nixos/actual: init at 24.10.1

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -128,6 +128,8 @@
 
 - [wg-access-server](https://github.com/freifunkMUC/wg-access-server/), an all-in-one WireGuard VPN solution with a web ui for connecting devices. Available at [services.wg-access-server](#opt-services.wg-access-server.enable).
 
+- [Actual Budget](https://actualbudget.org/), a local-first personal finance app. Available as [services.actual](#opt-services.actual.enable).
+
 - [Pingvin Share](https://github.com/stonith404/pingvin-share), a self-hosted file sharing platform and an alternative for WeTransfer. Available as [services.pingvin-share](#opt-services.pingvin-share.enable).
 
 - [Envision](https://gitlab.com/gabmus/envision), a UI for building, configuring and running Monado, the open source OpenXR runtime. Available as [programs.envision](#opt-programs.envision.enable).

nixos/modules/module-list.nix

@@ -1379,6 +1379,7 @@
   ./services/video/v4l2-relayd.nix
   ./services/wayland/cage.nix
   ./services/wayland/hypridle.nix
+  ./services/web-apps/actual.nix
   ./services/web-apps/akkoma.nix
   ./services/web-apps/alps.nix
   ./services/web-apps/anuko-time-tracker.nix

nixos/modules/services/web-apps/actual.nix

@@ -0,0 +1,121 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  inherit (lib)
+    getExe
+    mkDefault
+    mkEnableOption
+    mkIf
+    mkOption
+    mkPackageOption
+    types
+    ;
+
+  cfg = config.services.actual;
+  configFile = formatType.generate "config.json" cfg.settings;
+  dataDir = "/var/lib/actual";
+
+  formatType = pkgs.formats.json { };
+in
+{
+  options.services.actual = {
+    enable = mkEnableOption "actual, a privacy focused app for managing your finances";
+    package = mkPackageOption pkgs "actual-server" { };
+
+    openFirewall = mkOption {
+      default = false;
+      type = types.bool;
+      description = "Whether to open the firewall for the specified port.";
+    };
+
+    settings = mkOption {
+      default = { };
+      description = "Server settings, refer to (the documentation)[https://actualbudget.org/docs/config/] for available options.";
+      type = types.submodule {
+        freeformType = formatType.type;
+
+        options = {
+          hostname = mkOption {
+            type = types.str;
+            description = "The address to listen on";
+            default = "::";
+          };
+
+          port = mkOption {
+            type = types.port;
+            description = "The port to listen on";
+            default = 3000;
+          };
+        };
+
+        config = {
+          serverFiles = mkDefault "${dataDir}/server-files";
+          userFiles = mkDefault "${dataDir}/user-files";
+          dataDir = mkDefault dataDir;
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.port ];
+
+    systemd.services.actual = {
+      description = "Actual server, a local-first personal finance app";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      environment.ACTUAL_CONFIG_PATH = configFile;
+      serviceConfig = {
+        ExecStart = getExe cfg.package;
+        DynamicUser = true;
+        User = "actual";
+        Group = "actual";
+        StateDirectory = "actual";
+        WorkingDirectory = dataDir;
+        LimitNOFILE = "1048576";
+        PrivateTmp = true;
+        PrivateDevices = true;
+        StateDirectoryMode = "0700";
+        Restart = "always";
+
+        # Hardening
+        CapabilityBoundingSet = "";
+        LockPersonality = true;
+        #MemoryDenyWriteExecute = true; # Leads to coredump because V8 does JIT
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        ProtectSystem = "strict";
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_NETLINK"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "@pkey"
+        ];
+        UMask = "0077";
+      };
+    };
+  };
+
+  meta.maintainers = [
+    lib.maintainers.oddlama
+    lib.maintainers.patrickdag
+  ];
+}

nixos/tests/actual.nix

@@ -0,0 +1,18 @@
+import ./make-test-python.nix (
+  { lib, ... }:
+  {
+    name = "actual";
+    meta.maintainers = [ lib.maintainers.oddlama ];
+
+    nodes.machine =
+      { ... }:
+      {
+        services.actual.enable = true;
+      };
+
+    testScript = ''
+      machine.wait_for_open_port(3000)
+      machine.succeed("curl -fvvv -Ls http://localhost:3000/ | grep 'Actual'")
+    '';
+  }
+)

