devantler-tech · devantler · May 5, 2026
@@ -1,3 +1,4 @@
+127.0.0.1 budget.platform.lan
 127.0.0.1 dex.platform.lan
 127.0.0.1 fleetdm.platform.lan
 127.0.0.1 flux.platform.lan

@@ -0,0 +1,65 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: actual-budget
+  namespace: actual-budget
+  labels:
+    helm.toolkit.fluxcd.io/remediation: enabled
+spec:
+  interval: 2m
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+      remediateLastFailure: true
+  chart:
+    spec:
+      chart: actualbudget
+      version: 1.8.7
+      sourceRef:
+        kind: HelmRepository
+        name: actual-budget
+  postRenderers:
+    - kustomize:
+        patches:
+          - target:
+              kind: Deployment
+              name: actual-budget-actualbudget
+            patch: |
+              - op: add
+                path: /spec/strategy
+                value:
+                  type: RollingUpdate
+                  rollingUpdate:
+                    maxSurge: 1
+                    maxUnavailable: 0
+              - op: add
+                path: /spec/template/spec/topologySpreadConstraints
+                value:
+                  - maxSkew: 1
+                    topologyKey: kubernetes.io/hostname
+                    whenUnsatisfiable: ScheduleAnyway
+                    labelSelector:
+                      matchLabels:
+                        app.kubernetes.io/name: actualbudget
+                        app.kubernetes.io/instance: actual-budget
+  # https://github.com/community-charts/helm-charts/blob/main/charts/actualbudget/values.yaml
+  values:
+    replicaCount: ${actual_budget_replicas:=1}
+    ingress:
+      enabled: false
+    persistence:
+      enabled: true
+      size: 10Gi
+    login:
+      method: "openid"
+      openid:
+        enforce: true
+        providerName: "Dex"
+        discoveryUrl: "https://dex.${domain}/.well-known/openid-configuration"
+        clientId: "public-client"
+        clientSecret: "${dex_client_secret}"
+        authMethod: "openid"
+        tokenExpiration: "never"
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: actual-budget
+  namespace: actual-budget
+spec:
+  url: https://community-charts.github.io/helm-charts
+  interval: 60m
@@ -0,0 +1,22 @@
+---
+apiVersion: http.keda.sh/v1alpha1
+kind: HTTPScaledObject
+metadata:
+  name: actual-budget
+  namespace: actual-budget
+spec:
+  hosts:
+    - budget.${domain}
+  scaleTargetRef:
+    name: actual-budget-actualbudget
+    service: actual-budget-actualbudget
+    port: 5006
+  replicas:
+    min: 0
+    max: 1
+  scaledownPeriod: 300
+  scalingMetric:
+    requestRate:
+      granularity: 1s
+      targetValue: 100
+      window: 1m
@@ -0,0 +1,25 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: actual-budget
+  namespace: actual-budget
+  annotations:
+    gethomepage.dev/enabled: "true"
+    gethomepage.dev/name: Actual Budget
+    gethomepage.dev/description: Local-first personal finance and budgeting.
+    gethomepage.dev/group: Finance
+    gethomepage.dev/icon: si-actualbudget
+    gethomepage.dev/href: https://budget.${domain}
+    gethomepage.dev/pod-selector: app.kubernetes.io/name=actualbudget
+spec:
+  parentRefs:
+    - name: platform
+      namespace: kube-system
+      sectionName: https
+  hostnames:
+    - budget.${domain}
+  rules:
+    - backendRefs:
+        - name: keda-add-ons-http-interceptor-proxy
+          namespace: keda
+          port: 8080
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - helm-release.yaml
+  - helm-repository.yaml
+  - httproute.yaml
+  - http-scaled-object.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: actual-budget
@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+- actual-budget/
 - fleetdm/
 - headlamp/
 - homepage/

@@ -60,6 +60,7 @@ spec:
           redirectURIs:
             - "https://oauth2-proxy.${domain}/oauth2/callback"
             - "https://headlamp.${domain}/oidc-callback"
+            - "https://budget.${domain}/oidc/callback"
           trustedPeers:
             - kubectl
         - name: kubectl

@@ -36,9 +36,11 @@ data:
   # saves memory until the first KEDA reconciliation.
   # headlamp: min 0, max 1 (OIDC state in-memory — must stay single-pod)
   # whoami/fleetdm: min 0, max 2
+  # actual-budget: min 0, max 1 (SQLite — single-pod only)
   headlamp_replicas: "1"
   whoami_replicas: "1"
   fleetdm_replicas: "1"
+  actual_budget_replicas: "1"
   # Auth chain: single replica is sufficient on cx23 nodes; prevents OOM
   # cascade that makes both replicas flap simultaneously.
   dex_replicas: "1"

@@ -0,0 +1,9 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: actual-budget
+  namespace: actual-budget
+spec:
+  values:
+    persistence:
+      size: 2Gi
@@ -4,6 +4,11 @@ kind: Kustomization
 resources:
   - ../../../bases/apps/
 patches:
+  - target:
+      kind: HelmRelease
+      name: actual-budget
+      namespace: actual-budget
+    path: actual-budget/patches/helm-release-patch.yaml
   - target:
       kind: HelmRelease
       name: headlamp