Applications Azure

Firefly III on Ubuntu 24.04 on Azure User Guide

| Product: Firefly III on Ubuntu 24.04 LTS on Azure

Overview

Firefly III is a free, open source, self hosted personal finance manager that uses double entry bookkeeping to give you a precise, honest picture of your money. Record expenses and income, organise them into budgets, categories and tags, set savings goals with piggy banks, and let automatic rules tidy everything up. It connects to banks via Spectre and GoCardless, imports CSV, camt.xml and OFX files with the Firefly III Data Importer, and exposes a documented REST API. The cloudimg image delivers Firefly III fully installed and configured on Ubuntu 24.04 as a PHP 8.5 Laravel application, so a complete personal finance service is running within minutes of launch, with all of your financial data staying private on infrastructure you control. Backed by 24/7 cloudimg support.

Firefly III is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0). All product and company names are trademarks or registered trademarks of their respective holders. This image repackages the upstream open source release with cloudimg's provisioning and support.

What is included:

  • Firefly III 6.6.3 (AGPL-3.0), served from /var/www/firefly-iii
  • PHP 8.5 (php8.5-fpm) from the ondrej/php PPA + nginx, with the web UI on port 80
  • Self contained SQLite storage, so there is no separate database server to run or secure
  • The whole application, the configuration and the SQLite database on a dedicated, independently resizable data disk mounted at /var/www/firefly-iii
  • A per-VM administrator password, a fresh application encryption key and a fresh cron token, all generated on first boot and written to a root-only file, so no default or shared login ships in the image
  • nginx.service and php8.5-fpm.service as systemd units, enabled and active
  • 24/7 cloudimg support

Firefly III sign-in page served on first boot

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a good starting point; scale up for larger households or heavy imports. NSG inbound: allow 22/tcp from your management network and 80/tcp (HTTP) from your users. Add 443/tcp if you enable HTTPS.

Step 1 — Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Firefly III by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Then Review + create and Create.

Step 2 — Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name firefly-iii \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --generate-ssh-keys \
  --public-ip-sku Standard

Open HTTP to reach the web UI:

az vm open-port --resource-group <your-rg> --name firefly-iii --port 80 --priority 900

Step 3 — Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 — Confirm the services are running

The two services that back Firefly III should both report active, and the sign-in page (GET /login) answers HTTP 200 on port 80:

systemctl is-active nginx php8.5-fpm
curl -s -o /dev/null -w 'GET /login -> %{http_code}\n' http://127.0.0.1/login

Expected: two lines of active, then GET /login -> 200. Only nginx on port 80 is exposed; PHP runs behind it under php-fpm, and the SQLite database is a local file, so there is no database port to open.

Service status and HTTP liveness on port 80

Step 5 — Retrieve your administrator password

On the first boot of every VM, a one-shot service (firefly-iii-firstboot.service) generates credentials that are unique to that VM: a fresh administrator password, a fresh Laravel application encryption key and a fresh cron token. It pins the application to your VM's own address. No shared or default credentials ship in the image.

sudo cat /root/firefly-iii-credentials.txt

The file (mode 0600, root only) contains the administrator email (firefly.admin.user, which is admin@example.com), the administrator password (firefly.admin.pass) and the sign-in URL.

Per-VM credentials, root-only and masked

You can prove the login round-trip from the VM's own shell. Firefly III signs in through a form that carries a Laravel CSRF token, so this reads the per-VM credentials, fetches the token and posts a real sign-in (a correct password answers HTTP 200 and reaches the dashboard):

EMAIL=$(sudo grep '^firefly.admin.user=' /root/firefly-iii-credentials.txt | cut -d= -f2-)
PASS=$(sudo grep '^firefly.admin.pass=' /root/firefly-iii-credentials.txt | cut -d= -f2-)
J=$(mktemp)
T=$(curl -s -c "$J" http://127.0.0.1/login | grep -oE 'name="_token"[^>]*value="[^"]+"' | head -1 | sed -E 's/.*value="([^"]+)".*/\1/')
echo -n 'sign-in HTTP status -> '
curl -s -o /dev/null -w '%{http_code}\n' -b "$J" -c "$J" -L \
  --data-urlencode "_token=$T" --data-urlencode "email=$EMAIL" --data-urlencode "password=$PASS" \
  http://127.0.0.1/login
rm -f "$J"

Expected: sign-in HTTP status -> 200, confirming the credentials in the file sign in.

