feat: actual module

hosts/elisabeth/guests.nix

@@ -22,6 +22,7 @@
       kanidm = "auth";
       oauth2-proxy = "oauth2";
       netbird = "netbird";
+      actual = "actual";
     };
   in "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";
   # TODO hard coded elisabeth nicht so schön
@@ -57,7 +58,7 @@ in {
           + virtualHostExtraConfig;
       };
     };
-    proxyProtect = hostName: cfg:
+    proxyProtect = hostName: cfg: allowedGroup:
       lib.mkMerge [
         (blockOf hostName cfg)
         {
@@ -86,7 +87,7 @@ in {
             };
 
             locations."= /oauth2/auth" = {
-              proxyPass = "http://oauth2-proxy/oauth2/auth?allowed_groups=${hostName}_access";
+              proxyPass = "http://oauth2-proxy/oauth2/auth" + lib.optionalString allowedGroup "?allowed_groups=${hostName}_access";
               extraConfig = ''
                 internal;
 
@@ -151,12 +152,13 @@ in {
         };
       }
       (blockOf "vaultwarden" {maxBodySize = "1G";})
+      (blockOf "actual" {})
       (blockOf "forgejo" {maxBodySize = "1G";})
       (blockOf "immich" {maxBodySize = "5G";})
-      (proxyProtect "adguardhome" {})
+      (proxyProtect "adguardhome" {} true)
-      (proxyProtect "oauth2-proxy" {})
+      (proxyProtect "oauth2-proxy" {} false)
       (blockOf "paperless" {maxBodySize = "5G";})
-      (proxyProtect "ttrss" {port = 80;})
+      (proxyProtect "ttrss" {port = 80;} true)
       (blockOf "yourspotify" {port = 80;})
       (blockOf "apispotify" {
         port = 3000;
@@ -268,6 +270,7 @@ in {
     // mkContainer "ttrss" {}
     // mkContainer "yourspotify" {}
     // mkContainer "netbird" {}
+    // mkContainer "actual" {}
     // mkContainer "kanidm" {}
     // mkContainer "nextcloud" {
       enablePanzer = true;

hosts/elisabeth/secrets/actual/host.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINOcPKlxhRrF8gfAqI2yj8THuT8OTG4Yt5Rj8mHXR/vq

hosts/elisabeth/secrets/murmur/host.pub

@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDfJQBQg5BlE03TZw3MLGGPK/YjYqR59OpYOEsvJX3u3
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGzGvzKvKZAODPCH5qsV6USwnbeEMWfDGIXFMRr+HsU

modules/actual.nix

@@ -1,2 +1,83 @@
 {
+  lib,
+  pkgs,
+  config,
+  ...
+}: let
+  inherit
+    (lib)
+    types
+    mkEnableOption
+    mkPackageOption
+    mkOption
+    ;
+
+  cfg = config.services.actual;
+  configFile = formatType.generate "config.json" cfg.settings;
+
+  formatType = pkgs.formats.json {};
+in {
+  options.services.actual = {
+    enable = mkEnableOption "actual, a privacy focused app for managing your finances";
+    package = mkPackageOption pkgs "actual" {};
+    settings = mkOption {
+      default = {};
+      type = types.submodule {
+        freeformType = formatType.type;
+        config = {
+          serverFiles = "/var/lib/actual/server-files";
+          userFiles = "/var/lib/actual/user-files";
+          dataDir = "/var/lib/actual";
+        };
+      };
+    };
+  };
+  config.systemd.services.actual = {
+    after = ["network.target"];
+    environment.ACTUAL_CONFIG_PATH = configFile;
+    serviceConfig = {
+      ExecStartPre = "${pkgs.coreutils}/bin/ln -sf ${cfg.package}/migrations /var/lib/actual/";
+      ExecStart = lib.getExe cfg.package;
+      User = "actual";
+      Group = "actual";
+      DynamicUser = true;
+      StateDirectory = "actual";
+      WorkingDirectory = "/var/lib/actual";
+      LimitNOFILE = "1048576";
+      PrivateTmp = true;
+      PrivateDevices = true;
+      StateDirectoryMode = "0700";
+      Restart = "always";
+
+      # Hardening
+      CapabilityBoundingSet = "";
+      LockPersonality = true;
+      #MemoryDenyWriteExecute = true; # Leads to coredump because V8 does JIT
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      ProtectSystem = "strict";
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_NETLINK"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "@pkey"
+      ];
+      UMask = "0077";
+    };
+    wantedBy = ["multi-user.target"];
+  };
 }

modules/services/actual.nix

@@ -0,0 +1,16 @@
+{
+  wireguard.elisabeth = {
+    client.via = "elisabeth";
+    firewallRuleForNode.elisabeth.allowedTCPPorts = [3000];
+  };
+  imports = [../actual.nix];
+  services.actual = {
+    enable = true;
+    settings.port = 3000;
+  };
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/private/actual";
+    }
+  ];
+}

modules/services/kanidm.nix

@@ -89,6 +89,7 @@ in {
       };
 
       groups."rss.access" = {};
+      groups."oauth2-proxy.access" = {};
 
