✨ [pi4] Containerize Actual service

flake.lock

@@ -9,11 +9,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1736090999,
-        "narHash": "sha256-B5CJuHqfJrzPa7tObK0H9669/EClSHpa/P7B9EuvElU=",
+        "lastModified": 1744557573,
+        "narHash": "sha256-XAyj0iDuI51BytJ1PwN53uLpzTDdznPDQFG4RwihlTQ=",
         "owner": "aylur",
         "repo": "ags",
-        "rev": "5527c3c07d92c11e04e7fd99d58429493dba7e3c",
+        "rev": "3ed9737bdbc8fc7a7c7ceef2165c9109f336bff6",
         "type": "github"
       },
       "original": {
@@ -31,11 +31,32 @@
         ]
       },
       "locked": {
-        "lastModified": 1735172721,
-        "narHash": "sha256-rtEAwGsHSppnkR3Qg3eRJ6Xh/F84IY9CrBBLzYabalY=",
+        "lastModified": 1742571008,
+        "narHash": "sha256-5WgfJAeBpxiKbTR/gJvxrGYfqQRge5aUDcGKmU1YZ1Q=",
         "owner": "aylur",
         "repo": "astal",
-        "rev": "6c84b64efc736e039a8a10774a4a1bf772c37aa2",
+        "rev": "dc0e5d37abe9424c53dcbd2506a4886ffee6296e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "aylur",
+        "repo": "astal",
+        "type": "github"
+      }
+    },
+    "astal_2": {
+      "inputs": {
+        "nixpkgs": [
+          "hyprpanel",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748416910,
+        "narHash": "sha256-FEQcs58HL8Fe4i7XlqVEUwthjxwvRvgX15gTTfW17sU=",
+        "owner": "aylur",
+        "repo": "astal",
+        "rev": "c1bd89a47c81c66ab5fc6872db5a916c0433fb89",
         "type": "github"
       },
       "original": {
@@ -147,11 +168,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1748262720,
-        "narHash": "sha256-b9SRqnglNtyWE+ivBcIyyGybrDN1uy9zEy2D6X284bo=",
+        "lastModified": 1748772835,
+        "narHash": "sha256-p/hGSN1DOU/pELQi5PTds8eL+czjmb/0RvwvLm7nGC8=",
         "owner": "rishabh5321",
         "repo": "grayjay-flake",
-        "rev": "b523be9dba411e9e7e5f36f71676dddede93c664",
+        "rev": "998cbc285d936a45daf07414d03db3f60c133caa",
         "type": "github"
       },
       "original": {
@@ -167,11 +188,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1748226808,
-        "narHash": "sha256-GaBRgxjWO1bAQa8P2+FDxG4ANBVhjnSjBms096qQdxo=",
+        "lastModified": 1748665073,
+        "narHash": "sha256-RMhjnPKWtCoIIHiuR9QKD7xfsKb3agxzMfJY8V9MOew=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "83665c39fa688bd6a1f7c43cf7997a70f6a109f9",
+        "rev": "282e1e029cb6ab4811114fc85110613d72771dea",
         "type": "github"
       },
       "original": {
@@ -205,14 +226,15 @@
     "hyprpanel": {
       "inputs": {
         "ags": "ags",
+        "astal": "astal_2",
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1748203813,
-        "narHash": "sha256-VCwlSYJjXFhQSdwjk7FdeyALIzknOM1TavCDt3KLgB8=",
+        "lastModified": 1748962037,
+        "narHash": "sha256-MkrOyZ6CqTzzmlfmvkPiezy51hG96xqucrR38xQpK/0=",
         "owner": "Jas-SinghFSU",
         "repo": "HyprPanel",
-        "rev": "12d6960e198cf5107aed84a4b21e95c826d43dad",
+        "rev": "8422c6b80526f8289a30b93cb5b354d9f007141d",
         "type": "github"
       },
       "original": {
