diff --git a/hosts/sire/guests/actual.nix b/hosts/sire/guests/actual.nix index 26c208b..40e56a1 100644 --- a/hosts/sire/guests/actual.nix +++ b/hosts/sire/guests/actual.nix @@ -1,11 +1,14 @@ { config, globals, + lib, + pkgs, nodes, ... }: let actualDomain = "finance.${globals.domains.me}"; + client_id = "actual"; in { wireguard.proxy-sentinel = { @@ -13,6 +16,11 @@ in firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.actual.settings.port ]; }; + # Mirror the original oauth2 secret + age.secrets.actual-oauth2-client-secret = { + inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-actual) rekeyFile; + }; + environment.persistence."/persist".directories = [ { directory = "/var/lib/private/actual"; @@ -25,6 +33,29 @@ in settings.trustedProxies = [ nodes.sentinel.config.wireguard.proxy-sentinel.ipv4 ]; }; + # NOTE: state: to enable openid, we need to call their enable-openid script once + # which COPIES this data to the database :( so changing these values later will + # require manual intervention. + systemd.services.actual = { + serviceConfig.ExecStart = lib.mkForce [ + (pkgs.writeShellScript "start-actual" '' + export ACTUAL_OPENID_CLIENT_SECRET=$(< "$CREDENTIALS_DIRECTORY"/oauth2-client-secret) + exec ${lib.getExe config.services.actual.package} + '') + ]; + serviceConfig.LoadCredential = [ + "oauth2-client-secret:${config.age.secrets.actual-oauth2-client-secret.path}" + ]; + environment = { + ACTUAL_OPENID_ENFORCE = "true"; + ACTUAL_TOKEN_EXPIRATION = "openid-provider"; + + ACTUAL_OPENID_DISCOVERY_URL = "https://${globals.services.kanidm.domain}/oauth2/openid/${client_id}/.well-known/openid-configuration"; + ACTUAL_OPENID_CLIENT_ID = client_id; + ACTUAL_OPENID_SERVER_HOSTNAME = "https://${actualDomain}"; + }; + }; + globals.services.actual.domain = actualDomain; globals.monitoring.http.actual = { url = "https://${actualDomain}/"; diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix index 010bfa2..7995222 100644 
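Review bot: The start wrapper in the forced ExecStart will launch Actual with an empty ACTUAL_OPENID_CLIENT_SECRET if the loaded credential is missing or unreadable, because `export VAR=$(…)` masks the substitution's exit status and `writeShellScript` does not enable `set -e`; check the credential file and fail closed before exporting. The secret is then carried as an environment variable, so it is readable from /proc/<pid>/environ by the service user and inherited by every child of the process — presumably unavoidable because Actual only reads it from the environment, but that is worth a one-line comment next to the export. `lib.mkForce` also discards whatever ExecStart the upstream `services.actual` module sets, including any flags it passes; confirm that `${lib.getExe config.services.actual.package}` with no arguments is equivalent. Given the NOTE that `enable-openid` copies these values into the database, consider extending it with `# Rotating kanidm-oauth2-actual therefore requires re-running enable-openid; a service restart does not update the DB copy.`
```nix
serviceConfig.ExecStart = lib.mkForce [
  (pkgs.writeShellScript "start-actual" ''
    set -euo pipefail
    secret_file="$CREDENTIALS_DIRECTORY/oauth2-client-secret"
    # Fail closed: never start Actual with an empty OIDC client secret.
    if [[ ! -s "$secret_file" ]]; then
      echo "start-actual: oauth2 client secret missing or empty" >&2
      exit 1
    fi
    # Actual only reads the secret from the environment (visible in
    # /proc/<pid>/environ to the service user), hence the export.
    ACTUAL_OPENID_CLIENT_SECRET=$(< "$secret_file")
    export ACTUAL_OPENID_CLIENT_SECRET
    exec ${lib.getExe config.services.actual.package}
  '')
];
# … unchanged: LoadCredential and environment …
```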
--- a/hosts/ward/guests/kanidm.nix +++ b/hosts/ward/guests/kanidm.nix @@ -35,6 +35,7 @@ in age.secrets.kanidm-admin-password = mkRandomSecret; age.secrets.kanidm-idm-admin-password = mkRandomSecret; + age.secrets.kanidm-oauth2-actual = mkRandomSecret; age.secrets.kanidm-oauth2-forgejo = mkRandomSecret; age.secrets.kanidm-oauth2-grafana = mkRandomSecret; age.secrets.kanidm-oauth2-immich = mkRandomSecret; @@ -136,6 +137,23 @@ in ]; }; + # Actual + groups."actual.access" = { }; + systems.oauth2.actual = { + displayName = "Actual Budget"; + originUrl = "https://${globals.services.actual.domain}/openid/callback"; + originLanding = "https://${globals.services.actual.domain}/"; + basicSecretFile = config.age.secrets.kanidm-oauth2-actual.path; + preferShortUsername = true; + # XXX: RS256 is used instead of ES256 so additionally we need legacy crypto + enableLegacyCrypto = true; + scopeMaps."actual.access" = [ + "openid" + "email" + "profile" + ]; + }; + # Firezone groups."firezone.access" = { }; systems.oauth2.firezone = { diff --git a/secrets/generated/ward-kanidm/kanidm-oauth2-actual.age b/secrets/generated/ward-kanidm/kanidm-oauth2-actual.age new file mode 100644 index 0000000..654c68e Binary files /dev/null and b/secrets/generated/ward-kanidm/kanidm-oauth2-actual.age differ diff --git a/secrets/global.nix.age b/secrets/global.nix.age index 83d2b51..43d7953 100644 Binary files a/secrets/global.nix.age and b/secrets/global.nix.age differ diff --git a/secrets/rekeyed/sire-actual/cdf5433be3f5150b4dbe650fc8c655b6-actual-oauth2-client-secret.age b/secrets/rekeyed/sire-actual/cdf5433be3f5150b4dbe650fc8c655b6-actual-oauth2-client-secret.age new file mode 100644 index 0000000..033e9dc --- /dev/null +++ b/secrets/rekeyed/sire-actual/cdf5433be3f5150b4dbe650fc8c655b6-actual-oauth2-client-secret.age 
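Review bot: The `# XXX` comment above `enableLegacyCrypto = true` says RS256 is used but not by whom or why, which is what the next maintainer needs before deciding whether the weakened signing algorithm can be dropped; presumably Actual's OIDC client cannot verify ES256 id_tokens, but that should be confirmed and recorded, e.g. `# XXX: Actual's OIDC client presumably verifies RS256 only (confirm upstream); enableLegacyCrypto is per-client and affects only this RP — remove once ES256 is supported.` The hunk does not set `allowInsecureClientDisablePkce`, so kanidm's PKCE enforcement stays in place for this client, which is the right posture and worth stating in the same comment so nobody "fixes" a failing login by disabling it. `groups."actual.access"` is created with no members, and since actual.nix sets `ACTUAL_OPENID_ENFORCE = "true"`, nobody can sign in until membership is granted elsewhere — add a short comment pointing to where members are managed.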
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 11F4Ig 1NNgSEVlsAXLFuOa+DtVdIjqDyEPaQtruPjdGGDi9Tk +kVlPzNbF0smCXrUCp1bpJsX7tF1yzDOT7zaJTjYN5lk +-> TEO5r\@)-grease Su(^^ Vb1Y3i aBSP +ZzrXeIeghzGXua8A8Yl1B19VhtPw8jsPKt3T6HatyGplBrFWMq8ipW/Sg8lT+B6p +1c05R0oSRxc8ZPMJm+MlveZA1qIU7a/TZ5qKZA +--- tM9Q029kJaGbozrNPUdzGL9o6E5KCyH7iXWzZK/ws7E +܋|tDND~n60[f̆;D0FmE'2[Ks"Nr*&W,0` \ No newline at end of file diff --git a/secrets/rekeyed/ward-kanidm/60542dbad9f5a1dbbf8cfc65e0d83c02-kanidm-oauth2-actual.age b/secrets/rekeyed/ward-kanidm/60542dbad9f5a1dbbf8cfc65e0d83c02-kanidm-oauth2-actual.age new file mode 100644 index 0000000..82f4c59 --- /dev/null +++ b/secrets/rekeyed/ward-kanidm/60542dbad9f5a1dbbf8cfc65e0d83c02-kanidm-oauth2-actual.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 QciEZQ VcWKLWPg9nAruDvA/KXaDefLu8SF7PbMH/FJRfHteFc +1AvjkdFCx+2nqE9qvQr6/2AqxUuLgm2q9krLZ1FVqA4 +-> V]-grease gujG %5pig +jiipvJVY7Td0OMyhH7nTdSf4EBwcKQ +--- eaCRPI5enSnNczltwLy4EPgf1FRgUiBxL8BoA8vekh8 +̖mI["O!05giSCZJ* ZP*S^@`j /? \ No newline at end of file