feat: actual module

2024-03-30 20:34:44 +01:00 · 2024-03-30 20:34:44 +01:00 · 8b45dc4d7e
parent 2ad57db0e1
commit 8b45dc4d7e
13 changed files with 149 additions and 6 deletions
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@ -22,6 +22,7 @@
      kanidm = "auth";
      oauth2-proxy = "oauth2";
      netbird = "netbird";
+      actual = "actual";
    };
  in "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";
  # TODO hard coded elisabeth nicht so schön
@ -57,7 +58,7 @@ in {
          + virtualHostExtraConfig;
      };
    };
-    proxyProtect = hostName: cfg:
+    proxyProtect = hostName: cfg: allowedGroup:
      lib.mkMerge [
        (blockOf hostName cfg)
        {
@ -86,7 +87,7 @@ in {
            };

            locations."= /oauth2/auth" = {
-              proxyPass = "http://oauth2-proxy/oauth2/auth?allowed_groups=${hostName}_access";
+              proxyPass = "http://oauth2-proxy/oauth2/auth" + lib.optionalString allowedGroup "?allowed_groups=${hostName}_access";
              extraConfig = ''
                internal;

@ -151,12 +152,13 @@ in {
        };
      }
      (blockOf "vaultwarden" {maxBodySize = "1G";})
+      (blockOf "actual" {})
      (blockOf "forgejo" {maxBodySize = "1G";})
      (blockOf "immich" {maxBodySize = "5G";})
-      (proxyProtect "adguardhome" {})
-      (proxyProtect "oauth2-proxy" {})
+      (proxyProtect "adguardhome" {} true)
+      (proxyProtect "oauth2-proxy" {} false)
      (blockOf "paperless" {maxBodySize = "5G";})
-      (proxyProtect "ttrss" {port = 80;})
+      (proxyProtect "ttrss" {port = 80;} true)
      (blockOf "yourspotify" {port = 80;})
      (blockOf "apispotify" {
        port = 3000;
@ -268,6 +270,7 @@ in {
    // mkContainer "ttrss" {}
    // mkContainer "yourspotify" {}
    // mkContainer "netbird" {}
+    // mkContainer "actual" {}
    // mkContainer "kanidm" {}
    // mkContainer "nextcloud" {
      enablePanzer = true;
--- a/hosts/elisabeth/secrets/actual/host.pub
+++ b/hosts/elisabeth/secrets/actual/host.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINOcPKlxhRrF8gfAqI2yj8THuT8OTG4Yt5Rj8mHXR/vq
--- a/hosts/elisabeth/secrets/kanidm/secrets.nix.age
+++ b/hosts/elisabeth/secrets/kanidm/secrets.nix.age
--- a/hosts/elisabeth/secrets/murmur/host.pub
+++ b/hosts/elisabeth/secrets/murmur/host.pub
@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDfJQBQg5BlE03TZw3MLGGPK/YjYqR59OpYOEsvJX3u3
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGzGvzKvKZAODPCH5qsV6USwnbeEMWfDGIXFMRr+HsU
--- a/modules/actual.nix
+++ b/modules/actual.nix
@ -1,2 +1,83 @@
 {
+  lib,
+  pkgs,
+  config,
+  ...
+}: let
+  inherit
+    (lib)
+    types
+    mkEnableOption
+    mkPackageOption
+    mkOption
+    ;
+
+  cfg = config.services.actual;
+  configFile = formatType.generate "config.json" cfg.settings;
+
+  formatType = pkgs.formats.json {};
+in {
+  options.services.actual = {
+    enable = mkEnableOption "actual, a privacy focused app for managing your finances";
+    package = mkPackageOption pkgs "actual" {};
+    settings = mkOption {
+      default = {};
+      type = types.submodule {
+        freeformType = formatType.type;
+        config = {
+          serverFiles = "/var/lib/actual/server-files";
+          userFiles = "/var/lib/actual/user-files";
+          dataDir = "/var/lib/actual";
+        };
+      };
+    };
+  };
+  config.systemd.services.actual = {
+    after = ["network.target"];
+    environment.ACTUAL_CONFIG_PATH = configFile;
+    serviceConfig = {
+      ExecStartPre = "${pkgs.coreutils}/bin/ln -sf ${cfg.package}/migrations /var/lib/actual/";
+      ExecStart = lib.getExe cfg.package;
+      User = "actual";
+      Group = "actual";
+      DynamicUser = true;
+      StateDirectory = "actual";
+      WorkingDirectory = "/var/lib/actual";
+      LimitNOFILE = "1048576";
+      PrivateTmp = true;
+      PrivateDevices = true;
+      StateDirectoryMode = "0700";
+      Restart = "always";
+
+      # Hardening
+      CapabilityBoundingSet = "";
+      LockPersonality = true;
+      #MemoryDenyWriteExecute = true; # Leads to coredump because V8 does JIT
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      ProtectSystem = "strict";
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_NETLINK"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "@pkey"
+      ];
+      UMask = "0077";
+    };
+    wantedBy = ["multi-user.target"];
+  };
 }
--- a/modules/services/actual.nix
+++ b/modules/services/actual.nix
@ -0,0 +1,16 @@
+{
+  wireguard.elisabeth = {
+    client.via = "elisabeth";
+    firewallRuleForNode.elisabeth.allowedTCPPorts = [3000];
+  };
+  imports = [../actual.nix];
+  services.actual = {
+    enable = true;
+    settings.port = 3000;
+  };
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/private/actual";
+    }
+  ];
+}
--- a/modules/services/kanidm.nix
+++ b/modules/services/kanidm.nix
@ -89,6 +89,7 @@ in {
      };

