containerize actual

2025-04-24 13:46:03 -05:00
parent 41af361fee
commit 1af719c1e2
3 changed files with 93 additions and 31 deletions
--- a/hosts/nas/apps/actual/default.nix
+++ b/hosts/nas/apps/actual/default.nix
@@ -1,21 +1,84 @@
 { ... }:
+let
+  actualPort = 3333;
+  hostDataDir = "/media/nas/ssd/nix-app-data/jellyseerr";
+  dataDir = "/var/lib/private/actual-data";
+  stateDir = "/var/lib/private/actual";
+  hostAddress = "10.0.1.18";
+  localAddress = "10.0.3.18";
+in
 {
-  services.actual = {
-    enable = true;
-    openFirewall = true;
-    settings = {
-      trustedProxies = [ "10.0.1.18" ];
-      port = 3333;
-      config = {
-        dataDir = "/media/nas/ssd/nix-app-data/actual";
-        openId = {
-          issuer = "https://authentik.mjallen.dev/application/o/actual-budget/";
-          client_id = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2";
-          client_secret = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2";
-          server_hostname = "https://actual.mjallen.dev";
-          authMethod = "openid";
-        };
+  containers.actual = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = hostAddress;
+    localAddress = localAddress;
+
+    bindMounts = {
+      ${dataDir} = {
+        hostPath = hostDataDir;
+        isReadOnly = false;
+      };
+      ${stateDir} = {
+        hostPath = stateDir;
+        isReadOnly = false;
      };
    };
+
+    config = { lib, ... }:
+      {
+        services.actual = {
+          enable = true;
+          openFirewall = true;
+          settings = {
+            trustedProxies = [ hostAddress ];
+            port = actualPort;
+            config = {
+              dataDir = dataDir;
+              openId = {
+                issuer = "https://authentik.mjallen.dev/application/o/actual-budget/";
+                client_id = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2";
+                client_secret = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2";
+                server_hostname = "https://actual.mjallen.dev";
+                authMethod = "openid";
+              };
+            };
+          };
+        };
+
+        networking = {
+          firewall = {
+            enable = true;
+            allowedTCPPorts = [ actualPort ];
+          };
+          # Use systemd-resolved inside the container
+          # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+          useHostResolvConf = lib.mkForce false;
+        };
+
+        # Create and set permissions for required directories
+        # system.activationScripts.actual-dirs = ''
+        #   mkdir -p /var/lib/private/actual-data
+
+        #   chown -R nobody:nogroup /var/lib/private/actual-data
+
+        #   chmod -R 775 /var/lib/private/actual-data
+
+        #   ln -sf /var/lib/private/actual /var/lib/actual-data
+
+        # '';
+
+        services.resolved.enable = true;
+        system.stateVersion = "23.11";
+      };
+  };
+
+  networking.nat = {
+    forwardPorts = [
+      {
+        destination = "${localAddress}:${toString actualPort}";
+        sourcePort = actualPort;
+      }
+    ];
  };
 }