From 76d4dfa11d83d9909fe1978d629c0e112af0bd92 Mon Sep 17 00:00:00 2001
From: Gleb Koval <gleb@koval.net>
Date: Mon, 9 Mar 2026 22:58:25 +0000
Subject: [PATCH] feat: replace firefly-iii with actual budget

---
 infra/finance/0003_firefly-iii_playbook.yaml | 57 +++-----------------
 infra/finance/0004_actual_playbook.yaml      | 27 ++++++++++
 infra/finance/actual/docker-compose.yml      | 22 ++++++++
 3 files changed, 55 insertions(+), 51 deletions(-)
 create mode 100644 infra/finance/0004_actual_playbook.yaml
 create mode 100644 infra/finance/actual/docker-compose.yml

diff --git a/infra/finance/0003_firefly-iii_playbook.yaml b/infra/finance/0003_firefly-iii_playbook.yaml
index 77de836..effa8e4 100644
--- a/infra/finance/0003_firefly-iii_playbook.yaml
+++ b/infra/finance/0003_firefly-iii_playbook.yaml
@@ -17,54 +17,9 @@
       community.docker.docker_compose_v2:
         project_src: "$HOME/{{ app }}"
         state: absent
-    - name: Copy project
-      ansible.builtin.copy:
-        src: "./{{ app }}"
-        dest: "$HOME"
-        mode: "0744"
-
-    - name: Replace APP_KEY secret
-      ansible.builtin.replace:
-        path: "$HOME/{{ app }}/.env"
-        regexp: "APP_KEY_VALUE"
-        replace: "{{ lookup('infisical.vault.read_secrets', project_id=infisical_project, env_slug='prod',
-                            path='/finance', secret_name='APP_KEY')['value'] }}"
-    - name: Replace DB secret
-      ansible.builtin.replace:
-        path: "$HOME/{{ app }}/.env"
-        regexp: "DB_PASSWORD_VALUE"
-        replace: "{{ lookup('infisical.vault.read_secrets', project_id=infisical_project, env_slug='prod',
-                            path='/finance', secret_name='DB_PASSWORD')['value'] }}"
-    - name: Replace cron token secret
-      ansible.builtin.replace:
-        path: "$HOME/{{ app }}/.env"
-        regexp: "STATIC_CRON_TOKEN_VALUE"
-        replace: "{{ lookup('infisical.vault.read_secrets', project_id=infisical_project, env_slug='prod',
-                            path='/finance', secret_name='STATIC_CRON_TOKEN')['value'] }}"
-    - name: Replace SMTP Password secret (app)
-      ansible.builtin.replace:
-        path: "$HOME/{{ app }}/.env"
-        regexp: "SMTP_PASSWORD_VALUE"
-        replace: "{{ lookup('ansible.builtin.env', 'SMTP_PASSWORD') }}"
-
-    - name: Replace Nordigen ID secret
-      ansible.builtin.replace:
-        path: "$HOME/{{ app }}/.importer.env"
-        regexp: "NORDIGEN_ID_VALUE"
-        replace: "{{ lookup('infisical.vault.read_secrets', project_id=infisical_project, env_slug='prod',
-                            path='/finance', secret_name='NORDIGEN_ID')['value'] }}"
-    - name: Replace Nordigen Key secret
-      ansible.builtin.replace:
-        path: "$HOME/{{ app }}/.importer.env"
-        regexp: "NORDIGEN_KEY_VALUE"
-        replace: "{{ lookup('infisical.vault.read_secrets', project_id=infisical_project, env_slug='prod',
-                            path='/finance', secret_name='NORDIGEN_KEY')['value'] }}"
-    - name: Replace SMTP Password secret (importer)
-      ansible.builtin.replace:
-        path: "$HOME/{{ app }}/.importer.env"
-        regexp: "SMTP_PASSWORD_VALUE"
-        replace: "{{ lookup('ansible.builtin.env', 'SMTP_PASSWORD') }}"
-
-    - name: Docker compose up
-      community.docker.docker_compose_v2:
-        project_src: "$HOME/{{ app }}"
+    - name: Remove project directory
+      when: project.stat.exists
+      ansible.builtin.file:
+        path: "$HOME/{{ app }}"
+        state: absent
+    # Note: we keep db data, just-in-case
diff --git a/infra/finance/0004_actual_playbook.yaml b/infra/finance/0004_actual_playbook.yaml
new file mode 100644
index 0000000..74b9d1b
--- /dev/null
+++ b/infra/finance/0004_actual_playbook.yaml
@@ -0,0 +1,27 @@
+- name: Deploy app
+  hosts: finance
+  gather_facts: false
+  vars:
+    app: actual
+  tasks:
+    - name: Wait for connection
+      ansible.builtin.wait_for_connection:
+        timeout: 300
+
+    - name: Check if project exists
+      ansible.builtin.stat:
+        path: "$HOME/{{ app }}"
+      register: project
+    - name: Docker compose down
+      when: project.stat.exists
+      community.docker.docker_compose_v2:
+        project_src: "$HOME/{{ app }}"
+        state: absent
+    - name: Copy project
+      ansible.builtin.copy:
+        src: "./{{ app }}"
+        dest: "$HOME"
+        mode: "0744"
+    - name: Docker compose up
+      community.docker.docker_compose_v2:
+        project_src: "$HOME/{{ app }}"
diff --git a/infra/finance/actual/docker-compose.yml b/infra/finance/actual/docker-compose.yml
new file mode 100644
index 0000000..9d5ef16
--- /dev/null
+++ b/infra/finance/actual/docker-compose.yml
@@ -0,0 +1,22 @@
+services:
+  actual_server:
+    image: docker.io/actualbudget/actual-server:latest
+    ports:
+      - 80:5006
+    environment:
+      # See all options and more details at https://actualbudget.org/docs/config/
+      - ACTUAL_UPLOAD_FILE_SYNC_SIZE_LIMIT_MB=100
+      - ACTUAL_UPLOAD_SYNC_ENCRYPTED_FILE_SYNC_SIZE_LIMIT_MB=200
+      - ACTUAL_UPLOAD_FILE_SIZE_LIMIT_MB=100
+    volumes:
+      - actual-data:/data
+    healthcheck:
+      test: ["CMD-SHELL", "node src/scripts/health-check.js"]
+      interval: 60s
+      timeout: 10s
+      retries: 3
+      start_period: 20s
+    restart: unless-stopped
+
+volumes:
+  actual-data: