feat: add firefly-iii

deedee-ops · Oct 27, 2024 · b1528ae · b1528ae
1 parent 9d3b499
commit b1528ae
Show file tree

Hide file tree

Showing 4 changed files with 131 additions and 2 deletions.
diff --git a/machines/deedee/configuration.nix b/machines/deedee/configuration.nix
@@ -144,6 +144,7 @@ _: rec {
     authelia.enable = true;
     coredns.enable = true;
     firefoxsync.enable = true;
+    firefly-iii.enable = true;
     lldap.enable = true;
     maddy.enable = true;
     paperless-ngx.enable = true;

diff --git a/machines/deedee/secrets.sops.yaml b/machines/deedee/secrets.sops.yaml
@@ -24,6 +24,12 @@ system:
                 AUTHELIA_SESSION_SECRET: ENC[AES256_GCM,data:VpfpyvLT9GD7j9opJBRGoClYkW0msX+VmkZcRIX36vbyl7b2Xnc9mHNOcQBFQKbmzMXvpOigcE4dkAS0Sje4lQ==,iv:biHN12Qf4DaLtylUqBThfXUAvdnzzCYmiJAdk7Eyd3w=,tag:JpP4OXejR6SZGxrrHIyOng==,type:str]
                 AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:zbNkm26j8sLViarc5jFnKGolqGQZGkzYVjMtuxokJNVtBXOw1kL8d0hTmyZBCmIqxqe7AUwIGAE6zBB/TjRz6g==,iv:jBiyA5F5KuBRvk9zdstrqLTWjQJMgx7nJPbmfebfnxw=,tag:pXm28S/k7cO23GnSj4RG5w==,type:str]
                 AUTHELIA_STORAGE_POSTGRES_PASSWORD: ENC[AES256_GCM,data:6rFJAxj2e5dod4AlA2g6FoEJiIg8OMlx0i8/mBjvgnGR/DEaeWDQ5w==,iv:FGIwOjV2IiIxOTRzuEvmijIh+pLp3Aoxo8s7CLq9ky4=,tag:pXQHHHUWGQUAghxfuW3AXA==,type:str]
+        firefly-iii:
+            env:
+                APP_KEY: ENC[AES256_GCM,data:ks/31NYsRRo9SrEbRfeQhUxn9pRfvXYExhUY9y84TXA=,iv:vn8R/bJU2PFbQjOsKNRerj3uNAynjwInalWGCYjGVI0=,tag:ME3XtRW7EkpgiY/banycsQ==,type:str]
+                DB_PASSWORD: ENC[AES256_GCM,data:cTjz86AvlhssWmmmF2XpEsisCfAiIZgp6fitnQblYIV9gqh6sndgVg==,iv:hlfQLKkNNkLACazzRMZWqKomsUqH5/hOg1npbJaAayA=,tag:DQ/T364vG1a4rN8c4QC/BA==,type:str]
+                FIREFLY_III_TOKEN: ENC[AES256_GCM,data:yr+s0fvzYY+Rrx8HKbPYgOiYjeafLP9M+ohEse1CVfM=,iv:uNhTHVgNXB0kuiBZowNc7PA2iKtjqooFj6wFgEuoyKI=,tag:f0dXyaXPzOKLWTu/T/nRMw==,type:str]
+                REDIS_PASSWORD: null
         firefoxsync:
             env:
                 FIREFOXSYNC__POSTGRES_PASSWORD: ENC[AES256_GCM,data:JbwOPfE0OrfplFtGrZRTlWn7z5/YA9jKH22waNIGUduHnxFfut6gWA==,iv:lex3Z+6bQWTjcQcO89Hj/wndXA13UM+sTLaq0j8Wupc=,tag:sgqbma6rLOkWN5FrwXrMVg==,type:str]
@@ -91,8 +97,8 @@ sops:
             c3FoaFNzbjJubzlBckdDb2lNOUZtOGMKRbHxa1B3QAdredBMTd7W7g3kRz6l8uyV
             bBclsA8Gm7p+6ndV39sN+Daqm5MyggY1Prwv/Ukdd5Q+1C+XsEW6OQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-27T10:21:55Z"
-    mac: ENC[AES256_GCM,data:zF2fxyZ4X8E00xveCuAJQElhPRifbEwPP+VqW3z8DS+UJu55ZT+n8hjdX5LbPqQ/ZIXztgssqUMr5HYv0JZJCNgBsYe5fyKu2mulTAk1C6vItbpc3AkJo5lJakd5mVAlvqvIGN6qaz+oSuzY5UegN8FJZyF4VqDJxYVBEq9xmU0=,iv:T4XlgS83S7wrpH7OHE9ZqIVOzWagF4QYmht7zXXPrYc=,tag:CMlEbbbUgCWurESjENQPSA==,type:str]
+    lastmodified: "2024-10-27T12:48:55Z"
+    mac: ENC[AES256_GCM,data:HxVRmEpaNfxJ12R3D2nzLLNZxVMZnk3gL+AsXRSHcT1xnL+XueYS0y16XSPriMFv5XiFE9x5eHluKvnSA8AXMiP1M7K2Y9Goai/TescHRph35My75j7lnOA3bOjYfyJKj5WFYVb3/rdiAbinDSBafCQEtUIFNHH5KvZLB8aK6Cs=,iv:L6iZIEW61LD3MGD0dYypFKqAIioyHQeWxgm8ZOQdCWM=,tag:mCyFL3guwkazD2eNCD+idw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1
diff --git a/modules/system/containers/default.nix b/modules/system/containers/default.nix
@@ -2,6 +2,7 @@ _: {
   imports = [
     ./authelia
     ./coredns
+    ./firefly-iii
     ./firefoxsync
     ./lldap
     ./maddy

