Initial config for actual budget

host/configuration.nix

@@ -6,6 +6,7 @@
     ./../nixosModules/secrets.nix
     ./../nixosModules/website.nix
     ./../nixosModules/auto-updade.nix
+    ./../nixosModules/actual-budget.nix
   ];
 
   boot.loader.grub = {
@@ -30,7 +31,10 @@
   ];
 
   secrets.enable = true;
+
+  # Apps
   website.enable = true;
+  actualBudget.enable = true;
 
   # Automatically pull this config from git
   autoUpdate.enable = true;

nixosModules/actual-budget.nix

@@ -1,23 +1,53 @@
 { pkgs, lib, config, ... }: {
 
+  imports = [
+    ./acme.nix
+  ];
+
   options = {
-    actual-budget.enable = lib.mkEnableOption "enables actual-budget";
+    actualBudget.enable = lib.mkEnableOption "enables actual-budget";
   };
 
-  config = lib.mkIf config.actual-budget.enable {
-    # services.nginx.virtualHosts."budget.kyren.codes" = {
-    #     useACMEHost = "kyren.codes";
-    #     forceSSL = true;
-    #
-    #     locations."/".proxyPass = "http://actual-server:5006/";
-    #     locations."/".extraConfig = ''
-    #       include /config/nginx/proxy.conf;
-    #       include /config/nginx/resolver.conf;
-    #
-    #       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    #       proxy_set_header Host $host;
-    #     '';
-    #
-    # };
+  config = lib.mkIf config.actualBudget.enable {
+
+    users.users.actualbudget = {
+      createHome = false;
+      isNormalUser = true;
+      group = "users";
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7P9K9D5RkBk+JCRRS6AtHuTAc6cRpXfRfRMg/Kyren"
+      ];
+      packages = with pkgs; [
+        nodejs_22
+        yarn
+        gitMinimal
+      ];
+    };
+
+    # Make sure the "website" user has access to /srv/website
+    systemd.tmpfiles.rules = [
+      "d /srv/actual-server 0700 actualbudget users"
+    ];
+
+    # Open http and https ports to the public
+    networking.firewall.allowedTCPPorts = [ 443 80 ];
+
+    # Make sure acme module is active for the "kyren.codes" ssl cert
+    acme.enable = true;
+
+    services.nginx.virtualHosts."budget.kyren.codes" = {
+        useACMEHost = "kyren.codes";
+        forceSSL = true;
+
+        locations."/".proxyPass = "http://localhost:5006/";
+        # locations."/".extraConfig = ''
+        #   include /config/nginx/proxy.conf;
+        #   include /config/nginx/resolver.conf;
+        #
+        #   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        #   proxy_set_header Host $host;
+        # '';
+
+    };
   };
 }

nixosModules/auto-updade.nix

@@ -5,6 +5,11 @@
   };
 
   config = lib.mkIf config.autoUpdate.enable {
+
+    # PAT to be able to access the repo
+    sops.secrets.github-access-token = { };
+    nix.extraOptions = "!include /run/secrets/github-access-token";
+
     system.autoUpgrade = {
       enable = true;
       flake = "github:kyren223/server#default";

nixosModules/website.nix

@@ -25,15 +25,10 @@
       "d /srv/website 0750 website users"
     ];
 
-    # Set secrets for CD (let github actions upload builds to /srv/website)
-    sops.secrets.github-access-token = { };
-    nix.extraOptions = "!include /run/secrets/github-access-token";
-
-
     # Open http and https ports to the public
     networking.firewall.allowedTCPPorts = [ 443 80 ];
 
-    # Make sure acme module is active for the "kyrej.codes" ssl cert
+    # Make sure acme module is active for the "kyren.codes" ssl cert
     acme.enable = true;
 
     services.nginx.enable = true;