mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-10 23:00:39 +02:00
Code Activity

feat: add firefly pico

Browse source
This commit is contained in:
oddlama 2025-04-26 14:39:43 +02:00
parent d7fbce7a1e
commit d7b79ab6e9
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
13 changed files with 587 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

1
config/users.nix
View file

@ -44,5 +44,6 @@
plugdev.gid = 967;
tss = uidGid 966;
firefly-iii = uidGid 965;
firefly-pico = uidGid 964;
};
}

3
hosts/kroma/default.nix
View file

@ -91,6 +91,9 @@
programs.nix-ld.enable = true;
topology.self.icon = "devices.desktop";
# Mainly for client-side formatting in websites like firefly-iii
i18n.supportedLocales = [ "de_DE.UTF-8/UTF-8" ];
hardware.nvidia-container-toolkit.enable = true;
virtualisation.containers.enable = true;
virtualisation.podman = {

45
hosts/ward/guests/firefly.nix
View file

@ -20,8 +20,20 @@ in
expectedBodyRegex = "Firefly III";
network = "home-lan.vlans.services";
};
globals.monitoring.http.firefly-pico = {
url = "https://${fireflyDomain}/pico";
expectedBodyRegex = "Pico";
network = "home-lan.vlans.services";
};
age.secrets.firefly-app-key = {
age.secrets.firefly-iii-app-key = {
generator.script = _: ''
echo "base64:$(head -c 32 /dev/urandom | base64)"
'';
owner = "firefly-iii";
};
age.secrets.firefly-pico-app-key = {
generator.script = _: ''
echo "base64:$(head -c 32 /dev/urandom | base64)"
'';
@ -33,21 +45,39 @@ in
directory = "/var/lib/firefly-iii";
user = "firefly-iii";
}
{
directory = "/var/lib/firefly-pico";
user = "firefly-pico";
}
];
i18n.supportedLocales = [ "all" ];
services.firefly-iii = {
enable = true;
enableNginx = true;
virtualHost = globals.services.firefly.domain;
settings = {
AUDIT_LOG_LEVEL = "emergency"; # disable audit logs
LOG_CHANNEL = "stdout";
LOG_CHANNEL = "syslog";
APP_URL = "https://${globals.services.firefly.domain}";
TZ = "Europe/Berlin";
TRUSTED_PROXIES = wardWebProxyCfg.wireguard.proxy-home.ipv4;
SITE_OWNER = "admin@${globals.domains.me}";
APP_KEY_FILE = config.age.secrets.firefly-app-key.path;
APP_KEY_FILE = config.age.secrets.firefly-iii-app-key.path;
};
};
services.firefly-pico = {
enable = true;
enableNginx = true;
virtualHost = "pico.internal";
settings = {
LOG_CHANNEL = "syslog";
APP_URL = "https://${globals.services.firefly.domain}/pico";
TZ = "Europe/Berlin";
FIREFLY_URL = config.services.firefly-iii.settings.APP_URL;
TRUSTED_PROXIES = wardWebProxyCfg.wireguard.proxy-home.ipv4;
SITE_OWNER = "admin@${globals.domains.me}";
APP_KEY_FILE = config.age.secrets.firefly-pico-app-key.path;
};
};
@ -71,6 +101,13 @@ in
proxyPass = "http://firefly";
proxyWebsockets = true;
};
locations."/pico" = {
proxyPass = "http://firefly/"; # Trailing slash matters! (remove location suffix)
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host pico.internal;
'';
};
extraConfig = ''
allow ${globals.net.home-lan.vlans.home.cidrv4};
allow ${globals.net.home-lan.vlans.home.cidrv6};

1
modules/default.nix
View file

@ -4,6 +4,7 @@
./backups.nix
./deterministic-ids.nix
./distributed-config.nix
./firefly-pico.nix
./globals.nix
./meta.nix
./nginx-upstream-monitoring.nix

