actual: add config

roles/actual-web/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: caddy

roles/actual-web/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Ensure Caddyfile is present
+  template:
+    src: 'actual.Caddyfile.j2'
+    dest: '/etc/caddy/actual.Caddyfile'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: caddy-reload

roles/actual-web/templates/actual.Caddyfile.j2

@@ -0,0 +1,3 @@
+actual.roosens.me {
+    reverse_proxy {{ hostvars[groups['actual'][0]].static_ip }}:8014
+}

roles/actual/files/actual.data.backup.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/actual/data'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"

roles/actual/files/actual.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=A local-first personal finance app 
+After=docker.service
+Requires=docker.service
+
+[Service]
+Type=exec
+WorkingDirectory=/etc/actual
+ExecStart=/usr/bin/docker compose up
+ExecStop=/usr/bin/docker compose down
+
+[Install]
+WantedBy=multi-user.target

roles/actual/files/compose.yml

@@ -0,0 +1,8 @@
+services:
+  app:
+    image: 'actualbudget/actual-server:latest-alpine'
+
+    ports:
+      - '8014:5006'
+    volumes:
+      - '/mnt/data1/actual/data:/data'

roles/actual/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: 'restart actual'
+  ansible.builtin.service:
+    name: 'actual'
+    state: 'restarted'

roles/actual/tasks/main.yml

@@ -0,0 +1,68 @@
+---
+- name: Ensure data directory is present
+  ansible.builtin.file:
+    path: '/mnt/data1/actual'
+    state: directory
+    mode: '0755'
+    owner: 'root'
+    group: 'root'
+
+- name: Ensure data subvolumes are present
+  community.general.btrfs_subvolume:
+    name: '/actual/{{ item }}'
+  loop:
+    - 'data'
+
+- name: Ensure subvolume permissions are correct
+  ansible.builtin.file:
+    path: "/mnt/data1/actual/{{ item }}"
+    state: directory
+    mode: '0755'
+    owner: '1001'
+    group: '1001'
+  loop:
+    - 'data'
+
+- name: Ensure configuration directory is present
+  ansible.builtin.file:
+    path: '/etc/actual'
+    state: directory
+    mode: '0755'
+
+- name: Ensure compose file is present
+  ansible.builtin.copy:
+    src: 'compose.yml'
+    dest: '/etc/actual/compose.yml'
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  notify: 'restart actual'
+
+- name: Ensure backup scripts are present
+  ansible.builtin.copy:
+    src: "actual.{{ item }}.backup.sh"
+    dest: "/etc/backups/actual.{{ item }}.backup.sh"
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop:
+    - 'data'
+
+- name: Ensure service file is present
+  ansible.builtin.copy:
+    src: 'actual.service'
+    dest: '/lib/systemd/system/actual.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: res
+
+- name: systemd-reload
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+  when: 'res.changed'
+
+- name: Ensure actual service is enabled
+  ansible.builtin.service:
+    name: 'actual'
+    enabled: true