feat(sgx): add aqbanking + sparda PIN slot for FinTS bank sync

Lays the groundwork for Sparda-Bank Südwest transaction sync via direct FinTS (no third-party data proxy). aqbanking-cli in the system PATH, persistent state at /var/lib/firefly-aqbanking, sops slot for the online-banking PIN. Initial enrollment must be done interactively on the host; systemd timer for automated fetches comes in a follow-up.
2026-04-26 16:36:52 +02:00 · 2026-04-26 16:36:52 +02:00 · 06d26311fd
commit 06d26311fd
parent 4833551a3b
1 changed files with 19 additions and 4 deletions
--- a/systems/x86_64-linux/sgx/firefly.nix
+++ b/systems/x86_64-linux/sgx/firefly.nix
@ -1,7 +1,9 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 let
  domain = "firefly.hoyer.world";
  importDomain = "firefly-import.hoyer.world";
+  aqHome = "/var/lib/firefly-aqbanking";
+  inbox = "/var/lib/firefly-iii-data-importer/inbox";
  vhostBase = {
    enableACME = false;
    useACMEHost = "internal.hoyer.world";
@ -9,10 +11,23 @@ let
  };
 in
 {
-  sops.secrets."firefly/app_key" = {
+  sops.secrets = {
+    "firefly/app_key" = {
      sopsFile = ../../../.secrets/sgx/firefly.yaml;
      owner = "firefly-iii";
    };
+    "firefly/sparda_pin" = {
+      sopsFile = ../../../.secrets/sgx/firefly.yaml;
+      owner = "firefly-iii-data-importer";
+    };
+  };
+
+  environment.systemPackages = [ pkgs.aqbanking ];
+
+  systemd.tmpfiles.rules = [
+    "d ${aqHome} 0700 firefly-iii-data-importer firefly-iii-data-importer -"
+    "d ${inbox}  0700 firefly-iii-data-importer firefly-iii-data-importer -"
+  ];

  services = {
    firefly-iii = {