       groups."nextcloud.access" = {
         members = ["nextcloud.admins"];
@@ -136,10 +137,12 @@ in {
         originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/";
         basicSecretFile = config.age.secrets.oauth2-proxy.path;
         scopeMaps."adguardhome.access" = ["openid" "email" "profile"];
+        scopeMaps."rss.access" = ["openid" "email" "profile"];
         preferShortUsername = true;
         claimMaps.groups = {
           joinType = "array";
           valuesByGroup."adguardhome.access" = ["adguardhome_access"];
+          valuesByGroup."rss.access" = ["ttrss_access"];
         };
       };
 

nix/devshell.nix

@@ -22,6 +22,7 @@ in
       pre-commit
       rage
       nix
+      nix-diff
     ];
     commands = [
       {

pkgs/actual.nix

@@ -67,5 +67,11 @@ stdenv.mkDerivation rec {
   '';
 
   meta = with lib; {
+    description = "A super fast privacy-focused app for managing your finances";
+    homepage = "https://actualbudget.com/";
+    license = licenses.mit;
+    mainProgram = "actual-server";
+    maintainers = with maintainers; [patrickdag];
+    platforms = ["x86_64-linux"];
   };
 }

secrets/wireguard/elisabeth/keys/elisabeth-actual.age

@@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> X25519 Mv11pZInyrNKXp9yT3maeq+nLpYWEKGSTog8bpa/KWw
+ybH+dojanR8n4Ubq1H9D7CE5ipz9y3nqUnqw/6h9VNY
+-> piv-p256 XTQkUA A3oYQXSUKuRPADT5kQEcZdgnkWuquWC2IMTYY7PHxU2g
+dHajYp4/VOsBjdhQD1+UmX47F0v6q54zAFtJk82H1Os
+-> piv-p256 ZFgiIw As8XHst+QSiFmM+jsDEPunagwwGsy9XG5ECAH3p4nUzp
+qRxV2IOLGyMvsGIIKEj5wsjPzv8VB3s8UsXZ5tSJwxE
+-> piv-p256 5vmPtQ At3pi/3ckCTfglnBNUOo3Iw182iBhm4/BdpEo6j51FZi
+hJlqdt9g3g/BnvoXzjpjJgaRaNQlNgebF1SvGxLFTkw
+-> piv-p256 ZFgiIw A3idLYAMWytoYJMcEl3wMbmWYxkFKMgQyBBp6KT/+OsY
+29hfrgCAF+wRMQD4f+cItT63oOp0lx05FqpCKZTNyXs
+-> 9O-grease < `3z5 sj+v
+Qp3zpkMRcdwm62T+5GuIsMOd8dP1UetRc2x+z95NyQGM4lgNwjV2yoGPFNo8igPR
+Hd7p4XkjjEcYtS9jv8m+pZbIi2KRdVCMLRC8f+Av7Y2ONQI
+--- ViopD9rjKx8zdT8FHjYlB+N0MUsQT9imiTv8dlzF6RU
+z”ëç<C3AB>¹“
Š~{†r¶Ë<C2B6>ƒ<03><>÷‘Ʀo<>Ã]¸-µñ
¢<>¦!;$Ùûd“J<|I
À<>óÎÁíás*Ó·ö×v¿$öÅ

secrets/wireguard/elisabeth/keys/elisabeth-actual.pub

@@ -0,0 +1 @@
+n3HlzW2vkFj565rNTLcZHgJbBip9MXe4s1rctRWi1TQ=

secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-actual.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> X25519 EYthUGeAWjYiRRcvPvVuWppnAnVEKvbBgkegeGFGzGQ
+STGglgLwWiYP0Plr69RVxlIGVh0ZohPCaUy0Tl2rnbw
+-> piv-p256 XTQkUA A1Tk7Xmx3KAxWakrxXyjLHzuAvwc0Y7p582tV/i45s/0
+nhkvRnz7+lr0df84MMoHQJbpUoj+0UrdTw/XISq8taU
+-> piv-p256 ZFgiIw A4rpsK3V2kcIQ2DRRL3Vj9nZUgANguzqvtHuLAVsCVlP
+3V0M6j9CU/LWRkYaDI+3qvynu3s8UU91pjCaMEG8sTc
+-> piv-p256 5vmPtQ AsD/VOJLQcHSoOVtJ8zdHxSnOv2JX/MsAGP0fB3SPvBq
+yy4YY33Tzflj3rQg9xVAfJe47NNeX3GLBn4iZa0+aVM
+-> piv-p256 ZFgiIw ApTVTCfJLHfVGA1Qbi44CisjSX4j/tJINa8xRDnEGYAN
+4Z9/mK57H6JH7fsAlQTcEX/JjdzDiA+XgsA8tvcqM7U
+-> Vffv6Z%t-grease Kc1"0ol xYS0
+SOTywmAk8Z0fVaBEgVlPJMVWYNrN
+--- GsqSM5RXgbGD3xulF6piH/NxH7AcVRVJT6rHQUqV/sY
+xA€Żˇ,©Afí°ôáYíüU„R×!·$9ŻQăöUcNj¤<6A>Ţn%îHĺŇýnźÂĹáu
éîČťÜVA
ŃéâtébJ ^Ă