# Actual Budget (server + HTTP API sidecar) as podman containers behind Caddy.
# Secrets come from sops-nix and reach the API container through an env file
# that is rendered at activation time.
{ inputs, config, ... }:
let
  # Host directory that backs both containers' /data volumes.
  volumePath = "/overseer/services";

  # sops material is kept in the nix-secrets flake input.
  sopsFolder = "${builtins.toString inputs.nix-secrets}/sops";
  servicesSopsFile = "${sopsFolder}/services.yaml";

  # Fixed addresses on the podman network. Caddy proxies to these and the API
  # container dials the server by address, so they must agree with --ip below.
  serverIP = "10.88.0.12";
  apiIP = "10.88.0.13";

  # Every secret lives under actualbudget/ in services.yaml.
  secretNames = [ "pass" "key" "client-id" "client-secret" ];
  mkSecret = name: {
    name = "actualbudget/${name}";
    value.sopsFile = servicesSopsFile;
  };
  # Runtime placeholder that sops-nix substitutes when rendering the template.
  secretRef = name: config.sops.placeholder."actualbudget/${name}";
in
{
  # Only the `d` type is given: mode and owner fall back to systemd-tmpfiles'
  # defaults (0755, root:root) rather than being set explicitly here.
  systemd.tmpfiles.rules =
    map (dir: "d ${volumePath}/${dir}") [ "actualbudget" "actualbudget-api" ];

  sops = {
    secrets = builtins.listToAttrs (map mkSecret secretNames);

    # Rendered on the host at activation and handed to the API container via
    # environmentFiles. NOTE(review): the OPENID_* values are only passed to the
    # API container; the server container below receives none of them, so it
    # would have to enable OpenID from its own /data config — confirm intended.
    templates.actualbudget-api-env.content = ''
      ACTUAL_SERVER_PASSWORD="${secretRef "pass"}"
      API_KEY="${secretRef "key"}"
      ACTUAL_OPENID_DISCOVERY_URL="https://auth.wanderingcrow.net/.well-known/openid-configuration"
      ACTUAL_OPENID_CLIENT_ID="${secretRef "client-id"}"
      ACTUAL_OPENID_CLIENT_SECRET="${secretRef "client-secret"}"
      ACTUAL_OPENID_SERVER_HOSTNAME="https://budget.wanderingcrow.net"
    '';
  };

  services.caddy = {
    enable = true;
    virtualHosts = {
      # No request matcher here, so the UI vhost proxies every client.
      "budget.wanderingcrow.net".extraConfig = ''
        reverse_proxy http://${serverIP}
      '';
      # The HTTP API is source-restricted: any client that is neither the
      # site's public IP nor a private-range address is aborted before the
      # request is proxied.
      "api.budget.wanderingcrow.net".extraConfig = ''
        @block not remote_ip ${inputs.nix-secrets.network.primary.publicIP} private_ranges
        abort @block
        reverse_proxy http://${apiIP}:5007
      '';
    };
  };

  # Images are pinned by tag only; adding an @sha256: digest to each `image`
  # would additionally pin the content the tag resolves to.
  virtualisation.oci-containers = {
    backend = "podman";
    containers = {
      actualbudget = {
        image = "actualbudget/actual-server:25.10.0";
        volumes = [ "${volumePath}/actualbudget:/data" ];
        extraOptions = [ "--ip=${serverIP}" ];
        environment.ACTUAL_PORT = "80";
      };
      actualbudget-api = {
        image = "jhonderson/actual-http-api:25.10.0";
        volumes = [ "${volumePath}/actualbudget-api:/data" ];
        extraOptions = [ "--ip=${apiIP}" ];
        # Plain HTTP to the server, over the podman network only.
        environment.ACTUAL_SERVER_URL = "http://${serverIP}";
        environmentFiles = [ config.sops.templates.actualbudget-api-env.path ];
      };
    };
  };
}