Add Actual Budget (#146)

* Add Actual Budget

* Format code

Author: ethnt

hosts/bastion/profiles/authelia/default.nix

@@ -127,6 +127,24 @@
             redirect_uris = [ "https://termix.e10.camp/users/oidc/callback" ];
             token_endpoint_auth_method = "client_secret_post";
           }
+          {
+            client_id =
+              "pV6drSFL4uNhslIfnTxi~oDMhqTIVVWM~307jSrBE9CNPuuwqMRDwYnW0PG6tYYL5HqCpFJu";
+            client_name = "Actual Budget";
+            client_secret =
+              "$pbkdf2-sha512$310000$78au487f6p.HXge7fFeMcQ$FXpI9224tVfyMNkyLj3sqtP.gWUUN./gJemo3l0KcwjVseC0Wlqe50LsYtm6lBBzRXuBxAa/Jhw2q3EaIGMd3A";
+            public = false;
+            authorization_policy = "two_factor";
+            require_pkce = false;
+            pkce_challenge_method = "";
+            redirect_uris = [ "https://actual.e10.camp/openid/callback" ];
+            scopes = [ "openid" "profile" "groups" "email" ];
+            response_types = [ "code" ];
+            grant_types = [ "authorization_code" ];
+            access_token_signed_response_alg = "none";
+            userinfo_signed_response_alg = "none";
+            token_endpoint_auth_method = "client_secret_basic";
+          }
         ];
       };
 

hosts/bastion/profiles/caddy/default.nix

@@ -261,6 +261,11 @@
         inherit (hosts.controller.config.services.termix) port;
       };
 
+      "actual.e10.camp" = {
+        host = hosts.matrix;
+        inherit (hosts.matrix.config.services.actual.settings) port;
+      };
+
       "jellyfin.e10.video" = {
         host = hosts.htpc;
         port = 8096;

hosts/matrix/configuration.nix

@@ -9,6 +9,7 @@
       profiles.media-management.immich.default
       profiles.networking.printing
       profiles.power.tripp-lite-smart1500lcd
+      profiles.services.actual.default
       profiles.services.attic-watch-store.default
       profiles.services.bentopdf
       profiles.services.changedetection-io

modules/profiles/services/actual/default.nix

@@ -0,0 +1,25 @@
+{ config, ... }: {
+  sops.secrets = {
+    actual_oauth2_client_secret = {
+      sopsFile = ./secrets.json;
+      mode = "0777";
+    };
+  };
+
+  services.actual = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      loginMethod = "openid";
+      openId = {
+        discoveryURL = "https://auth.e10.camp";
+        client_id =
+          "pV6drSFL4uNhslIfnTxi~oDMhqTIVVWM~307jSrBE9CNPuuwqMRDwYnW0PG6tYYL5HqCpFJu";
+        client_secret._secret =
+          config.sops.secrets.actual_oauth2_client_secret.path;
+        server_hostname = "https://actual.e10.camp";
+        authMethod = "oauth2";
+      };
+    };
+  };
+}

modules/profiles/services/actual/secrets.json

@@ -33,8 +33,8 @@
                 cache = "1m";
                 title = "Services";
                 sites = let
-                  mkSite = { title, url, check-url ? null, icon
-                    , basicAuth ? false }: {
+                  mkSite =
+                    { title, url, check-url ? null, icon, basicAuth ? false }: {
                       inherit title url check-url icon;
                       basic-auth = lib.mkIf basicAuth {
                         username = "\${AUTHELIA_BASIC_AUTH_USERNAME}";