fix actual again

hosts/nas/apps/actual/default.nix

@@ -1,10 +1,12 @@
-{ ... }:
+{ config, pkgs, lib, ... }:
 let
   actualPort = 3333;
   hostDataDir = "/media/nas/ssd/nix-app-data/actual";
-  dataDir = "/var/lib/actual";
+  dataDir = "/data";
   hostAddress = "10.0.1.18";
   localAddress = "10.0.3.18";
+  actualUserId = config.users.users.nix-apps.uid;
+  actualGroupId = config.users.groups.jallen-nas.gid;
 in
 {
   containers.actual = {
@@ -28,8 +30,46 @@ in
           settings = {
             trustedProxies = [ hostAddress ];
             port = actualPort;
-            config = {
+            dataDir = dataDir;
-              dataDir = dataDir;
+            serverFiles = "${dataDir}/server-files";
+            userFiles = "${dataDir}/user-files";
+          };
+        };
+
+        users.users.actual = {
+          isSystemUser = true;
+          uid = lib.mkForce actualUserId;
+          group = "actual";
+        };
+
+        users.groups = {
+          actual = {
+            gid = lib.mkForce actualGroupId;
+          };
+        };
+
+        # System packages
+        environment.systemPackages = with pkgs; [
+          sqlite
+        ];
+
+        # Create and set permissions for required directories
+        system.activationScripts.actual-dirs = ''
+          mkdir -p ${dataDir}
+          chown -R actual:actual ${dataDir}
+          chmod -R 0700 ${dataDir}
+        '';
+
+        systemd.services = {
+          actual = {            
+            environment.ACTUAL_CONFIG_PATH = lib.mkForce "${dataDir}/config.json";
+            serviceConfig = {
+              ExecStart = lib.mkForce "${pkgs.actual-server}/bin/actual-server --config ${dataDir}/config.json";
+              WorkingDirectory = lib.mkForce dataDir;
+              StateDirectory = lib.mkForce dataDir;
+              StateDirectoryMode = lib.mkForce 0700;
+              DynamicUser = lib.mkForce false;
+              ProtectSystem = lib.mkForce null;
             };
           };
         };