@@ -255,11 +277,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1748162331,
-        "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
+        "lastModified": 1748889542,
+        "narHash": "sha256-Hb4iMhIbjX45GcrgOp3b8xnyli+ysRPqAgZ/LZgyT5k=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
+        "rev": "10d7f8d34e5eb9c0f9a0485186c1ca691d2c5922",
         "type": "github"
       },
       "original": {
@@ -271,11 +293,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1748026106,
-        "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=",
+        "lastModified": 1748693115,
+        "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c",
+        "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc",
         "type": "github"
       },
       "original": {
@@ -287,11 +309,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1748026106,
-        "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=",
+        "lastModified": 1748693115,
+        "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c",
+        "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc",
         "type": "github"
       },
       "original": {
@@ -303,11 +325,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1736344531,
-        "narHash": "sha256-8YVQ9ZbSfuUk2bUf2KRj60NRraLPKPS0Q4QFTbc+c2c=",
+        "lastModified": 1748370509,
+        "narHash": "sha256-QlL8slIgc16W5UaI3w7xHQEP+Qmv/6vSNTpoZrrSlbk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "bffc22eb12172e6db3c5dde9e3e5628f8e3e7912",
+        "rev": "4faa5f5321320e49a78ae7848582f684d64783e9",
         "type": "github"
       },
       "original": {
@@ -319,11 +341,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1748162331,
-        "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
+        "lastModified": 1748889542,
+        "narHash": "sha256-Hb4iMhIbjX45GcrgOp3b8xnyli+ysRPqAgZ/LZgyT5k=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
+        "rev": "10d7f8d34e5eb9c0f9a0485186c1ca691d2c5922",
         "type": "github"
       },
       "original": {
@@ -431,11 +453,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1748147548,
-        "narHash": "sha256-9IaAQkgyF4PFtVyui8vF6oJah0iVcO9DaOefjdTMthE=",
+        "lastModified": 1748752728,
+        "narHash": "sha256-en008ncPUQjVx2i3PbM4RWeZkD9DNbJwIy0epppXe2o=",
         "owner": "Gerg-L",
         "repo": "spicetify-nix",
-        "rev": "f0595e3b59260457042450749eaec00a5a47db35",
+        "rev": "0e03de40d5128eb2ad600c98f57cf5db2cdf3240",
         "type": "github"
       },
       "original": {
@@ -465,11 +487,11 @@
         "nixpkgs": "nixpkgs_6"
       },
       "locked": {
-        "lastModified": 1748229380,
-        "narHash": "sha256-ulYljT6A8/v9QsMWnTsDYxa1/bG/22Ufy+KfrN4jA74=",
+        "lastModified": 1748920570,
+        "narHash": "sha256-m7EshkqPxa3IxN/qwxP1LlMlRdn37aiK0hghDieho8A=",
         "owner": "0xc000022070",
         "repo": "zen-browser-flake",
-        "rev": "14207b0fc7caba6b6a9c7a9aecf7f901435daa93",
+        "rev": "ff5bf0bcf588e8c1d0f5fcd635b0c8e1cce8aee5",
         "type": "github"
       },
       "original": {

