Update flake.lock

Makefile

@@ -0,0 +1,15 @@
+# Lockfile utils
+update-lockfile:
+	nix flake update --commit-lock-file
+update-lockfile-without-commit:
+	nix flake update
+
+# Agenix utils
+edit-secret:
+	cd secrets && agenix -e $(filter-out $@,$(MAKECMDGOALS))
+rekey-secrets:
+	cd secrets && agenix -r
+
+# NixOS utils
+clean-old-nixos-profiles:
+	doas nix-collect-garbage -d

common/boot/bios.nix

@@ -10,6 +10,10 @@ in
     device = mkOption {
       type = types.str;
     };
+    configurationLimit = mkOption {
+      default = 20;
+      type = types.int;
+    };
   };
 
   config = mkIf cfg.enable {
@@ -19,7 +23,7 @@ in
         enable = true;
         device = cfg.device;
         useOSProber = true;
-        configurationLimit = 20;
+        configurationLimit = cfg.configurationLimit;
         theme = pkgs.nixos-grub2-theme;
       };
     };

common/boot/efi.nix

@@ -7,6 +7,10 @@ in
 {
   options.efi = {
     enable = mkEnableOption "enable efi boot";
+    configurationLimit = mkOption {
+      default = 20;
+      type = types.int;
+    };
   };
 
   config = mkIf cfg.enable {
@@ -19,7 +23,7 @@ in
         efiSupport = true;
         useOSProber = true;
         #       memtest86.enable = true;
-        configurationLimit = 20;
+        configurationLimit = cfg.configurationLimit;
         theme = pkgs.nixos-grub2-theme;
       };
     };

common/default.nix

@@ -61,6 +61,8 @@
     lm_sensors
     picocom
     lf
+    gnumake
+    tree
   ];
 
   nixpkgs.config.allowUnfree = true;

common/server/actualbudget.nix

@@ -0,0 +1,87 @@
+# Starting point:
+# https://github.com/aldoborrero/mynixpkgs/commit/c501c1e32dba8f4462dcecb57eee4b9e52038e27
+
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.services.actual-server;
+  stateDir = "/var/lib/${cfg.stateDirName}";
+in
+{
+  options.services.actual-server = {
+    enable = lib.mkEnableOption "Actual Server";
+
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      default = "localhost";
+      description = "Hostname for the Actual Server.";
+    };
+
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 25448;
+      description = "Port on which the Actual Server should listen.";
+    };
+
+    stateDirName = lib.mkOption {
+      type = lib.types.str;
+      default = "actual-server";
+      description = "Name of the directory under /var/lib holding the server's data.";
+    };
+
+    upload = {
+      fileSizeSyncLimitMB = lib.mkOption {
+        type = lib.types.nullOr lib.types.int;
+        default = null;
+        description = "File size limit in MB for synchronized files.";
+      };
+
+      syncEncryptedFileSizeLimitMB = lib.mkOption {
+        type = lib.types.nullOr lib.types.int;
+        default = null;
+        description = "File size limit in MB for synchronized encrypted files.";
+      };
+
+      fileSizeLimitMB = lib.mkOption {
+        type = lib.types.nullOr lib.types.int;
+        default = null;
+        description = "File size limit in MB for file uploads.";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.actual-server = {
+      description = "Actual Server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.actual-server}/bin/actual-server";
+        Restart = "always";
+        StateDirectory = cfg.stateDirName;
+        WorkingDirectory = stateDir;
+        DynamicUser = true;
+        UMask = "0007";
+      };
+      environment = {
+        NODE_ENV = "production";
+        ACTUAL_PORT = toString cfg.port;
+
+        # Actual is actually very bad at configuring it's own paths despite that information being readily available
+        ACTUAL_USER_FILES = "${stateDir}/user-files";
+        ACTUAL_SERVER_FILES = "${stateDir}/server-files";
+        ACTUAL_DATA_DIR = stateDir;
+
+        ACTUAL_UPLOAD_FILE_SYNC_SIZE_LIMIT_MB = toString (cfg.upload.fileSizeSyncLimitMB or "");
+        ACTUAL_UPLOAD_SYNC_ENCRYPTED_FILE_SIZE_LIMIT_MB = toString (cfg.upload.syncEncryptedFileSizeLimitMB or "");
+        ACTUAL_UPLOAD_FILE_SIZE_LIMIT_MB = toString (cfg.upload.fileSizeLimitMB or "");
+      };
+    };
+
+    services.nginx.virtualHosts.${cfg.hostname} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://localhost:${toString cfg.port}";
+    };
+  };
+}

common/server/default.nix

@@ -20,5 +20,7 @@
     ./searx.nix
     ./gitea-actions-runner.nix
     ./dashy.nix
+    ./librechat.nix
+    ./actualbudget.nix
   ];
 }

