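{ config, pkgs, lib, ... }:

let
  # Port Actual listens on inside the container; the same number is DNAT'ed
  # from the host via networking.nat.forwardPorts at the bottom of this file.
  actualPort = 3333;

  # Host-side location of Actual's state (server-files, user-files, config.json)
  # and the path it is bind-mounted to inside the container.
  hostDataDir = "/media/nas/ssd/nix-app-data/actual";
  dataDir = "/data";

  # Host end and container end of the container's veth pair.
  hostAddress = "10.0.1.18";
  localAddress = "10.0.3.18";

  # The container's `actual` account is pinned to the host's nix-apps uid and
  # jallen-nas gid so ownership on the bind-mounted data is the same numeric
  # uid/gid on both sides of the mount.
  actualUserId = config.users.users.nix-apps.uid;
  actualGroupId = config.users.groups.jallen-nas.gid;
in
{
  containers.actual = {
    autoStart = true;
    privateNetwork = true;
    inherit hostAddress localAddress;

    bindMounts = {
      ${dataDir} = {
        hostPath = hostDataDir;
        isReadOnly = false;
      };
    };

    config = { lib, ... }: {
      services.actual = {
        enable = true;
        openFirewall = true;
        settings = {
          # Only honour X-Forwarded-* headers from the host end of the veth pair.
          # NOTE(review): clients arriving through the NAT forward below keep
          # their own source address, so this only takes effect for a reverse
          # proxy running on the host and connecting from hostAddress — confirm.
          trustedProxies = [ hostAddress ];
          port = actualPort;
          inherit dataDir;
          serverFiles = "${dataDir}/server-files";
          userFiles = "${dataDir}/user-files";
        };
      };

      # Fixed uid/gid (see the let-block) instead of the module's DynamicUser.
      users.users.actual = {
        isSystemUser = true;
        uid = lib.mkForce actualUserId;
        group = "actual";
      };
      users.groups.actual.gid = lib.mkForce actualGroupId;

      # Handy for poking at Actual's sqlite databases from inside the container.
      environment.systemPackages = with pkgs; [ sqlite ];

      # Make sure the bind-mounted data root exists and is private to the
      # service user. Directories get 0700 and regular files 0600; a plain
      # `chmod -R 0700` would also set the execute bit on every data file,
      # which nothing needs.
      system.activationScripts.actual-dirs = ''
        mkdir -p ${dataDir}
        chown -R actual:actual ${dataDir}
        find ${dataDir} -type d -exec chmod 0700 {} +
        find ${dataDir} -type f -exec chmod 0600 {} +
      '';

      systemd.services.actual = {
        environment.ACTUAL_CONFIG_PATH = lib.mkForce "${dataDir}/config.json";
        serviceConfig = {
          ExecStart = lib.mkForce "${pkgs.actual-server}/bin/actual-server --config ${dataDir}/config.json";
          WorkingDirectory = lib.mkForce dataDir;

          # State lives on the bind mount, not under /var/lib. StateDirectory=
          # only accepts names relative to /var/lib (systemd.exec(5)); setting
          # it to the absolute path "/data" is rejected by systemd, so reset
          # the upstream value instead of overriding it.
          StateDirectory = lib.mkForce "";

          # DynamicUser is turned off so the pinned uid/gid above is used.
          # Spell out User/Group explicitly so that, with DynamicUser off, the
          # service can never fall back to running as root.
          DynamicUser = lib.mkForce false;
          User = lib.mkForce "actual";
          Group = lib.mkForce "actual";

          # Keep whatever filesystem sandbox the upstream unit ships and only
          # punch a hole for the data mount, rather than dropping
          # ProtectSystem entirely. NOTE(review): if the unit still cannot
          # write, check the journal for other upstream sandbox options before
          # widening this further.
          ReadWritePaths = [ dataDir ];
        };
      };

      networking = {
        firewall = {
          enable = true;
          # Redundant with services.actual.openFirewall above; kept so the
          # exposed port is visible in this file.
          allowedTCPPorts = [ actualPort ];
        };
        # Use systemd-resolved inside the container instead of the host's
        # resolv.conf. Workaround for
        # https://github.com/NixOS/nixpkgs/issues/162686
        useHostResolvConf = lib.mkForce false;
      };
      services.resolved.enable = true;

      system.stateVersion = "23.11";
    };
  };

  # Expose the container's port on the host. This only takes effect when
  # networking.nat.enable is set elsewhere. NOTE(review): the DNAT rule is not
  # gated by the host's networking.firewall.allowedTCPPorts and applies to
  # every interface unless networking.nat.externalInterface scopes it —
  # confirm the port is meant to be reachable from outside the host.
  networking.nat.forwardPorts = [
    {
      destination = "${localAddress}:${toString actualPort}";
      sourcePort = actualPort;
    }
  ];
}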