From f4eb0c5939780529571aed9c91303bc22c37748e Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Sun, 26 Apr 2026 14:09:40 +0200
Subject: [PATCH] feat(sgx): add firefly-iii personal finance manager

Self-hosted Firefly III with data-importer, SQLite backend, behind nginx with the existing internal.hoyer.world ACME cert.
---
 .secrets/sgx/firefly.yaml | 35 +++++++++++++++++++
 systems/x86_64-linux/sgx/acme.nix | 2 ++
 systems/x86_64-linux/sgx/default.nix | 1 +
 systems/x86_64-linux/sgx/firefly.nix | 50 ++++++++++++++++++++++++++++
 4 files changed, 88 insertions(+)
 create mode 100644 .secrets/sgx/firefly.yaml
 create mode 100644 systems/x86_64-linux/sgx/firefly.nix

diff --git a/.secrets/sgx/firefly.yaml b/.secrets/sgx/firefly.yaml
new file mode 100644
index 0000000..7e8a88c
--- /dev/null
+++ b/.secrets/sgx/firefly.yaml
@@ -0,0 +1,35 @@
+firefly:
+ app_key: ENC[AES256_GCM,data:0BHC54xXb7EJcFBuGWFiDfIh7ZBgVs1R+1GGztOwte4CeD4Olz31umq1At1aRFESLkoC,iv:e3On3x9eSKTo9+SEp/ujFZA0a6o2slqT+atPhd1PDMM=,tag:k2pjyvgM8AcElBBOR95dwg==,type:str]
+sops:
+ age:
+ - recipient: age149fqcw5jze00vd7jauylrp4j5xyv7amlu57jjfuzghkqtzlnxajs704uz3
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1Q0dETGx1eFhwTjJGbkxD
+ Q3lxbmxPQmh3azlWWGJ4enVWZ0RtRXVsSHhJCjhrSmVOakxCcVBUSmJpUkhlVWZH
+ dklGSzI2YjNZT2lmUTFSWWpFSFJyOXcKLS0tIExrYjRhSFNTUldVbGhlQ1d3LzFy
+ L2RoQVRWTStZS3AySmY5bklHeGZlaUkKFVhlgFUQ/QghOEyezCr3Bw/Gd4AfkGbN
+ kLOK5x/lil06ii1LiLe2s2OJd+jU0WH08MiTAjB8u3DdM/MIcApHBg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1dwcz3fmp29ju4svy0t0wz4ylhpwlqa8xpw4l7t4gmgqr0ev37qrsfn840l
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHN2dQK2laVWlXeHpUT0o0
+ eldJdEZ0RTFVWWYyVng4OXBjQ05ucEFMVEZVClYralUrTWJzam1DR3QrL1Azd05v
+ UlBhK1htK25JVWhPUnNVRDBvRWMwS0kKLS0tIEdlL09FK2NTUVNKa21TeFNQcUtE
+ VFF5YTNrV0FUL3NMK1RQbkEzbnc2Y3cKJCuahHlYCH13VRr9LDJRazQYvmS4LV5E
+ DJ3LfX1VU/46/qgMS66dmaEefbiEUkbUbpGJY99dDNIHsD9lGFjS6w==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1cpm9xhgue7sjvq7zyeeaxwr96c93sfzxxxj76sxsq7s7kgnygvcq5jxren
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyODVnbHVxdTJJM3UrQ3BS
+ cVdlbENhM1MrRWJvL3hxWTJZSFFDdFAvUGlnCjFhb2JuNElVdjkvRm9tV3NNeW9o
+ b043STZyR0s4NnNDSTgyd0JhZzVST1EKLS0tIE0zR0J5MlFBVm1mYmVDRktDOEZP
+ SGRyL01ISlltVG5YdWw4dWV0RGpPNEEK855vVFGwxgBrl0scAla980fd3XSiUjfP
+ ULMGGQK06z1Oh6+bvPyfzbILjFkzlrel06yajpcvdSQgJZXpzQgJUA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-04-26T12:06:15Z"
+ mac: ENC[AES256_GCM,data:EEPwsBNOZQSgVuL/Ahz870bI01o6v+bdzbKOzAq6ZzXoLS5kmSvG3q384bL3fGcv1lDSHu4FKR+PoToKYYwxrZjR95ZAN1nYlro8rU42fF3cdpZRLS5bPeYz/ZmZud4XXFQX95ltgyWAScM0JqAyEPa3ji9DP33HAg3WiSV6dNM=,iv:3m7lL63aKh8O60gv/NzaewEnigm999w+HD2TbljmvlQ=,tag:0IHm7zeXOUFcNcq/smqpGA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1
diff --git a/systems/x86_64-linux/sgx/acme.nix b/systems/x86_64-linux/sgx/acme.nix
index 1bac05a..da5d5cc 100644
--- a/systems/x86_64-linux/sgx/acme.nix
+++ b/systems/x86_64-linux/sgx/acme.nix
@@ -16,6 +16,8 @@
 "syncthing.hoyer.world"
 "home.hoyer.world"
 "status.hoyer.world"
+ "firefly.hoyer.world"
+ "firefly-import.hoyer.world"
 ];
 };
 };
diff --git a/systems/x86_64-linux/sgx/default.nix b/systems/x86_64-linux/sgx/default.nix
index 003451f..cbc4ecb 100644
--- a/systems/x86_64-linux/sgx/default.nix
+++ b/systems/x86_64-linux/sgx/default.nix
@@ -12,6 +12,7 @@
 ./wyoming.nix
 ./searx.nix
 ./uptime-kuma.nix
+ ./firefly.nix
 ];

 boot.tmp.useTmpfs = false;
diff --git a/systems/x86_64-linux/sgx/firefly.nix b/systems/x86_64-linux/sgx/firefly.nix
new file mode 100644
index 0000000..4331f11
--- /dev/null
+++ b/systems/x86_64-linux/sgx/firefly.nix
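Review bot: Adding `"firefly.hoyer.world"` and `"firefly-import.hoyer.world"` as SANs on the publicly issued `internal.hoyer.world` certificate records both hostnames in Certificate Transparency logs, so the new services become discoverable by name even if they only resolve on the internal network. The other names already on the list carry the same exposure, so this may be an accepted trade-off; if it is not, a wildcard SAN or a separate name-agnostic certificate for the internal vhosts would keep future service names out of CT. The enclosing attribute that holds this list starts before the hunk, so the cert's issuer and challenge type are not visible here.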
@@ -0,0 +1,50 @@
+{ config, ... }:
+let
+ domain = "firefly.hoyer.world";
+ importDomain = "firefly-import.hoyer.world";
+ vhostBase = {
+ enableACME = false;
+ useACMEHost = "internal.hoyer.world";
+ forceSSL = true;
+ };
+in
+{
+ sops.secrets."firefly/app_key" = {
+ sopsFile = ../../../.secrets/sgx/firefly.yaml;
+ owner = "firefly-iii";
+ };
+
+ services = {
+ firefly-iii = {
+ enable = true;
+ enableNginx = true;
+ virtualHost = domain;
+ settings = {
+ APP_ENV = "production";
+ APP_KEY_FILE = config.sops.secrets."firefly/app_key".path;
+ SITE_OWNER = "harald.hoyer@gmail.com";
+ TZ = "Europe/Berlin";
+ DEFAULT_LANGUAGE = "de_DE";
+ DEFAULT_LOCALE = "de_DE";
+ TRUSTED_PROXIES = "**";
+ LOG_CHANNEL = "stack";
+ };
+ };
+
+ firefly-iii-data-importer = {
+ enable = true;
+ enableNginx = true;
+ virtualHost = importDomain;
+ settings = {
+ FIREFLY_III_URL = "https://${domain}";
+ VANITY_URL = "https://${importDomain}";
+ TZ = "Europe/Berlin";
+ };
+ };
+
+ nginx.virtualHosts = {
+ ${domain} = vhostBase;
+ ${importDomain} = vhostBase;
+ };
+ };
+}
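Review bot: `TRUSTED_PROXIES = "**";` in the firefly-iii settings makes the application accept X-Forwarded-* headers from every source address, so any client that can reach the app can present a spoofed client IP to Firefly's logging and login throttling. If nginx on this host is the only thing in front of the PHP backend, the line can simply be dropped; if there is an upstream reverse proxy, list only its address, e.g. `TRUSTED_PROXIES = "<UPSTREAM_PROXY_ADDRESS>";` (placeholder). Separately, the data-importer vhost at `importDomain` receives only the TLS settings from `vhostBase` and no access restriction, and its purpose is to write transactions into the instance at `FIREFLY_III_URL`; whether that hostname is reachable beyond the internal network cannot be seen from this file, so an `extraConfig` allow-list on that virtual host is worth considering unless the network already fences it off. A short comment above `TRUSTED_PROXIES` stating which proxy the value is meant to cover would also help the next reader judge it.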