From e4f47ef2b231a11b106ea94154426a2ad58465ab Mon Sep 17 00:00:00 2001
From: Nick
Date: Thu, 9 Oct 2025 05:41:34 -0500
Subject: [PATCH] feat: added firefly-iii
---
 .../nixos/services/firefly-iii/default.nix | 41 ++++++++-----------
 1 file changed, 17 insertions(+), 24 deletions(-)
diff --git a/modules/nixos/services/firefly-iii/default.nix b/modules/nixos/services/firefly-iii/default.nix
index dda4c5c..9d37b29 100755
--- a/modules/nixos/services/firefly-iii/default.nix
+++ b/modules/nixos/services/firefly-iii/default.nix
@@ -2,9 +2,6 @@
 let
 inherit (flake.config.services.instances) firefly-iii;
 inherit (flake.config.machines.devices) ceres;
- inherit (flake.config.people) user0;
- inherit (flake.config.people.users.${user0}) email;
- # localhost = "${ceres.ip.addess0}:${service.ports.port0}";
 host = service.domains.url0;
 service = firefly-iii;
 in
@@ -13,10 +10,8 @@ in
 firefly-iii = {
 enable = true;
 dataDir = service.paths.path0;
- virtualHost = host;
 poolConfig = {
 "listen.owner" = config.services.caddy.user;
- "listen.group" = config.services.caddy.group;
 "pm" = "dynamic";
 "pm.max_children" = 32;
 "pm.start_servers" = 2;
@@ -25,10 +20,10 @@ in
 "pm.max_requests" = 500;
 };
 settings = {
- DB_CONNECTION = "sqlite";
+ DB_CONNECTION = "pgsql";
 APP_URL = "https://${host}";
 APP_KEY_FILE = config.sops.secrets."${service.name}-pass".path;
- SITE_OWNER = email.address0;
+ DB_PASSWORD_FILE = config.sops.secrets."${service.name}-data".path;
 };
 };
 firefly-iii-data-importer = {
@@ -39,9 +34,12 @@ in
 ${host} = {
 extraConfig = ''
 root * ${config.services.firefly-iii.package}/public
- file_server
 encode gzip
- php_fastcgi unix//run/phpfpm/firefly-iii.sock
+ php_fastcgi unix/run/phpfpm/firefly-iii.sock {
+ try_files {path} /index.php?{query}
+ trusted_proxies private_ranges
+ }
+ file_server
 tls ${service.ssl.cert} ${service.ssl.key}
 '';
 };
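Review bot: In the `settings` hunk, `DB_CONNECTION = "pgsql"` is paired only with `DB_PASSWORD_FILE`; no `DB_HOST`, `DB_DATABASE` or `DB_USERNAME` is visible here, so unless they are set outside this hunk the connection target is whatever the module defaults to. I would state them explicitly next to the password file, preferring the local Unix socket so PostgreSQL never needs a TCP listener (this commit already drops 5432 from the firewall). The declaration of the `${service.name}-data` sops secret is outside the hunk; it should be owned by the Firefly III service user and not group- or world-readable, and a comment such as `# sops secret: readable by the firefly-iii service user only` above `DB_PASSWORD_FILE` would record that requirement. The enclosing `firefly-iii` attribute set starts before this hunk.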
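Review bot: The new `php_fastcgi unix/run/phpfpm/firefly-iii.sock {` drops one slash from the old `unix//run/...` address, so Caddy would read `run/phpfpm/firefly-iii.sock` as a path relative to its working directory instead of the absolute `/run/phpfpm/firefly-iii.sock`, and requests would most likely fail to reach PHP-FPM. Restore the double slash, or derive the path from the pool so it cannot drift: `php_fastcgi unix/${config.services.phpfpm.pools.firefly-iii.socket} {`. Separately, `trusted_proxies private_ranges` makes Caddy pass through client-supplied `X-Forwarded-*` headers from any private-range or loopback peer, so a LAN client that reaches this vhost directly can forge the address and scheme Firefly III sees and logs; if a proxy really sits in front, list only that proxy's address, otherwise drop the line.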
@@ -70,20 +68,16 @@ in
 );
 };
- # fileSystems."/var/lib/${service.name}" = {
- # device = service.paths.path0;
- # fsType = "none";
- # options = [
- # "bind"
- # ];
- # depends = [
- # ceres.storage0.mount
- # ];
- # };
- #
- users.users.${service.name}.extraGroups = [
- "caddy"
- ];
+ fileSystems."/var/lib/${service.name}" = {
+ device = service.paths.path0;
+ fsType = "none";
+ options = [
+ "bind"
+ ];
+ depends = [
+ ceres.storage0.mount
+ ];
+ };
 systemd.tmpfiles.rules = [
 "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
@@ -94,7 +88,6 @@ in
 firewall.allowedTCPPorts = [
 8080
 8081
- 5432
 ];
 };
 }
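Review bot: The enabled `fileSystems."/var/lib/${service.name}"` bind mount carries only `"bind"` in `options`; since it exposes the application's data directory, I would add `"nosuid"` and `"nodev"` (and `"noexec"` if nothing under it has to execute). The `Z ... 755` tmpfiles rule in the trailing context applies that mode recursively to `service.paths.path0`, which leaves the financial data world-readable through both the original path and the new mount point. `750` looks sufficient now that the service user is no longer in the `caddy` group and Caddy's `root` points at the package's `public` directory rather than the data directory, though that is worth confirming against the PHP-FPM pool user. The `systemd.tmpfiles.rules` list continues past the end of the hunk.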