feat: actual budget + claude-chill

Author: DieracDelta

custom_modules/actual.README.md

@@ -0,0 +1,61 @@
+# Actual Budget Setup
+
+Personal finance manager with SimpleFIN bank sync.
+
+## Auth Setup (Required Before First Deploy)
+
+Actual is protected by Caddy basic auth. You must create the auth file before enabling.
+
+### 1. Create directory
+```bash
+sudo mkdir -p /var/lib/actual
+```
+
+### 2. Generate password hash
+```bash
+caddy hash-password
+```
+Enter your password when prompted. Copy the output (starts with `$2a$14$...`).
+
+### 3. Create auth file
+```bash
+sudo tee /var/lib/caddy/actual-auth << 'EOF'
+basic_auth {
+    jrestivo $YOUR_HASH_HERE
+}
+EOF
+```
+
+### 4. Secure the file
+```bash
+sudo chown caddy:caddy /var/lib/caddy/actual-auth
+sudo chmod 640 /var/lib/caddy/actual-auth
+```
+
+## Access
+
+- URL: `https://office-desktop.tail5ca7.ts.net:5007/`
+- Auth: Caddy basic auth (credentials from above)
+- Budget password: Set on first run in Actual UI
+
+Note: Actual Budget doesn't support subpath mounting, so it runs on a separate port.
+
+## SimpleFIN Setup
+
+1. Go to https://beta-bridge.simplefin.org
+2. Sign up ($15/year)
+3. Link your banks: Chase, Discover, Bilt, Santander, Wells Fargo, Fidelity, Raisin
+4. Get your SimpleFIN access token
+5. In Actual: Settings → Show advanced settings → Link bank account with SimpleFIN
+6. Paste token and link accounts
+
+## Data Location
+
+- Budget files: `/var/lib/actual/user-files/`
+- Server data: `/var/lib/actual/server-files/`
+- Auth file: `/var/lib/caddy/actual-auth`
+
+## Ports
+
+- Internal: 5006
+- External: 5007 (via Caddy with TLS)

custom_modules/actual.nix

@@ -0,0 +1,73 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.custom_modules.actual;
+  port = 5006;
+  # Generate hash with: caddy hash-password
+  # Store in /var/lib/caddy/actual-auth containing:
+  # basic_auth {
+  #     username $2a$14$hashedpassword
+  # }
+  authFile = "/var/lib/caddy/actual-auth";
+in
+{
+  options.custom_modules.actual.enable = mkOption {
+    description = "Enable Actual Budget personal finance manager.";
+    type = with types; bool;
+    default = false;
+  };
+
+  config = mkIf cfg.enable {
+    services.actual = {
+      enable = true;
+      openFirewall = true;
+      settings = {
+        hostname = "0.0.0.0";
+        port = port;
+      };
+    };
+
+    # Set base path for subpath deployment
+    systemd.services.actual.environment.ACTUAL_BASE_PATH = "/actual";
+
+    # Caddy reverse proxy at /actual/ subpath
+    # Using 'handle' (not handle_path) because Actual server handles the /actual prefix itself
+    services.caddy.virtualHosts."office-desktop.tail5ca7.ts.net".extraConfig = mkAfter ''
+
+      handle /actual/* {
+        # Static assets (anything with a file extension) - no auth needed
+        # Workers can't send credentials, so bypass auth for all static files
+        @static path_regexp static \.[a-zA-Z0-9]+$
+        handle @static {
+          reverse_proxy 127.0.0.1:${toString port}
+        }
+        # Everything else (API endpoints, HTML pages) requires auth
+        handle {
+          import ${authFile}
+          reverse_proxy 127.0.0.1:${toString port}
+        }
+      }
+      redir /actual /actual/ permanent
+    '';
+
+    # Homepage dashboard entry
+    services.homepage-dashboard.services = mkAfter [
+      {
+        "Finance" = [
+          {
+            "Actual Budget" = {
+              icon = "actual-budget";
+              href = "/actual/";
+              description = "Personal Finance & Budgeting";
+            };
+          }
+        ];
+      }
+    ];
+  };
+}

custom_modules/workstation_services.nix

@@ -34,6 +34,7 @@ let
     heroic
     croc
     claude-code
+    claude-chill
     opencode
     lmstudio
     partclone

flake.lock

@@ -2,6 +2,11 @@
   description = "A highly awesome system configuration.";
 
   inputs = {
+    actual-src = {
+      url = "path:/home/jrestivo/dev/actual";
+      flake = false;
+    };
+
     hl.url = "github:pamburus/hl";
     darwin.url = "github:lnl7/nix-darwin/master";
     darwin.inputs.nixpkgs.follows = "nixpkgs-unpatched";

flake.nix

@@ -38,6 +38,7 @@
   custom_modules.monitoring.enableUps = true;
   custom_modules.monitoring.enableGpu = true;
   custom_modules.comfyui.enable = true;
+  custom_modules.actual.enable = true;
 
   # Koito scrobbler - integrates with Navidrome
   custom_modules.koito = {