410
modules/firefly-pico.nix Normal file
View file

@ -0,0 +1,410 @@
{
pkgs,
config,
lib,
...
}:
let
cfg = config.services.firefly-pico;
inherit (cfg) user;
inherit (cfg) group;
defaultUser = "firefly-pico";
defaultGroup = "firefly-pico";
artisan = "${cfg.package}/share/php/firefly-pico/artisan";
env-file-values = lib.attrsets.mapAttrs' (
n: v: lib.attrsets.nameValuePair (lib.strings.removeSuffix "_FILE" n) v
) (lib.attrsets.filterAttrs (n: _v: lib.strings.hasSuffix "_FILE" n) cfg.settings);
env-nonfile-values = lib.attrsets.filterAttrs (
n: _v: !lib.strings.hasSuffix "_FILE" n
) cfg.settings;
firefly-pico-maintenance = pkgs.writeShellScript "firefly-pico-maintenance.sh" ''
set -a
${lib.strings.toShellVars env-nonfile-values}
${lib.strings.concatLines (
lib.attrsets.mapAttrsToList (n: v: "${n}=\"$(< ${v})\"") env-file-values
)}
set +a
${lib.optionalString (
cfg.settings.DB_CONNECTION == "sqlite"
) "touch ${cfg.dataDir}/storage/database/database.sqlite"}
${artisan} migrate --isolated --force
${artisan} config:clear
${artisan} config:cache
${artisan} cache:clear
'';
commonServiceConfig = {
Type = "oneshot";
User = user;
Group = group;
StateDirectory = "firefly-pico";
ReadWritePaths = [ cfg.dataDir ];
WorkingDirectory = cfg.package;
PrivateTmp = true;
PrivateDevices = true;
CapabilityBoundingSet = "";
AmbientCapabilities = "";
ProtectSystem = "strict";
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectHostname = true;
ProtectHome = "tmpfs";
ProtectKernelLogs = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateNetwork = false;
RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service @resources"
"~@obsolete @privileged"
];
RestrictSUIDSGID = true;
RemoveIPC = true;
NoNewPrivileges = true;
RestrictRealtime = true;
RestrictNamespaces = true;
LockPersonality = true;
PrivateUsers = true;
};
in
{
options.services.firefly-pico = {
enable = lib.mkEnableOption "Firefly-Pico: A delightful Firefly III companion web app for effortless transaction tracking";
user = lib.mkOption {
type = lib.types.str;
default = defaultUser;
description = "User account under which firefly-pico runs.";
};
group = lib.mkOption {
type = lib.types.str;
default = if cfg.enableNginx then "nginx" else defaultGroup;
defaultText = "If `services.firefly-pico.enableNginx` is true then `nginx` else ${defaultGroup}";
description = ''
Group under which firefly-pico runs. It is best to set this to the group
of whatever webserver is being used as the frontend.
'';
};
dataDir = lib.mkOption {
type = lib.types.path;
default = "/var/lib/firefly-pico";
description = ''
The place where firefly-pico stores its state.
'';
};
package =
lib.mkPackageOption pkgs "firefly-pico" { }
// lib.mkOption {
apply =
firefly-pico:
firefly-pico.override {
inherit (cfg) dataDir;
};
};
enableNginx = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to enable nginx or not. If enabled, an nginx virtual host will
be created for access to firefly-pico. If not enabled, then you may use
`''${config.services.firefly-pico.package}` as your document root in
whichever webserver you wish to setup.
'';
};
virtualHost = lib.mkOption {
type = lib.types.str;
default = "localhost";
description = ''
The hostname at which you wish firefly-pico to be served. If you have
enabled nginx using `services.firefly-pico.enableNginx` then this will
be used.
'';
};
poolConfig = lib.mkOption {
type = lib.types.attrsOf (
lib.types.oneOf [
lib.types.str
lib.types.int
lib.types.bool
]
);
default = { };
defaultText = ''
{
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
}
'';
description = ''
Options for the Firefly III PHP pool. See the documentation on <literal>php-fpm.conf</literal>
for details on configuration directives.
'';
};
settings = lib.mkOption {
default = { };
description = ''
Options for firefly-iii configuration. Refer to
<https://github.com/firefly-iii/firefly-iii/blob/main/.env.example> for
details on supported values. All <option>_FILE values supported by
upstream are supported here.
APP_URL will be the same as `services.firefly-iii.virtualHost` if the
former is unset in `services.firefly-iii.settings`.
'';
example = lib.literalExpression ''
{
APP_ENV = "production";
APP_KEY_FILE = "/var/secrets/firefly-pico-app-key.txt";
SITE_OWNER = "mail@example.com";
DB_CONNECTION = "mysql";
DB_HOST = "db";
DB_PORT = 3306;
DB_DATABASE = "firefly";
DB_USERNAME = "firefly";
DB_PASSWORD_FILE = "/var/secrets/firefly-pico-mysql-password.txt";
}
'';
type = lib.types.submodule {
freeformType = lib.types.attrsOf (
lib.types.oneOf [
lib.types.str
lib.types.int
lib.types.bool
]
);
options = {
DB_CONNECTION = lib.mkOption {
type = lib.types.enum [
"sqlite"
"pgsql"
"mysql"
];
default = "sqlite";
example = "pgsql";
description = ''
The type of database you wish to use. Can be one of "sqlite",
"mysql" or "pgsql".
'';
};
APP_ENV = lib.mkOption {
type = lib.types.enum [
"local"
