From d7b79ab6e9d3ab2cf9de1356727332b375686f6d Mon Sep 17 00:00:00 2001
From: oddlama <oddlama@oddlama.org>
Date: Sat, 26 Apr 2025 14:39:43 +0200
Subject: [PATCH] feat: add firefly pico

---
 config/users.nix                              |   1 +
 hosts/kroma/default.nix                       |   3 +
 hosts/ward/guests/firefly.nix                 |  45 +-
 modules/default.nix                           |   1 +
 modules/firefly-pico.nix                      | 410 ++++++++++++++++++
 pkgs/default.nix                              |   1 +
 pkgs/firefly-pico-frontend.nix                |  50 +++
 pkgs/firefly-pico.nix                         |  73 ++++
 ...ly-app-key.age => firefly-iii-app-key.age} |   0
 .../ward-firefly/firefly-pico-app-key.age     | Bin 0 -> 417 bytes
 ...e868a44f8f70bd383-firefly-pico-app-key.age |   7 +
 ...9cc7bd4199c9db79d103de-firefly-app-key.age |   7 -
 ...bd4199c9db79d103de-firefly-iii-app-key.age | Bin 0 -> 353 bytes
 13 files changed, 587 insertions(+), 11 deletions(-)
 create mode 100644 modules/firefly-pico.nix
 create mode 100644 pkgs/firefly-pico-frontend.nix
 create mode 100644 pkgs/firefly-pico.nix
 rename secrets/generated/ward-firefly/{firefly-app-key.age => firefly-iii-app-key.age} (100%)
 create mode 100644 secrets/generated/ward-firefly/firefly-pico-app-key.age
 create mode 100644 secrets/rekeyed/ward-firefly/0c03e82003735b0e868a44f8f70bd383-firefly-pico-app-key.age
 delete mode 100644 secrets/rekeyed/ward-firefly/3e9f3cf2a49cc7bd4199c9db79d103de-firefly-app-key.age
 create mode 100644 secrets/rekeyed/ward-firefly/3e9f3cf2a49cc7bd4199c9db79d103de-firefly-iii-app-key.age

diff --git a/config/users.nix b/config/users.nix
index cb06188..22dbea5 100644
--- a/config/users.nix
+++ b/config/users.nix
@@ -44,5 +44,6 @@
       plugdev.gid = 967;
       tss = uidGid 966;
       firefly-iii = uidGid 965;
+      firefly-pico = uidGid 964;
     };
 }
diff --git a/hosts/kroma/default.nix b/hosts/kroma/default.nix
index 2df3790..53a7361 100644
--- a/hosts/kroma/default.nix
+++ b/hosts/kroma/default.nix
@@ -91,6 +91,9 @@
   programs.nix-ld.enable = true;
   topology.self.icon = "devices.desktop";
 
+  # Mainly for client-side formatting in websites like firefly-iii
+  i18n.supportedLocales = [ "de_DE.UTF-8/UTF-8" ];
+
   hardware.nvidia-container-toolkit.enable = true;
   virtualisation.containers.enable = true;
   virtualisation.podman = {
diff --git a/hosts/ward/guests/firefly.nix b/hosts/ward/guests/firefly.nix
index f7639f3..02e0bb5 100644
--- a/hosts/ward/guests/firefly.nix
+++ b/hosts/ward/guests/firefly.nix
@@ -20,8 +20,20 @@ in
     expectedBodyRegex = "Firefly III";
     network = "home-lan.vlans.services";
   };
+  globals.monitoring.http.firefly-pico = {
+    url = "https://${fireflyDomain}/pico";
+    expectedBodyRegex = "Pico";
+    network = "home-lan.vlans.services";
+  };
 
-  age.secrets.firefly-app-key = {
+  age.secrets.firefly-iii-app-key = {
+    generator.script = _: ''
+      echo "base64:$(head -c 32 /dev/urandom | base64)"
+    '';
+    owner = "firefly-iii";
+  };
+
+  age.secrets.firefly-pico-app-key = {
     generator.script = _: ''
       echo "base64:$(head -c 32 /dev/urandom | base64)"
     '';
@@ -33,21 +45,39 @@ in
       directory = "/var/lib/firefly-iii";
       user = "firefly-iii";
     }
+    {
+      directory = "/var/lib/firefly-pico";
+      user = "firefly-pico";
+    }
   ];
 
-  i18n.supportedLocales = [ "all" ];
