Add home-assistant
This commit is contained in:
parent
fe2b2f852b
commit
5c56d05d5d
|
@ -38,6 +38,7 @@ keys:
|
||||||
- &gnunet age1kk0thtx6mg5cs0gqm4ylc4r8w6klq660s3j04w7m8w0w084yrpcqh3tqwf
|
- &gnunet age1kk0thtx6mg5cs0gqm4ylc4r8w6klq660s3j04w7m8w0w084yrpcqh3tqwf
|
||||||
- &grafana age1yahhqn2620300n20k68az5lr2u42wdgtjwysgqyr99a4cj52ay0qjw02pl
|
- &grafana age1yahhqn2620300n20k68az5lr2u42wdgtjwysgqyr99a4cj52ay0qjw02pl
|
||||||
- &hedgedoc age1jt5pj0c0fvmzg7quaucq4n2rzcx9ajzstp8ruwc8ewjpay5vqfqsdjaal8
|
- &hedgedoc age1jt5pj0c0fvmzg7quaucq4n2rzcx9ajzstp8ruwc8ewjpay5vqfqsdjaal8
|
||||||
|
- &home-assistant age1l2tld2cttpkj4vpuh9hm4xjwq94rmf8vukjgvdzcvwwtze6k6s6qjf0s5r
|
||||||
- &hydra age1px8sjpcmnz27ayczzu883n0p5ad34vnzj6rl9y2eyye546v0m3dqfqx459
|
- &hydra age1px8sjpcmnz27ayczzu883n0p5ad34vnzj6rl9y2eyye546v0m3dqfqx459
|
||||||
- &jabber age1tnq862ekxepjkes6efr282uj9gtcsqru04s5k0l2enq5djxyt5as0k0c2a
|
- &jabber age1tnq862ekxepjkes6efr282uj9gtcsqru04s5k0l2enq5djxyt5as0k0c2a
|
||||||
- &leon age1cm0cjk2764s4pv5g7e67as34g9xtcltex96ga87wckndw62wqqlsvkscqc
|
- &leon age1cm0cjk2764s4pv5g7e67as34g9xtcltex96ga87wckndw62wqqlsvkscqc
|
||||||
|
@ -201,6 +202,12 @@ creation_rules:
|
||||||
age:
|
age:
|
||||||
- *hedgedoc
|
- *hedgedoc
|
||||||
- *polygon-snowflake
|
- *polygon-snowflake
|
||||||
|
- path_regex: hosts/home-assistant/[^/]+\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- pgp: *admins
|
||||||
|
age:
|
||||||
|
- *home-assistant
|
||||||
|
- *polygon-snowflake
|
||||||
- path_regex: hosts/hydra/[^/]+\.yaml$
|
- path_regex: hosts/hydra/[^/]+\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- pgp: *admins
|
- pgp: *admins
|
||||||
|
|
|
@ -428,6 +428,13 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
home-assistant = nixosSystem' {
|
||||||
|
modules = [
|
||||||
|
self.nixosModules.microvm
|
||||||
|
./hosts/home-assistant
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
hydra = nixosSystem' {
|
hydra = nixosSystem' {
|
||||||
modules = [
|
modules = [
|
||||||
self.nixosModules.cluster
|
self.nixosModules.cluster
|
||||||
|
|
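--- /dev/null
+++ b/hosts/home-assistant/default.nix
@@ -0,0 +1,127 @@
+{ config, pkgs, ... }:
+
+{
+  c3d2.deployment.server = "server10";
+  microvm = {
+    mem = 1 * 1024;
+    vcpu = 2;
+  };
+
+  networking.hostName = "home-assistant";
+
+  services = {
+    home-assistant = {
+      enable = true;
+      config = {
+        default_config = { }; # yes, this is required...
+        homeassistant = {
+          auth_providers = [
+            {
+              type = "command_line";
+              command =
+                # the script is not inheriting PATH from home-assistant
+                pkgs.resholve.writeScript "ldap-auth-sh" {
+                  fake = {
+                    external = [ "on_auth_failure" "on_auth_success" ];
+                  };
+                  inputs = with pkgs; [ coreutils curl gnugrep gnused openldap ];
+                  interpreter = "${pkgs.bash}/bin/bash";
+                  keep."source:$CONFIG_FILE" = true;
+                } (builtins.readFile "${pkgs.fetchFromGitHub {
+                  owner = "bob1de";
+                  repo = "ldap-auth-sh";
+                  rev = "819f9233116e68b5af5a5f45167bcbb4ed412ed4";
+                  sha256 = "sha256-+QjRP5SKUojaCv3lZX2Kv3wkaNvpWFd97phwsRlhroY=";
+                }}/ldap-auth.sh");
+              args =
+                let
+                  ldap = config.security.ldap;
+                in
+                [
+                  # https://github.com/bob1de/ldap-auth-sh/blob/master/examples/home-assistant.cfg
+                  (pkgs.writeText "config.cfg" /* shell */ ''
+                    ATTRS=${ldap.roleField}
+                    CLIENT=ldapsearch
+                    DEBUG=0
+                    FILTER="${ldap.groupFilter "home-assistant"}"
+                    SCOPE="base"
+                    SERVER=ldaps://${ldap.domainName}
+                    USERDN="uid=$(ldap_dn_escape "$username"),${ldap.userBaseDN}"
+                    BASEDN="$USERDN"
+
+                    on_auth_success() {
+                      # print the meta entries for use in HA
+                      if [ ! -z "$NAME_ATTR" ]; then
+                        name=$(echo "$output" | sed -nr "s/^\s*$NAME_ATTR:\s*(.+)\s*\$/\1/Ip")
+                        [ -z "$name" ] || echo "name=$name"
+                      fi
+                    }
+                  '')
+                ];
+              meta = true;
+            }
+            # default authentication is required for the first step of onboarding
+            # { type = "homeassistant"; }
+          ];
+          latitude = "51.08105";
+          longitude = "13.72867";
+          name = "C3D2";
+          temperature_unit = "C";
+          time_zone = config.time.timeZone;
+          unit_system = "metric";
+        };
+        http = rec {
+          # TODO: turn on when the public-access-proxy is using PROXY PROTOCOL
+          # ip_ban_enabled = true;
+          # login_attempts_threshold = 5;
+          server_host = [
+            "127.0.0.1"
+            "::1"
+          ];
+          trusted_proxies = server_host;
+          use_x_forwarded_for = true;
+        };
+      };
+      extraComponents = [
+        # required for onboarding
+        "backup"
+        "default_config"
+        "met"
+        # extra things we use
+        "wled"
+      ];
+      package = (pkgs.home-assistant.override {
+        packageOverrides = final: prev: {
+          moto = prev.moto.overrideAttrs (_: {
+            # takes a long time and can't be sped up with pytest-xdist
+            doCheck = false;
+            doInstallCheck = false;
+          });
+        };
+      }).overrideAttrs (_: {
+        doCheck = false;
+        doInstallCheck = false;
+      });
+    };
+
+    nginx = {
+      enable = true;
+      virtualHosts."home-assistant.hq.c3d2.de" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString config.services.home-assistant.config.http.server_port}";
+          proxyWebsockets = true;
+        };
+      };
+    };
+
+    portunus.addToHosts = true;
+  };
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+  };
+
+  system.stateVersion = "22.11";
+}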
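Review bot: `use_x_forwarded_for = true` in the `http` block only yields a real client address if the nginx vhost actually sends the X-Forwarded-For header, and the `locations."/"` entry in this file sets only `proxyPass` and `proxyWebsockets`; unless `recommendedProxySettings` is enabled in a module not shown here, Home Assistant will see every request as coming from 127.0.0.1, which is itself listed in `trusted_proxies`. That matters for the commented-out `ip_ban_enabled`/`login_attempts_threshold` lines: once they are switched on, failed logins would be counted against the loopback address and a ban would lock out everyone behind the proxy. Adding `recommendedProxySettings = true;` next to `enable = true;` in `services.nginx` forwards the header for this hop; the PROXY-protocol TODO still applies to the public-access-proxy in front of nginx. Separately, `sops.defaultSopsFile` points at the new, empty `secrets.yaml` while no secrets are declared in this file, which is presumably harmless for now but deserves a one-line comment such as `# no secrets yet; placeholder so sops-nix has a default file`.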
0
hosts/home-assistant/secrets.yaml
Normal file
0
hosts/home-assistant/secrets.yaml
Normal file