diff --git a/modules/kubernetes/actualbudget/main.tf b/modules/kubernetes/actualbudget/main.tf
new file mode 100644
index 00000000..36ef431a
--- /dev/null
+++ b/modules/kubernetes/actualbudget/main.tf
@@ -0,0 +1,128 @@
+variable "tls_secret_name" {}
+
+module "tls_secret" {
+  source          = "../setup_tls_secret"
+  namespace       = "actualbudget"
+  tls_secret_name = var.tls_secret_name
+}
+
+resource "kubernetes_namespace" "actualbudget" {
+  metadata {
+    name = "actualbudget"
+    labels = {
+      "istio-injection" : "disabled"
+    }
+  }
+}
+
+
+resource "kubernetes_deployment" "actualbudget" {
+  metadata {
+    name      = "actualbudget"
+    namespace = "actualbudget"
+    labels = {
+      app = "actualbudget"
+    }
+    annotations = {
+      "reloader.stakater.com/search" = "true"
+    }
+  }
+  spec {
+    replicas = 1
+    selector {
+      match_labels = {
+        app = "actualbudget"
+      }
+    }
+    template {
+      metadata {
+        annotations = {
+          "diun.enable" = "true"
+        }
+        labels = {
+          app = "actualbudget"
+        }
+      }
+      spec {
+        container {
+          image = "actualbudget/actual-server:latest"
+          name  = "actualbudget"
+
+          port {
+            container_port = 5006
+          }
+          volume_mount {
+            name       = "data"
+            mount_path = "/data"
+          }
+        }
+        volume {
+          name = "data"
+          nfs {
+            path   = "/mnt/main/actualbudget"
+            server = "10.0.10.15"
+          }
+        }
+      }
+    }
+  }
+}
+
+resource "kubernetes_service" "actualbudget" {
+  metadata {
+    name      = "actualbudget"
+    namespace = "actualbudget"
+    labels = {
+      app = "actualbudget"
+    }
+  }
+
+  spec {
+    selector = {
+      app = "actualbudget"
+    }
+    port {
+      name        = "http"
+      port        = 80
+      target_port = 5006
+    }
+  }
+}
+
+resource "kubernetes_ingress_v1" "actualbudget" {
+  metadata {
+    name      = "actualbudget-ingress"
+    namespace = "actualbudget"
+    annotations = {
+      "kubernetes.io/ingress.class" = "nginx"
+      "nginx.ingress.kubernetes.io/client-max-body-size" : "0"
+      "nginx.ingress.kubernetes.io/proxy-body-size" : "0",
+      # "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth"
+      # "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri"
+    }
+  }
+
+  spec {
+    tls {
+      hosts       = ["budget.viktorbarzin.me"]
+      secret_name = var.tls_secret_name
+    }
+    rule {
+      host = "budget.viktorbarzin.me"
+      http {
+        path {
+          path = "/"
+          backend {
+            service {
+              name = "actualbudget"
+              port {
+                number = 80
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
+
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index 7e68f6e5..297b21c5 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@@ -532,3 +532,8 @@ module "linkwarden" {
   authentik_client_id     = var.linkwarden_authentik_client_id
   authentik_client_secret = var.linkwarden_authentik_client_secret
 }
+
+module "actualbudget" {
+  source          = "./actualbudget"
+  tls_secret_name = var.tls_secret_name
+}
diff --git a/terraform.tfstate b/terraform.tfstate
index 92df27a1..c6c72068 100644
Binary files a/terraform.tfstate and b/terraform.tfstate differ