130 lines
4.1 KiB
Nix
130 lines
4.1 KiB
Nix
{ config, pkgs, ... }:
|
|
|
|
{
|
|
c3d2.deployment.server = "server10";
|
|
microvm = {
|
|
mem = 1 * 1024;
|
|
vcpu = 2;
|
|
};
|
|
|
|
networking.hostName = "home-assistant";
|
|
|
|
services = {
|
|
home-assistant = {
|
|
enable = true;
|
|
config = {
|
|
default_config = { }; # yes, this is required...
|
|
homeassistant = {
|
|
auth_providers = [
|
|
{
|
|
type = "command_line";
|
|
command =
|
|
# the script is not inheriting PATH from home-assistant
|
|
pkgs.resholve.writeScript "ldap-auth-sh" {
|
|
fake = {
|
|
external = [ "on_auth_failure" "on_auth_success" ];
|
|
};
|
|
inputs = with pkgs; [ coreutils curl gnugrep gnused openldap ];
|
|
interpreter = "${pkgs.bash}/bin/bash";
|
|
keep."source:$CONFIG_FILE" = true;
|
|
} (builtins.readFile "${pkgs.fetchFromGitHub {
|
|
owner = "bob1de";
|
|
repo = "ldap-auth-sh";
|
|
rev = "819f9233116e68b5af5a5f45167bcbb4ed412ed4";
|
|
sha256 = "sha256-+QjRP5SKUojaCv3lZX2Kv3wkaNvpWFd97phwsRlhroY=";
|
|
}}/ldap-auth.sh");
|
|
args =
|
|
let
|
|
ldap = config.security.ldap;
|
|
sed = "${pkgs.gnused}/bin/sed";
|
|
in
|
|
[
|
|
# https://github.com/bob1de/ldap-auth-sh/blob/master/examples/home-assistant.cfg
|
|
(pkgs.writeText "config.cfg" /* shell */ ''
|
|
ATTRS="${ldap.userField}"
|
|
CLIENT="ldapsearch"
|
|
DEBUG=0
|
|
FILTER="${ldap.groupFilter "home-assistant"}"
|
|
NAME_ATTR="${ldap.userField}"
|
|
SCOPE="base"
|
|
SERVER="ldaps://${ldap.domainName}"
|
|
USERDN="uid=$(ldap_dn_escape "$username"),${ldap.userBaseDN}"
|
|
BASEDN="$USERDN"
|
|
|
|
on_auth_success() {
|
|
# print the meta entries for use in HA
|
|
if [ ! -z "$NAME_ATTR" ]; then
|
|
name=$(echo "$output" | ${sed} -nr "s/^\s*$NAME_ATTR:\s*(.+)\s*\$/\1/Ip")
|
|
[ -z "$name" ] || echo "name=$name"
|
|
fi
|
|
}
|
|
'')
|
|
];
|
|
meta = true;
|
|
}
|
|
# default authentication is required for the first step of onboarding
|
|
# { type = "homeassistant"; }
|
|
];
|
|
latitude = "51.08105";
|
|
longitude = "13.72867";
|
|
name = "C3D2";
|
|
temperature_unit = "C";
|
|
time_zone = config.time.timeZone;
|
|
unit_system = "metric";
|
|
};
|
|
http = rec {
|
|
# TODO: turn on when the public-access-proxy is using PROXY PROTOCOL
|
|
# ip_ban_enabled = true;
|
|
# login_attempts_threshold = 5;
|
|
server_host = [
|
|
"127.0.0.1"
|
|
"::1"
|
|
];
|
|
trusted_proxies = server_host;
|
|
use_x_forwarded_for = true;
|
|
};
|
|
};
|
|
extraComponents = [
|
|
# required for onboarding
|
|
"backup"
|
|
"default_config"
|
|
"met"
|
|
# extra things we use
|
|
"wled"
|
|
];
|
|
package = (pkgs.home-assistant.override {
|
|
packageOverrides = final: prev: {
|
|
moto = prev.moto.overrideAttrs (_: {
|
|
# takes a long time and can't be sped up with pytest-xdist
|
|
doCheck = false;
|
|
doInstallCheck = false;
|
|
});
|
|
};
|
|
}).overrideAttrs (_: {
|
|
doCheck = false;
|
|
doInstallCheck = false;
|
|
});
|
|
};
|
|
|
|
nginx = {
|
|
enable = true;
|
|
virtualHosts."home-assistant.hq.c3d2.de" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:${toString config.services.home-assistant.config.http.server_port}";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
};
|
|
|
|
portunus.addToHosts = true;
|
|
};
|
|
|
|
sops = {
|
|
defaultSopsFile = ./secrets.yaml;
|
|
};
|
|
|
|
system.stateVersion = "22.11";
|
|
}
|