feat: host ledger on ful

secrets.txt

@@ -24,6 +24,7 @@ secrets/kabsa-specus-privateKey.age
 secrets/kabsa-syncthing-cert.age
 secrets/kabsa-syncthing-key.age
 secrets/kfm-password.age
+secrets/ledger-basicAuth.age
 secrets/makanek-retiolum-privateKey-ed25519.age
 secrets/makanek-retiolum-privateKey-rsa.age
 secrets/makanek-specus-privateKey.age

systems/ful/configuration.nix

@@ -11,6 +11,7 @@ in {
     ./matomo.nix
     ./radio.nix
     ./panoptikon.nix
+    ./ledger.nix
     ../../configs/monitoring.nix
     ../../configs/tor.nix
     ../../configs/save-space.nix

systems/ful/ledger.nix

@@ -0,0 +1,54 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  services.hledger-web = {
+    enable = true;
+    capabilities = {
+      add = true;
+      view = true;
+      manage = false;
+    };
+    serveApi = false; # serve only the JSON API
+    baseUrl = "https://ledger.kmein.de";
+    journalFiles = [
+      "privat.journal"
+    ];
+  };
+
+  systemd.services.hledger-backup = {
+    enable = true;
+    startAt = "hourly";
+    wants = ["network-online.target"];
+    wantedBy = ["multi-user.target"];
+    script = ''
+      ${pkgs.git}/bin/git config user.name "hledger-web"
+      ${pkgs.git}/bin/git config user.email "hledger-web@${config.networking.hostName}"
+      ${pkgs.git}/bin/git commit -am $(date -Ih)
+      ${pkgs.git}/bin/git pull --rebase
+      ${pkgs.git}/bin/git push
+    '';
+    serviceConfig = {
+      User = "hledger";
+      Group = "hledger";
+      WorkingDirectory = config.services.hledger-web.stateDir;
+    };
+  };
+
+  age.secrets = {
+    ledger-basicAuth = {
+      file = ../../secrets/ledger-basicAuth.age;
+      owner = "nginx";
+      group = "nginx";
+      mode = "400";
+    };
+  };
+
+  services.nginx.virtualHosts."ledger.kmein.de" = {
+    enableACME = true;
+    basicAuthFile = config.age.secrets.ledger-basicAuth.path;
+    forceSSL = true;
+    locations."/".proxyPass = "http://127.0.0.1:${toString config.services.hledger-web.port}";
+  };
+}