home-assistant: move patches to here, add support for admin group, fix person entity not being created by ldap login

2024-02-04 03:08:47 +01:00 · 2024-02-04 03:08:47 +01:00 · 549cedc09b
parent 453f941ff2
commit 549cedc09b
4 changed files with 125 additions and 4 deletions
--- a/modules/home-assistant-create-person-when-credentials-exist.diff
+++ b/modules/home-assistant-create-person-when-credentials-exist.diff
@ -0,0 +1,57 @@
+--- a/homeassistant/auth/providers/command_line.py	2024-02-04 01:41:34.460181490 +0100
+++ b/homeassistant/auth/providers/command_line.py	2024-02-04 01:46:55.952650748 +0100
+@@ -118,6 +118,13 @@
+         username = flow_result["username"].strip().casefold()
+
+         users = await self.store.async_get_users()
+        hass = async_get_hass()
+        meta = self._user_meta.get(flow_result["username"], {})
+
+        pretty_name = meta.get("fullname")
+        if not pretty_name:
+            pretty_name = flow_result["username"]
+
+         for user in users:
+             if user.name and user.name.strip().casefold() != username:
+                 continue
+@@ -127,28 +134,34 @@
+
+             for credential in await self.async_credentials():
+                 if credential.data["username"] and credential.data["username"].strip().casefold() == username:
+                    coll: person.PersonStorageCollection = hass.data[person.DOMAIN][1]
+                    found = False
+                    for pers in coll.async_items():
+                        if pers.get(person.ATTR_USER_ID) == user.id:
+                            found = True
+                            break
+
+                    if "person" in hass.config.components and not found:
+                        await person.async_create_person(hass, pretty_name, user_id=user.id)
+
+                     return credential
+
+             cred = self.async_create_credentials({"username": username})
+             await self.store.async_link_user(user, cred)
+             return cred
+
+-        hass = async_get_hass()
+-        meta = self._user_meta.get(flow_result["username"], {})
+-
+         provider = _async_get_hass_provider(hass)
+         await provider.async_initialize()
+
+         user = await hass.auth.async_create_user(flow_result["username"], group_ids=[meta.get("group")])
+         cred = await provider.async_get_or_create_credentials({"username": flow_result["username"]})
+
+-        pretty_name = meta.get("fullname")
+-        if not pretty_name:
+-            pretty_name = flow_result["username"]
+         await provider.data.async_save()
+         await hass.auth.async_link_user(user, cred)
+
+         if "person" in hass.config.components:
+             await person.async_create_person(hass, pretty_name, user_id=user.id)
+
+         # Create new credentials.
+         return cred
+
--- a/modules/home-assistant-increase-local_temperature_calibration.diff
+++ b/modules/home-assistant-increase-local_temperature_calibration.diff
@ -0,0 +1,15 @@
+diff --git a/homeassistant/components/zha/number.py b/homeassistant/components/zha/number.py
+index 24964d7a15..4c43958f41 100644
+--- a/homeassistant/components/zha/number.py
+++ b/homeassistant/components/zha/number.py
+@@ -956,8 +956,8 @@ class ThermostatLocalTempCalibration(ZHANumberConfigurationEntity):
+     """Local temperature calibration."""
+ 
+     _unique_id_suffix = "local_temperature_calibration"
+-    _attr_native_min_value: float = -2.5
+-    _attr_native_max_value: float = 2.5
+    _attr_native_min_value: float = -5.0
+    _attr_native_max_value: float = 5.0
+     _attr_native_step: float = 0.1
+     _attr_multiplier: float = 0.1
+     _attribute_name = "local_temperature_calibration"
--- a/modules/home-assistant-no-cloud.diff
+++ b/modules/home-assistant-no-cloud.diff
@ -0,0 +1,10 @@
+--- a/homeassistant/components/default_config/manifest.json	2023-10-22 01:46:48.596580412 +0200
+++ b/homeassistant/components/default_config/manifest.json	2023-10-22 01:47:01.916784170 +0200
+@@ -7,7 +7,6 @@
+     "assist_pipeline",
+     "automation",
+     "bluetooth",
+-    "cloud",
+     "conversation",
+     "counter",
+     "dhcp",
--- a/modules/home-assistant.nix
+++ b/modules/home-assistant.nix
@ -14,13 +14,44 @@ in
          Only enable this after completing the onboarding!
          :::
        '');
+
        userGroup = libS.ldap.mkUserGroupOption;
+        adminGroup = lib.mkOption {
+          type = with lib.types; nullOr str;
+          default = null;
+          example = "home-assistant-admins";
+          description = lib.mdDoc "Name of the ldap group that grants admin access in Home-Assistant.";
+        };
      };

      recommendedDefaults = libS.mkOpinionatedOption "set recommended default settings";
    };
  };

