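# NixOS container for Actual Budget, reachable from the host via NAT port
# forwarding and authenticating users against Authentik over OIDC.
#
# Security review notes:
#   * `services.actual.settings` is rendered to a config file at build time,
#     which (as with most NixOS modules) lands in the world-readable Nix store.
#     Anything placed in it is visible to every local user and to any store
#     copies/backups. The OIDC client secret below should therefore be loaded
#     at runtime from a secrets mechanism (systemd EnvironmentFile / LoadCredential
#     or a secrets manager — confirm which one this version of the module
#     supports) and the value that is currently committed here rotated in Authentik.
#   * client_id and client_secret are identical, which looks like a copy/paste
#     mistake: a client secret must be a distinct random value, never the
#     public client id.
{ ... }:
let
  actualPort = 3333;
  # Host-side persistent storage for this container. Keep one directory per
  # service: the bind mount below is read-write, so pointing it at another
  # service's data directory hands that data to this container. If an
  # existing deployment stored Actual data elsewhere, migrate it first.
  hostDataDir = "/media/nas/ssd/nix-app-data/actual";
  dataDir = "/var/lib/private/actual-data";
  stateDir = "/var/lib/private/actual";
  hostAddress = "10.0.1.18";
  localAddress = "10.0.3.18";
in
{
  containers.actual = {
    autoStart = true;
    # Own network namespace; the only ingress is the NAT forward at the bottom.
    privateNetwork = true;
    inherit hostAddress localAddress;

    bindMounts = {
      ${dataDir} = {
        hostPath = hostDataDir;
        isReadOnly = false;
      };
      ${stateDir} = {
        hostPath = stateDir;
        isReadOnly = false;
      };
    };

    config = { lib, ... }: {
      services.actual = {
        enable = true;
        openFirewall = true;
        settings = {
          # Presumably the reverse proxy on the host; keep this list to proxy
          # addresses only, since trusted proxies may set forwarded headers.
          trustedProxies = [ hostAddress ];
          port = actualPort;
          config = {
            inherit dataDir;
            openId = {
              issuer = "https://authentik.mjallen.dev/application/o/actual-budget/";
              client_id = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2";
              # FIXME(security): plaintext secret in a Nix-store-rendered file,
              # and identical to client_id. Rotate it and load it at runtime
              # instead of committing it here (see header note).
              client_secret = "1PGCrRdndq7SoOSLuNMnXFmHpgd1NKRMOa5LSia2";
              server_hostname = "https://actual.mjallen.dev";
              authMethod = "openid";
            };
          };
        };
      };

      networking = {
        firewall = {
          enable = true;
          allowedTCPPorts = [ actualPort ];
        };
        # Use systemd-resolved inside the container.
        # Workaround for https://github.com/NixOS/nixpkgs/issues/162686
        useHostResolvConf = lib.mkForce false;
      };
      services.resolved.enable = true;

      system.stateVersion = "23.11";
    };
  };

  # Forward the host's actualPort to the container. Note this exposes the
  # service on the host's external interface(s); front it with the reverse
  # proxy / host firewall rather than relying on the container firewall alone.
  networking.nat = {
    forwardPorts = [
      {
        destination = "${localAddress}:${toString actualPort}";
        sourcePort = actualPort;
      }
    ];
  };
}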