chore: maintain

system/dev/dn-server/services/actual-budget.nix

@@ -1,7 +1,37 @@
+{ config, ... }:
+let
+  inherit (config.networking) domain;
+  inherit (config.sops) secrets;
+
+  hostname = "actual.${domain}";
+  oidcURL = "https://${config.services.keycloak.settings.hostname}/realms/master";
+in
 {
+  sops.secrets."actual/clientSecret" = {
+    owner = "actual";
+    group = "actual";
+    mode = "640";
+  };
+
   imports = [
     (import ../../../modules/actual {
-      fqdn = "actual.net.dn";
+      fqdn = hostname;
     })
   ];
+
+  services.nginx.virtualHosts."${hostname}" = {
+    useACMEHost = domain;
+  };
+
+  services.actual.settings = {
+    loginMethod = "openid";
+    allowedLoginMethods = [ "openid" ];
+    openId = {
+      discoveryURL = "${oidcURL}/.well-known/openid-configuration";
+      client_id = "actual";
+      client_secret._secret = secrets."actual/clientSecret".path;
+      server_hostname = "https://${hostname}";
+      authMethod = "openid";
+    };
+  };
 }