common/server/librechat.nix

@@ -0,0 +1,62 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.librechat;
+in
+{
+  options.services.librechat = {
+    enable = mkEnableOption "librechat";
+    port = mkOption {
+      type = types.int;
+      default = 3080;
+    };
+    host = lib.mkOption {
+      type = lib.types.str;
+      example = "example.com";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    virtualisation.oci-containers.containers = {
+      librechat = {
+        image = "ghcr.io/danny-avila/librechat:v0.6.6";
+        environment = {
+          HOST = "0.0.0.0";
+          MONGO_URI = "mongodb://host.containers.internal:27017/LibreChat";
+          ENDPOINTS = "openAI,google,bingAI,gptPlugins";
+        };
+        environmentFiles = [
+          "/run/agenix/librechat-env-file"
+        ];
+        ports = [
+          "${toString cfg.port}:3080"
+        ];
+      };
+    };
+    age.secrets.librechat-env-file.file = ../../secrets/librechat-env-file.age;
+
+    services.mongodb.enable = true;
+    services.mongodb.bind_ip = "0.0.0.0";
+
+    # easier podman maintenance
+    virtualisation.oci-containers.backend = "podman";
+    virtualisation.podman.dockerSocket.enable = true;
+    virtualisation.podman.dockerCompat = true;
+
+    # For mongodb access
+    networking.firewall.trustedInterfaces = [
+      "podman0" # for librechat
+    ];
+
+    services.nginx.virtualHosts.${cfg.host} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString cfg.port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

common/server/mailserver.nix

@@ -55,6 +55,7 @@ in
         "joslyn@runyan.org"
         "damon@runyan.org"
         "jonas@runyan.org"
+        "simon@neet.dev"
       ];
       forwards = {
         "amazon@runyan.org" = [

flake.lock

@@ -10,11 +10,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1703433843,
-        "narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
+        "lastModified": 1707830867,
+        "narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "417caa847f9383e111d1397039c9d4337d024bf0",
+        "rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6",
         "type": "github"
       },
       "original": {
@@ -96,11 +96,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1704875591,
-        "narHash": "sha256-eWRLbqRcrILgztU/m/k7CYLzETKNbv0OsT2GjkaNm8A=",
+        "lastModified": 1708091384,
+        "narHash": "sha256-dTGGw2y8wvfjr+J9CjQbfdulOq72hUG17HXVNxpH1yE=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "1776009f1f3fb2b5d236b84d9815f2edee463a9b",
+        "rev": "0a0187794ac7f7a1e62cda3dabf8dc041f868790",
         "type": "github"
       },
       "original": {
@@ -142,11 +142,11 @@
         "systems": "systems_2"
       },
       "locked": {
-        "lastModified": 1705309234,
-        "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
         "type": "github"
       },
       "original": {
@@ -183,11 +183,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1707016097,
-        "narHash": "sha256-V4lHr6hFQ3rK650dh64Xffxsf4kse9vUYWsM+ldjkco=",
+        "lastModified": 1710120787,
+        "narHash": "sha256-tlLuB73OCOKtU2j83bQzSYFyzjJo3rjpITZE5MoofG8=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "3e3dad2808379c522138e2e8b0eb73500721a237",
+        "rev": "e76ff2df6bfd2abe06abd8e7b9f217df941c1b07",
         "type": "github"
       },
       "original": {
@@ -198,11 +198,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1706826059,
-        "narHash": "sha256-N69Oab+cbt3flLvYv8fYnEHlBsWwdKciNZHUbynVEOA=",
+        "lastModified": 1710420202,
+        "narHash": "sha256-MvFKESbq4rUWuaf2RKPNYENaSZEw/jaCLo2gU6oREcM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "25e3d4c0d3591c99929b1ec07883177f6ea70c9d",
+        "rev": "878ef7d9721bee9f81f8a80819f9211ad1f993da",
         "type": "github"
       },
       "original": {

lockfile-update.sh

@@ -1,4 +0,0 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p bash
-
-nix flake update --commit-lock-file

machines/ponyo/default.nix

@@ -151,4 +151,11 @@
   # owncast live streaming
   services.owncast.enable = true;
   services.owncast.hostname = "live.neet.dev";
+
+  # librechat
+  services.librechat.enable = true;
+  services.librechat.host = "chat.neet.dev";
+
+  services.actual-server.enable = true;
+  services.actual-server.hostname = "actual.runyan.org";
 }

machines/ponyo/hardware-configuration.nix

@@ -16,6 +16,7 @@
   bios = {
     enable = true;
     device = "/dev/sda";
+    configurationLimit = 3; # Save room in /nix/store
   };
 
