✨ [pi4] Containerize Actual service

hosts/pi4/actual.nix

@@ -0,0 +1,42 @@
+{ config, common, ... }:
+let
+  domain = "beta.budget.${common.domain}";
+in
+{
+  networking.nat = {
+    enable = true;
+    internalInterfaces = [ "ve-*" ];
+    externalInterface = "wlan0";
+    # Lazy IPv6 connectivity for the container
+    enableIPv6 = true;
+  };
+
+  containers.actual = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "192.168.10.188";
+    localAddress = "192.168.10.11";
+    config =
+      { ... }:
+      {
+        services = {
+          actual = {
+            enable = true;
+            settings = {
+              port = 8084;
+              loginMethod = "password";
+            };
+          };
+        };
+        system.stateVersion = common.system.version;
+      };
+  };
+  services.nginx.virtualHosts.${domain} = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://${config.containers.actual.localAddress}:8084";
+      proxyWebsockets = true;
+    };
+  };
+}

hosts/pi4/default.nix

@@ -3,13 +3,17 @@
 {
   imports = with lib.custom; [
     (relativeToBase "modules")
+    ./actual.nix
     ./boot.nix
     ./caddy.nix
     ./forgejo.nix
     ./hardware.nix
+    ./headscale.nix
     ./mailserver.nix
     ./nextcloud.nix
+    ./nginx.nix
     ./podman.nix
+    ./postgres.nix
     ./security
   ];
 }

hosts/pi4/forgejo.nix

@@ -2,21 +2,34 @@
   config,
   pkgs,
   lib,
+  systemConfig,
   common,
   ...
 }:
 let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
   domain = "beta.code.${common.domain}";
   passwordKey = "forgejo/admin-pass";
   runnerTokenKey = "forgejo/runner-token";
 in
 {
   services = {
+    nginx.virtualHosts.${domain} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString srv.HTTP_PORT}";
+      serverAliases = [ "beta.git.${common.domain}" ];
+    };
+
     forgejo = {
       enable = true;
       database.type = "postgres";
       # Enable support for Git Large File Storage
       lfs.enable = true;
+
+      secrets.mailer.PASSWD = config.sops.secrets."mailserver/password-hash".path;
+
       settings = {
         server = {
           DOMAIN = domain;
@@ -39,10 +52,9 @@ in
           PROTOCOL = "smtps";
           SMTP_ADDR = config.mailserver.fqdn;
           FROM = "noreply-forgejo@${common.domain}";
-          USER = "noreply@${common.domain}";
+          USER = "${systemConfig.username}@${common.domain}";
         };
       };
-      #mailerPasswordFile = config.sops.secrets."forgejo/mailer-password".path;
     };
     gitea-actions-runner = {
       package = pkgs.forgejo-actions-runner;
@@ -76,7 +88,7 @@ in
     in
     ''
       ${adminCmd} create --admin --email "${email}" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
-      ## Alter an existing user
-      ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+      ## Alter an existing user. Will prompt new password on login
+      # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
     '';
 }

hosts/pi4/headscale.nix

@@ -0,0 +1,66 @@
+{
+  config,
+  common,
+  ...
+}:
+let
+  cfg = config.services.headscale;
+
+  domain = "beta.vpn.${common.domain}";
+  dnsDomain = "secure.${common.domain}";
+in
+{
+  networking.firewall = {
+    trustedInterfaces = [ config.services.tailscale.interfaceName ];
+    allowedUDPPorts = [ config.services.tailscale.port ];
+  };
+
+  services = {
+    headscale = {
+      enable = true;
+      address = "0.0.0.0";
+      port = 8083;
+      settings = {
+        database = {
+          postgres = {
+            host = "/run/postgresql";
+            name = "headscale";
+            port = config.services.postgresql.settings.port;
+            user = cfg.user;
+          };
+          type = "postgres";
+        };
+        dns = {
+          base_domain = dnsDomain;
+          magic_dns = true;
+        };
+        logtail.enabled = false;
+        server_url = "https://${domain}";
+      };
+    };
+
+    nginx.virtualHosts.${domain} = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString config.services.headscale.port}";
+        proxyWebsockets = true;
+      };
+    };
+
+    postgresql =
+      let
+        psql = cfg.settings.database.postgres;
+      in
+      {
+        ensureDatabases = [ psql.name ];
+        ensureUsers = [
+          {
+            name = psql.user;
+            ensureDBOwnership = true;
+          }
+        ];
+      };
+  };
+
+}

