From 2aed01c9a45f03351e0934688995f55517dcce36 Mon Sep 17 00:00:00 2001
From: TheWanderingCrow
Date: Tue, 11 Nov 2025 15:33:57 -0500
Subject: [PATCH] API key secures the API, also fix the env templates there whew
---
 modules/services/actualbudget/default.nix | 31 +++++++++++++----------
 1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/modules/services/actualbudget/default.nix b/modules/services/actualbudget/default.nix
index 5bef057..d1de565 100644
--- a/modules/services/actualbudget/default.nix
+++ b/modules/services/actualbudget/default.nix
@@ -28,13 +28,17 @@ in
 sopsFile = "${sopsFolder}/services.yaml";
 };
 };
+
+ templates."actualbudget-env".content = ''
+ ACTUAL_OPENID_DISCOVERY_URL=https://auth.wanderingcrow.net/.well-known/openid-configuration
+ ACTUAL_OPENID_CLIENT_ID=${config.sops.placeholder."actualbudget/client-id"}
+ ACTUAL_OPENID_CLIENT_SECRET=${config.sops.placeholder."actualbudget/client-secret"}
+ ACTUAL_OPENID_SERVER_HOSTNAME=https://budget.wanderingcrow.net
+ '';
 templates."actualbudget-api-env".content = ''
- ACTUAL_SERVER_PASSWORD="${config.sops.placeholder."actualbudget/pass"}"
- API_KEY="${config.sops.placeholder."actualbudget/key"}"
- ACTUAL_OPENID_DISCOVERY_URL="https://auth.wanderingcrow.net/.well-known/openid-configuration"
- ACTUAL_OPENID_CLIENT_ID="${config.sops.placeholder."actualbudget/client-id"}"
- ACTUAL_OPENID_CLIENT_SECRET="${config.sops.placeholder."actualbudget/client-secret"}"
- ACTUAL_OPENID_SERVER_HOSTNAME="https://budget.wanderingcrow.net"
+ ACTUAL_SERVER_URL=https://budget.wanderingcrow.net
+ ACTUAL_SERVER_PASSWORD=${config.sops.placeholder."actualbudget/pass"}
+ API_KEY=${config.sops.placeholder."actualbudget/key"}
 '';
 };
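Review bot: Neither `templates."actualbudget-env"` nor `templates."actualbudget-api-env"` declares which units to restart, so rotating `actualbudget/key`, `actualbudget/pass` or the OIDC client secret re-renders the env file but leaves the running containers on the old values. The rendered path stays the same, so a rebuild probably does not touch the container units either. If the sops-nix version in use supports it on templates, add `templates."actualbudget-api-env".restartUnits = [ "podman-actualbudget-api.service" ];` and the equivalent for `actualbudget-env`. The unit names assume the podman backend of `virtualisation.oci-containers` and should be confirmed. The enclosing attribute set starts and ends outside the hunk.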
@@ -44,11 +48,11 @@ in
 "budget.wanderingcrow.net".extraConfig = ''
 reverse_proxy http://10.88.0.12
 '';
- #"api.budget.wanderingcrow.net".extraConfig = ''
- # @block not remote_ip ${inputs.nix-secrets.network.primary.publicIP} private_ranges
- # abort @block
- # reverse_proxy http://10.88.0.13:5007
- #'';
+ "api.budget.wanderingcrow.net".extraConfig = ''
+ @block not remote_ip ${inputs.nix-secrets.network.primary.publicIP} private_ranges
+ abort @block
+ reverse_proxy http://10.88.0.13:5007
+ '';
 };
 };
 virtualisation.oci-containers = {
@@ -61,14 +65,13 @@ in
 environment = {
 ACTUAL_PORT = "80";
 };
+ environmentFiles = [ config.sops.templates."actualbudget-env".path ];
+ };
 "actualbudget-api" = {
 image = "jhonderson/actual-http-api:25.10.0";
 volumes = [ "${volumePath}/actualbudget-api:/data" ];
 extraOptions = [ "--ip=10.88.0.13" ];
- environment = {
- ACTUAL_SERVER_URL = "http://10.88.0.12";
- };
 environmentFiles = [ config.sops.templates."actualbudget-api-env".path ];
 };
 };
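Review bot: The `@block` matcher on `api.budget.wanderingcrow.net` admits every source in `private_ranges`, so anything that reaches Caddy from a private or loopback address (other containers on the 10.88.0.x network, VPN peers, an internal proxy) passes the filter and is then gated only by `API_KEY`. That may be intended, but it should be stated next to the rule, for example `# allow: home IP + private ranges (includes the container network); API_KEY is the only control for those sources`. `remote_ip` tests the directly connected peer, which cannot be spoofed through forwarding headers, but if Caddy is ever placed behind another proxy the peer becomes that proxy and the rule would admit everything it forwards. `client_ip` with `trusted_proxies` configured is the matcher for that layout.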
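Review bot: `ACTUAL_SERVER_URL` is not a secret, but with the `environment` block removed from `"actualbudget-api"` it now lives only inside the sops template `actualbudget-api-env` (first hunk), so the container definition no longer shows where the API connects. The value also moved from `http://10.88.0.12` to the public `https://budget.wanderingcrow.net`. The API container's requests, including the server password, therefore presumably go through the Caddy vhost and depend on the container resolving the public name. Keeping `environment = { ACTUAL_SERVER_URL = "https://budget.wanderingcrow.net"; };` here and dropping that line from the template would keep secrets and plain settings apart. A one-line comment on why the direct bridge address was dropped would help the next reader.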