   services.firefly-iii = {
     enable = true;
     enableNginx = true;
     virtualHost = globals.services.firefly.domain;
     settings = {
       AUDIT_LOG_LEVEL = "emergency"; # disable audit logs
-      LOG_CHANNEL = "stdout";
+      LOG_CHANNEL = "syslog";
       APP_URL = "https://${globals.services.firefly.domain}";
       TZ = "Europe/Berlin";
       TRUSTED_PROXIES = wardWebProxyCfg.wireguard.proxy-home.ipv4;
       SITE_OWNER = "admin@${globals.domains.me}";
-      APP_KEY_FILE = config.age.secrets.firefly-app-key.path;
+      APP_KEY_FILE = config.age.secrets.firefly-iii-app-key.path;
+    };
+  };
+
+  services.firefly-pico = {
+    enable = true;
+    enableNginx = true;
+    virtualHost = "pico.internal";
+    settings = {
+      LOG_CHANNEL = "syslog";
+      APP_URL = "https://${globals.services.firefly.domain}/pico";
+      TZ = "Europe/Berlin";
+      FIREFLY_URL = config.services.firefly-iii.settings.APP_URL;
+      TRUSTED_PROXIES = wardWebProxyCfg.wireguard.proxy-home.ipv4;
+      SITE_OWNER = "admin@${globals.domains.me}";
+      APP_KEY_FILE = config.age.secrets.firefly-pico-app-key.path;
     };
   };
 
@@ -71,6 +101,13 @@ in
           proxyPass = "http://firefly";
           proxyWebsockets = true;
         };
+        locations."/pico" = {
+          proxyPass = "http://firefly/"; # Trailing slash matters! (remove location suffix)
+          proxyWebsockets = true;
+          extraConfig = ''
+            proxy_set_header Host pico.internal;
+          '';
+        };
         extraConfig = ''
           allow ${globals.net.home-lan.vlans.home.cidrv4};
           allow ${globals.net.home-lan.vlans.home.cidrv6};
diff --git a/modules/default.nix b/modules/default.nix
index fe00f12..fc7701e 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -4,6 +4,7 @@
     ./backups.nix
     ./deterministic-ids.nix
     ./distributed-config.nix
+    ./firefly-pico.nix
     ./globals.nix
     ./meta.nix
     ./nginx-upstream-monitoring.nix
diff --git a/modules/firefly-pico.nix b/modules/firefly-pico.nix
new file mode 100644
index 0000000..aededec
--- /dev/null
+++ b/modules/firefly-pico.nix
@@ -0,0 +1,410 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.services.firefly-pico;
+
+  inherit (cfg) user;
+  inherit (cfg) group;
+
+  defaultUser = "firefly-pico";
+  defaultGroup = "firefly-pico";
+
+  artisan = "${cfg.package}/share/php/firefly-pico/artisan";
+
+  env-file-values = lib.attrsets.mapAttrs' (
+    n: v: lib.attrsets.nameValuePair (lib.strings.removeSuffix "_FILE" n) v
+  ) (lib.attrsets.filterAttrs (n: _v: lib.strings.hasSuffix "_FILE" n) cfg.settings);
+  env-nonfile-values = lib.attrsets.filterAttrs (
+    n: _v: !lib.strings.hasSuffix "_FILE" n
+  ) cfg.settings;
+
+  firefly-pico-maintenance = pkgs.writeShellScript "firefly-pico-maintenance.sh" ''
+    set -a
+    ${lib.strings.toShellVars env-nonfile-values}
+    ${lib.strings.concatLines (
+      lib.attrsets.mapAttrsToList (n: v: "${n}=\"$(< ${v})\"") env-file-values
+    )}
+    set +a
+    ${lib.optionalString (
+      cfg.settings.DB_CONNECTION == "sqlite"
+    ) "touch ${cfg.dataDir}/storage/database/database.sqlite"}
+    ${artisan} migrate --isolated --force
+    ${artisan} config:clear
+    ${artisan} config:cache
+    ${artisan} cache:clear
+  '';
+
+  commonServiceConfig = {
+    Type = "oneshot";
+    User = user;
+    Group = group;
