actualbudget
| Field |
Value |
| Service |
actualbudget |
| Purpose |
Personal budgeting and finance tracking application |
| Criticality |
Tier 3 |
| Owner |
Application / platform owner |
| Clusters |
local |
| Namespace |
actualbudget |
| Exposure |
internet |
| Stateful |
yes |
| Backup class |
snapshot |
| RPO / RTO |
Daily snapshot target, 1 to 4 hours to recover |
| Last reviewed |
2026-05-20 |
1. Service Overview
Actual Budget provides a self-hosted budgeting interface for personal finance workflows. It is a low-blast-radius user application, but it still carries persistent data and an external access path.
Summary
If this service fails, budgeting and historical finance data entry stop until the pod and PVC are restored.
Dependencies
| Dependency |
Type |
Why it matters |
| traefik |
ingress |
External HTTPS routing |
| authelia |
access control |
Optional authentication layer for the public route |
| PVC-backed storage |
storage |
Preserves the application database and uploaded state |
2. Architecture Diagram
[Browser]
-> [Traefik]
-> [actualbudget application]
-> [PVC-backed data directory]
3. Deployment Specifications
| Item |
Value |
| Source path |
actualbudget/base and actualbudget/overlays/local |
| Deployment model |
Kustomize plus Fleet bundle |
| Namespace |
actualbudget |
| Workload kind |
Deployment |
| Chart or image version |
See manifests in actualbudget/base |
| Config files |
base/kustomization.yaml, overlays/local/kustomization.yaml, fleet.yaml |
Cluster mapping
| Cluster |
Overlay path |
Notes |
| local |
actualbudget/overlays/local |
Primary local-cluster deployment |
4. Configuration Guide
Environment variables
| Variable |
Source |
Purpose |
Secret? |
| Application runtime env vars |
Overlay manifests and generated Secrets |
Configure Actual Budget runtime and credentials |
mixed |
ConfigMaps
| Resource |
Path |
Purpose |
| No dedicated static ConfigMap |
actualbudget/overlays/local |
Configuration is carried directly in manifests and Secrets |
Secrets management
- Secret names: overlay-generated Secrets in the actualbudget namespace
- Source of truth: local secret material injected by Kustomize or external bootstrap steps
- Rotation trigger: credential changes or access-path changes
- Recovery note: restore secret inputs before redeploying the overlay
5. Access Protocols
| Path |
URL or endpoint |
Audience |
Auth |
TLS terminates at |
| Internal |
Service inside the actualbudget namespace |
Cluster workloads |
namespace RBAC |
Traefik or application |
| External |
https://actualbudget.mutana.fr |
End users |
Authelia when enabled |
Traefik |
6. Operations and Observability
- Primary health indicators: Deployment available, pod Ready, PVC mounted, and successful HTTPS access.
- Dashboards or alerts: shared Grafana and cluster metrics if present.
- Log locations: application pod logs in the actualbudget namespace.
- Known failure modes: PVC attach failure, ingress misrouting, missing secrets, or application startup issues after image updates.
7. Backup and Recovery Notes
- Backup method: PVC snapshots or storage-class level backup.
- Restore prerequisites: restored persistent volume content and valid secret inputs.
- Related runbook: not required for this lower-blast-radius service.
8. Release and Change Notes
- Current deployed app version: see container image tag in actualbudget/base.
- Current chart version: N/A.
- Last significant change: service introduced and aligned with the standardized overlays/local layout.
- Rollback reference: previous overlay revision in Git.