      groups."rss.access" = {};
+      groups."oauth2-proxy.access" = {};

      groups."nextcloud.access" = {
        members = ["nextcloud.admins"];
@ -136,10 +137,12 @@ in {
        originUrl = "https://oauth2.${config.secrets.secrets.global.domains.web}/";
        basicSecretFile = config.age.secrets.oauth2-proxy.path;
        scopeMaps."adguardhome.access" = ["openid" "email" "profile"];
+        scopeMaps."rss.access" = ["openid" "email" "profile"];
        preferShortUsername = true;
        claimMaps.groups = {
          joinType = "array";
          valuesByGroup."adguardhome.access" = ["adguardhome_access"];
+          valuesByGroup."rss.access" = ["ttrss_access"];
        };
      };

--- a/nix/devshell.nix
+++ b/nix/devshell.nix
@ -22,6 +22,7 @@ in
      pre-commit
      rage
      nix
+      nix-diff
    ];
    commands = [
      {
--- a/pkgs/actual.nix
+++ b/pkgs/actual.nix
@ -67,5 +67,11 @@ stdenv.mkDerivation rec {
  '';

  meta = with lib; {
+    description = "A super fast privacy-focused app for managing your finances";
+    homepage = "https://actualbudget.com/";
+    license = licenses.mit;
+    mainProgram = "actual-server";
+    maintainers = with maintainers; [patrickdag];
+    platforms = ["x86_64-linux"];
  };
 }
--- a/secrets/secrets.nix.age
+++ b/secrets/secrets.nix.age
--- a/secrets/wireguard/elisabeth/keys/elisabeth-actual.age
+++ b/secrets/wireguard/elisabeth/keys/elisabeth-actual.age
@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> X25519 Mv11pZInyrNKXp9yT3maeq+nLpYWEKGSTog8bpa/KWw
+ybH+dojanR8n4Ubq1H9D7CE5ipz9y3nqUnqw/6h9VNY
+-> piv-p256 XTQkUA A3oYQXSUKuRPADT5kQEcZdgnkWuquWC2IMTYY7PHxU2g
+dHajYp4/VOsBjdhQD1+UmX47F0v6q54zAFtJk82H1Os
+-> piv-p256 ZFgiIw As8XHst+QSiFmM+jsDEPunagwwGsy9XG5ECAH3p4nUzp
