From 5c56d05d5d3740b466847694d4d3f9f9e929f1d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Fri, 7 Apr 2023 01:42:21 +0200
Subject: [PATCH] Add home-assistant
---
 .sops.yaml | 7 ++
 flake.nix | 7 ++
 hosts/home-assistant/default.nix | 127 ++++++++++++++++++++++++++++++
 hosts/home-assistant/secrets.yaml | 0
 4 files changed, 141 insertions(+)
 create mode 100644 hosts/home-assistant/default.nix
 create mode 100644 hosts/home-assistant/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
index fa0775bb..ae6e9959 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -38,6 +38,7 @@ keys:
 - &gnunet age1kk0thtx6mg5cs0gqm4ylc4r8w6klq660s3j04w7m8w0w084yrpcqh3tqwf
 - &grafana age1yahhqn2620300n20k68az5lr2u42wdgtjwysgqyr99a4cj52ay0qjw02pl
 - &hedgedoc age1jt5pj0c0fvmzg7quaucq4n2rzcx9ajzstp8ruwc8ewjpay5vqfqsdjaal8
+ - &home-assistant age1l2tld2cttpkj4vpuh9hm4xjwq94rmf8vukjgvdzcvwwtze6k6s6qjf0s5r
 - &hydra age1px8sjpcmnz27ayczzu883n0p5ad34vnzj6rl9y2eyye546v0m3dqfqx459
 - &jabber age1tnq862ekxepjkes6efr282uj9gtcsqru04s5k0l2enq5djxyt5as0k0c2a
 - &leon age1cm0cjk2764s4pv5g7e67as34g9xtcltex96ga87wckndw62wqqlsvkscqc
@@ -201,6 +202,12 @@ creation_rules:
 age:
 - *hedgedoc
 - *polygon-snowflake
+ - path_regex: hosts/home-assistant/[^/]+\.yaml$
+ key_groups:
+ - pgp: *admins
+ age:
+ - *home-assistant
+ - *polygon-snowflake
 - path_regex: hosts/hydra/[^/]+\.yaml$
 key_groups:
 - pgp: *admins
diff --git a/flake.nix b/flake.nix
index 44da6ad7..cda27fea 100644
--- a/flake.nix
+++ b/flake.nix
@@ -428,6 +428,13 @@
 ];
 };

+ home-assistant = nixosSystem' {
+ modules = [
+ self.nixosModules.microvm
+ ./hosts/home-assistant
+ ];
+ };
+
 hydra = nixosSystem' {
 modules = [
 self.nixosModules.cluster
diff --git a/hosts/home-assistant/default.nix b/hosts/home-assistant/default.nix
new file mode 100644
index 00000000..e7b0b334
--- /dev/null
+++ b/hosts/home-assistant/default.nix
@@ -0,0 +1,127 @@
+{ config, pkgs, ... }:
+
+{
+ c3d2.deployment.server = "server10";
+ microvm = {
+ mem = 1 * 1024;
+ vcpu = 2;
+ };
+
+ networking.hostName = "home-assistant";
+
+ services = {
+ home-assistant = {
+ enable = true;
+ config = {
+ default_config = { }; # yes, this is required...
+ homeassistant = {
+ auth_providers = [
+ {
+ type = "command_line";
+ command =
+ # the script is not inheriting PATH from home-assistant
+ pkgs.resholve.writeScript "ldap-auth-sh" {
+ fake = {
+ external = [ "on_auth_failure" "on_auth_success" ];
+ };
+ inputs = with pkgs; [ coreutils curl gnugrep gnused openldap ];
+ interpreter = "${pkgs.bash}/bin/bash";
+ keep."source:$CONFIG_FILE" = true;
+ } (builtins.readFile "${pkgs.fetchFromGitHub {
+ owner = "bob1de";
+ repo = "ldap-auth-sh";
+ rev = "819f9233116e68b5af5a5f45167bcbb4ed412ed4";
+ sha256 = "sha256-+QjRP5SKUojaCv3lZX2Kv3wkaNvpWFd97phwsRlhroY=";
+ }}/ldap-auth.sh");
+ args =
+ let
+ ldap = config.security.ldap;
+ in
+ [
+ # https://github.com/bob1de/ldap-auth-sh/blob/master/examples/home-assistant.cfg
+ (pkgs.writeText "config.cfg" /* shell */ ''
+ ATTRS=${ldap.roleField}
+ CLIENT=ldapsearch
+ DEBUG=0
+ FILTER="${ldap.groupFilter "home-assistant"}"
+ SCOPE="base"
+ SERVER=ldaps://${ldap.domainName}
+ USERDN="uid=$(ldap_dn_escape "$username"),${ldap.userBaseDN}"
+ BASEDN="$USERDN"
+
+ on_auth_success() {
+ # print the meta entries for use in HA
+ if [ ! -z "$NAME_ATTR" ]; then
+ name=$(echo "$output" | sed -nr "s/^\s*$NAME_ATTR:\s*(.+)\s*\$/\1/Ip")
+ [ -z "$name" ] || echo "name=$name"
+ fi
+ }
+ '')
+ ];
+ meta = true;
+ }
+ # default authentication is required for the first step of onboarding
+ # { type = "homeassistant"; }
+ ];
+ latitude = "51.08105";
+ longitude = "13.72867";
+ name = "C3D2";
+ temperature_unit = "C";
+ time_zone = config.time.timeZone;
+ unit_system = "metric";
+ };
+ http = rec {
+ # TODO: turn on when the public-access-proxy is using PROXY PROTOCOL
+ # ip_ban_enabled = true;
+ # login_attempts_threshold = 5;
+ server_host = [
+ "127.0.0.1"
+ "::1"
+ ];
+ trusted_proxies = server_host;
+ use_x_forwarded_for = true;
+ };
+ };
+ extraComponents = [
+ # required for onboarding
+ "backup"
+ "default_config"
+ "met"
+ # extra things we use
+ "wled"
+ ];
+ package = (pkgs.home-assistant.override {
+ packageOverrides = final: prev: {
+ moto = prev.moto.overrideAttrs (_: {
+ # takes a long time and can't be sped up with pytest-xdist
+ doCheck = false;
+ doInstallCheck = false;
+ });
+ };
+ }).overrideAttrs (_: {
+ doCheck = false;
+ doInstallCheck = false;
+ });
+ };
+
+ nginx = {
+ enable = true;
+ virtualHosts."home-assistant.hq.c3d2.de" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.home-assistant.config.http.server_port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ portunus.addToHosts = true;
+ };
+
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ };
+
+ system.stateVersion = "22.11";
+}
diff --git a/hosts/home-assistant/secrets.yaml b/hosts/home-assistant/secrets.yaml
new file mode 100644
index 00000000..e69de29b
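Review bot: The `http` block enables `use_x_forwarded_for` and trusts only loopback, but the nginx `locations."/"` entry in the same hunk never sets an X-Forwarded-For header (no `recommendedProxySettings`, no `proxy_set_header`), so unless that is switched on globally outside this file Home Assistant will record `127.0.0.1` for every client, and the planned `ip_ban_enabled` would lock everyone out after the fifth failed login. When the PROXY-protocol TODO is resolved, set the header from the connection address rather than appending to whatever the client sent, e.g. `extraConfig = "proxy_set_header X-Forwarded-For $remote_addr;";` in that location — Home Assistant takes the first address of the list, so `$proxy_add_x_forwarded_for` would let a client choose which address gets banned. Separately, `SERVER=ldaps://…` relies on `ldapsearch` honouring the host's `TLS_REQCERT`/`TLS_CACERT` settings, which nothing in this hunk sets; confirm they demand a verified certificate, since `$password` is sent over that session. A comment on the outer `overrideAttrs` stating why the Home Assistant test suite itself is disabled (the `moto` override explains its own case) would help whoever later re-enables it.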