   remoteLuksUnlock.enable = true;

machines/ponyo/properties.nix

@@ -15,6 +15,7 @@
     "nextcloud"
     "dailybot"
     "gitea"
+    "librechat"
   ];
 
   hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBBlTAIp38RhErU1wNNV5MBeb+WGH0mhF/dxh5RsAXN";

overlays/actualbudget/default.nix

@@ -0,0 +1,39 @@
+{ lib
+, buildNpmPackage
+, fetchFromGitHub
+, python3
+, nodejs
+, runtimeShell
+}:
+buildNpmPackage rec {
+  pname = "actual-server";
+  version = "24.3.0";
+
+  src = fetchFromGitHub {
+    owner = "actualbudget";
+    repo = pname;
+    rev = "refs/tags/v${version}";
+    hash = "sha256-y51Dhdn84AWR/gM4LnAzvBIBpvKwUiclnPnwzkRoJ0I=";
+  };
+
+  npmDepsHash = "sha256-/UM2Tz8t4hi621HtXSu0LTDIzZ9SWMqKXqKfPwkdpE8=";
+
+  patches = [
+    ./migrations-should-use-pkg-path.patch
+  ];
+
+  postPatch = ''
+    cp ${./package-lock.json} package-lock.json
+  '';
+
+  dontNpmBuild = true;
+
+  postInstall = ''
+    mkdir -p $out/bin
+    cat <<EOF > $out/bin/actual-server
+    #!${runtimeShell}
+    exec ${nodejs}/bin/node $out/lib/node_modules/actual-sync/app.js "\$@"
+    EOF
+    chmod +x $out/bin/actual-server
+  '';
+}

overlays/actualbudget/migrations-should-use-pkg-path.patch

@@ -0,0 +1,47 @@
+diff --git a/src/load-config.js b/src/load-config.js
+index d3cc5dd..cfcad8a 100644
+--- a/src/load-config.js
++++ b/src/load-config.js
+@@ -3,7 +3,8 @@ import path from 'node:path';
+ import { fileURLToPath } from 'node:url';
+ import createDebug from 'debug';
+ 
+-const debug = createDebug('actual:config');
++// const debug = createDebug('actual:config');
++const debug = console.log;
+ const debugSensitive = createDebug('actual-sensitive:config');
+ 
+ const projectRoot = path.dirname(path.dirname(fileURLToPath(import.meta.url)));
+@@ -90,6 +91,7 @@ const finalConfig = {
+   serverFiles: process.env.ACTUAL_SERVER_FILES || config.serverFiles,
+   userFiles: process.env.ACTUAL_USER_FILES || config.userFiles,
+   webRoot: process.env.ACTUAL_WEB_ROOT || config.webRoot,
++  dataDir: process.env.ACTUAL_DATA_DIR || config.dataDir,
+   https:
+     process.env.ACTUAL_HTTPS_KEY && process.env.ACTUAL_HTTPS_CERT
+       ? {
+diff --git a/src/migrations.js b/src/migrations.js
+index 964e1f2..3a341d7 100644
+--- a/src/migrations.js
++++ b/src/migrations.js
+@@ -1,6 +1,12 @@
+ import migrate from 'migrate';
+ import path from 'node:path';
+ import config from './load-config.js';
++import { fileURLToPath } from 'url';
++
++const __filename = fileURLToPath(import.meta.url);
++const __dirname = path.dirname(__filename);
++const appRoot = path.dirname(__dirname);
++const migrationsDirectory = path.join(appRoot, "migrations");
+ 
+ export default function run(direction = 'up') {
+   console.log(
+@@ -13,6 +19,7 @@ export default function run(direction = 'up') {
+         stateStore: `${path.join(config.dataDir, '.migrate')}${
+           config.mode === 'test' ? '-test' : ''
+         }`,
++        migrationsDirectory,
+       },
+       (err, set) => {
+         if (err) {

overlays/default.nix

@@ -2,4 +2,5 @@ final: prev:
 
 {
   libedgetpu = prev.callPackage ./libedgetpu { };
+  actual-server = prev.callPackage ./actualbudget { };
 }

secrets/rekey.sh

@@ -1,5 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-agenix -r
-git commit . -m "Rekey secrets"

secrets/secrets.nix

@@ -49,4 +49,7 @@ with roles;
 
   # gitea actions runner
   "gitea-actions-runner-token.age".publicKeys = gitea-actions-runner;
+
+  # Librechat
+  "librechat-env-file.age".publicKeys = librechat;
 }

update.sh

@@ -1,6 +0,0 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p bash
-
-git pull
-nix flake update # intentionally ignore the lockfile
-sudo nixos-rebuild switch --flake .