{ config, lib, pkgs, ... }: let c3d2MacAddress = "00:0b:ad:00:1d:ea"; in { c3d2.deployment.server = "server10"; microvm = { mem = 1 * 1024; vcpu = 2; # add a network interface in c3d2 for mDNS interfaces = [{ type = "tap"; id = builtins.substring 0 15 "c3d2-${config.networking.hostName}"; mac = c3d2MacAddress; }]; }; networking.hostName = "home-assistant"; systemd.network = { links."40-c3d2" = { matchConfig.MACAddress = c3d2MacAddress; # rename interface to net name linkConfig.Name = "c3d2"; }; networks."40-c3d2" = { matchConfig.MACAddress = c3d2MacAddress; networkConfig = { LinkLocalAddressing = "yes"; IPv6AcceptRA = "no"; }; }; }; services = { avahi.enable = true; home-assistant = { enable = true; config = { binary_sensor = [ { platform = "rest"; name = "Turmlabor"; unique_id = "status_turmlabor_dresden"; resource = "https://turmlabor.de/spaces.api"; method = "GET"; scan_interval = 60; verify_ssl = true; value_template = "{{ value_json['state']['open'] }}"; device_class = "door"; } { platform = "rest"; name = "c3d2"; unique_id = "status_c3d2"; resource = "https://c3d2.de/spaceapi.json"; method = "GET"; scan_interval = 60; verify_ssl = true; value_template = "{{ value_json['state']['open'] }}"; device_class = "door"; } ]; default_config = { }; # yes, this is required... automation = "!include automations.yaml"; homeassistant = { auth_providers = [ { type = "command_line"; command = # the script is not inheriting PATH from home-assistant pkgs.resholve.writeScript "ldap-auth-sh" { fake.external = [ "on_auth_failure" "on_auth_success" ]; inputs = with pkgs; [ coreutils curl gnugrep gnused openldap ]; interpreter = "${pkgs.bash}/bin/bash"; keep."source:$CONFIG_FILE" = true; } (builtins.readFile "${pkgs.fetchFromGitHub { owner = "bob1de"; repo = "ldap-auth-sh"; rev = "819f9233116e68b5af5a5f45167bcbb4ed412ed4"; sha256 = "sha256-+QjRP5SKUojaCv3lZX2Kv3wkaNvpWFd97phwsRlhroY="; }}/ldap-auth.sh"); args = let inherit (config.security) ldap; sed = "${pkgs.gnused}/bin/sed"; in [ # https://github.com/bob1de/ldap-auth-sh/blob/master/examples/home-assistant.cfg (pkgs.writeText "config.cfg" /* shell */ '' ATTRS="${ldap.userField}" CLIENT="ldapsearch" DEBUG=0 FILTER="${ldap.groupFilter "home-assistant-users"}" NAME_ATTR="${ldap.userField}" SCOPE="base" SERVER="ldaps://${ldap.domainName}" USERDN="uid=$(ldap_dn_escape "$username"),${ldap.userBaseDN}" BASEDN="$USERDN" on_auth_success() { # print the meta entries for use in HA if [ ! -z "$NAME_ATTR" ]; then name=$(echo "$output" | ${sed} -nr "s/^\s*$NAME_ATTR:\s*(.+)\s*\$/\1/Ip") [ -z "$name" ] || echo "name=$name" fi } '') ]; meta = true; } # default authentication is required for the first step of onboarding # { type = "homeassistant"; } ]; latitude = "51.08105"; longitude = "13.72867"; name = "C3D2"; temperature_unit = "C"; time_zone = config.time.timeZone; unit_system = "metric"; }; http = rec { # TODO: turn on when the public-access-proxy is using PROXY PROTOCOL # ip_ban_enabled = true; # login_attempts_threshold = 5; server_host = [ "127.0.0.1" "::1" ]; trusted_proxies = server_host; use_x_forwarded_for = true; }; }; extraComponents = [ # defaults plus required for onboarding "backup" "default_config" "esphome" "met" "radio_browser" # extra things we use "wled" ]; package = (pkgs.home-assistant.override { # those tests take a long(er) time and can't be sped up with pytest-xdist packageOverrides = final: prev: let noTests = { doCheck = false; doInstallCheck = false; }; in { aws-sam-translator = prev.aws-sam-translator.overrideAttrs (_: noTests); moto = prev.moto.overrideAttrs (_: noTests); }; }).overrideAttrs (_: { doCheck = false; doInstallCheck = false; }); }; nginx = { enable = true; virtualHosts."home-assistant.hq.c3d2.de" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.home-assistant.config.http.server_port}"; proxyWebsockets = true; }; }; }; portunus.addToHosts = true; }; sops.defaultSopsFile = ./secrets.yaml; system.stateVersion = "22.11"; }