Forgot to use branches, remember kids: use protection

I'd like less generations please side note:
it's a bit weird that you can't specify how many generations you'd like
to keep, like what if I want 3 generations to stay available?

hosts/blob/actual.nix

@@ -0,0 +1,51 @@
+# that name actually sucks ass
+# but it manages my money pretty well
+#
+# see https://github.com/miniluz/nixos-config/blob/8f0e417e34fa5bbb97b13215ee4843f85c6033be/modules/nixos/selfhosting/actual.nix#L13
+# for a good config
+# and https://github.com/Jonas-Sander/actual-backup for backups
+{ lib, config, ... }:
+{
+  options.actual.enable = lib.mkEnableOption "enable money management";
+  config = lib.mkIf config.actual.enable {
+    services.gatus.settings.endpoints = [
+      {
+        name = "actual";
+        group = "local";
+        url = "https://localhost:3000/";
+        interval = "30s";
+        client.insecure = true;
+        conditions = [
+          "[connected] == true"
+          "[CERTIFICATE_EXPIRATION] > 48h"
+        ];
+      }
+    ];
+
+    users.users.actual = {
+      isSystemUser = true;
+      group = "actual";
+    };
+    users.groups.actual = {};
+
+    sops.secrets."actual/key".owner = config.users.users.actual.name;
+    sops.secrets."actual/cert".owner = config.users.users.actual.name;
+
+    services.actual = {
+      enable = true;
+      openFirewall = true;
+      settings = {
+        https = {
+          # for people trying to re-create my setup the key and cert were
+          # generated using the following command:
+          # openssl req -newkey rsa:4096 -x509 -days 36500 -sha512 -nodes -out certificate.pem -keyout privatekey.pem
+          # I've set the days to 36500 because I don't intend on being around
+          # after November 2125, and renewing certs is a pain in the ass on a
+          # local (and trusted) network
+          key = config.sops.secrets."actual/key".path;
+          cert = config.sops.secrets."actual/cert".path;
+        };
+      };
+    };
+  };
+}