hosts/desktop/default.nix

@@ -11,5 +11,5 @@
     ./hardware-configuration.nix
   ];
 
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.kernelPackages = pkgs.linuxPackages_6_14;
 }

hosts/pi4/actual.nix

@@ -0,0 +1,42 @@
+{ config, common, ... }:
+let
+  domain = "beta.budget.${common.domain}";
+in
+{
+  networking.nat = {
+    enable = true;
+    internalInterfaces = [ "ve-*" ];
+    externalInterface = "wlan0";
+    # Lazy IPv6 connectivity for the container
+    enableIPv6 = true;
+  };
+
+  containers.actual = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "192.168.10.188";
+    localAddress = "192.168.10.11";
+    config =
+      { ... }:
+      {
+        services = {
+          actual = {
+            enable = true;
+            settings = {
+              port = 8084;
+              loginMethod = "password";
+            };
+          };
+        };
+        system.stateVersion = common.system.version;
+      };
+  };
+  services.nginx.virtualHosts.${domain} = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://${config.containers.actual.localAddress}:8084";
+      proxyWebsockets = true;
+    };
+  };
+}

hosts/pi4/default.nix

@@ -3,13 +3,17 @@
 {
   imports = with lib.custom; [
     (relativeToBase "modules")
+    ./actual.nix
     ./boot.nix
     ./caddy.nix
     ./forgejo.nix
     ./hardware.nix
+    ./headscale.nix
     ./mailserver.nix
     ./nextcloud.nix
+    ./nginx.nix
     ./podman.nix
+    ./postgres.nix
     ./security
   ];
 }

hosts/pi4/forgejo.nix

@@ -2,21 +2,34 @@
   config,
   pkgs,
   lib,
+  systemConfig,
   common,
   ...
 }:
 let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
   domain = "beta.code.${common.domain}";
   passwordKey = "forgejo/admin-pass";
   runnerTokenKey = "forgejo/runner-token";
 in
 {
   services = {
+    nginx.virtualHosts.${domain} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString srv.HTTP_PORT}";
+      serverAliases = [ "beta.git.${common.domain}" ];
+    };
+
     forgejo = {
       enable = true;
       database.type = "postgres";
       # Enable support for Git Large File Storage
       lfs.enable = true;
+
+      secrets.mailer.PASSWD = config.sops.secrets."mailserver/password-hash".path;
+
       settings = {
         server = {
           DOMAIN = domain;
@@ -39,10 +52,9 @@ in
           PROTOCOL = "smtps";
           SMTP_ADDR = config.mailserver.fqdn;
           FROM = "noreply-forgejo@${common.domain}";
-          USER = "noreply@${common.domain}";
+          USER = "${systemConfig.username}@${common.domain}";
         };
       };
-      #mailerPasswordFile = config.sops.secrets."forgejo/mailer-password".path;
     };
     gitea-actions-runner = {
       package = pkgs.forgejo-actions-runner;
@@ -76,7 +88,7 @@ in
     in
     ''
       ${adminCmd} create --admin --email "${email}" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
-      ## Alter an existing user
-      ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+      ## Alter an existing user. Will prompt new password on login
+      # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
     '';
 }

hosts/pi4/headscale.nix

@@ -0,0 +1,66 @@
+{
+  config,
+  common,
+  ...
+}:
+let
+  cfg = config.services.headscale;
+
+  domain = "beta.vpn.${common.domain}";
+  dnsDomain = "secure.${common.domain}";
+in
+{
+  networking.firewall = {
+    trustedInterfaces = [ config.services.tailscale.interfaceName ];
+    allowedUDPPorts = [ config.services.tailscale.port ];
+  };
+
+  services = {
+    headscale = {
+      enable = true;
+      address = "0.0.0.0";
+      port = 8083;
+      settings = {
+        database = {
+          postgres = {
+            host = "/run/postgresql";
+            name = "headscale";
+            port = config.services.postgresql.settings.port;
+            user = cfg.user;
+          };
+          type = "postgres";
+        };
+        dns = {
+          base_domain = dnsDomain;
+          magic_dns = true;
+        };
+        logtail.enabled = false;
+        server_url = "https://${domain}";
+      };
+    };
+
+    nginx.virtualHosts.${domain} = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString config.services.headscale.port}";
+        proxyWebsockets = true;
+      };
+    };
+
+    postgresql =
+      let
+        psql = cfg.settings.database.postgres;
+      in
+      {
+        ensureDatabases = [ psql.name ];
+        ensureUsers = [
+          {
+            name = psql.user;
+            ensureDBOwnership = true;
+          }
+        ];
+      };
+  };
+
+}

hosts/pi4/mailserver.nix

@@ -1,5 +1,4 @@
 {
-  lib,
   config,
   inputs,
   common,
@@ -7,7 +6,6 @@
   ...
 }:
 let
-  cfg = config.mailserver;
   passwordHashKey = "mailserver/password-hash";
 in
 {
@@ -33,22 +31,13 @@ in
 
     # Use Let's Encrypt certificates. Note that this needs to set up a stripped
     # down nginx and opens port 80.
-    # certificateScheme = "acme-nginx";
+    certificateScheme = "acme-nginx";
   };
-  # security.acme.acceptTerms = true;
-  # security.acme.defaults.email = "security@example.com";
 