+    StateDirectory = "firefly-pico";
+    ReadWritePaths = [ cfg.dataDir ];
+    WorkingDirectory = cfg.package;
+    PrivateTmp = true;
+    PrivateDevices = true;
+    CapabilityBoundingSet = "";
+    AmbientCapabilities = "";
+    ProtectSystem = "strict";
+    ProtectKernelTunables = true;
+    ProtectKernelModules = true;
+    ProtectControlGroups = true;
+    ProtectClock = true;
+    ProtectHostname = true;
+    ProtectHome = "tmpfs";
+    ProtectKernelLogs = true;
+    ProtectProc = "invisible";
+    ProcSubset = "pid";
+    PrivateNetwork = false;
+    RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
+    SystemCallArchitectures = "native";
+    SystemCallFilter = [
+      "@system-service @resources"
+      "~@obsolete @privileged"
+    ];
+    RestrictSUIDSGID = true;
+    RemoveIPC = true;
+    NoNewPrivileges = true;
+    RestrictRealtime = true;
+    RestrictNamespaces = true;
+    LockPersonality = true;
+    PrivateUsers = true;
+  };
+
+in
+{
+
+  options.services.firefly-pico = {
+
+    enable = lib.mkEnableOption "Firefly-Pico: A delightful Firefly III companion web app for effortless transaction tracking";
+
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = defaultUser;
+      description = "User account under which firefly-pico runs.";
+    };
+
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = if cfg.enableNginx then "nginx" else defaultGroup;
+      defaultText = "If `services.firefly-pico.enableNginx` is true then `nginx` else ${defaultGroup}";
+      description = ''
+        Group under which firefly-pico runs. It is best to set this to the group
+        of whatever webserver is being used as the frontend.
+      '';
+    };
+
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/firefly-pico";
+      description = ''
+        The place where firefly-pico stores its state.
+      '';
+    };
+
+    package =
+      lib.mkPackageOption pkgs "firefly-pico" { }
+      // lib.mkOption {
+        apply =
+          firefly-pico:
+          firefly-pico.override {
+            inherit (cfg) dataDir;
+          };
+      };
+
+    enableNginx = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to enable nginx or not. If enabled, an nginx virtual host will
+        be created for access to firefly-pico. If not enabled, then you may use
+        `''${config.services.firefly-pico.package}` as your document root in
+        whichever webserver you wish to setup.
+      '';
+    };
+
+    virtualHost = lib.mkOption {
+      type = lib.types.str;
+      default = "localhost";
+      description = ''
+        The hostname at which you wish firefly-pico to be served. If you have
+        enabled nginx using `services.firefly-pico.enableNginx` then this will
+        be used.
+      '';
+    };
+
+    poolConfig = lib.mkOption {
+      type = lib.types.attrsOf (
+        lib.types.oneOf [
+          lib.types.str
+          lib.types.int
+          lib.types.bool
+        ]
+      );
+      default = { };
+      defaultText = ''
+        {
+          "pm" = "dynamic";
+          "pm.max_children" = 32;
+          "pm.start_servers" = 2;
+          "pm.min_spare_servers" = 2;
+          "pm.max_spare_servers" = 4;
+          "pm.max_requests" = 500;
+        }
+      '';
+      description = ''
+        Options for the Firefly III PHP pool. See the documentation on <literal>php-fpm.conf</literal>
+        for details on configuration directives.
