End-to-end FinTS pipeline against Sparda Südwest is wired up but
disabled — aqbanking 6.8.2's `-P pinfile` flag does not consume the
file content correctly on this build (verified: pinfile bytes match
the manually-typed PIN exactly, yet the bank receives a wrong PIN).
Three rejected attempts locked the access at Sparda; do not re-arm
the timer until the auth path is replaced (likely python-fints).
What works:
- aqbanking config and FinTS dialog (manual PIN entry)
- getaccsepa workaround for HKCAZ "Mussfeld 9160" rejection
- custom CSV profile (decimal amounts + IBAN columns) wired in
- Firefly importer auto-upload settings + sops secret slot
- inbox + profile-symlink tmpfiles
What's broken:
- Headless PIN delivery via aqbanking-cli -P
- Timer left wantedBy=[] so it cannot fire post-deploy
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add a `metacfg.tools.wezterm` home-manager module so wezterm.lua
configuration can be reused across hosts instead of being duplicated
inline. Migrate halo and amd to the new module and enable it on rialo
(font size 14, term = xterm-256color).
Lays the groundwork for Sparda-Bank Südwest transaction sync via
direct FinTS (no third-party data proxy). aqbanking-cli in the system
PATH, persistent state at /var/lib/firefly-aqbanking, sops slot for
the online-banking PIN. Initial enrollment must be done interactively
on the host; systemd timer for automated fetches comes in a follow-up.
Share the check script via a parameterized mkDiskCheck function over
{ name, mountPoint, label } and iterate an attrset to emit the boot
and root services plus their daily timers.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Added `StartLimitIntervalSec` and `StartLimitBurst` for `ntfy-failure@` unit.
- Refactored `ExecStart` into `script` for improved readability.
- Adjusted `scriptArgs` from `%I` to `%i`.
%i passes the escaped unit name which systemctl status cannot resolve,
causing "Failed to mangle name" errors.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Files vanishing during transfer is expected for mail directories
where messages are constantly moved.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Added `blackhole-2ch` to casks and `darktable` to system packages.
- Disabled `wezterm` and kept `direnv` and `alacritty` enabled in tools.
- Improves utility and functionality by refining the configuration.
Replace broken proxy_cache_bypass (was bypassing every request) with
proxy_cache_lock to coalesce concurrent requests for the same path.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Allow TCP ports 80 and 443 in the firewall for HTTP and HTTPS traffic.
- Enable Nginx with ACME integration for automatic SSL certificate management.
- Configure a virtual host with proxy settings and support for WebSocket traffic.
- Wrap `config.onFailure` in `mkIf cfg.enable` to ensure units are conditionally applied based on the service's `enable` configuration.
- Prevents unnecessary configuration of failure units when the service is disabled.
- Rename `attic` database to `atticd` and set `atticd` user as the owner directly.
- Remove redundant `postStart` script for altering database ownership.
- Update `database.url` to match the renamed database.
- Set `libvirtd.enable` to `false` in `default.nix` to align with the current virtualization setup.
- Prevents unnecessary service activation and reduces resource usage.
- Update `psql` command in the `postStart` script to explicitly connect to the `postgres` database before altering ownership of the `attic` database.
- Ensures the command runs without issues in environments with restricted default database access.