-  services.nginx.virtualHosts.${cfg.fqdn}.listen = lib.mkForce [
-    {
-      addr = "127.0.0.1";
-      port = 8003;
-      ssl = false;
-    }
-    {
-      addr = "192.168.10.188";
-      port = 8003;
-      ssl = false;
-    }
+  networking.firewall.allowedTCPPorts = [
+    25
+    465
+    587
   ];
 
   sops.secrets.${passwordHashKey}.neededForUsers = true;

hosts/pi4/nextcloud.nix

@@ -12,6 +12,11 @@ let
   dbuser = dbname;
 in
 {
+  security.acme = {
+    acceptTerms = true;
+    certs.${config.services.nextcloud.hostName}.email = "acme@${common.domain}";
+  };
+
   services = {
     nextcloud = {
       enable = true;
@@ -52,8 +57,12 @@ in
       };
     };
 
+    nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+      forceSSL = true;
+      enableACME = true;
+    };
+
     postgresql = {
-      enable = true;
       ensureDatabases = [ dbname ];
       ensureUsers = [
         {

hosts/pi4/nginx.nix

@@ -0,0 +1,93 @@
+{
+  common,
+  ...
+}:
+let
+  domain = common.domain;
+  proxyTo = address: port: {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "${address}:${builtins.toString port}";
+  };
+  proxyLocations = locations: {
+    enableACME = true;
+    forceSSL = true;
+    inherit locations;
+  };
+  homelab = "http://${common.localIpAddr 231}";
+  homelabProxy = proxyTo homelab; # TODO get homelab local ip from systems
+  redirect = subdomain: {
+    enableACME = true;
+    forceSSL = true;
+    globalRedirect = if subdomain == "" then domain else "${subdomain}.${domain}";
+  };
+in
+{
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = {
+      # Beta is currently stable
+      "www.${domain}" = redirect "";
+      "beta.${domain}" = redirect "";
+      "git.${domain}" = redirect "code";
+      "kitchenowl.${domain}" = redirect "grocery";
+      # Gitea
+      "code.${domain}" = homelabProxy 3000;
+      # Nextcloud
+      "nextcloud.${domain}" = proxyLocations {
+        "/".proxyPass = "${homelab}:11000";
+        "/.well-known/carddav".return = "301 /remote.php/dav";
+        "/.well-known/caldav".return = "301 /remote.php/dav";
+      };
+      # Kitchenowl
+      "grocery.${domain}" = homelabProxy 800;
+      # Actual budget
+      "budget.${domain}" = homelabProxy 5006;
+      # Uptime Kuma
+      "status.${domain}" = homelabProxy 3001;
+      # Headscale
+      "vpn.${domain}" = proxyLocations {
+        "/web".proxyPass = "${homelab}:8084";
+        "/" = {
+          proxyPass = "${homelab}:8082";
+          extraConfig = ''
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_redirect http:// https://;
+            proxy_buffering off;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+          '';
+        };
+      };
+      # Headscale SmartDNS
+      "dns.${domain}" = homelabProxy 8082;
+      # FreshRSS
+      "rss.${domain}" = homelabProxy 8085;
+      # Ente backend
+      "api.ente.${domain}" = homelabProxy 8083;
+      # Ente Photos frontend
+      "ente.${domain}" = homelabProxy 3003;
+      # Ente Auth frontend
+      "mfa.${domain}" = homelabProxy 3004;
+      # Homepage / portfolio
+      "${domain}" = homelabProxy 4321;
+      # Yamtrack
+      "track.${domain}" = homelabProxy 8090;
+      # Donetick
+      "chore.${domain}" = homelabProxy 2021;
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@${domain}";
+  };
+}

hosts/pi4/postgres.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+  services.postgresql = {
+    enable = true;
+    authentication = pkgs.lib.mkOverride 10 ''
+      #type database  DBuser        auth-method
+      local all       all           trust
+    '';
+  };
+}

hosts/pi4/security/firewall.nix

@@ -1,3 +1,5 @@
+{ common, ... }:
+
 {
   networking = {
     firewall = {
@@ -6,14 +8,9 @@
         80
         443
       ];
-      trustedInterfaces = [ "tailscale0" ];
-      extraInputRules =
-        let
-          localIPv4Range = "192.168.10.0/24";
-        in
-        ''
-          ip saddr ${localIPv4Range} accept
-        '';
+      extraInputRules = ''
+        ip saddr ${common.localIpRange} accept
+      '';
     };
     nftables.enable = true;
   };