+      '';
+    };
+
+    settings = lib.mkOption {
+      default = { };
+      description = ''
+        Options for firefly-iii configuration. Refer to
+        <https://github.com/firefly-iii/firefly-iii/blob/main/.env.example> for
+        details on supported values. All <option>_FILE values supported by
+        upstream are supported here.
+
+        APP_URL will be the same as `services.firefly-iii.virtualHost` if the
+        former is unset in `services.firefly-iii.settings`.
+      '';
+      example = lib.literalExpression ''
+        {
+          APP_ENV = "production";
+          APP_KEY_FILE = "/var/secrets/firefly-pico-app-key.txt";
+          SITE_OWNER = "mail@example.com";
+          DB_CONNECTION = "mysql";
+          DB_HOST = "db";
+          DB_PORT = 3306;
+          DB_DATABASE = "firefly";
+          DB_USERNAME = "firefly";
+          DB_PASSWORD_FILE = "/var/secrets/firefly-pico-mysql-password.txt";
+        }
+      '';
+      type = lib.types.submodule {
+        freeformType = lib.types.attrsOf (
+          lib.types.oneOf [
+            lib.types.str
+            lib.types.int
+            lib.types.bool
+          ]
+        );
+        options = {
+          DB_CONNECTION = lib.mkOption {
+            type = lib.types.enum [
+              "sqlite"
+              "pgsql"
+              "mysql"
+            ];
+            default = "sqlite";
+            example = "pgsql";
+            description = ''
+              The type of database you wish to use. Can be one of "sqlite",
+              "mysql" or "pgsql".
+            '';
+          };
+          APP_ENV = lib.mkOption {
+            type = lib.types.enum [
+              "local"
+              "production"
+              "testing"
+            ];
+            default = "local";
+            example = "production";
+            description = ''
+              The app environment. It is recommended to keep this at "local".
+              Possible values are "local", "production" and "testing"
+            '';
+          };
+          DB_DATABASE = lib.mkOption {
+            type = lib.types.nullOr lib.types.str;
+            default =
+              if cfg.settings.DB_CONNECTION == "pgsql" then
+                "firefly-pico"
+              else if cfg.settings.DB_CONNECTION == "mysql" then
+                "firefly-pico"
+              else
+                cfg.dataDir + "storage/database/database.sqlite";
+            defaultText = ''
+              `cfg.dataDir + "storage/database/database.sqlite` if DB_CONNECTION is "sqlite", `firefly-pico` if "mysql" or "pgsql"
+            '';
+            description = ''
+              The absolute path or name of your firefly-pico database.
+            '';
+          };
+          DB_PORT = lib.mkOption {
+            type = lib.types.nullOr lib.types.int;
+            default =
+              if cfg.settings.DB_CONNECTION == "pgsql" then
+                5432
+              else if cfg.settings.DB_CONNECTION == "mysql" then
+                3306
+              else
+                null;
+            defaultText = ''
+              `null` if DB_CONNECTION is "sqlite", `3306` if "mysql", `5432` if "pgsql"
+            '';
+            description = ''
+              The port your database is listening at. sqlite does not require
+              this value to be filled.
+            '';
+          };
+          DB_HOST = lib.mkOption {
+            type = lib.types.str;
+            default = if cfg.settings.DB_CONNECTION == "pgsql" then "/run/postgresql" else "localhost";
+            defaultText = ''
+              "localhost" if DB_CONNECTION is "sqlite" or "mysql", "/run/postgresql" if "pgsql".
+            '';
+            description = ''
+              The machine which hosts your database. This is left at the
+              default value for "mysql" because we use the "DB_SOCKET" option
+              to connect to a unix socket instead. "pgsql" requires that the
+              unix socket location be specified here instead of at "DB_SOCKET".
