setup actualbudget service

flake.nix

@@ -249,6 +249,7 @@
           dotfilesRepo = "https://github.com/nmasur/dotfiles";
           hostnames = {
             audiobooks = "read.${baseName}";
+            budget = "money.${baseName}";
             files = "files.${baseName}";
             git = "git.${baseName}";
             influxdb = "influxdb.${baseName}";

hosts/flame/default.nix

@@ -71,6 +71,7 @@ inputs.nixpkgs.lib.nixosSystem rec {
       dotfiles.enable = true; # Clone dotfiles
       neovim.enable = true;
       giteaRunner.enable = true;
+      services.actualbudget.enable = true;
       services.caddy.enable = true;
       services.grafana.enable = true;
       services.thelounge.enable = true;

modules/common/default.nix

@@ -86,6 +86,10 @@
         type = lib.types.str;
         description = "Hostname for audiobook server (Audiobookshelf).";
       };
+      budget = lib.mkOption {
+        type = lib.types.str;
+        description = "Hostname for budgeting server (ActualBudget).";
+      };
       files = lib.mkOption {
         type = lib.types.str;
         description = "Hostname for files server (Filebrowser).";

modules/nixos/services/actualbudget.nix

@@ -0,0 +1,68 @@
+{ config, lib, ... }:
+{
+
+  options = {
+    services.actualbudget = {
+      enable = lib.mkEnableOption "ActualBudget budgeting service";
+      port = lib.mkOption {
+        type = lib.types.port;
+        description = "Port to use for the localhost";
+        default = 5006;
+      };
+    };
+  };
+
+  config = lib.mkIf config.services.actualbudget.enable {
+
+    virtualisation.podman.enable = lib.mkDefault true;
+
+    users.users.actualbudget = {
+      isSystemUser = true;
+      group = "shared";
+      uid = 980;
+    };
+
+    # Create budget directory, allowing others to manage it
+    systemd.tmpfiles.rules = [
+      "d /var/lib/actualbudget 0770 actualbudget shared"
+    ];
+
+    virtualisation.oci-containers.containers.actualbudget = {
+      workdir = null;
+      volumes = [ "/var/lib/actualbudget:/data" ];
+      user = "${toString (builtins.toString config.users.users.actualbudget.uid)}";
+      pull = "missing";
+      privileged = false;
+      ports = [ "127.0.0.1:${builtins.toString config.services.actualbudget.port}:5006" ];
+      networks = [ ];
+      log-driver = "journald";
+      labels = {
+        app = "actualbudget";
+      };
+      image = "ghcr.io/actualbudget/actual-server:latest";
+      hostname = null;
+      environmentFiles = [ ];
+      environment = { };
+      dependsOn = [ ];
+      autoStart = true;
+    };
+
+    # Allow web traffic to Caddy
+    caddy.routes = [
+      {
+        match = [ { host = [ config.hostnames.budget ]; } ];
+        handle = [
+          {
+            handler = "reverse_proxy";
+            upstreams = [ { dial = "localhost:${builtins.toString config.services.actualbudget.port}"; } ];
+          }
+        ];
+      }
+    ];
+
+    # Configure Cloudflare DNS to point to this machine
+    services.cloudflare-dyndns.domains = [ config.hostnames.budget ];
+
+  };
+
+}

modules/nixos/services/backups.nix

@@ -84,10 +84,10 @@
       dest = "${config.secretsDirectory}/restic";
     };
 
-    services.restic.backups = {
+    services.restic.backups = lib.mkIf (config.backup.s3.glacierBucket != null) {
       default = {
         repository = "s3:s3.us-east-1.amazonaws.com/${config.backup.s3.glacierBucket}/restic";
-        paths = [ "/data/images" ];
+        paths = [ ];
         environmentFile = config.secrets.s3-glacier.dest;
         passwordFile = config.secrets.restic.dest;
         pruneOpts = [

modules/nixos/services/default.nix

@@ -5,6 +5,7 @@
 {
 
   imports = [
+    ./actualbudget.nix
     ./audiobookshelf.nix
     ./arr.nix
     ./backups.nix