diff --git a/README.md b/README.md index c6709ff..dc0e746 100644 --- a/README.md +++ b/README.md @@ -86,6 +86,7 @@ If you would like to add a new config, you can use the [service-template](templa | 💼 Service | 📝 Description | 🔗 Link | | ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | +| 💰 **Actual Budget** | A self-hosted personal finance and budgeting app focused on privacy and full data ownership. | [Details](services/actual-budget) | | ✂️ **ClipCascade** | A self-hosted clipboard manager for syncing and organizing clipboard history. | [Details](services/clipcascade) | | 🗂️ **Copyparty** | A self-hosted file server with accelerated resumable uploads. | [Details](services/copyparty) | | ✅ **Donetick** | A self-hosted task and checklist manager for productivity. | [Details](services/donetick) | diff --git a/services/actual-budget/.env b/services/actual-budget/.env new file mode 100644 index 0000000..89b0a9c --- /dev/null +++ b/services/actual-budget/.env 
@@ -0,0 +1,17 @@
+#version=1.1
+#URL=https://github.com/tailscale-dev/ScaleTail
+#COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure.
+
+# Service Configuration
+SERVICE=actual-budget # Service name (e.g., adguard). Used as hostname in Tailscale and for container naming (app-${SERVICE}).
+IMAGE_URL=docker.io/actualbudget/actual-server:latest # Docker image URL from container registry (e.g., adguard/adguard-home).
+
+# Network Configuration
+SERVICEPORT=5006 # Port to expose to local network. Uncomment the "ports:" section in compose.yaml to enable.
+DNS_SERVER=9.9.9.9 # Preferred DNS server for Tailscale. Uncomment the "dns:" section in compose.yaml to enable.
+
+# Tailscale Configuration
+TS_AUTHKEY= # Auth key from https://tailscale.com/admin/authkeys. See: https://tailscale.com/kb/1085/auth-keys#generate-an-auth-key for instructions.
+
+# Optional Service variables
+# PUID=1000
\ No newline at end of file
diff --git a/services/actual-budget/README.md b/services/actual-budget/README.md
new file mode 100644
index 0000000..535aadd
--- /dev/null
+++ b/services/actual-budget/README.md
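Review bot: `IMAGE_URL` in `.env` points at `docker.io/actualbudget/actual-server:latest`, a mutable tag, so any `docker compose pull` swaps the server that holds the budget data for whatever upstream published last, without a reviewable change in this repository. The same applies to `image: tailscale/tailscale:latest` in the `compose.yaml` hunk, where the container is additionally granted `net_admin` and keeps the node state. I would pin both to a release tag plus digest, e.g. `IMAGE_URL=docker.io/actualbudget/actual-server:<VERSION>@sha256:<DIGEST>` (placeholders, to be filled from the registry), so that updates arrive as explicit bumps.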
@@ -0,0 +1,28 @@
+# Actual Budget with Tailscale Sidecar Configuration
+
+This Docker Compose configuration sets up **Actual Budget** with a Tailscale sidecar container, enabling secure and private access to your personal finance app over your Tailnet. With this setup, your budgeting data stays fully private and is only accessible from trusted devices, without exposing anything to the public internet.
+
+## Actual Budget
+
+[Actual Budget](https://github.com/actualbudget/actual) is an open-source, self-hosted personal finance and budgeting app focused on privacy and control. It serves as a modern alternative to tools like YNAB, allowing you to track spending, manage accounts, and plan budgets while retaining full ownership of your financial data.
+
+When paired with Tailscale, Actual Budget becomes accessible across your devices through your secure Tailnet, eliminating the need for public exposure or complex reverse proxy configurations.
+
+## Configuration Overview
+
+In this setup, the `tailscale-actual` service runs Tailscale, which manages secure networking for Actual Budget. The `actual` service uses the Tailscale network stack via Docker's `network_mode: service:` configuration. This ensures the application is only reachable over your Tailnet unless you explicitly expose ports.
+
+## Key Features
+
+- Self-hosted personal budgeting platform
+- Privacy-first approach with full data ownership
+- Sync across devices without relying on third-party cloud services
+- Transaction tracking, budgeting, and reporting
+- Secure Tailnet-only access via Tailscale
+
+## Files to check
+
+Please check the following contents for validity as some variables need to be defined upfront.
+
+- `.env`
+ - Required: `TS_AUTHKEY`
diff --git a/services/actual-budget/compose.yaml b/services/actual-budget/compose.yaml
new file mode 100644
index 0000000..a9563ae
--- /dev/null
+++ b/services/actual-budget/compose.yaml
@@ -0,0 +1,80 @@
+configs:
+ ts-serve:
+ content: |
+ {"TCP":{"443":{"HTTPS":true}},
+ "Web":{"$${TS_CERT_DOMAIN}:443":
+ {"Handlers":{"/":
+ {"Proxy":"http://127.0.0.1:5006"}}}},
+ "AllowFunnel":{"$${TS_CERT_DOMAIN}:443":false}}
+
+services:
+# Make sure you have updated/checked the .env file with the correct variables.
+# All the ${ xx } need to be defined there.
+ # Tailscale Sidecar Configuration
+ tailscale:
+ image: tailscale/tailscale:latest # Image to be used
+ container_name: tailscale-${SERVICE} # Name for local container management
+ hostname: ${SERVICE} # Name used within your Tailscale environment
+ environment:
+ - TS_AUTHKEY=${TS_AUTHKEY}
+ - TS_STATE_DIR=/var/lib/tailscale
+ - TS_SERVE_CONFIG=/config/serve.json # Tailscale Serve configuration to expose the web interface on your local Tailnet - remove this line if not required
+ - TS_USERSPACE=false
+ - TS_ENABLE_HEALTH_CHECK=true # Enable healthcheck endpoint: "/healthz"
+ - TS_LOCAL_ADDR_PORT=127.0.0.1:41234 # The : for the healthz endpoint
+ #- TS_ACCEPT_DNS=true # Uncomment when using MagicDNS
+ - TS_AUTH_ONCE=true
+ configs:
+ - source: ts-serve
+ target: /config/serve.json
+ volumes:
+ - ./config:/config # Config folder used to store Tailscale files - you may need to change the path
+ - ./ts/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path
+ devices:
+ - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work
+ cap_add:
+ - net_admin # Tailscale requirement
+ #ports:
+ # - 0.0.0.0:${SERVICEPORT}:${SERVICEPORT} # Binding port ${SERVICE}PORT to the local network - may be removed if only exposure to your Tailnet is required
+ # If any DNS issues arise, use your preferred DNS provider by uncommenting the config below
+ #dns:
+ # - ${DNS_SERVER}
+ healthcheck:
+ test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational
+ interval: 1m # How often to perform the check
+ timeout: 10s # Time to wait for the check to succeed
+ retries: 3 # Number of retries before marking as unhealthy
+ start_period: 10s # Time to wait before starting health checks
+ restart: always
+
+ # ${SERVICE}
+ application:
+ image: ${IMAGE_URL} # Image to be used
+ network_mode: service:tailscale # Sidecar configuration to route ${SERVICE} through Tailscale
+ container_name: app-${SERVICE} # Name for local container management
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Amsterdam
+ # Uncomment any of the lines below to set configuration options.
+ # - ACTUAL_HTTPS_KEY=/data/selfhost.key
+ # - ACTUAL_HTTPS_CERT=/data/selfhost.crt
+ # - ACTUAL_PORT=5006
+ # - ACTUAL_UPLOAD_FILE_SYNC_SIZE_LIMIT_MB=20
+ # - ACTUAL_UPLOAD_SYNC_ENCRYPTED_FILE_SYNC_SIZE_LIMIT_MB=50
+ # - ACTUAL_UPLOAD_FILE_SIZE_LIMIT_MB=20
+ # See all options and more details at https://actualbudget.org/docs/config/
+ # !! If you are not using any of these options, remove the 'environment:' tag entirely.
+ volumes:
+ - ./${SERVICE}-data:/data
+ depends_on:
+ tailscale:
+ condition: service_healthy
+ healthcheck:
+ # Enable health check for the instance
+ test: ['CMD-SHELL', 'node src/scripts/health-check.js']
+ interval: 60s
+ timeout: 10s
+ retries: 3
+ start_period: 20s
+ restart: always
\ No newline at end of file
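Review bot: The `- TS_AUTHKEY=${TS_AUTHKEY}` line says nothing about which kind of key to use or how long it should stay configured, although `TS_AUTH_ONCE=true` combined with the persisted `./ts/state` volume suggests the key is only needed for the first login. Until it is removed, the key stays readable in `.env` and in the container environment (for example via `docker inspect`). I would add a comment on that line such as `# Needed for first login only (TS_AUTH_ONCE + persisted state): use a single-use, tagged key with a short expiry and clear it from .env afterwards`. Separately, the `!! If you are not using any of these options, remove the 'environment:' tag entirely.` comment in the `application` service no longer fits, because `PUID`, `PGID` and `TZ` are set unconditionally above it.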