+              This option does not affect "sqlite".
+            '';
+          };
+          APP_KEY_FILE = lib.mkOption {
+            type = lib.types.path;
+            description = ''
+              The path to your appkey. The file should contain a 32 character
+              random app key. This may be set using `echo "base64:$(head -c 32
+              /dev/urandom | base64)" > /path/to/key-file`.
+            '';
+          };
+          APP_URL = lib.mkOption {
+            type = lib.types.str;
+            default =
+              if cfg.virtualHost == "localhost" then
+                "http://${cfg.virtualHost}"
+              else
+                "https://${cfg.virtualHost}";
+            defaultText = ''
+              http(s)://''${config.services.firefly-pico.virtualHost}
+            '';
+            description = ''
+              The APP_URL used by firefly-pico internally. Please make sure this
+              URL matches the external URL of your Firefly pico installation.
+            '';
+          };
+          FIREFLY_URL = lib.mkOption {
+            type = lib.types.str;
+            example = ''
+              https://firefly.example
+            '';
+            description = '''';
+          };
+        };
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    services.phpfpm.pools.firefly-pico = {
+      inherit user group;
+      inherit (cfg.package) phpPackage;
+      phpOptions = ''
+        log_errors = on
+      '';
+      settings = {
+        "listen.mode" = lib.mkDefault "0660";
+        "listen.owner" = lib.mkDefault user;
+        "listen.group" = lib.mkDefault group;
+        "pm" = lib.mkDefault "dynamic";
+        "pm.max_children" = lib.mkDefault 32;
+        "pm.start_servers" = lib.mkDefault 2;
+        "pm.min_spare_servers" = lib.mkDefault 2;
+        "pm.max_spare_servers" = lib.mkDefault 4;
+        "pm.max_requests" = lib.mkDefault 500;
+      } // cfg.poolConfig;
+    };
+
+    systemd.services.firefly-pico-setup = {
+      after = [
+        "postgresql.service"
+        "mysql.service"
+      ];
+      requiredBy = [ "phpfpm-firefly-pico.service" ];
+      before = [ "phpfpm-firefly-pico.service" ];
+      serviceConfig = {
+        ExecStart = firefly-pico-maintenance;
+        RemainAfterExit = true;
+      } // commonServiceConfig;
+      unitConfig.JoinsNamespaceOf = "phpfpm-firefly-pico.service";
+      restartTriggers = [ cfg.package ];
+      partOf = [ "phpfpm-firefly-pico.service" ];
+    };
+
+    services.nginx = lib.mkIf cfg.enableNginx {
+      enable = true;
+      recommendedTlsSettings = lib.mkDefault true;
+      recommendedOptimisation = lib.mkDefault true;
+      recommendedGzipSettings = lib.mkDefault true;
+      virtualHosts.${cfg.virtualHost} = {
+        root = "${cfg.package.frontend}/share/firefly-pico/public";
+        locations = {
+          "/api" = {
+            root = "${cfg.package}/share/php/firefly-pico/public";
+            tryFiles = "$uri $uri/ /index.php?$query_string";
+            index = "index.php";
+          };
+          "~ \\.php$" = {
+            root = "${cfg.package}/share/php/firefly-pico/public";
+            extraConfig = ''
+              include ${config.services.nginx.package}/conf/fastcgi_params ;
+              fastcgi_param SCRIPT_FILENAME $request_filename;
+              fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
+              fastcgi_pass unix:${config.services.phpfpm.pools.firefly-pico.socket};
+            '';
+          };
+        };
+      };
+    };
+
+    systemd.tmpfiles.settings."10-firefly-pico" =
+      lib.attrsets.genAttrs
+        [
+          "${cfg.dataDir}/storage"
+          "${cfg.dataDir}/storage/app"
+          "${cfg.dataDir}/storage/database"
+          "${cfg.dataDir}/storage/framework"
+          "${cfg.dataDir}/storage/framework/cache"
+          "${cfg.dataDir}/storage/framework/sessions"
+          "${cfg.dataDir}/storage/framework/views"
+          "${cfg.dataDir}/storage/logs"
+          "${cfg.dataDir}/cache"
+        ]
+        (_n: {
+          d = {
+            inherit group;
+            mode = "0700";
+            inherit user;
+          };
+        })
+      // {
+        "${cfg.dataDir}".d = {
+          inherit group;
+          mode = "0710";
+          inherit user;
+        };
+      };
+
+    users = {
+      users = lib.mkIf (user == defaultUser) {
+        ${defaultUser} = {
+          description = "Firefly-pico service user";
+          inherit group;
+          isSystemUser = true;
+          home = cfg.dataDir;
+        };
+      };
+      groups = lib.mkIf (group == defaultGroup) { ${defaultGroup} = { }; };
+    };
+  };
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 42128dc..4e89275 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -19,6 +19,7 @@ _inputs: [
     # ];
 
     mdns-repeater = prev.callPackage ./mdns-repeater.nix { };
+    firefly-pico = prev.callPackage ./firefly-pico.nix { };
 
     formats = prev.formats // {
       ron = import ./ron.nix { inherit (prev) lib pkgs; };
diff --git a/pkgs/firefly-pico-frontend.nix b/pkgs/firefly-pico-frontend.nix
new file mode 100644
index 0000000..86ddcc0
--- /dev/null
+++ b/pkgs/firefly-pico-frontend.nix
@@ -0,0 +1,50 @@
+{
+  src,
+  version,
+  stdenvNoCC,
+  nodejs,
+  fetchNpmDeps,
+  buildPackages,
+  php84,
+  nixosTests,
+  nix-update-script,
+  meta,
+}:
+
+stdenvNoCC.mkDerivation (finalAttrs: {
+  pname = "firefly-pico-frontend";
+  inherit version src;
+
+  sourceRoot = "source/front";
+
+  nativeBuildInputs = [
+    nodejs
+    nodejs.python
+    buildPackages.npmHooks.npmConfigHook
+  ];
+
+  npmDeps = fetchNpmDeps {
+    inherit (finalAttrs) src;
+    sourceRoot = "source/front";
+    name = "${finalAttrs.pname}-npm-deps";
+    hash = "sha256-+YpWPp0ufPuuSkTn0WDD2E80S9bs5ZTQ8TzFFtgfTqU=";
+  };
+
+  passthru = {
+    phpPackage = php84;
+    tests = nixosTests.firefly-pico;
+    updateScript = nix-update-script { };
+  };
+  env.NUXT_TELEMETRY_DISABLED = 1;
+  buildPhase = ''
+    runHook preBuild
+    npm run generate
+    runHook postBuild
+  '';
+  postInstall = ''