Step 6 — Sign in and set up your first account

Browse to http://<vm-public-ip>/ and sign in with the administrator email and password from the credentials file. On first sign-in Firefly III asks for your bank's name and the balance of your main checking account so it has something to start with; you can add more accounts later. You can also register your own first user instead, which becomes the owner of the installation.

Firefly III dashboard after sign in

The dashboard shows your net worth, an account balance chart and your accounts. Add your asset accounts (checking, savings, credit cards) with their opening balances from Accounts.

Accounts view for managing asset, expense and revenue accounts

Step 7 — Create budgets and record transactions

Open Budgets to create budgets and give them a soft cap, so you can see how much you have left to spend in each category during the period. Record income and expenses as transactions, organise them into categories and tags, set up bills and piggy bank savings goals, and let automatic rules categorise transactions for you.

Budgets view with budget allocations and spending

To pull transactions in automatically, connect your banks via Spectre or GoCardless, or import CSV, camt.xml and OFX files, using the Firefly III Data Importer.

Step 8 — Confirm the version, the stack and the data disk

php -v | head -1
nginx -v
findmnt /var/www/firefly-iii

Expected: PHP 8.5, nginx, and /var/www/firefly-iii mounted from the dedicated data disk (/dev/sdc). The entire Firefly III application, the configuration and the SQLite database live on that disk, which is independently resizable and survives instance replacement — resize it from the Azure portal if you need more room.

Version and application data disk

First-boot service and security model

A one-shot firefly-iii-firstboot.service runs after the network is up. It regenerates a fresh Laravel APP_KEY and STATIC_CRON_TOKEN, pins the application URL to the VM's own address (resolved from the Azure instance metadata service), rotates the administrator password to a fresh per-VM value, runs the Firefly III database upgrade so the app is immediately usable, writes the credentials file at mode 0600 (root only) and drops a sentinel so it runs exactly once. The image ships with an empty database and no usable login; the per-VM administrator is created on first boot.

systemctl is-active firefly-iii-firstboot.service
sudo stat -c '%a %U:%G %n' /root/firefly-iii-credentials.txt

Expected: active, then 600 root:root /root/firefly-iii-credentials.txt.

First-boot rotation and credential file permissions

Enabling HTTPS with your own domain

The image serves the web UI over plain HTTP on port 80. For a browser-trusted certificate, point a DNS record at the VM, open port 443 in the NSG, and install a certificate from your CA (for example Let's Encrypt):

sudo apt-get update && sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d your-domain.example.com

Certbot updates the nginx site to serve your domain certificate. Then set APP_URL=https://your-domain.example.com in /var/www/firefly-iii/.env and run sudo -u www-data php /var/www/firefly-iii/artisan config:cache so generated links use your domain.

Backup and maintenance

Firefly III stores everything, including the SQLite database, under /var/www/firefly-iii on the dedicated data disk, so a backup is a single directory. Snapshot the data disk and OS disk from the Azure portal for a full point-in-time copy, or archive the tree:

sudo tar -C /var/www -czf /var/backups/firefly-iii-$(date +%F).tar.gz firefly-iii

Keep the OS current with sudo apt-get update && sudo apt-get upgrade; the image ships with unattended security updates enabled. Review the Firefly III documentation before moving between major versions, and always back up before an upgrade.

Support

This image is backed by 24/7 cloudimg support for deployment and initial configuration, retrieving first-boot administrator credentials, data import setup (Spectre, GoCardless, CSV, OFX), budgeting rules and automation, application upgrades and patch management, HTTPS and custom domain setup, performance tuning and storage administration. Email support@cloudimg.co.uk or use the live chat in the support portal; critical issues receive a one-hour average response.