib.mkOption {
default = "budget";
type = lib.types.str;
description = ''
Subdomain for Actual Budget
'';
};
host = lib.mkOption {
default = "localhost";
type = lib.types.str;
description = ''
Hostname where Actual is listening
'';
};
};
};
config = lib.mkMerge [
(lib.mkIf cfg.enable {
services.actual = {
enable = true;
openFirewall = true;
settings = cfg.settings;
};
})
(lib.mkIf cfg.proxy.enable {
services.caddy = with cfg.proxy; {
virtualHosts."${subdomain}.${domain}".extraConfig = ''
reverse_proxy http://${host}:${toString config.services.actual.settings.port}
import cloudflare_${domain}
'';
};
})
];
}

1
modules/services/default.nix
View file

@ -1,5 +1,6 @@
{ {
imports = [ imports = [
./actual.nix
./authentik.nix ./authentik.nix
./dashy.nix ./dashy.nix
./firefly-iii.nix ./firefly-iii.nix

1
secrets.nix
View file

@ -24,6 +24,7 @@ let
firefly-iii-app-key = [ machines.firefly-iii ]; firefly-iii-app-key = [ machines.firefly-iii ];
paperless-admin = [ machines.paperless ]; paperless-admin = [ machines.paperless ];
paperless-oauth2-client-secret = [ machines.paperless ]; paperless-oauth2-client-secret = [ machines.paperless ];
actual-openid-client-secret = [ machines.actual-budget ];
zigbee2mqtt-password = [ machines.zigbee2mqtt ]; zigbee2mqtt-password = [ machines.zigbee2mqtt ];
mqtt-password = [ machines.zigbee2mqtt ]; mqtt-password = [ machines.zigbee2mqtt ];
scaleway-password = [ scaleway-password = [

BIN
secrets/actual-openid-client-secret.age Normal file
View file

Binary file not shown.

1
ssh-keys.nix
View file

@ -29,6 +29,7 @@ rec {
ilpost-podcast = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHo3tGrspZlSVbC1X/MHFFwDGj8G8+ZrZihU28DkbJEh"; ilpost-podcast = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHo3tGrspZlSVbC1X/MHFFwDGj8G8+ZrZihU28DkbJEh";
colmena = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOVg0/MhkyTsZBITT0nZvH0hWskPJ7lyC5Mw70duczq"; colmena = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOVg0/MhkyTsZBITT0nZvH0hWskPJ7lyC5Mw70duczq";
collabora = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICSaXqZ+gqkbRJxsHRvCXw9U2Zip8YlPjbEIgPEzevO3"; collabora = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICSaXqZ+gqkbRJxsHRvCXw9U2Zip8YlPjbEIgPEzevO3";
actual-budget = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICsvkaeZeTXtowXFcKmtx3ElzNXU4cW4Ti6pR2BBfPFk";
}; };
# Machines able to provisioning other machines # Machines able to provisioning other machines