# NixOS module wiring up the Actual Budget server (`services.actual`) with
# OpenID Connect login and sops-managed OIDC client credentials.
{
  config,
  pkgs,
  lib,
  namespace,
  ...
}:
let
  name = "actual";
  cfg = config.${namespace}.services.${name};

  # Root of everything the server persists; server-files and user-files are
  # placed beneath it.
  stateRoot = "${cfg.configDir}/${name}";

  # Config file the unit is pointed at (both via env var and --config) when
  # cfg.createUser is set. Nothing in this file writes it.
  # NOTE(review): the step that renders this file is not visible here. Confirm
  # it is created with permissions that keep the OIDC client secret readable
  # only by the service user.
  runtimeConfig = "/run/actual/config.json";

  # Shared definition for both OIDC credentials: same sops file, readable by
  # the `actual` user, and a change to either restarts the service.
  # NOTE(review): `owner = "actual"` needs that user to exist as a static
  # account, while DynamicUser is only forced off below when cfg.createUser is
  # true. Confirm the createUser = false case still resolves the owner.
  oidcSecret = {
    sopsFile = lib.snowfall.fs.get-file "secrets/nas-secrets.yaml";
    owner = "actual";
    restartUnits = [ "actual.service" ];
  };

  # Path of the decrypted secret file for the given key under
  # jallen-nas/actual/.
  secretPath = key: config.sops.secrets."jallen-nas/actual/${key}".path;

  actualConfig = lib.${namespace}.mkModule {
    inherit config name;
    description = "Actual Personal Finance Planner";
    options = { };

    moduleConfig = {
      sops.secrets = {
        "jallen-nas/actual/client-id" = oidcSecret;
        "jallen-nas/actual/client-secret" = oidcSecret;
      };

      services.actual = {
        inherit (cfg) openFirewall;
        # Unconditional at this level.
        # NOTE(review): presumably mkModule gates moduleConfig on the
        # service's own enable option; confirm.
        enable = true;

        settings = {
          inherit (cfg) port;

          # Only this host's own IPv4 address is listed as a trusted proxy.
          # NOTE(review): presumably the reverse proxy runs on this machine.
          # Keep the list limited to the real proxy, since forwarded-client
          # headers from listed addresses are taken at face value.
          trustedProxies = [ config.${namespace}.network.ipv4.address ];

          serverFiles = "${stateRoot}/server-files";
          userFiles = "${stateRoot}/user-files";
          dataDir = stateRoot;

          openId = {
            discoveryURL = "https://authentik.mjallen.dev/application/o/actual/.well-known/openid-configuration";
            # `_secret` carries the path of the decrypted file, so the
            # credential values are not written into this expression.
            # NOTE(review): how `_secret` is substituted is not shown here;
            # verify against the consuming module.
            client_id._secret = secretPath "client-id";
            client_secret._secret = secretPath "client-secret";
            server_hostname = "https://authentik.mjallen.dev";
            authMethod = "openid";
          };
        };
      };

      # Unit overrides, applied only when cfg.createUser is true. Each one is
      # mkForce'd so it wins over whatever the service module sets.
      systemd.services = lib.mkIf cfg.createUser {
        actual = {
          environment.ACTUAL_CONFIG_PATH = lib.mkForce runtimeConfig;

          serviceConfig = {
            ExecStart = lib.mkForce "${lib.getExe pkgs.actual-server} --config ${runtimeConfig}";
            WorkingDirectory = lib.mkForce stateRoot;
            # systemd reads directory modes as octal, so this is rwx for the
            # owner only. It affects a StateDirectory= declared elsewhere;
            # none is set in this file.
            StateDirectoryMode = lib.mkForce 700;
            # Run as a fixed account rather than a per-start dynamic one.
            DynamicUser = lib.mkForce false;
            # "full" makes /usr, /boot and /etc read-only and leaves the rest
            # of the filesystem writable to the service.
            # NOTE(review): "strict" with ReadWritePaths limited to the data
            # directory would be tighter. Confirm what the service module
            # sets by default before changing this.
            ProtectSystem = lib.mkForce "full";
          };
        };
      };
    };
  };
in
{
  imports = [ actualConfig ];
}