+2

nixos/doc/manual/release-notes/rl-2505.section.md

··· 50 50 51 51 - [nostr-rs-relay](https://git.sr.ht/~gheartsfield/nostr-rs-relay/), This is a nostr relay, written in Rust. Available as [services.nostr-rs-relay](options.html#opt-services.nostr-rs-relay.enable). 52 52 53 53 + - [Actual Budget](https://actualbudget.org/), a local-first personal finance app. Available as [services.actual](#opt-services.actual.enable). 54 54 + 53 55 - [mqtt-exporter](https://github.com/kpetremann/mqtt-exporter/), a Prometheus exporter for exposing messages from MQTT. Available as [services.prometheus.exporters.mqtt](#opt-services.prometheus.exporters.mqtt.enable). 54 56 55 57 - [nvidia-gpu](https://github.com/utkuozdemir/nvidia_gpu_exporter), a Prometheus exporter that scrapes `nvidia-smi` for GPU metrics. Available as [services.prometheus.exporters.nvidia-gpu](#opt-services.prometheus.exporters.nvidia-gpu.enable).

+1

nixos/modules/module-list.nix

··· 1420 1420 ./services/video/wivrn.nix 1421 1421 ./services/wayland/cage.nix 1422 1422 ./services/wayland/hypridle.nix 1423 1423 + ./services/web-apps/actual.nix 1423 1424 ./services/web-apps/akkoma.nix 1424 1425 ./services/web-apps/agorakit.nix 1425 1426 ./services/web-apps/alps.nix

+121

nixos/modules/services/web-apps/actual.nix

··· 1 1 + { 2 2 + lib, 3 3 + pkgs, 4 4 + config, 5 5 + ... 6 6 + }: 7 7 + let 8 8 + inherit (lib) 9 9 + getExe 10 10 + mkDefault 11 11 + mkEnableOption 12 12 + mkIf 13 13 + mkOption 14 14 + mkPackageOption 15 15 + types 16 16 + ; 17 17 + 18 18 + cfg = config.services.actual; 19 19 + configFile = formatType.generate "config.json" cfg.settings; 20 20 + dataDir = "/var/lib/actual"; 21 21 + 22 22 + formatType = pkgs.formats.json { }; 23 23 + in 24 24 + { 25 25 + options.services.actual = { 26 26 + enable = mkEnableOption "actual, a privacy focused app for managing your finances"; 27 27 + package = mkPackageOption pkgs "actual-server" { }; 28 28 + 29 29 + openFirewall = mkOption { 30 30 + default = false; 31 31 + type = types.bool; 32 32 + description = "Whether to open the firewall for the specified port."; 33 33 + }; 34 34 + 35 35 + settings = mkOption { 36 36 + default = { }; 37 37 + description = "Server settings, refer to [the documentation](https://actualbudget.org/docs/config/) for available options."; 38 38 + type = types.submodule { 39 39 + freeformType = formatType.type; 40 40 + 41 41 + options = { 42 42 + hostname = mkOption { 43 43 + type = types.str; 44 44 + description = "The address to listen on"; 45 45 + default = "::"; 46 46 + }; 47 47 + 48 48 + port = mkOption { 49 49 + type = types.port; 50 50 + description = "The port to listen on"; 51 51 + default = 3000; 52 52 + }; 53 53 + }; 54 54 + 55 55 + config = { 56 56 + serverFiles = mkDefault "${dataDir}/server-files"; 57 57 + userFiles = mkDefault "${dataDir}/user-files"; 58 58 + dataDir = mkDefault dataDir; 59 59 + }; 60 60 + }; 61 61 + }; 62 62 + }; 63 63 + 64 64 + config = mkIf cfg.enable { 65 65 + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.port ]; 66 66 + 67 67 + systemd.services.actual = { 68 68 + description = "Actual server, a local-first personal finance app"; 69 69 + after = [ "network.target" ]; 70 70 + wantedBy = [ "multi-user.target" ]; 71 71 + environment.ACTUAL_CONFIG_PATH = configFile; 72 72 + serviceConfig = { 73 73 + ExecStart = getExe cfg.package; 74 74 + DynamicUser = true; 75 75 + User = "actual"; 76 76 + Group = "actual"; 77 77 + StateDirectory = "actual"; 78 78 + WorkingDirectory = dataDir; 79 79 + LimitNOFILE = "1048576"; 80 80 + PrivateTmp = true; 81 81 + PrivateDevices = true; 82 82 + StateDirectoryMode = "0700"; 83 83 + Restart = "always"; 84 84 + 85 85 + # Hardening 86 86 + CapabilityBoundingSet = ""; 87 87 + LockPersonality = true; 88 88 + #MemoryDenyWriteExecute = true; # Leads to coredump because V8 does JIT 89 89 + PrivateUsers = true; 90 90 + ProtectClock = true; 91 91 + ProtectControlGroups = true; 92 92 + ProtectHome = true; 93 93 + ProtectHostname = true; 94 94 + ProtectKernelLogs = true; 95 95 + ProtectKernelModules = true; 96 96 + ProtectKernelTunables = true; 97 97 + ProtectProc = "invisible"; 98 98 + ProcSubset = "pid"; 99 99 + ProtectSystem = "strict"; 100 100 + RestrictAddressFamilies = [ 101 101 + "AF_INET" 102 102 + "AF_INET6" 103 103 + "AF_NETLINK" 104 104 + ]; 105 105 + RestrictNamespaces = true; 106 106 + RestrictRealtime = true; 107 107 + SystemCallArchitectures = "native"; 108 108 + SystemCallFilter = [ 109 109 + "@system-service" 110 110 + "@pkey" 111 111 + ]; 112 112 + UMask = "0077"; 113 113 + }; 114 114 + }; 115 115 + }; 116 116 + 117 117 + meta.maintainers = [ 118 118 + lib.maintainers.oddlama 119 119 + lib.maintainers.patrickdag 120 120 + ]; 121 121 + }