+  config.nixpkgs.overlays = lib.mkIf cfg.enable [
+    (final: prev: {
+      home-assistant = (prev.home-assistant.override (lib.optionalAttrs cfg.recommendedDefaults {
+        extraPackages = ps: with ps; [
+          pyqrcode # for TOTP qrcode
+        ];
+      })).overrideAttrs ({ patches ? [ ], ... }: {
+        patches = patches ++ lib.optionals cfg.recommendedDefaults [
+          ./home-assistant-increase-local_temperature_calibration.diff
+          ./home-assistant-no-cloud.diff
+        ] ++ lib.optionals cfg.ldap.enable [
+          # expand command_line authentication provider
+          (final.fetchpatch {
+            url = "https://github.com/home-assistant/core/pull/107419.diff";
+            hash = "sha256-rbdu6aMpBExblMT2oOuPS4kb+S71AFtyxBCgKWLi6g8=";
+          })
+          ./home-assistant-create-person-when-credentials-exist.diff
+        ];
+
+        doInstallCheck = false;
+      });
+    })
+  ];
+
  config.services.home-assistant = lib.mkMerge [
    (lib.mkIf (cfg.enable && cfg.recommendedDefaults) {
      config = {
@ -67,10 +98,10 @@ in
        args = [
          # https://github.com/bob1de/ldap-auth-sh/blob/master/examples/home-assistant.cfg
          (pkgs.writeText "config.cfg" /* shell */ ''
-            ATTRS="${ldap.userField}"
+            ATTRS="${ldap.userField} ${ldap.roleField} isMemberOf"
            CLIENT="ldapsearch"
            DEBUG=0
-            FILTER="${ldap.groupFilter "home-assistant-users"}"
+            FILTER="${ldap.groupFilter cfg.ldap.userGroup}"
            NAME_ATTR="${ldap.userField}"
            SCOPE="base"
            SERVER="ldaps://${ldap.domainName}"
@ -80,8 +111,12 @@ in
            on_auth_success() {
              # print the meta entries for use in HA
              if [ ! -z "$NAME_ATTR" ]; then
-                name=$(echo "$output" | ${lib.getExe pkgs.gnused} -nr "s/^\s*$NAME_ATTR:\s*(.+)\s*\$/\1/Ip")
-                [ -z "$name" ] || echo "name=$name"
+                name=$(echo "$output" | ${lib.getExe pkgs.gnused} -nr "s/^\s*${ldap.userField}:\s*(.+)\s*\$/\1/Ip")
+                [ -z "$name" ] || echo "$name = $name"
+                fullname=$(echo "$output" | ${lib.getExe pkgs.gnused} -nr "s/^\s*${ldap.roleField}:\s*(.+)\s*\$/\1/Ip")
+                [ -z "$fullname" ] || echo "fullname = $fullname"
+                group=$(echo "$output" | ${lib.getExe pkgs.gnused} -nr "s/^\s*isMemberOf: cn=${cfg.ldap.adminGroup}\s*(.+)\s*\$/\1/Ip")
+                [ -z "$group" ] && echo "group = system-users" || echo "group = system-admin"
              fi
            }
          '')
@ -95,6 +130,10 @@ in
    long_name = "Home-Assistant Users";
    name = cfg.ldap.userGroup;
    permissions = { };
+  } ++ lib.optional (cfg.ldap.adminGroup != null) {
+    long_name = "Home-Assistant Administrators";
+    name = cfg.ldap.adminGroup;
+    permissions = { };
  };

  config.systemd.tmpfiles.rules = lib.mkIf (cfg.enable && cfg.recommendedDefaults) [