diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index b429d8709b7a..38b51ee133e1 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1401,6 +1401,7 @@
./services/web-apps/ethercalc.nix
./services/web-apps/filesender.nix
./services/web-apps/firefly-iii.nix
+ ./services/web-apps/firefly-iii-data-importer.nix
./services/web-apps/flarum.nix
./services/web-apps/fluidd.nix
./services/web-apps/freshrss.nix
diff --git a/nixos/modules/services/web-apps/firefly-iii-data-importer.nix b/nixos/modules/services/web-apps/firefly-iii-data-importer.nix
new file mode 100644
index 000000000000..5d1712a506d8
--- /dev/null
+++ b/nixos/modules/services/web-apps/firefly-iii-data-importer.nix
@@ -0,0 +1,301 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+
+let
+ cfg = config.services.firefly-iii-data-importer;
+
+ user = cfg.user;
+ group = cfg.group;
+
+ defaultUser = "firefly-iii-data-importer";
+ defaultGroup = "firefly-iii-data-importer";
+
+ artisan = "${cfg.package}/artisan";
+
+ env-file-values = lib.attrsets.mapAttrs' (
+ n: v: lib.attrsets.nameValuePair (lib.strings.removeSuffix "_FILE" n) v
+ ) (lib.attrsets.filterAttrs (n: v: lib.strings.hasSuffix "_FILE" n) cfg.settings);
+ env-nonfile-values = lib.attrsets.filterAttrs (n: v: !lib.strings.hasSuffix "_FILE" n) cfg.settings;
+
+ data-importer-maintenance = pkgs.writeShellScript "data-importer-maintenance.sh" ''
+ set -a
+ ${lib.strings.toShellVars env-nonfile-values}
+ ${lib.strings.concatLines (
+ lib.attrsets.mapAttrsToList (n: v: "${n}=\"$(< ${v})\"") env-file-values
+ )}
+ set +a
+ ${artisan} package:discover
+ ${artisan} cache:clear
+ ${artisan} config:cache
+ '';
+
+ commonServiceConfig = {
+ Type = "oneshot";
+ User = user;
+ Group = group;
+ StateDirectory = "firefly-iii-data-importer";
+ ReadWritePaths = [ cfg.dataDir ];
+ WorkingDirectory = cfg.package;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ CapabilityBoundingSet = "";
+ AmbientCapabilities = "";
+ ProtectSystem = "strict";
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectClock = true;
+ ProtectHostname = true;
+ ProtectHome = "tmpfs";
+ ProtectKernelLogs = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateNetwork = false;
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service @resources"
+ "~@obsolete @privileged"
+ ];
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ NoNewPrivileges = true;
+ RestrictRealtime = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ PrivateUsers = true;
+ };
+
+in
+{
+
+ options.services.firefly-iii-data-importer = {
+ enable = lib.mkEnableOption "Firefly III Data Importer";
+
+ user = lib.mkOption {
+ type = lib.types.str;
+ default = defaultUser;
+ description = "User account under which firefly-iii-data-importer runs.";
+ };
+
+ group = lib.mkOption {
+ type = lib.types.str;
+ default = if cfg.enableNginx then "nginx" else defaultGroup;
+ defaultText = "If `services.firefly-iii-data-importer.enableNginx` is true then `nginx` else ${defaultGroup}";
+ description = ''
+ Group under which firefly-iii-data-importer runs. It is best to set this to the group
+ of whatever webserver is being used as the frontend.
+ '';
+ };
+
+ dataDir = lib.mkOption {
+ type = lib.types.path;
+ default = "/var/lib/firefly-iii-data-importer";
+ description = ''
+ The place where firefly-iii data importer stores its state.
+ '';
+ };
+
+ package = lib.mkOption {
+ type = lib.types.package;
+ default = pkgs.firefly-iii-data-importer;
+ defaultText = lib.literalExpression "pkgs.firefly-iii-data-importer";
+ description = ''
+ The firefly-iii-data-importer package served by php-fpm and the webserver of choice.
+ This option can be used to point the webserver to the correct root. It
+ may also be used to set the package to a different version, say a
+ development version.
+ '';
+ apply =
+ firefly-iii-data-importer:
+ firefly-iii-data-importer.override (prev: {
+ dataDir = cfg.dataDir;
+ });
+ };
+
+ enableNginx = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to enable nginx or not. If enabled, an nginx virtual host will
+ be created for access to firefly-iii data importer. If not enabled, then you may use
+ `''${config.services.firefly-iii-data-importer.package}` as your document root in
+ whichever webserver you wish to setup.
+ '';
+ };
+
+ virtualHost = lib.mkOption {
+ type = lib.types.str;
+ default = "localhost";
+ description = ''
+ The hostname at which you wish firefly-iii-data-importer to be served. If you have
+ enabled nginx using `services.firefly-iii-data-importer.enableNginx` then this will
+ be used.
+ '';
+ };
+
+ poolConfig = lib.mkOption {
+ type = lib.types.attrsOf (
+ lib.types.oneOf [
+ lib.types.str
+ lib.types.int
+ lib.types.bool
+ ]
+ );
+ default = { };
+ defaultText = lib.literalExpression ''
+ {
+ "pm" = "dynamic";
+ "pm.max_children" = 32;
+ "pm.start_servers" = 2;
+ "pm.min_spare_servers" = 2;
+ "pm.max_spare_servers" = 4;
+ "pm.max_requests" = 500;
+ }
+ '';
+ description = ''
+ Options for the Firefly III Data Importer PHP pool. See the documentation on php-fpm.conf
+ for details on configuration directives.
+ '';
+ };
+
+ settings = lib.mkOption {
+ default = { };
+ description = ''
+ Options for firefly-iii data importer configuration. Refer to
+ for
+ details on supported values. All