modules/actual: init on fae, only until https://github.com/NixOS/nixpkgs/pull/347825

made it into nixos-unstable
This commit is contained in:
teutat3s 2024-11-13 21:32:22 +01:00
parent d9262e6f4b
commit f54a81ee2d
Signed by: teutat3s
GPG key ID: 4FA1D3FA524F22C1
7 changed files with 261 additions and 0 deletions

View file

@ -79,6 +79,7 @@
self.nixosModules.pub-solar self.nixosModules.pub-solar
self.nixosModules.acme self.nixosModules.acme
self.nixosModules.invoiceplane self.nixosModules.invoiceplane
self.nixosModules.actual
]; ];
}; };

28
hosts/fae/actual.nix Normal file
View file

@ -0,0 +1,28 @@
{
flake,
config,
pkgs,
lib,
...
}:
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
security.acme.certs = {
"actual.faenix.eu" = { };
};
services.nginx.virtualHosts = {
"actual.faenix.eu" = {
forceSSL = true;
useACMEHost = "actual.faenix.eu";
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.actual.settings.port}";
};
};
services.actual = {
enable = true;
};
}

View file

@ -1,6 +1,7 @@
{ ... }: { ... }:
{ {
imports = [ imports = [
./actual.nix
./paperless.nix ./paperless.nix
./invoiceplane.nix ./invoiceplane.nix
./fae.nix ./fae.nix

121
modules/actual/default.nix Normal file
View file

@ -0,0 +1,121 @@
{
lib,
pkgs,
config,
...
}:
let
inherit (lib)
getExe
mkDefault
mkEnableOption
mkIf
mkOption
mkPackageOption
types
;
cfg = config.services.actual;
configFile = formatType.generate "config.json" cfg.settings;
dataDir = "/var/lib/actual";
formatType = pkgs.formats.json { };
in
{
options.services.actual = {
enable = mkEnableOption "actual, a privacy focused app for managing your finances";
package = mkPackageOption pkgs "actual-server" { };
openFirewall = mkOption {
default = false;
type = types.bool;
description = "Whether to open the firewall for the specified port.";
};
settings = mkOption {
default = { };
description = "Server settings, refer to (the documentation)[https://actualbudget.org/docs/config/] for available options.";
type = types.submodule {
freeformType = formatType.type;
options = {
hostname = mkOption {
type = types.str;
description = "The address to listen on";
default = "::";
};
port = mkOption {
type = types.port;
description = "The port to listen on";
default = 3000;
};
};
config = {
serverFiles = mkDefault "${dataDir}/server-files";
userFiles = mkDefault "${dataDir}/user-files";
dataDir = mkDefault dataDir;
};
};
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.port ];
systemd.services.actual = {
description = "Actual server, a local-first personal finance app";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment.ACTUAL_CONFIG_PATH = configFile;
serviceConfig = {
ExecStart = getExe cfg.package;
DynamicUser = true;
User = "actual";
Group = "actual";
StateDirectory = "actual";
WorkingDirectory = dataDir;
LimitNOFILE = "1048576";
PrivateTmp = true;
PrivateDevices = true;
StateDirectoryMode = "0700";
Restart = "always";
# Hardening
CapabilityBoundingSet = "";
LockPersonality = true;
#MemoryDenyWriteExecute = true; # Leads to coredump because V8 does JIT
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@pkey"
];
UMask = "0077";
};
};
};
meta.maintainers = [
lib.maintainers.oddlama
lib.maintainers.patrickdag
];
}

View file

@ -3,6 +3,7 @@
flake = { flake = {
nixosModules = rec { nixosModules = rec {
acme = import ./acme; acme = import ./acme;
actual = import ./actual;
audio = import ./audio; audio = import ./audio;
bluetooth = import ./bluetooth; bluetooth = import ./bluetooth;
core = import ./core; core = import ./core;

108
pkgs/actual-server.nix Normal file
View file

@ -0,0 +1,108 @@
self:
with self;
let
version = "24.11.0";
src = fetchFromGitHub {
owner = "actualbudget";
repo = "actual-server";
rev = "v${version}";
hash = "sha256-GwtJ42dBJXrOBIxwdrSvNeqQCl91m1XrtS3RBpEuZX0=";
};
# We cannot use fetchYarnDeps because that doesn't support yarn2/berry
# lockfiles (see https://github.com/NixOS/nixpkgs/issues/254369)
offlineCache = stdenvNoCC.mkDerivation {
name = "actual-server-${version}-offline-cache";
inherit src;
nativeBuildInputs = [
cacert # needed for git
gitMinimal # needed to download git dependencies
yarn
];
SUPPORTED_ARCHITECTURES = builtins.toJSON {
os = [
"darwin"
"linux"
];
cpu = [
"arm"
"arm64"
"ia32"
"x64"
];
libc = [
"glibc"
"musl"
];
};
buildPhase = ''
runHook preBuild
export HOME=$(mktemp -d)
yarn config set enableTelemetry 0
yarn config set cacheFolder $out
yarn config set --json supportedArchitectures "$SUPPORTED_ARCHITECTURES"
yarn
runHook postBuild
'';
installPhase = ''
runHook preInstall
mkdir -p $out
cp -r ./node_modules $out/node_modules
runHook postInstall
'';
dontFixup = true;
outputHashAlgo = "sha256";
outputHashMode = "recursive";
outputHash = "sha256-O/KsHAGa+zIWM3Q8+rD/MtyWBuFuce3yUSkF/t9ihMw=";
};
in
stdenv.mkDerivation {
pname = "actual-server";
inherit version src;
nativeBuildInputs = [
makeWrapper
yarn
];
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,lib,lib/actual}
cp -r ${offlineCache}/node_modules/ $out/lib/actual
cp -r ./ $out/lib/actual
makeWrapper ${lib.getExe nodejs} "$out/bin/actual-server" \
--add-flags "$out/lib/actual/app.js" \
--set NODE_PATH "$out/node_modules"
runHook postInstall
'';
passthru = {
inherit offlineCache;
tests = nixosTests.actual;
updateScript = nix-update-script { };
};
meta = {
changelog = "https://github.com/actualbudget/actual-server/releases/tag/v${version}";
description = "A super fast privacy-focused app for managing your finances";
homepage = "https://actualbudget.org/";
mainProgram = "actual-server";
license = lib.licenses.mit;
maintainers = [
lib.maintainers.oddlama
lib.maintainers.patrickdag
];
};
}

View file

@ -25,6 +25,7 @@ final: prev: with prev; {
record-screen = writeShellScriptBin "record-screen" (import ./record-screen.nix final); record-screen = writeShellScriptBin "record-screen" (import ./record-screen.nix final);
cockroach-bin = import ./cockroach.nix final; cockroach-bin = import ./cockroach.nix final;
prison-break = import ./prison-break.nix final; prison-break = import ./prison-break.nix final;
actual-server = import ./actual-server.nix final;
# ps-fixes # ps-fixes
} }