diff --git a/modules/system/containers/firefly-iii/default.nix b/modules/system/containers/firefly-iii/default.nix
@@ -0,0 +1,121 @@
+{
+  config,
+  lib,
+  pkgs,
+  svc,
+  ...
+}:
+let
+  cfg = config.mySystemApps.firefly-iii;
+  secretEnvs = [
+    "APP_KEY"
+    "DB_PASSWORD"
+    "FIREFLY_III_TOKEN"
+  ];
+in
+{
+  options.mySystemApps.firefly-iii = {
+    enable = lib.mkEnableOption "firefly-iii container";
+    backup = lib.mkEnableOption "postgresql backup" // {
+      default = true;
+    };
+    sopsSecretPrefix = lib.mkOption {
+      type = lib.types.str;
+      description = "Prefix for sops secret, under which all ENVs will be appended.";
+      default = "system/apps/firefly-iii/env";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    warnings = [ (lib.mkIf (!cfg.backup) "WARNING: Backups for firefly-iii are disabled!") ];
+
+    sops.secrets = svc.mkContainerSecretsSops {
+      inherit (cfg) sopsSecretPrefix;
+      inherit secretEnvs;
+
+      containerName = "firefly-iii";
+    };
+
+    mySystemApps.postgresql.userDatabases = [
+      {
+        username = "firefly";
+        passwordFile = config.sops.secrets."${cfg.sopsSecretPrefix}/DB_PASSWORD".path;
+        databases = [ "firefly" ];
+      }
+    ];
+
+    virtualisation.oci-containers.containers.firefly-iii = svc.mkContainer {
+      cfg = {
+        image = "ghcr.io/deedee-ops/firefly-iii:6.1.21@sha256:c8c7135b7fb2e6dd3d1a065a27246acc0b729f09d87cf7483d39302d6e58585f";
+        environment = {
+          APP_URL = "https://firefly.${config.mySystem.rootDomain}";
+          AUTHENTICATION_GUARD = "remote_user_guard";
+          AUTHENTICATION_GUARD_EMAIL = "HTTP_REMOTE_EMAIL";
+          AUTHENTICATION_GUARD_HEADER = "HTTP_REMOTE_EMAIL";
+          DB_CONNECTION = "pgsql";
+          DB_DATABASE = "firefly";
+          DB_HOST = "host.docker.internal";
+          DB_PORT = "5432";
+          DB_USERNAME = "firefly";
+          MAIL_ENCRYPTION = "null";
+          MAIL_FROM = config.mySystem.notificationSender;
+          MAIL_HOST = "maddy";
+          MAIL_MAILER = "smtp";
+          MAIL_PORT = "25";
+          SEND_TELEMETRY = "false";
+          TRUSTED_PROXIES = "**";
+
+          CACHE_DRIVER = "redis";
+          SESSION_DRIVER = "redis";
+          REDIS_SCHEME = "tcp";
+          REDIS_HOST = "host.docker.internal";
+          REDIS_PORT = "6379";
+        }; # // svc.mkContainerSecretsEnv { inherit secretEnvs; };
+        extraOptions = [
+          "--mount"
+          "type=tmpfs,destination=/config,tmpfs-mode=1777"
+        ];
+        volumes =
+          svc.mkContainerSecretsVolumes {
+            inherit (cfg) sopsSecretPrefix;
+            inherit secretEnvs;
+          }
+          ++ [
+            "${
+              config.sops.secrets."${config.mySystemApps.redis.passFileSopsSecret}".path
+            }:/secrets/REDIS_PASSWORD:ro"
+          ];
+      };
+    };
+
+    services = {
+      nginx.virtualHosts.firefly-iii = svc.mkNginxVHost {
+        host = "firefly";
+        proxyPass = "http://firefly-iii.docker:8080";
+      };
+      postgresqlBackup = lib.mkIf cfg.backup { databases = [ "firefly-iii" ]; };
+    };
+
+    systemd = {
+      services.docker-firefly-iii-cron = {
+        description = "Trigger firefly iii cron.";
+        path = [ (pkgs.curlFull.override { c-aresSupport = true; }) ]; # c-aresSupport enables `--dns-servers` option
+        serviceConfig.Type = "simple";
+        script = ''
+          curl --silent --show-error --fail --dns-servers 127.0.0.1:5533 "http://firefly-iii.docker:8080/api/v1/cron/$(cat ${
+            config.sops.secrets."${cfg.sopsSecretPrefix}/FIREFLY_III_TOKEN".path
+          })"
+        '';
+      };
+
+      timers.docker-firefly-iii-cron = {
+        description = "Firefly III cron timer.";
+        wantedBy = [ "timers.target" ];
+        partOf = [ "docker-firefly-iii-cron.service" ];
+        timerConfig.OnCalendar = "0:00";
+        timerConfig.Persistent = "true";
+      };
+    };
+
+  };
+}