hosts/pi4/mailserver.nix

@@ -1,5 +1,4 @@
 {
-  lib,
   config,
   inputs,
   common,
@@ -7,7 +6,6 @@
   ...
 }:
 let
-  cfg = config.mailserver;
   passwordHashKey = "mailserver/password-hash";
 in
 {
@@ -33,22 +31,13 @@ in
 
     # Use Let's Encrypt certificates. Note that this needs to set up a stripped
     # down nginx and opens port 80.
-    # certificateScheme = "acme-nginx";
+    certificateScheme = "acme-nginx";
   };
-  # security.acme.acceptTerms = true;
-  # security.acme.defaults.email = "security@example.com";
 
-  services.nginx.virtualHosts.${cfg.fqdn}.listen = lib.mkForce [
-    {
-      addr = "127.0.0.1";
-      port = 8003;
-      ssl = false;
-    }
-    {
-      addr = "192.168.10.188";
-      port = 8003;
-      ssl = false;
-    }
+  networking.firewall.allowedTCPPorts = [
+    25
+    465
+    587
   ];
 
   sops.secrets.${passwordHashKey}.neededForUsers = true;

hosts/pi4/nextcloud.nix

@@ -12,6 +12,11 @@ let
   dbuser = dbname;
 in
 {
+  security.acme = {
+    acceptTerms = true;
+    certs.${config.services.nextcloud.hostName}.email = "acme@${common.domain}";
+  };
+
   services = {
     nextcloud = {
       enable = true;
@@ -52,8 +57,12 @@ in
       };
     };
 
+    nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+      forceSSL = true;
+      enableACME = true;
+    };
+
     postgresql = {
-      enable = true;
       ensureDatabases = [ dbname ];
       ensureUsers = [
         {

hosts/pi4/nginx.nix

@@ -0,0 +1,93 @@
+{
+  common,
+  ...
+}:
+let
+  domain = common.domain;
+  proxyTo = address: port: {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "${address}:${builtins.toString port}";
+  };
+  proxyLocations = locations: {
+    enableACME = true;
+    forceSSL = true;
+    inherit locations;
+  };
+  homelab = "http://${common.localIpAddr 231}";
+  homelabProxy = proxyTo homelab; # TODO get homelab local ip from systems
+  redirect = subdomain: {
+    enableACME = true;
+    forceSSL = true;
+    globalRedirect = if subdomain == "" then domain else "${subdomain}.${domain}";
+  };
+in
+{
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = {
+      # Beta is currently stable
+      "www.${domain}" = redirect "";
+      "beta.${domain}" = redirect "";
+      "git.${domain}" = redirect "code";
+      "kitchenowl.${domain}" = redirect "grocery";
+      # Gitea
+      "code.${domain}" = homelabProxy 3000;
+      # Nextcloud
+      "nextcloud.${domain}" = proxyLocations {
+        "/".proxyPass = "${homelab}:11000";
+        "/.well-known/carddav".return = "301 /remote.php/dav";
+        "/.well-known/caldav".return = "301 /remote.php/dav";
+      };
+      # Kitchenowl
+      "grocery.${domain}" = homelabProxy 800;
+      # Actual budget
+      "budget.${domain}" = homelabProxy 5006;
+      # Uptime Kuma
+      "status.${domain}" = homelabProxy 3001;
+      # Headscale
+      "vpn.${domain}" = proxyLocations {
+        "/web".proxyPass = "${homelab}:8084";
+        "/" = {
+          proxyPass = "${homelab}:8082";
+          extraConfig = ''
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_redirect http:// https://;
+            proxy_buffering off;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+          '';
+        };
+      };
+      # Headscale SmartDNS
+      "dns.${domain}" = homelabProxy 8082;
+      # FreshRSS
+      "rss.${domain}" = homelabProxy 8085;
+      # Ente backend
+      "api.ente.${domain}" = homelabProxy 8083;
+      # Ente Photos frontend
+      "ente.${domain}" = homelabProxy 3003;
+      # Ente Auth frontend
+      "mfa.${domain}" = homelabProxy 3004;
+      # Homepage / portfolio
+      "${domain}" = homelabProxy 4321;
+      # Yamtrack
+      "track.${domain}" = homelabProxy 8090;
+      # Donetick
+      "chore.${domain}" = homelabProxy 2021;
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@${domain}";
+  };
+}