+    mkdir -p $out/share/firefly-pico
+    cp -r .output/public $out/share/firefly-pico/
+  '';
+
+  inherit meta;
+})
diff --git a/pkgs/firefly-pico.nix b/pkgs/firefly-pico.nix
new file mode 100644
index 0000000..2c11cf7
--- /dev/null
+++ b/pkgs/firefly-pico.nix
@@ -0,0 +1,73 @@
+{
+  lib,
+  fetchFromGitHub,
+  stdenvNoCC,
+  nodejs,
+  callPackage,
+  php84,
+  nixosTests,
+  nix-update-script,
+  dataDir ? "/var/lib/firefly-pico",
+}:
+
+stdenvNoCC.mkDerivation (finalAttrs: {
+  pname = "firefly-pico";
+  version = "1.7.0";
+
+  src = fetchFromGitHub {
+    owner = "cioraneanu";
+    repo = "firefly-pico";
+    tag = "${finalAttrs.version}";
+    hash = "sha256-Ef64WZYAtViW5lCSCtTzjs6KJL7BxW9innqLSy0N2xQ=";
+  };
+  sourceRoot = "source/back";
+
+  buildInputs = [ php84 ];
+
+  nativeBuildInputs = [
+    nodejs
+    nodejs.python
+    php84.composerHooks2.composerInstallHook
+  ];
+
+  composerVendor = php84.mkComposerVendor {
+    inherit (finalAttrs) pname src version;
+    sourceRoot = "source/back";
+    composerNoDev = true;
+    composerNoPlugins = true;
+    composerNoScripts = true;
+    composerStrictValidation = true;
+    strictDeps = true;
+    vendorHash = "sha256-hwbmsvD91lX/vYa1Xk1WEo8pB6b+DTRDVd2DJ7TjocI=";
+  };
+
+  passthru = {
+    phpPackage = php84;
+    tests = nixosTests.firefly-pico;
+    updateScript = nix-update-script { };
+    frontend = callPackage ./firefly-pico-frontend.nix {
+      inherit (finalAttrs)
+        src
+        version
+        meta
+        ;
+    };
+  };
+  postInstall = ''
+    chmod +x $out/share/php/firefly-pico/artisan
+    rm -R $out/share/php/firefly-pico/{storage,bootstrap/cache}
+    ln -s ${dataDir}/storage $out/share/php/firefly-pico/storage
+    ln -s ${dataDir}/cache $out/share/php/firefly-pico/bootstrap/cache
+  '';
+
+  meta = {
+    changelog = "https://github.com/cioraneanu/firefly-pico/releases/tag/${finalAttrs.version}";
+    description = "Firefly III: a personal finances manager";
+    homepage = "https://github.com/cioraneanu/firefly-pico";
+    license = lib.licenses.agpl3Only;
+    maintainers = [
+      lib.maintainers.patrickdag
+    ];
+    hydraPlatforms = lib.platforms.linux; # build hangs on both Darwin platforms, needs investigation
+  };
+})
diff --git a/secrets/generated/ward-firefly/firefly-app-key.age b/secrets/generated/ward-firefly/firefly-iii-app-key.age
similarity index 100%
rename from secrets/generated/ward-firefly/firefly-app-key.age
rename to secrets/generated/ward-firefly/firefly-iii-app-key.age
diff --git a/secrets/generated/ward-firefly/firefly-pico-app-key.age b/secrets/generated/ward-firefly/firefly-pico-app-key.age
new file mode 100644
index 0000000000000000000000000000000000000000..7713582a059171fa45008720aec1d0c9165598c6
GIT binary patch
literal 417
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR2FFfuhYv{VT6^AE@=F3w6Xak2<@^>i}#
z(=RGZ%XD}0Psu8*bTM?y@$n1IDNJ*9i{uLSv#_-Ea4t0VEh+Kya5T&|vIzFc_AW|x
zOD+w_)K4_23NZIG&GnB+^aa^akXfc%U}S2hP*E71Y7wa5XlxQ;QV?9>=~wKSVrG<Q
z9<HC9S(qE)o2wn3>FiSI9PW~wWn5kw8IkP9rEQ$&9~4#^;_IK2W?-3|WNZ*zSrp+?
