From 65fdfb5aca72db73fcd5bdff22d4a80f14d295db Mon Sep 17 00:00:00 2001
From: Dennis
Date: Fri, 17 Oct 2025 10:08:14 +0200
Subject: [PATCH 01/17] adds config for actual server

---
 hosts/dnsc-vps-sm/default.nix | 6 ++++++
 modules/actual-server/default.nix | 18 ++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 modules/actual-server/default.nix

diff --git a/hosts/dnsc-vps-sm/default.nix b/hosts/dnsc-vps-sm/default.nix
index ff59149..1ca704d 100644
--- a/hosts/dnsc-vps-sm/default.nix
+++ b/hosts/dnsc-vps-sm/default.nix
@@ -16,6 +16,7 @@
 ../../modules/uptime-kuma
 ../../modules/homepage
 ../../modules/docker
+ ../../modules/actual-server
 ];
 
 # Secrets
@@ -79,6 +80,7 @@
 description = "dennis";
 initialPassword = "admin";
 isNormalUser = true;
+ linger = true;
 extraGroups = [
 "wheel"
 "networkmanager"
@@ -111,6 +113,7 @@
 neovim
 wget
 docker-compose
+ actual-server
 ];
 
 # Programs
@@ -161,6 +164,9 @@
 virtualHosts."home.dnsc.io".extraConfig = ''
 reverse_proxy localhost:9001
 '';
+ virtualHosts."finance.dnsc.io".extraConfig = ''
+ reverse_proxy localhost:9002
+ '';
 };
 
 # Environment variables
diff --git a/modules/actual-server/default.nix b/modules/actual-server/default.nix
new file mode 100644
index 0000000..2e7280f
--- /dev/null
+++ b/modules/actual-server/default.nix
@@ -0,0 +1,18 @@
+{
+ pkgs,
+ ...
+}:
+{
+ systemd.user.services.actual-server = {
+ enable = true;
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ description = "user service for the actual budgeting server instance";
+ serviceConfig = {
+ type = "simple";
+ ExecStart = "ACTUAL_PORT=9002 ${pkgs.actual-server}";
+ Restart = "on-failure";
+ RestartSec = 3;
+ };
+ };
+}

From f4f99bfceb8928f60df29c23dbbd71fcf4591d66 Mon Sep 17 00:00:00 2001
From: Dennis
Date: Fri, 17 Oct 2025 10:08:45 +0200
Subject: [PATCH 02/17] adds tailscale back to dnsc-work

---
 hosts/dnsc-work/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
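Review bot: The new unit in modules/actual-server/default.nix puts the server on port 9002 but nothing in it pins the listener to loopback, so whether the Caddy vhost added in the first file (`reverse_proxy localhost:9002`) is the only way to reach it depends on the package's default bind address and on the host firewall, neither of which is visible in this patch. If actual-server reads `ACTUAL_HOSTNAME` the way the unit already relies on it reading `ACTUAL_PORT`, setting `ACTUAL_HOSTNAME=127.0.0.1` alongside it keeps the unauthenticated-by-TLS path off the network; confirm against the package before relying on it. The unit also declares no data location (no `StateDirectory` or `WorkingDirectory`), so where the budget files are written is whatever the package defaults to; a comment such as `# data dir: <confirm where actual-server writes by default>` above `serviceConfig` would make that explicit for the next reader.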
diff --git a/hosts/dnsc-work/default.nix b/hosts/dnsc-work/default.nix index 4c26c21..a94574b 100644 --- a/hosts/dnsc-work/default.nix +++ b/hosts/dnsc-work/default.nix @@ -98,7 +98,7 @@ casks = [ "arc" "microsoft-teams" - # "tailscale" + "tailscale" "font-victor-mono" "font-victor-mono-nerd-font" "vlc" From a167bdad8dee0bd0ef236034b172e9cbae78bc4a Mon Sep 17 00:00:00 2001 From: Dennis Schoepf Date: Fri, 17 Oct 2025 10:15:25 +0200 Subject: [PATCH 03/17] updates lockfile --- flake.lock | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/flake.lock b/flake.lock index e9f8423..ce13c5f 100644 --- a/flake.lock +++ b/flake.lock @@ -24,16 +24,16 @@ "brew-src": { "flake": false, "locked": { - "lastModified": 1756059815, - "narHash": "sha256-UALOxoXoFIHbwKzcqbqCAqw5cC0MJEehLaWSet5vxfE=", + "lastModified": 1758543057, + "narHash": "sha256-lw3V2jOGYphUFHYQ5oARcb6urlbNpUCLJy1qhsGdUmc=", "owner": "Homebrew", "repo": "brew", - "rev": "02947ea4edbdef5fcce9ee57fa289547f4d096c9", + "rev": "5b236456eb93133c2bd0d60ef35ed63f1c0712f6", "type": "github" }, "original": { "owner": "Homebrew", - "ref": "4.6.7", + "ref": "4.6.12", "repo": "brew", "type": "github" } @@ -88,11 +88,11 @@ ] }, "locked": { - "lastModified": 1757997814, - "narHash": "sha256-F+1aoG+3NH4jDDEmhnDUReISyq6kQBBuktTUqCUWSiw=", + "lastModified": 1760662441, + "narHash": "sha256-mlDqR1Ntgs9uYYEAUR1IhamKBO0lxoNS4zGLzEZaY0A=", "owner": "nix-community", "repo": "home-manager", - "rev": "5820376beb804de9acf07debaaff1ac84728b708", + "rev": "722792af097dff5790f1a66d271a47759f477755", "type": "github" }, "original": { 
@@ -126,11 +126,11 @@ ] }, "locked": { - "lastModified": 1757430124, - "narHash": "sha256-MhDltfXesGH8VkGv3hmJ1QEKl1ChTIj9wmGAFfWj/Wk=", + "lastModified": 1760338583, + "narHash": "sha256-IGwy02SH5K2hzIFrKMRsCmyvwOwWxrcquiv4DbKL1S4=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "830b3f0b50045cf0bcfd4dab65fad05bf882e196", + "rev": "9a9ab01072f78823ca627ae5e895e40d493c3ecf", "type": "github" }, "original": { @@ -145,11 +145,11 @@ "brew-src": "brew-src" }, "locked": { - "lastModified": 1756398546, - "narHash": "sha256-n4GVDLhKu65XFraJuCzap2AaZji4xhPaZMTJ8aQdD3s=", + "lastModified": 1758598228, + "narHash": "sha256-qr60maXGbZ4FX5tejPRI3nr0bnRTnZ3AbbbfO6/6jq4=", "owner": "zhaofengli", "repo": "nix-homebrew", - "rev": "3aa475996cb3bc1ecefa88c99c466e6f0bc17431", + "rev": "f36e5db56e117f7df701ab152d0d2036ea85218c", "type": "github" }, "original": { @@ -188,11 +188,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1757935978, - "narHash": "sha256-xeHiYTqlibGf6VQADGrZ2GzayTOJo8G0g8D8f5zCE3Y=", + "lastModified": 1760596604, + "narHash": "sha256-J/i5K6AAz/y5dBePHQOuzC7MbhyTOKsd/GLezSbEFiM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0b96957fb614f693d0cee1bd65fbfc0e610df47f", + "rev": "3cbe716e2346710d6e1f7c559363d14e11c32a43", "type": "github" }, "original": { From 0acd98a8a5d2914f5ff0c73653aeb75d660bb7c0 Mon Sep 17 00:00:00 2001 From: Dennis Date: Fri, 17 Oct 2025 10:27:02 +0200 Subject: [PATCH 04/17] adapts actual server config --- modules/actual-server/default.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/modules/actual-server/default.nix b/modules/actual-server/default.nix index 2e7280f..18e93c6 100644 --- a/modules/actual-server/default.nix +++ b/modules/actual-server/default.nix 
@@ -8,9 +8,12 @@
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
 description = "user service for the actual budgeting server instance";
+ environment = {
+ ACTUAL_PORT = 9002;
+ };
 serviceConfig = {
- type = "simple";
- ExecStart = "ACTUAL_PORT=9002 ${pkgs.actual-server}";
+ Type = "simple";
+ ExecStart = "${pkgs.actual-server}";
 Restart = "on-failure";
 RestartSec = 3;
 };

From cd14ccf417603eecb62a74b81b526861355ac6b7 Mon Sep 17 00:00:00 2001
From: Dennis
Date: Fri, 17 Oct 2025 10:39:16 +0200
Subject: [PATCH 05/17] fixes data type of env var

---
 modules/actual-server/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/actual-server/default.nix b/modules/actual-server/default.nix
index 18e93c6..4e7946b 100644
--- a/modules/actual-server/default.nix
+++ b/modules/actual-server/default.nix
@@ -9,7 +9,7 @@
 wantedBy = [ "multi-user.target" ];
 description = "user service for the actual budgeting server instance";
 environment = {
- ACTUAL_PORT = 9002;
+ ACTUAL_PORT = "9002";
 };
 serviceConfig = {
 Type = "simple";

From b9a18d4ef534425afbb074476e173f07aa9353ac Mon Sep 17 00:00:00 2001
From: Dennis
Date: Fri, 17 Oct 2025 10:55:11 +0200
Subject: [PATCH 06/17] makes actual-server system-wide and hardens it

---
 modules/actual-server/default.nix | 39 ++++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)

diff --git a/modules/actual-server/default.nix b/modules/actual-server/default.nix
index 4e7946b..91bd8a7 100644
--- a/modules/actual-server/default.nix
+++ b/modules/actual-server/default.nix
@@ -3,7 +3,7 @@
 ...
 }:
 {
- systemd.user.services.actual-server = {
+ systemd.services.actual-server = {
 enable = true;
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
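Review bot: Renaming `systemd.user.services.actual-server` to `systemd.services.actual-server` changes who runs the daemon: a NixOS system service with no `User` or `DynamicUser` inside `serviceConfig` runs as root, and the `DynamicUser = true` this patch adds in its second hunk sits at the module's top level rather than in `serviceConfig`, so it never takes effect. With the unit system-wide, the `linger = true` added to the dennis user in patch 01 (only needed for a user unit to outlive a login session) no longer has a purpose and can be dropped from hosts/dnsc-vps-sm/default.nix. `wantedBy = [ "multi-user.target" ]` is now the correct target for this unit. The attribute set holding this hunk starts and ends outside it.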
@@ -18,4 +18,41 @@
 RestartSec = 3;
 };
 };
+
+ # hardening
+ DynamicUser = true;
+ DevicePolicy = "closed";
+ CapabilityBoundingSet = "";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ "AF_NETLINK"
+ ];
+ DeviceAllow = "";
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ LockPersonality = true;
+ RemoveIPC = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@resources"
+ ];
+ ProtectProc = "invisible";
+ ProtectHostname = true;
+ UMask = "0077";
 }

From 7e5e823f217d5acd210a80d74e47c82f452dbb73 Mon Sep 17 00:00:00 2001
From: Dennis
Date: Fri, 17 Oct 2025 10:57:40 +0200
Subject: [PATCH 07/17] removes unavailable param

---
 modules/actual-server/default.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/actual-server/default.nix b/modules/actual-server/default.nix
index 91bd8a7..3b905d1 100644
--- a/modules/actual-server/default.nix
+++ b/modules/actual-server/default.nix
@@ -22,7 +22,6 @@
 # hardening
 DynamicUser = true;
 DevicePolicy = "closed";
- CapabilityBoundingSet = "";
 RestrictAddressFamilies = [
 "AF_INET"
 "AF_INET6"

From 4dae85c485bcde8383df9043aeb1b60856015857 Mon Sep 17 00:00:00 2001
From: Dennis
Date: Fri, 17 Oct 2025 10:57:59 +0200
Subject: [PATCH 08/17] up

---
 modules/actual-server/default.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/actual-server/default.nix b/modules/actual-server/default.nix
index 3b905d1..93ff6b4 100644
--- a/modules/actual-server/default.nix
+++ b/modules/actual-server/default.nix
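Review bot: The hardening block is inserted after the `};` that closes `systemd.services.actual-server`, so `DynamicUser`, `ProtectSystem` and the other keys become top-level attributes of the NixOS module, where they are not defined options; that is the evaluation error patches 07 through 14 chase by deleting one key per commit, and patch 15 then removes the whole block, so the final service runs unsandboxed and as root. The keys are all valid systemd unit settings (`CapabilityBoundingSet = ""` and `DeviceAllow = ""` included) and belong inside `serviceConfig`, directly after `RestartSec = 3;`, with nothing else changed. Because `DynamicUser = true` together with `ProtectSystem = "strict"` leaves the process no writable path, the move needs `StateDirectory = "actual-server";` in the same block and, if the package reads `ACTUAL_DATA_DIR` as it reads `ACTUAL_PORT`, `ACTUAL_DATA_DIR = "/var/lib/actual-server";` in `environment`, otherwise the server fails on its first write. The `# hardening` comment should also record the intent of the non-obvious choices, e.g. `# @system-service minus @resources: the node server needs no rlimit/priority syscalls`.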
@@ -28,7 +28,6 @@
 "AF_UNIX"
 "AF_NETLINK"
 ];
- DeviceAllow = "";
 NoNewPrivileges = true;
 PrivateDevices = true;
 PrivateMounts = true;

From 4f731290012593984cc4d292152c9d678f1f20ce Mon Sep 17 00:00:00 2001
From: Dennis
Date: Fri, 17 Oct 2025 10:58:21 +0200
Subject: [PATCH 09/17] up

---
 modules/actual-server/default.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/actual-server/default.nix b/modules/actual-server/default.nix
index 93ff6b4..61b19bf 100644
--- a/modules/actual-server/default.nix
+++ b/modules/actual-server/default.nix
@@ -21,7 +21,6 @@
 
 # hardening
 DynamicUser = true;
- DevicePolicy = "closed";
 RestrictAddressFamilies = [
 "AF_INET"
 "AF_INET6"

From e0083b547191184a07377907b036a9c8aefec76b Mon Sep 17 00:00:00 2001
From: Dennis
Date: Fri, 17 Oct 2025 10:58:39 +0200
Subject: [PATCH 10/17] up

---
 modules/actual-server/default.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/actual-server/default.nix b/modules/actual-server/default.nix
index 61b19bf..5d26988 100644
--- a/modules/actual-server/default.nix
+++ b/modules/actual-server/default.nix
@@ -20,7 +20,6 @@
 };
 
 # hardening
- DynamicUser = true;
 RestrictAddressFamilies = [
 "AF_INET"
 "AF_INET6"

From b1836bc303b3b1cad3118eb1139e2d87dd96c373 Mon Sep 17 00:00:00 2001
From: Dennis
Date: Fri, 17 Oct 2025 10:58:55 +0200
Subject: [PATCH 11/17] up

---
 modules/actual-server/default.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/actual-server/default.nix b/modules/actual-server/default.nix
index 5d26988..21e3907 100644
--- a/modules/actual-server/default.nix
+++ b/modules/actual-server/default.nix
@@ -38,7 +38,6 @@
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
 ProtectSystem = "strict";
- LockPersonality = true;
 RemoveIPC = true;
 RestrictNamespaces = true;
 RestrictRealtime = true;

From 2e5fd1abe0efa2f90dd41b9a7ebc679721277045 Mon Sep 17 00:00:00 2001
From: Dennis
Date: Fri, 17 Oct 2025 10:59:17 +0200
Subject: [PATCH 12/17] up

---
 modules/actual-server/default.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/actual-server/default.nix b/modules/actual-server/default.nix
index 21e3907..9de133b 100644
--- a/modules/actual-server/default.nix
+++ b/modules/actual-server/default.nix
@@ -26,7 +26,6 @@
 "AF_UNIX"
 "AF_NETLINK"
 ];
- NoNewPrivileges = true;
 PrivateDevices = true;
 PrivateMounts = true;
 PrivateTmp = true;

From 8d7f769f2595feec67fcc0d471e91f91fee30147 Mon Sep 17 00:00:00 2001
From: Dennis
Date: Fri, 17 Oct 2025 10:59:37 +0200
Subject: [PATCH 13/17] up

---
 modules/actual-server/default.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/actual-server/default.nix b/modules/actual-server/default.nix
index 9de133b..1f65482 100644
--- a/modules/actual-server/default.nix
+++ b/modules/actual-server/default.nix
@@ -26,7 +26,6 @@
 "AF_UNIX"
 "AF_NETLINK"
 ];
- PrivateDevices = true;
 PrivateMounts = true;
 PrivateTmp = true;
 PrivateUsers = true;

From 9c28766c72282703212bcd857a585c3109906ac3 Mon Sep 17 00:00:00 2001
From: Dennis
Date: Fri, 17 Oct 2025 10:59:58 +0200
Subject: [PATCH 14/17] up

---
 modules/actual-server/default.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/actual-server/default.nix b/modules/actual-server/default.nix
index 1f65482..e834c66 100644
--- a/modules/actual-server/default.nix
+++ b/modules/actual-server/default.nix
@@ -26,7 +26,6 @@
 "AF_UNIX"
 "AF_NETLINK"
 ];
- PrivateMounts = true;
 PrivateTmp = true;
 PrivateUsers = true;
 ProtectClock = true;

From 1df4bcca5014937e3696455281c2637008e76842 Mon Sep 17 00:00:00 2001
From: Dennis
Date: Fri, 17 Oct 2025 11:00:27 +0200
Subject: [PATCH 15/17] removes unavailable params

---
 modules/actual-server/default.nix | 29 -----------------------------
 1 file changed, 29 deletions(-)

diff --git a/modules/actual-server/default.nix b/modules/actual-server/default.nix
index e834c66..867bb2d 100644
--- a/modules/actual-server/default.nix
+++ b/modules/actual-server/default.nix
@@ -18,33 +18,4 @@
 RestartSec = 3;
 };
 };
-
- # hardening
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- "AF_UNIX"
- "AF_NETLINK"
- ];
- PrivateTmp = true;
- PrivateUsers = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectSystem = "strict";
- RemoveIPC = true;
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "~@resources"
- ];
- ProtectProc = "invisible";
- ProtectHostname = true;
- UMask = "0077";
 }

From 3ddd10a68366b59efcc6bc9e6898c32d07e81609 Mon Sep 17 00:00:00 2001
From: Dennis
Date: Fri, 17 Oct 2025 11:02:17 +0200
Subject: [PATCH 16/17] fixes exec path for actual server

---
 modules/actual-server/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/actual-server/default.nix b/modules/actual-server/default.nix
index 867bb2d..f1d289b 100644
--- a/modules/actual-server/default.nix
+++ b/modules/actual-server/default.nix
@@ -13,7 +13,7 @@
 };
 serviceConfig = {
 Type = "simple";
- ExecStart = "${pkgs.actual-server}";
+ ExecStart = "${pkgs.actual-server}/bin/actual-server";
 Restart = "on-failure";
 RestartSec = 3;
 };

From 6ee4809542a6c4191abe70140cb915e75db485b0 Mon Sep 17 00:00:00 2001
From: Dennis
Date: Fri, 17 Oct 2025 11:05:12 +0200
Subject: [PATCH 17/17] updates homepage with new service

---
 modules/homepage/default.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/homepage/default.nix b/modules/homepage/default.nix
index ab06e3a..28debae 100644
--- a/modules/homepage/default.nix
+++ b/modules/homepage/default.nix
@@ -44,6 +44,12 @@
 icon = "uptime-kuma.png";
 };
 }
+ {
+ "Actual" = {
+ href = "https://finance.dnsc.io";
+ icon = "actual-budget.png";
+ };
+ }
 {
 "Slides" = {
 href = "https://slides.dnsc.io";
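Review bot: With `ExecStart` now pointing at `${pkgs.actual-server}/bin/actual-server` the unit starts, but `serviceConfig` still gives the server no writable location: there is no `StateDirectory` or `WorkingDirectory` (a system service's working directory defaults to `/`) and `environment` carries only `ACTUAL_PORT`, so where budget files land is the package's default, which is not visible here and should be confirmed not to be the read-only store path. Adding `StateDirectory = "actual-server";` next to `RestartSec = 3;` and, if the package reads `ACTUAL_DATA_DIR` as it reads `ACTUAL_PORT`, `ACTUAL_DATA_DIR = "/var/lib/actual-server";` to `environment` makes the data location explicit and stable across rebuilds. After patch 15 this `serviceConfig` also has no `User` or `DynamicUser`, so the process runs as root; the attribute set around this hunk starts and ends outside it.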