hosts/pi4/postgres.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+  services.postgresql = {
+    enable = true;
+    authentication = pkgs.lib.mkOverride 10 ''
+      #type database  DBuser        auth-method
+      local all       all           trust
+    '';
+  };
+}

hosts/pi4/security/firewall.nix

@@ -1,3 +1,5 @@
+{ common, ... }:
+
 {
   networking = {
     firewall = {
@@ -6,13 +8,8 @@
         80
         443
       ];
-      trustedInterfaces = [ "tailscale0" ];
-      extraInputRules =
-        let
-          localIPv4Range = "192.168.10.0/24";
-        in
-        ''
-          ip saddr ${localIPv4Range} accept
+      extraInputRules = ''
+        ip saddr ${common.localIpRange} accept
       '';
     };
     nftables.enable = true;

shared/common.nix

@@ -16,6 +16,7 @@ rec {
   domain = "martials.no";
   tailnetDomain = "dns.${domain}";
   localIpPrefix = "192.168.10.";
+  localIpRange = "${localIpPrefix}0/24";
   localIpAddr = subAddr: "${localIpPrefix}${builtins.toString subAddr}";
   tailnetAddr = host: "${host}.${tailnetDomain}";
 

shared/desktop/home-manager/shell/yazi/default.nix

@@ -14,7 +14,7 @@
     enable = true;
     enableFishIntegration = true;
     keymap = {
-      manager.prepend_keymap = [
+      mgr.prepend_keymap = [
         {
           run = "hidden toggle";
           on = [ "<C-h>" ];
@@ -23,7 +23,7 @@
       ];
     };
     settings = {
-      manager = {
+      mgr = {
         ratio = [
           2
           4

shared/secrets/secrets.yaml

@@ -36,7 +36,7 @@ sops:
         SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
         YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-06-02T17:06:40Z"
-  mac: ENC[AES256_GCM,data:gwYDPAicJCWdCwW5hikEUkByf0KtSBGNOzfqyTdtsMvTi2HCOiKL2JgBnqjDF82o2XfbHalzzYTstxfWla62lLzF/xPWWoWOtAVB7w2YcEkptr66qU4q3iQi7t878B/+VVHva35TEho8b2JL2vgJNpBp3l06XeWMYCpupc5P7pM=,iv:ZaTpfjfcMeeExySTfI2wMSmFBFi6aoH83yYiucZXRQM=,tag:XwAvMtrX1bUumEaRf3T7Cg==,type:str]
+  lastmodified: "2025-06-23T17:39:10Z"
+  mac: ENC[AES256_GCM,data:+6X13vyCteJKZFo6RMI4rCo/gizcJO828xTL/gspgZemHcnqaf1P6nIntE5flin7IsfkxqoH8k25Xqzp6TLddsw8oYGA7fyDX7l28wFoxASTaZu2KChqGeRsEuVjuQGIAHKbB/4aI003NPT48l+uePOMNwUzlBrRnRYE5MMgQRI=,iv:UefKr2KL0+py7soUGjS0Onql/cAO+mXpvzJKJjtRppU=,tag:qcvB7rrdDRC3EfgjonM6uw==,type:str]
   unencrypted_suffix: _unencrypted
   version: 3.10.2