"production"
"testing"
];
default = "local";
example = "production";
description = ''
The app environment. It is recommended to keep this at "local".
Possible values are "local", "production" and "testing"
'';
};
DB_DATABASE = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default =
if cfg.settings.DB_CONNECTION == "pgsql" then
"firefly-pico"
else if cfg.settings.DB_CONNECTION == "mysql" then
"firefly-pico"
else
cfg.dataDir + "storage/database/database.sqlite";
defaultText = ''
`cfg.dataDir + "storage/database/database.sqlite` if DB_CONNECTION is "sqlite", `firefly-pico` if "mysql" or "pgsql"
'';
description = ''
The absolute path or name of your firefly-pico database.
'';
};
DB_PORT = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default =
if cfg.settings.DB_CONNECTION == "pgsql" then
5432
else if cfg.settings.DB_CONNECTION == "mysql" then
3306
else
null;
defaultText = ''
`null` if DB_CONNECTION is "sqlite", `3306` if "mysql", `5432` if "pgsql"
'';
description = ''
The port your database is listening at. sqlite does not require
this value to be filled.
'';
};
DB_HOST = lib.mkOption {
type = lib.types.str;
default = if cfg.settings.DB_CONNECTION == "pgsql" then "/run/postgresql" else "localhost";
defaultText = ''
"localhost" if DB_CONNECTION is "sqlite" or "mysql", "/run/postgresql" if "pgsql".
'';
description = ''
The machine which hosts your database. This is left at the
default value for "mysql" because we use the "DB_SOCKET" option
to connect to a unix socket instead. "pgsql" requires that the
unix socket location be specified here instead of at "DB_SOCKET".
This option does not affect "sqlite".
'';
};
APP_KEY_FILE = lib.mkOption {
type = lib.types.path;
description = ''
The path to your appkey. The file should contain a 32 character
random app key. This may be set using `echo "base64:$(head -c 32
/dev/urandom | base64)" > /path/to/key-file`.
'';
};
APP_URL = lib.mkOption {
type = lib.types.str;
default =
if cfg.virtualHost == "localhost" then
"http://${cfg.virtualHost}"
else
"https://${cfg.virtualHost}";
defaultText = ''
http(s)://''${config.services.firefly-pico.virtualHost}
'';
description = ''
The APP_URL used by firefly-pico internally. Please make sure this
URL matches the external URL of your Firefly pico installation.
'';
};
FIREFLY_URL = lib.mkOption {
type = lib.types.str;
example = ''
https://firefly.example
'';
description = '''';
};
};
};
};
};
config = lib.mkIf cfg.enable {
services.phpfpm.pools.firefly-pico = {
inherit user group;
inherit (cfg.package) phpPackage;
phpOptions = ''
log_errors = on
'';
settings = {
"listen.mode" = lib.mkDefault "0660";
"listen.owner" = lib.mkDefault user;
"listen.group" = lib.mkDefault group;
"pm" = lib.mkDefault "dynamic";
"pm.max_children" = lib.mkDefault 32;
"pm.start_servers" = lib.mkDefault 2;
"pm.min_spare_servers" = lib.mkDefault 2;
"pm.max_spare_servers" = lib.mkDefault 4;
"pm.max_requests" = lib.mkDefault 500;
} // cfg.poolConfig;
};
systemd.services.firefly-pico-setup = {
after = [
"postgresql.service"
"mysql.service"
];
requiredBy = [ "phpfpm-firefly-pico.service" ];
before = [ "phpfpm-firefly-pico.service" ];
serviceConfig = {
ExecStart = firefly-pico-maintenance;
RemainAfterExit = true;
} // commonServiceConfig;
unitConfig.JoinsNamespaceOf = "phpfpm-firefly-pico.service";
restartTriggers = [ cfg.package ];
partOf = [ "phpfpm-firefly-pico.service" ];
};
services.nginx = lib.mkIf cfg.enableNginx {
enable = true;
recommendedTlsSettings = lib.mkDefault true;
recommendedOptimisation = lib.mkDefault true;
recommendedGzipSettings = lib.mkDefault true;
virtualHosts.${cfg.virtualHost} = {
root = "${cfg.package.frontend}/share/firefly-pico/public";
locations = {
"/api" = {
root = "${cfg.package}/share/php/firefly-pico/public";
tryFiles = "$uri $uri/ /index.php?$query_string";
index = "index.php";
};
"~ \\.php$" = {
root = "${cfg.package}/share/php/firefly-pico/public";
extraConfig = ''
include ${config.services.nginx.package}/conf/fastcgi_params ;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass unix:${config.services.phpfpm.pools.firefly-pico.socket};
'';
};
};
};
};
systemd.tmpfiles.settings."10-firefly-pico" =
lib.attrsets.genAttrs
[
"${cfg.dataDir}/storage"
"${cfg.dataDir}/storage/app"
"${cfg.dataDir}/storage/database"
"${cfg.dataDir}/storage/framework"
"${cfg.dataDir}/storage/framework/cache"
"${cfg.dataDir}/storage/framework/sessions"
"${cfg.dataDir}/storage/framework/views"
"${cfg.dataDir}/storage/logs"
"${cfg.dataDir}/cache"
]
(_n: {
d = {
inherit group;
mode = "0700";
inherit user;
};
})
// {
"${cfg.dataDir}".d = {
inherit group;
mode = "0710";
inherit user;
};
};
users = {
users = lib.mkIf (user == defaultUser) {
${defaultUser} = {
description = "Firefly-pico service user";
inherit group;
isSystemUser = true;
home = cfg.dataDir;
};
};
groups = lib.mkIf (group == defaultGroup) { ${defaultGroup} = { }; };
};
};
}

