✨ [pi4] Containerize Actual service

hosts/pi4/actual.nix

@@ -0,0 +1,42 @@
+{ config, common, ... }:
+let
+  domain = "beta.budget.${common.domain}";
+in
+{
+  networking.nat = {
+    enable = true;
+    internalInterfaces = [ "ve-*" ];
+    externalInterface = "wlan0";
+    # Lazy IPv6 connectivity for the container
+    enableIPv6 = true;
+  };
+
+  containers.actual = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "192.168.10.188";
+    localAddress = "192.168.10.11";
+    config =
+      { ... }:
+      {
+        services = {
+          actual = {
+            enable = true;
+            settings = {
+              port = 8084;
+              loginMethod = "password";
+            };
+          };
+        };
+        system.stateVersion = common.system.version;
+      };
+  };
+  services.nginx.virtualHosts.${domain} = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://${config.containers.actual.localAddress}:8084";
+      proxyWebsockets = true;
+    };
+  };
+}

hosts/pi4/default.nix

@@ -3,6 +3,7 @@
 {
   imports = with lib.custom; [
     (relativeToBase "modules")
+    ./actual.nix
     ./boot.nix
     ./caddy.nix
     ./forgejo.nix

hosts/pi4/security/firewall.nix

@@ -1,3 +1,5 @@
+{ common, ... }:
+
 {
   networking = {
     firewall = {
@@ -6,13 +8,8 @@
         80
         443
       ];
-      trustedInterfaces = [ "tailscale0" ];
-      extraInputRules =
-        let
-          localIPv4Range = "192.168.10.0/24";
-        in
-        ''
-          ip saddr ${localIPv4Range} accept
+      extraInputRules = ''
+        ip saddr ${common.localIpRange} accept
       '';
     };
     nftables.enable = true;

shared/common.nix

@@ -16,6 +16,7 @@ rec {
   domain = "martials.no";
   tailnetDomain = "dns.${domain}";
   localIpPrefix = "192.168.10.";
+  localIpRange = "${localIpPrefix}0/24";
   localIpAddr = subAddr: "${localIpPrefix}${builtins.toString subAddr}";
   tailnetAddr = host: "${host}.${tailnetDomain}";