nixos/tests/all-tests.nix

@@ -107,6 +107,7 @@ in {
   aaaaxy = runTest ./aaaaxy.nix;
   acme = runTest ./acme.nix;
   acme-dns = handleTest ./acme-dns.nix {};
+  actual = handleTest ./actual.nix {};
   adguardhome = runTest ./adguardhome.nix;
   aesmd = runTestOn ["x86_64-linux"] ./aesmd.nix;
   agate = runTest ./web-servers/agate.nix;

pkgs/by-name/ac/actual-server/package.nix

@@ -0,0 +1,119 @@
+{
+  lib,
+  stdenv,
+  stdenvNoCC,
+  fetchFromGitHub,
+  makeWrapper,
+  cacert,
+  gitMinimal,
+  nodejs,
+  yarn,
+  nixosTests,
+  nix-update-script,
+}:
+let
+  version = "24.11.0";
+  src = fetchFromGitHub {
+    owner = "actualbudget";
+    repo = "actual-server";
+    rev = "v${version}";
+    hash = "sha256-tEanuY2GRufLbyjkhwFcsn8Nl3wlf/PbVJjzJfTTk7g=";
+  };
+
+  # We cannot use fetchYarnDeps because that doesn't support yarn2/berry
+  # lockfiles (see https://github.com/NixOS/nixpkgs/issues/254369)
+  offlineCache = stdenvNoCC.mkDerivation {
+    name = "actual-server-${version}-offline-cache";
+    inherit src;
+
+    nativeBuildInputs = [
+      cacert # needed for git
+      gitMinimal # needed to download git dependencies
+      yarn
+    ];
+
+    SUPPORTED_ARCHITECTURES = builtins.toJSON {
+      os = [
+        "darwin"
+        "linux"
+      ];
+      cpu = [
+        "arm"
+        "arm64"
+        "ia32"
+        "x64"
+      ];
+      libc = [
+        "glibc"
+        "musl"
+      ];
+    };
+
+    buildPhase = ''
+      runHook preBuild
+
+      export HOME=$(mktemp -d)
+      yarn config set enableTelemetry 0
+      yarn config set cacheFolder $out
+      yarn config set --json supportedArchitectures "$SUPPORTED_ARCHITECTURES"
+      yarn
+
+      runHook postBuild
+    '';
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out
+      cp -r ./node_modules $out/node_modules
+
+      runHook postInstall
+    '';
+    dontFixup = true;
+
+    outputHashAlgo = "sha256";
+    outputHashMode = "recursive";
+    outputHash = "sha256-yda1GdnPRHOoaJzkGz755Lm9/J60lFDsVvBgf/2e+3I=";
+  };
+in
+stdenv.mkDerivation {
+  pname = "actual-server";
+  inherit version src;
+
+  nativeBuildInputs = [
+    makeWrapper
+    yarn
+  ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/{bin,lib,lib/actual}
+    cp -r ${offlineCache}/node_modules/ $out/lib/actual
+    cp -r ./ $out/lib/actual
+
+    makeWrapper ${lib.getExe nodejs} "$out/bin/actual-server" \
+      --add-flags "$out/lib/actual/app.js" \
+      --set NODE_PATH "$out/node_modules"
+
+    runHook postInstall
+  '';
+
+  passthru = {
+    inherit offlineCache;
+    tests = nixosTests.actual;
+    updateScript = nix-update-script { };
+  };
+
+  meta = {
+    changelog = "https://github.com/firefly-iii/firefly-iii/releases/tag/v${version}";
+    description = "A super fast privacy-focused app for managing your finances";
+    homepage = "https://actualbudget.org/";
+    mainProgram = "actual-server";
+    license = lib.licenses.mit;
+    maintainers = [
+      lib.maintainers.oddlama
+      lib.maintainers.patrickdag
+    ];
+  };
+}