feat: add openid connect to actual

hosts/sire/guests/actual.nix

@@ -1,11 +1,14 @@
 {
   config,
   globals,
+  lib,
+  pkgs,
   nodes,
   ...
 }:
 let
   actualDomain = "finance.${globals.domains.me}";
+  client_id = "actual";
 in
 {
   wireguard.proxy-sentinel = {
@@ -13,6 +16,11 @@ in
     firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.actual.settings.port ];
   };
 
+  # Mirror the original oauth2 secret
+  age.secrets.actual-oauth2-client-secret = {
+    inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-actual) rekeyFile;
+  };
+
   environment.persistence."/persist".directories = [
     {
       directory = "/var/lib/private/actual";
@@ -25,6 +33,29 @@ in
     settings.trustedProxies = [ nodes.sentinel.config.wireguard.proxy-sentinel.ipv4 ];
   };
 
+  # NOTE: state: to enable openid, we need to call their enable-openid script once
+  # which COPIES this data to the database :( so changing these values later will
+  # require manual intervention.
+  systemd.services.actual = {
+    serviceConfig.ExecStart = lib.mkForce [
+      (pkgs.writeShellScript "start-actual" ''
+        export ACTUAL_OPENID_CLIENT_SECRET=$(< "$CREDENTIALS_DIRECTORY"/oauth2-client-secret)
+        exec ${lib.getExe config.services.actual.package}
+      '')
+    ];
+    serviceConfig.LoadCredential = [
+      "oauth2-client-secret:${config.age.secrets.actual-oauth2-client-secret.path}"
+    ];
+    environment = {
+      ACTUAL_OPENID_ENFORCE = "true";
+      ACTUAL_TOKEN_EXPIRATION = "openid-provider";
+
+      ACTUAL_OPENID_DISCOVERY_URL = "https://${globals.services.kanidm.domain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
+      ACTUAL_OPENID_CLIENT_ID = client_id;
+      ACTUAL_OPENID_SERVER_HOSTNAME = "https://${actualDomain}";
+    };
+  };
+
   globals.services.actual.domain = actualDomain;
   globals.monitoring.http.actual = {
     url = "https://${actualDomain}/";

hosts/ward/guests/kanidm.nix

@@ -35,6 +35,7 @@ in
   age.secrets.kanidm-admin-password = mkRandomSecret;
   age.secrets.kanidm-idm-admin-password = mkRandomSecret;
 
+  age.secrets.kanidm-oauth2-actual = mkRandomSecret;
   age.secrets.kanidm-oauth2-forgejo = mkRandomSecret;
   age.secrets.kanidm-oauth2-grafana = mkRandomSecret;
   age.secrets.kanidm-oauth2-immich = mkRandomSecret;
@@ -136,6 +137,23 @@ in
         ];
       };
 
+      # Actual
+      groups."actual.access" = { };
+      systems.oauth2.actual = {
+        displayName = "Actual Budget";
+        originUrl = "https://${globals.services.actual.domain}/openid/callback";
+        originLanding = "https://${globals.services.actual.domain}/";
+        basicSecretFile = config.age.secrets.kanidm-oauth2-actual.path;
+        preferShortUsername = true;
+        # XXX: RS256 is used instead of ES256 so additionally we need legacy crypto
+        enableLegacyCrypto = true;
+        scopeMaps."actual.access" = [
+          "openid"
+          "email"
+          "profile"
+        ];
+      };
+
       # Firezone
       groups."firezone.access" = { };
       systems.oauth2.firezone = {

secrets/rekeyed/sire-actual/cdf5433be3f5150b4dbe650fc8c655b6-actual-oauth2-client-secret.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 11F4Ig 1NNgSEVlsAXLFuOa+DtVdIjqDyEPaQtruPjdGGDi9Tk
+kVlPzNbF0smCXrUCp1bpJsX7tF1yzDOT7zaJTjYN5lk
+-> TEO5r\@)-grease Su(^^ Vb1Y3i aBSP
+ZzrXeIeghzGXua8A8Yl1B19VhtPw8jsPKt3T6HatyGplBrFWMq8ipW/Sg8lT+B6p
+1c05R0oSRxc8ZPMJm+MlveZA1qIU7a/TZ5qKZA
+--- tM9Q029kJaGbozrNPUdzGL9o6E5KCyH7iXWzZK/ws7E
+æˆûÜ‹™|åtDND~nö6Ë0’ûÒ[f̆’Ž;×™D‘º0‹£FmÕ¢£Eô±'2—[ëøÀKÝs”û"Nrœ£*&WÝâ,Ä0`èõ

secrets/rekeyed/ward-kanidm/60542dbad9f5a1dbbf8cfc65e0d83c02-kanidm-oauth2-actual.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 QciEZQ VcWKLWPg9nAruDvA/KXaDefLu8SF7PbMH/FJRfHteFc
+1AvjkdFCx+2nqE9qvQr6/2AqxUuLgm2q9krLZ1FVqA4
+-> V]-grease gujG %5pig
+jiipvJVY7Td0OMyhH7nTdSf4EBwcKQ
+--- eaCRPI5enSnNczltwLy4EPgf1FRgUiBxL8BoA8vekh8
+ßÌ–•m“»I½ô[÷"O!0®ô5g‹½�ÆiSêãÌCñZJ*ëZPÜ*ÛâØÀ¸óSÊ©ñ^
Š±¦úÉ@�`µj	öß/?¿