shared/common.nix

@@ -16,6 +16,7 @@ rec {
   domain = "martials.no";
   tailnetDomain = "dns.${domain}";
   localIpPrefix = "192.168.10.";
+  localIpRange = "${localIpPrefix}0/24";
   localIpAddr = subAddr: "${localIpPrefix}${builtins.toString subAddr}";
   tailnetAddr = host: "${host}.${tailnetDomain}";
 

shared/desktop/home-manager/shell/yazi/default.nix

@@ -14,7 +14,7 @@
     enable = true;
     enableFishIntegration = true;
     keymap = {
-      manager.prepend_keymap = [
+      mgr.prepend_keymap = [
         {
           run = "hidden toggle";
           on = [ "<C-h>" ];
@@ -23,7 +23,7 @@
       ];
     };
     settings = {
-      manager = {
+      mgr = {
         ratio = [
           2
           4

shared/desktop/modules/hardware/graphics/nvidia.nix

@@ -30,20 +30,7 @@ lib.mkIf systemConfig.nvidia.enable {
         finegrained = false;
       };
 
-      # https://discourse.nixos.org/t/nvidia-dgpu-prime-offload-mode-amd-igpu-wayland/63194/3
-      package = config.boot.kernelPackages.nvidiaPackages.mkDriver {
-        version = "570.133.07";
-        # this is the third one it will complain is wrong
-        sha256_64bit = "sha256-LUPmTFgb5e9VTemIixqpADfvbUX1QoTT2dztwI3E3CY=";
-        # unused
-        sha256_aarch64 = "sha256-2l8N83Spj0MccA8+8R1uqiXBS0Ag4JrLPjrU3TaXHnM=";
-        # this is the second one it will complain is wrong
-        openSha256 = "sha256-9l8N83Spj0MccA8+8R1uqiXBS0Ag4JrLPjrU3TaXHnM=";
-        # this is the first one it will complain is wrong
-        settingsSha256 = "sha256-XMk+FvTlGpMquM8aE8kgYK2PIEszUZD2+Zmj2OpYrzU=";
-        # unused
-        persistencedSha256 = "sha256-4l8N83Spj0MccA8+8R1uqiXBS0Ag4JrLPjrU3TaXHnM=";
-      };
+      package = config.boot.kernelPackages.nvidiaPackages.latest;
     };
   };
 

shared/secrets/secrets.yaml

@@ -36,7 +36,7 @@ sops:
         SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
         YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2025-06-02T17:06:40Z"
-  mac: ENC[AES256_GCM,data:gwYDPAicJCWdCwW5hikEUkByf0KtSBGNOzfqyTdtsMvTi2HCOiKL2JgBnqjDF82o2XfbHalzzYTstxfWla62lLzF/xPWWoWOtAVB7w2YcEkptr66qU4q3iQi7t878B/+VVHva35TEho8b2JL2vgJNpBp3l06XeWMYCpupc5P7pM=,iv:ZaTpfjfcMeeExySTfI2wMSmFBFi6aoH83yYiucZXRQM=,tag:XwAvMtrX1bUumEaRf3T7Cg==,type:str]
+  lastmodified: "2025-06-23T17:39:10Z"
+  mac: ENC[AES256_GCM,data:+6X13vyCteJKZFo6RMI4rCo/gizcJO828xTL/gspgZemHcnqaf1P6nIntE5flin7IsfkxqoH8k25Xqzp6TLddsw8oYGA7fyDX7l28wFoxASTaZu2KChqGeRsEuVjuQGIAHKbB/4aI003NPT48l+uePOMNwUzlBrRnRYE5MMgQRI=,iv:UefKr2KL0+py7soUGjS0Onql/cAO+mXpvzJKJjtRppU=,tag:qcvB7rrdDRC3EfgjonM6uw==,type:str]
   unencrypted_suffix: _unencrypted
   version: 3.10.2