+qRxV2IOLGyMvsGIIKEj5wsjPzv8VB3s8UsXZ5tSJwxE
+-> piv-p256 5vmPtQ At3pi/3ckCTfglnBNUOo3Iw182iBhm4/BdpEo6j51FZi
+hJlqdt9g3g/BnvoXzjpjJgaRaNQlNgebF1SvGxLFTkw
+-> piv-p256 ZFgiIw A3idLYAMWytoYJMcEl3wMbmWYxkFKMgQyBBp6KT/+OsY
+29hfrgCAF+wRMQD4f+cItT63oOp0lx05FqpCKZTNyXs
+-> 9O-grease < `3z5 sj+v
+Qp3zpkMRcdwm62T+5GuIsMOd8dP1UetRc2x+z95NyQGM4lgNwjV2yoGPFNo8igPR
+Hd7p4XkjjEcYtS9jv8m+pZbIi2KRdVCMLRC8f+Av7Y2ONQI
+--- ViopD9rjKx8zdT8FHjYlB+N0MUsQT9imiTv8dlzF6RU
+z”ëç<C3AB>¹“
Š~{†r¶Ë<C2B6>ƒ<03><>÷‘Æ¦o<>Ã]¸-µñ¢<>¦!;$Ùûd“J<|IÀ<>óÎÁíás*Ó·ö×v¿$öÅ
--- a/secrets/wireguard/elisabeth/keys/elisabeth-actual.pub
+++ b/secrets/wireguard/elisabeth/keys/elisabeth-actual.pub
@ -0,0 +1 @@
+n3HlzW2vkFj565rNTLcZHgJbBip9MXe4s1rctRWi1TQ=
--- a/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-actual.age
+++ b/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-actual.age
@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> X25519 EYthUGeAWjYiRRcvPvVuWppnAnVEKvbBgkegeGFGzGQ
+STGglgLwWiYP0Plr69RVxlIGVh0ZohPCaUy0Tl2rnbw
+-> piv-p256 XTQkUA A1Tk7Xmx3KAxWakrxXyjLHzuAvwc0Y7p582tV/i45s/0
+nhkvRnz7+lr0df84MMoHQJbpUoj+0UrdTw/XISq8taU
+-> piv-p256 ZFgiIw A4rpsK3V2kcIQ2DRRL3Vj9nZUgANguzqvtHuLAVsCVlP
+3V0M6j9CU/LWRkYaDI+3qvynu3s8UU91pjCaMEG8sTc
+-> piv-p256 5vmPtQ AsD/VOJLQcHSoOVtJ8zdHxSnOv2JX/MsAGP0fB3SPvBq
+yy4YY33Tzflj3rQg9xVAfJe47NNeX3GLBn4iZa0+aVM
+-> piv-p256 ZFgiIw ApTVTCfJLHfVGA1Qbi44CisjSX4j/tJINa8xRDnEGYAN
+4Z9/mK57H6JH7fsAlQTcEX/JjdzDiA+XgsA8tvcqM7U
+-> Vffv6Z%t-grease Kc1"0ol xYS0
+SOTywmAk8Z0fVaBEgVlPJMVWYNrN
+--- GsqSM5RXgbGD3xulF6piH/NxH7AcVRVJT6rHQUqV/sY
+xA€Żˇ,©Afí°ôáYíüU„R×!·$9ŻQăöUcNj¤<6A>Ţn%îHĺŇýnźÂĹáuéîČťÜVAŃéâtébJ ^Ă
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINOcPKlxhRrF8gfAqI2yj8THuT8OTG4Yt5Rj8mHXR/vq`
				`@ -0,0 +1 @@`
				`n3HlzW2vkFj565rNTLcZHgJbBip9MXe4s1rctRWi1TQ=`