zVN{fnpW&WV7GxBZn-P?e6&{)mvMV#wG{V4FH@zq|u{c#hw?rYJ(xo<5p;j|9+bGPC
z%OJ<qIkGITBC<f=vZ}Pm)6Xq3KQ)j`S65e|*ey6CC#^8cJEuG&sWc?b#3&%8IJ-F8
zKhZs?*rdeJ&BLrH*tD?7v&e+&cVTJmxn+XiChpO3O!eYcc*4dnc2nDGR#xR(56?;a
zr-&VYxiREPy|qoqHNDz40fYELxjT(c(jtd^t5&COYP?|BHQ~s5R)${V3D;{@_5EA3
I%d@@`010W5i2wiq

literal 0
HcmV?d00001

diff --git a/secrets/rekeyed/ward-firefly/0c03e82003735b0e868a44f8f70bd383-firefly-pico-app-key.age b/secrets/rekeyed/ward-firefly/0c03e82003735b0e868a44f8f70bd383-firefly-pico-app-key.age
new file mode 100644
index 0000000..66960a3
--- /dev/null
+++ b/secrets/rekeyed/ward-firefly/0c03e82003735b0e868a44f8f70bd383-firefly-pico-app-key.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 YHfciQ OTxzJ803Chy1q2nC4XEJmOHZBxSsYel7zVI4nGXgfUY
+hJcjU/zS7vR8p1FvS7PPSIcPIDTyglxu/F2/za4s3L8
+-> -4-grease A{W40{E T6yR<jP- h:Fc
+H2VZUOUBsHsujyI
+--- o9+YE4wWtvRYfwOEiQjZgU3a/RBrMRBg2MZGc5JO+4I
+{lKGE�ⒽӅ
,7��,�rCt���Ʒ:ߨ�C��)h��\��*���{j, �|=����9ϲ+k !fT�/~9
\ No newline at end of file
diff --git a/secrets/rekeyed/ward-firefly/3e9f3cf2a49cc7bd4199c9db79d103de-firefly-app-key.age b/secrets/rekeyed/ward-firefly/3e9f3cf2a49cc7bd4199c9db79d103de-firefly-app-key.age
deleted file mode 100644
index 7d800c2..0000000
--- a/secrets/rekeyed/ward-firefly/3e9f3cf2a49cc7bd4199c9db79d103de-firefly-app-key.age
+++ /dev/null
@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 YHfciQ tSPGTfN5guIVsigbe6reAAmmxMjShWyVmYM6IhjIcnM
-WptTdTvgew6XKekrXwCNwKHoR7L/Viwi7Os6yqXtLLg
--> v-grease O\Q#e_5v @x>mv0D
-cxlA8RpxtXGuq0F9zq+xNtYTgLOH8rjX
---- InsyRLxK5htVkz/aKjlWGiF5X0lM6bXYzM3tZbOheo8
-��~��.Cw\C~�<6��6|�O��8}1(o���]x�I�����]����	�!w��r�P��g�6D	1��=ƶ[�X�
\ No newline at end of file
diff --git a/secrets/rekeyed/ward-firefly/3e9f3cf2a49cc7bd4199c9db79d103de-firefly-iii-app-key.age b/secrets/rekeyed/ward-firefly/3e9f3cf2a49cc7bd4199c9db79d103de-firefly-iii-app-key.age
new file mode 100644
index 0000000000000000000000000000000000000000..adf708c775ed0c3e0d0c5b477221e1caf777a2cb
GIT binary patch
literal 353
zcmV-n0iOP0XJsvAZewzJaCB*JZZ2<fXD@a!3N1b$b8~1dWn?lnH8D9LSx9DMX;C0z
zGec-Wc|=KcFLzONIWb0cQF3``P%CU#dT~N4QgT*IQ+jD?W=B<bdPxdOSZ;4gPBBhl
zD`GHWaArbASUF62b467+Q#n;qNO*EeO-@u(S7tGHWJwAwJ|HVgTp>0@F;*>Sa%Ew2
zWeR3*GBz}IIB#}YYcxrBb9i$%MrcHNH8FQdY-uY^Pf%<yOIATeSW0;_HfKgFXm&wk
zd2KRHNqAFQc|liGGHeQVK}}-{EiEk|Y)CaqMKW?TPGeRuM`18eOJp^6Q$<-?c`|iT
zaC3NWZ8%nEYi%n}Wo9r6fJP5KqNMk&#(3gcFYxlw9r#n?(`p8A06EWw;$-}~^GK-v
z8;|Zp3mIX%xjM5XE1j8fig;wfoaB8crdYR`qc(fx9qZ%MgYh?y;d<Vw&?+~C+|h&)

literal 0
HcmV?d00001