1
pkgs/default.nix
View file

@ -19,6 +19,7 @@ _inputs: [
# ];
mdns-repeater = prev.callPackage ./mdns-repeater.nix { };
firefly-pico = prev.callPackage ./firefly-pico.nix { };
formats = prev.formats // {
ron = import ./ron.nix { inherit (prev) lib pkgs; };

50
pkgs/firefly-pico-frontend.nix Normal file
View file

@ -0,0 +1,50 @@
{
src,
version,
stdenvNoCC,
nodejs,
fetchNpmDeps,
buildPackages,
php84,
nixosTests,
nix-update-script,
meta,
}:
stdenvNoCC.mkDerivation (finalAttrs: {
pname = "firefly-pico-frontend";
inherit version src;
sourceRoot = "source/front";
nativeBuildInputs = [
nodejs
nodejs.python
buildPackages.npmHooks.npmConfigHook
];
npmDeps = fetchNpmDeps {
inherit (finalAttrs) src;
sourceRoot = "source/front";
name = "${finalAttrs.pname}-npm-deps";
hash = "sha256-+YpWPp0ufPuuSkTn0WDD2E80S9bs5ZTQ8TzFFtgfTqU=";
};
passthru = {
phpPackage = php84;
tests = nixosTests.firefly-pico;
updateScript = nix-update-script { };
};
env.NUXT_TELEMETRY_DISABLED = 1;
buildPhase = ''
runHook preBuild
npm run generate
runHook postBuild
'';
postInstall = ''
mkdir -p $out/share/firefly-pico
cp -r .output/public $out/share/firefly-pico/
'';
inherit meta;
})

