From 28bf675700ad336ec9d09d0b2b01833106893a31 Mon Sep 17 00:00:00 2001
From: Ethan Turkeltaub
Date: Sat, 3 Jan 2026 01:56:26 -0500
Subject: [PATCH 1/2] Add Actual Budget
---
 hosts/bastion/profiles/authelia/default.nix | 18 ++++++++
 hosts/bastion/profiles/caddy/default.nix | 5 +++
 hosts/matrix/configuration.nix | 1 +
 modules/profiles/services/actual/default.nix | 25 +++++++++++
 modules/profiles/services/actual/secrets.json | 43 +++++++++++++++++++
 5 files changed, 92 insertions(+)
 create mode 100644 modules/profiles/services/actual/default.nix
 create mode 100644 modules/profiles/services/actual/secrets.json
diff --git a/hosts/bastion/profiles/authelia/default.nix b/hosts/bastion/profiles/authelia/default.nix
index a3d508f..55eb334 100644
--- a/hosts/bastion/profiles/authelia/default.nix
+++ b/hosts/bastion/profiles/authelia/default.nix
@@ -127,6 +127,24 @@
 redirect_uris = [ "https://termix.e10.camp/users/oidc/callback" ];
 token_endpoint_auth_method = "client_secret_post";
 }
+ {
+ client_id =
+ "pV6drSFL4uNhslIfnTxi~oDMhqTIVVWM~307jSrBE9CNPuuwqMRDwYnW0PG6tYYL5HqCpFJu";
+ client_name = "Actual Budget";
+ client_secret =
+ "$pbkdf2-sha512$310000$78au487f6p.HXge7fFeMcQ$FXpI9224tVfyMNkyLj3sqtP.gWUUN./gJemo3l0KcwjVseC0Wlqe50LsYtm6lBBzRXuBxAa/Jhw2q3EaIGMd3A";
+ public = false;
+ authorization_policy = "two_factor";
+ require_pkce = false;
+ pkce_challenge_method = "";
+ redirect_uris = [ "https://actual.e10.camp/openid/callback" ];
+ scopes = [ "openid" "profile" "groups" "email" ];
+ response_types = [ "code" ];
+ grant_types = [ "authorization_code" ];
+ access_token_signed_response_alg = "none";
+ userinfo_signed_response_alg = "none";
+ token_endpoint_auth_method = "client_secret_basic";
+ }
 ];
 };
diff --git a/hosts/bastion/profiles/caddy/default.nix b/hosts/bastion/profiles/caddy/default.nix
index 5805c18..d965ff8 100644
--- a/hosts/bastion/profiles/caddy/default.nix
+++ b/hosts/bastion/profiles/caddy/default.nix
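Review bot: The new Actual Budget client in hosts/bastion/profiles/authelia/default.nix sets `require_pkce = false;` with an empty `pkce_challenge_method`, so Authelia will accept an authorization-code exchange for this client without any code challenge. The client is confidential and gated by `two_factor`, but PKCE still binds the code returned to `https://actual.e10.camp/openid/callback` to the session that requested it; if Actual's OpenID client sends a challenge (worth confirming against its login flow), prefer `require_pkce = true;` and `pkce_challenge_method = "S256";`. A one-line comment stating that the `"none"` values of `access_token_signed_response_alg` and `userinfo_signed_response_alg` are deliberate would keep a later reader from mistaking them for disabled signature checks. The client list this entry joins starts and ends outside the hunk.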
@@ -261,6 +261,11 @@
 inherit (hosts.controller.config.services.termix) port;
 };
+ "actual.e10.camp" = {
+ host = hosts.matrix;
+ inherit (hosts.matrix.config.services.actual.settings) port;
+ };
+
 "jellyfin.e10.video" = {
 host = hosts.htpc;
 port = 8096;
diff --git a/hosts/matrix/configuration.nix b/hosts/matrix/configuration.nix
index 8152203..26a4a2a 100644
--- a/hosts/matrix/configuration.nix
+++ b/hosts/matrix/configuration.nix
@@ -9,6 +9,7 @@
 profiles.media-management.immich.default
 profiles.networking.printing
 profiles.power.tripp-lite-smart1500lcd
+ profiles.services.actual.default
 profiles.services.attic-watch-store.default
 profiles.services.bentopdf
 profiles.services.changedetection-io
diff --git a/modules/profiles/services/actual/default.nix b/modules/profiles/services/actual/default.nix
new file mode 100644
index 0000000..d45d701
--- /dev/null
+++ b/modules/profiles/services/actual/default.nix
@@ -0,0 +1,25 @@
+{ config, ... }: {
+ sops.secrets = {
+ actual_oauth2_client_secret = {
+ sopsFile = ./secrets.json;
+ mode = "0777";
+ };
+ };
+
+ services.actual = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ loginMethod = "openid";
+ openId = {
+ discoveryURL = "https://auth.e10.camp";
+ client_id =
+ "pV6drSFL4uNhslIfnTxi~oDMhqTIVVWM~307jSrBE9CNPuuwqMRDwYnW0PG6tYYL5HqCpFJu";
+ client_secret._secret =
+ config.sops.secrets.actual_oauth2_client_secret.path;
+ server_hostname = "https://actual.e10.camp";
+ authMethod = "oauth2";
+ };
+ };
+ };
+}
diff --git a/modules/profiles/services/actual/secrets.json b/modules/profiles/services/actual/secrets.json
new file mode 100644
index 0000000..98b0ff2
--- /dev/null
+++ b/modules/profiles/services/actual/secrets.json
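Review bot: `mode = "0777";` on `actual_oauth2_client_secret` in modules/profiles/services/actual/default.nix gives every local account on the host read and write access to the decrypted OAuth2 client secret, which undoes most of what the sops encryption provides once the machine is activated. Restrict the file to the account that reads it, e.g. `mode = "0400";` with `owner = "<actual-service-user>";` (placeholder, the service account is not visible in this hunk). If that account is dynamically allocated and cannot be named as an owner, handing the file to the unit as a systemd credential is the usual alternative to widening the mode. Separately, `openFirewall = true;` opens the service port on the matrix host itself although the same commit publishes `actual.e10.camp` through Caddy on the bastion; consider dropping it or limiting the port to the proxy's address so clients cannot reach the backend around the proxy.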
@@ -0,0 +1,43 @@ +{ + "actual_oauth2_client_secret": "ENC[AES256_GCM,data:Ny8p1oDoj2mmvtKj6UYFXD3we/9I30Gpj2LZ680BVyIezNBiVVLV4ZtXa0+aZ1zltsRrZyGymAUKVodNpfEf4LprNoHGVbsq,iv:HGRTJdqLFqZWVYbTV/Fe+rMjxA6KFC+tt2l6Z7jro6Q=,tag:4cOPzA+A6WGVDL0KVf+qkQ==,type:str]", + "sops": { + "age": [ + { + "recipient": "age10539mc6shf02hpa8huyjktdw3nfyavxdg8pt247wwvq4xrv8h5zs8nc0k0", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhaDdpazRsdklYOUxRczgz\nSWh3NkVyWjVzb1dicG8vOS92aHpyQmFTaW04CmVXU3FkdTFmUjEwMmZSRE5MeFQv\nK2lQenE0VDJzcDZqWngxSE12Q0FLME0KLS0tIGZjR1lPNzFpMVZ6ZjY3OGpOclNJ\nbGlPdkFFUVpOQ25mTTljci94VXBCVlkKe5dwlvQJWAPaK6iXWuekUcPqS08SwwJu\nhphgzz3ey/RIUFT68nH2DakF8Uokuy8Hn7+WVxkUBDt6i8xXRENblQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1g22ghnrdg858yv6w2ux8hgntj8gkdyjn28axdkmzyx38d4vx6geqj4px9a", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0VkE4YlltYjFEUVVJY1hn\nckt0aUQ3TDVVV2ZPcUx0aGRlbE5FWFR6MFgwCjBaUkk4LzFvemVaNEVuNnJiZitT\nQUhDcStxK3hqUlhTa090TEtiNU9EN0EKLS0tIERYRTE1a2ozWHJGamw2NTFHVENu\nbG5mZHlWdlFya3J6ZS9qa24vYmNubkkKlNyVGzkEJ6MR1ZA/HIrIaNh992xc9uBy\nxMM4FdpZ3Y2MaYiGxLB2tX15roeJm7qW/2DPuteGReEmFiQA/LCkQQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1k5nzxq4ej2u9ls97c2dhlz96j2vghv0assz5g0p4npzyc8c8fqlqld72hg", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZ0NyMWliTVBobEJtU0Fq\nNU1wUTE3aHMwbjRnYTJMVS9uUzdrejdPckdvCnlaRGw1K2pzUkJERXB3NVkwNE90\nQmhYalMrQ1JEeFQ2ZmxEeFcyMVdGMEUKLS0tIE95Tis5Tk5vZXFxSXdwZzhaZGo5\naXdJUk9nWFIvaURWbk8vYVJ1Z1dab1UK8j+mBNZQx10LWYggFRdzulgcOMprFKfR\n1YXjnC4XnitBrJsLV56ClefAokUHNHPu71vu/Vx1r0+LEpE2kWu0sA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1gkzp905yqkla54l52m4xkqtxpn0sndkx0vh6qqa8d2tu29x8f35q354gpe", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrTUp5UVJTV2ptekRLajMz\nalI2OXdIaXIxRVp3b1FtYlZQVzFTMjB1S1U4CnVpNStCL1lacTRzT2tWY0Rod3J5\ndEMydFRQMWFLRmg4S1BYbFRKS1kzTkEKLS0tIEY4czhPZSthWGNXQTZSWldleDdZ\nbUdKRklTcWUxd3hYNGhDWXVZdEJ1VWsKV0ccSoL3tSnVkgkvyuj84hkneoVAJEVQ\nWGwaWqsoLUtlBHP6h/zQw0y5RUWYDDC7ps43hvJahcsNq4xVvh7t2A==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1c4d93hmawmx8nt8g2sjrxcngfl7qx7y6vwxpqqg7grrkhjen6fvstljgg9", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwMUZKOERUOVhxVzdJTGdP\na0lrUlNrRWgvNG93VTF4eGp4ZXVuNkx4UVZJCm1NUEg0UGxaRnhDRWNoZzE0MUhH\ndVlNV0hodmx2K01ldUNXRHNNN3duaUkKLS0tIHo0OGY1OHBOWEk5VEV2SHdsNTlG\nMU94WU8rTGtOMUUyVUJZL2p1ai9oNmsKSJirxeHyzlBgb5ZSW5U8NwESsxBV+4xM\n6Ek8uhU9Trb1QB5dTref2XahqYjp4y+PXQamIumvqORZh06k+r1uOQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age15jjykch8km3l8atssu0n9us6d2xg58z0ds9s0djtdh9l954sud5szqxv29", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGdGdUUVhkUDYyNEpqdWVZ\nQjFJMVRMU1ZVNDg2Mm9tTnIxYkxwWExVZjFvClU2R01renlFTVNlV0lPWkNIUm9V\nalpYaStOWFFKWXZ6YWVaVjZXUktoWjAKLS0tIFNubEJqYXN4L0xwWkF0eHRNMjlm\nOHBMZXZyZFdXYThianEyNUtEZ3ZpajQK/oJ5gOL132pKbqMbt/vM3mnqXSMu3lZK\n8/KFQlXARYbPNC/oXf6Ebp0Msy/cNNAKSQWrM2tpwV0xMZd49UWdRg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age10jhawn266e3wr6rx0lndkl9a47ewtk6jgh35d2582uu2l7dtn4tqdqc29c", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSR1NPdnV4bDRzL0tGZkgr\nOE9pM1BNek11TWFta3VqYXBJWXloaERwWWtzCnlNcHZKQkZXdUVacHMvOVltOU0x\nenYzcEQ0Y1psWG45eVFWNDlmaXVuTUEKLS0tIEpNbDAxZjFxdStnV0lhQ3FsWktT\nK3QyK012WEp3eVA2L2tlNDdrYVVUTWMK81aGvFTA87mMjrF/TCLyaKXFX/uHookG\nXzLClMg9y8E3gxwrlYy7FFwDxn0CcPhCx0tNZZJoDhF7pGA3Lw1U3Q==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1x708x83pjj7urp26pncx67fqz8a3htrf0umw7c00pvmxhl6y95lszjgd6r", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCc2hyY1RiamkvVUdDOW1V\nb045KzZGNjN2Z0xsRWdKMjY3aUtpSmVDM1NvCkw2TWhZdVBNL0NzVWlHTlFWYWZH\nVDRETmxLbFBOVHdPRDE4VzNGQXRtK0kKLS0tIEdOWFpDOWpscmVZT211OW1FZFRs\ndktmWTlTMk9wRFUzcjVCNFM3ZGEvT1kKoWiKcV384kpa3Dcax4UikYErXXbW91fz\nbm8mz9+zIFp+sVIdDV/GQaxBlAhRpXtoRJBXwq3lx0uaGfOq4BUxMg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-03T06:48:46Z", + "mac": "ENC[AES256_GCM,data:oF1TY/9HBXwsyhNPmiAuBtaQSYZcAM+A3XJ8jVpBIxpx2LbdZloc9WuAMl96Urm9ABmtyXS/zT5r3q8KlnQGnJtdr/ttrVoo1KCn+KfW4VbApsNyBnBqxwevexVGvjyjQqt7RRpRG9ZEt4bhcYzUu5Ey4JUYOGZiLMF8uDHnRfc=,iv:yHkA8VF+ybVJTkDAWPy7inLBiqpvL+hJkMw+mqWyCd8=,tag:Uzjq4YqdcY0CWeGk/G3Bpg==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.11.0" + } +} From caeab3c2e5bee1fb060df277749c1779e36d9ebc Mon Sep 17 00:00:00 2001 From: Ethan Turkeltaub Date: Sat, 3 Jan 2026 02:12:26 -0500 Subject: [PATCH 2/2] Format code --- modules/profiles/services/glance/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/profiles/services/glance/default.nix b/modules/profiles/services/glance/default.nix index 3699d62..428b105 100644 --- a/modules/profiles/services/glance/default.nix +++ b/modules/profiles/services/glance/default.nix @@ -33,8 +33,8 @@ cache = "1m"; title = "Services"; sites = let - mkSite = { title, url, check-url ? null, icon - , basicAuth ? false }: { + mkSite = + { title, url, check-url ? null, icon, basicAuth ? false }: { inherit title url check-url icon; basic-auth = lib.mkIf basicAuth { username = "\${AUTHELIA_BASIC_AUTH_USERNAME}";