# that name actually sucks ass
# but it manages my money pretty well
#
# see https://github.com/miniluz/nixos-config/blob/8f0e417e34fa5bbb97b13215ee4843f85c6033be/modules/nixos/selfhosting/actual.nix#L13
# for a good config
# and https://github.com/Jonas-Sander/actual-backup for backups
{ lib, config, ... }:
{
  options.actual.enable = lib.mkEnableOption "enable money management";
  config = lib.mkIf config.actual.enable {
    services.gatus.settings.endpoints = [
      {
        name = "actual";
        group = "local";
        url = "https://localhost:3000/";
        interval = "30s";
        client.insecure = true;
        conditions = [
          "[connected] == true"
          "[CERTIFICATE_EXPIRATION] > 48h"
        ];
      }
    ];

    users.users.actual = {
      isSystemUser = true;
      group = "actual";
    };
    users.groups.actual = {};

    sops.secrets."actual/key".owner = config.users.users.actual.name;
    sops.secrets."actual/cert".owner = config.users.users.actual.name;

    services.actual = {
      enable = true;
      openFirewall = true;
      settings = {
        https = {
          # for people trying to re-create my setup the key and cert were
          # generated using the following command:
          # openssl req -newkey rsa:4096 -x509 -days 36500 -sha512 -nodes -out certificate.pem -keyout privatekey.pem
          # I've set the days to 36500 because I don't intend on being around
          # after November 2125, and renewing certs is a pain in the ass on a
          # local (and trusted) network
          key = config.sops.secrets."actual/key".path;
          cert = config.sops.secrets."actual/cert".path;
        };
      };
    };
  };
}