73
pkgs/firefly-pico.nix Normal file
View file

@ -0,0 +1,73 @@
{
lib,
fetchFromGitHub,
stdenvNoCC,
nodejs,
callPackage,
php84,
nixosTests,
nix-update-script,
dataDir ? "/var/lib/firefly-pico",
}:
stdenvNoCC.mkDerivation (finalAttrs: {
pname = "firefly-pico";
version = "1.7.0";
src = fetchFromGitHub {
owner = "cioraneanu";
repo = "firefly-pico";
tag = "${finalAttrs.version}";
hash = "sha256-Ef64WZYAtViW5lCSCtTzjs6KJL7BxW9innqLSy0N2xQ=";
};
sourceRoot = "source/back";
buildInputs = [ php84 ];
nativeBuildInputs = [
nodejs
nodejs.python
php84.composerHooks2.composerInstallHook
];
composerVendor = php84.mkComposerVendor {
inherit (finalAttrs) pname src version;
sourceRoot = "source/back";
composerNoDev = true;
composerNoPlugins = true;
composerNoScripts = true;
composerStrictValidation = true;
strictDeps = true;
vendorHash = "sha256-hwbmsvD91lX/vYa1Xk1WEo8pB6b+DTRDVd2DJ7TjocI=";
};
passthru = {
phpPackage = php84;
tests = nixosTests.firefly-pico;
updateScript = nix-update-script { };
frontend = callPackage ./firefly-pico-frontend.nix {
inherit (finalAttrs)
src
version
meta
;
};
};
postInstall = ''
chmod +x $out/share/php/firefly-pico/artisan
rm -R $out/share/php/firefly-pico/{storage,bootstrap/cache}
ln -s ${dataDir}/storage $out/share/php/firefly-pico/storage
ln -s ${dataDir}/cache $out/share/php/firefly-pico/bootstrap/cache
'';
meta = {
changelog = "https://github.com/cioraneanu/firefly-pico/releases/tag/${finalAttrs.version}";
description = "Firefly III: a personal finances manager";
homepage = "https://github.com/cioraneanu/firefly-pico";
license = lib.licenses.agpl3Only;
maintainers = [
lib.maintainers.patrickdag
];
hydraPlatforms = lib.platforms.linux; # build hangs on both Darwin platforms, needs investigation
};
})

0
secrets/generated/ward-firefly/firefly-app-key.age → secrets/generated/ward-firefly/firefly-iii-app-key.age
View file

BIN
secrets/generated/ward-firefly/firefly-pico-app-key.age Normal file
View file

Binary file not shown.

7
secrets/rekeyed/ward-firefly/0c03e82003735b0e868a44f8f70bd383-firefly-pico-app-key.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 YHfciQ OTxzJ803Chy1q2nC4XEJmOHZBxSsYel7zVI4nGXgfUY
hJcjU/zS7vR8p1FvS7PPSIcPIDTyglxu/F2/za4s3L8
-> -4-grease A{W40{E T6yR<jP- h:Fc
H2VZUOUBsHsujyI
--- o9+YE4wWtvRYfwOEiQjZgU3a/RBrMRBg2MZGc5JO+4I
{lKGEøâ’½Ó…,7…†,¬rCt£ÀÆÆ·:ߨ‹C´æ)h¨æ\Ü®*˜÷Û{j, â|=³ÍùŸ9ϲ+k !fTè¹/~9

7
secrets/rekeyed/ward-firefly/3e9f3cf2a49cc7bd4199c9db79d103de-firefly-app-key.age
View file

@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 YHfciQ tSPGTfN5guIVsigbe6reAAmmxMjShWyVmYM6IhjIcnM
WptTdTvgew6XKekrXwCNwKHoR7L/Viwi7Os6yqXtLLg
-> v-grease O\Q#e_5v @x>mv0D
cxlA8RpxtXGuq0F9zq+xNtYTgLOH8rjX
--- InsyRLxK5htVkz/aKjlWGiF5X0lM6bXYzM3tZbOheo8
�õ~��.Cw\C~Ö< 6ä6|ÜOÃð8}1(oû¥Ã]x÷I�Œë’×Ì]œ‰àŒ œ!wÚšrˆPÿŸg¨6D 1Äì=ƶ[ºXü

BIN
secrets/rekeyed/ward-firefly/3e9f3cf2a49cc7bd4199c9db79d103de-firefly-iii-app-key.age Normal file
View file

Binary file not shown.