+18

nixos/tests/actual.nix

··· 1 1 + import ./make-test-python.nix ( 2 2 + { lib, ... }: 3 3 + { 4 4 + name = "actual"; 5 5 + meta.maintainers = [ lib.maintainers.oddlama ]; 6 6 + 7 7 + nodes.machine = 8 8 + { ... }: 9 9 + { 10 10 + services.actual.enable = true; 11 11 + }; 12 12 + 13 13 + testScript = '' 14 14 + machine.wait_for_open_port(3000) 15 15 + machine.succeed("curl -fvvv -Ls http://localhost:3000/ | grep 'Actual'") 16 16 + ''; 17 17 + } 18 18 + )

+1

nixos/tests/all-tests.nix

··· 107 107 aaaaxy = runTest ./aaaaxy.nix; 108 108 acme = runTest ./acme.nix; 109 109 acme-dns = handleTest ./acme-dns.nix {}; 110 110 + actual = handleTest ./actual.nix {}; 110 111 adguardhome = runTest ./adguardhome.nix; 111 112 aesmd = runTestOn ["x86_64-linux"] ./aesmd.nix; 112 113 agate = runTest ./web-servers/agate.nix;

+128

pkgs/by-name/ac/actual-server/package.nix

··· 1 1 + { 2 2 + lib, 3 3 + stdenv, 4 4 + stdenvNoCC, 5 5 + fetchFromGitHub, 6 6 + makeWrapper, 7 7 + cacert, 8 8 + gitMinimal, 9 9 + nodejs_20, 10 10 + yarn, 11 11 + nixosTests, 12 12 + nix-update-script, 13 13 + }: 14 14 + let 15 15 + version = "24.12.0"; 16 16 + src = fetchFromGitHub { 17 17 + owner = "actualbudget"; 18 18 + repo = "actual-server"; 19 19 + tag = "v${version}"; 20 20 + hash = "sha256-qCATfpYjDlR2LaalkF0/b5tD4HDE4aNDrLvTC4g0ctY="; 21 21 + }; 22 22 + 23 23 + yarn_20 = yarn.override { nodejs = nodejs_20; }; 24 24 + 25 25 + # We cannot use fetchYarnDeps because that doesn't support yarn2/berry 26 26 + # lockfiles (see https://github.com/NixOS/nixpkgs/issues/254369) 27 27 + offlineCache = stdenvNoCC.mkDerivation { 28 28 + name = "actual-server-${version}-offline-cache"; 29 29 + inherit src; 30 30 + 31 31 + nativeBuildInputs = [ 32 32 + cacert # needed for git 33 33 + gitMinimal # needed to download git dependencies 34 34 + yarn_20 35 35 + ]; 36 36 + 37 37 + SUPPORTED_ARCHITECTURES = builtins.toJSON { 38 38 + os = [ 39 39 + "darwin" 40 40 + "linux" 41 41 + ]; 42 42 + cpu = [ 43 43 + "arm" 44 44 + "arm64" 45 45 + "ia32" 46 46 + "x64" 47 47 + ]; 48 48 + libc = [ 49 49 + "glibc" 50 50 + "musl" 51 51 + ]; 52 52 + }; 53 53 + 54 54 + buildPhase = '' 55 55 + runHook preBuild 56 56 + 57 57 + export HOME=$(mktemp -d) 58 58 + yarn config set enableTelemetry 0 59 59 + yarn config set cacheFolder $out 60 60 + yarn config set --json supportedArchitectures "$SUPPORTED_ARCHITECTURES" 61 61 + yarn 62 62 + 63 63 + runHook postBuild 64 64 + ''; 65 65 + 66 66 + installPhase = '' 67 67 + runHook preInstall 68 68 + 69 69 + mkdir -p $out 70 70 + cp -r ./node_modules $out/node_modules 71 71 + 72 72 + runHook postInstall 73 73 + ''; 74 74 + dontFixup = true; 75 75 + 76 76 + outputHashAlgo = "sha256"; 77 77 + outputHashMode = "recursive"; 78 78 + outputHash = 79 79 + { 80 80 + x86_64-linux = "sha256-Rz+iKw4JDWtZOrCjs9sbHVw/bErAEY4TfoG+QfGKY94="; 81 81 + aarch64-linux = "sha256-JGpRoIQrEI6crczHD62ZQO08GshBbzJC0dONYD69K/I="; 82 82 + aarch64-darwin = "sha256-v2qzKmtqBdU6igyHat+NyL/XTzWgq/CKlNpai/iFHyQ="; 83 83 + x86_64-darwin = "sha256-0ksWLlF/a58KY/8NgOQ5aPOLoXzqDqO3lhkmFvT17Bk="; 84 84 + } 85 85 + .${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}"); 86 86 + }; 87 87 + in 88 88 + stdenv.mkDerivation { 89 89 + pname = "actual-server"; 90 90 + inherit version src; 91 91 + 92 92 + nativeBuildInputs = [ 93 93 + makeWrapper 94 94 + yarn_20 95 95 + ]; 96 96 + 97 97 + installPhase = '' 98 98 + runHook preInstall 99 99 + 100 100 + mkdir -p $out/{bin,lib,lib/actual} 101 101 + cp -r ${offlineCache}/node_modules/ $out/lib/actual 102 102 + cp -r ./ $out/lib/actual 103 103 + 104 104 + makeWrapper ${lib.getExe nodejs_20} "$out/bin/actual-server" \ 105 105 + --add-flags "$out/lib/actual/app.js" \ 106 106 + --set NODE_PATH "$out/node_modules" 107 107 + 108 108 + runHook postInstall 109 109 + ''; 110 110 + 111 111 + passthru = { 112 112 + inherit offlineCache; 113 113 + tests = nixosTests.actual; 114 114 + passthru.updateScript = nix-update-script { }; 115 115 + }; 116 116 + 117 117 + meta = { 118 118 + changelog = "https://actualbudget.org/docs/releases"; 119 119 + description = "Super fast privacy-focused app for managing your finances"; 120 120 + homepage = "https://actualbudget.org/"; 121 121 + mainProgram = "actual-server"; 122 122 + license = lib.licenses.mit; 123 123 + maintainers = [ 124 124 + lib.maintainers.oddlama 125 125 + lib.maintainers.patrickdag 126 126 + ]; 127 127 + }; 128 128 + }