diff --git a/data.nix b/data.nix
index 526fa04..83fba1d 100644
--- a/data.nix
+++ b/data.nix
@@ -29,6 +29,7 @@ rec {
 matrix-synapse = 8008;
 vaultwarden = 8222;
 kodi = 8080;
+ hass = 8123;
 prometheus = 9001;
 tailscale = 41641;
 exporters.node = 9002;
@@ -160,6 +161,11 @@ rec {
 _acme-endpoint.irc NS ns._acme-endpoint.irc
 ns._acme-endpoint.irc A ${vno1}
 
+ hass A ${hosts."vno1-oh2.servers.jakst".jakstIP}
+ _acme-challenge.hass CNAME _acme-endpoint.hass
+ _acme-endpoint.hass NS ns._acme-endpoint.hass
+ ns._acme-endpoint.hass A ${vno1}
+
 bitwarden A ${hosts."vno1-oh2.servers.jakst".jakstIP}
 _acme-challenge.bitwarden CNAME _acme-endpoint.bitwarden
 _acme-endpoint.bitwarden NS ns._acme-endpoint.bitwarden
diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix
index 450327a..6f08e05 100644
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@@ -173,6 +173,7 @@
 enable = true;
 zones."irc.jakstys.lt".accountKey = accountKey;
 zones."hdd.jakstys.lt".accountKey = accountKey;
+ zones."hass.jakstys.lt".accountKey = accountKey;
 zones."grafana.jakstys.lt".accountKey = accountKey;
 zones."bitwarden.jakstys.lt".accountKey = accountKey;
 };
@@ -250,6 +251,12 @@
 metrics
 }
 '';
+ virtualHosts."hass.jakstys.lt".extraConfig = ''
+ @denied not remote_ip ${myData.subnets.tailscale.cidr}
+ abort @denied
+ reverse_proxy 127.0.0.1:8123
+ tls {$CREDENTIALS_DIRECTORY}/hass.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/hass.jakstys.lt-key.pem
+ '';
 virtualHosts."grafana.jakstys.lt".extraConfig = ''
 @denied not remote_ip ${myData.subnets.tailscale.cidr}
 abort @denied
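Review bot: The new `hass.jakstys.lt` vhost forwards to 127.0.0.1:8123, but Home Assistant refuses requests that arrive through a reverse proxy unless its `http` integration names the proxy (`use_x_forwarded_for` plus `trusted_proxies`), and the `modules/services/hass` module added in this same commit does not set either, so proxied requests will most likely be answered with an error until it does. The `remote_ip` guard checks Caddy's TCP peer, which is the right thing here as long as Caddy itself is never placed behind another proxy; a one-line comment, `# remote_ip is the TCP peer: correct only while Caddy terminates the connection itself`, would keep that assumption visible. The deny-then-tls preamble is now copied verbatim for hass, grafana and bitwarden; a small helper that takes the vhost name and emits the shared `@denied`/`abort`/`tls` lines would keep the three from drifting apart.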
@@ -526,20 +533,25 @@
 systemd.services = {
 caddy = let
+ hass = config.mj.services.nsd-acme.zones."hass.jakstys.lt";
 grafana = config.mj.services.nsd-acme.zones."grafana.jakstys.lt";
 bitwarden = config.mj.services.nsd-acme.zones."bitwarden.jakstys.lt";
 in {
 serviceConfig.LoadCredential = [
+ "hass.jakstys.lt-cert.pem:${hass.certFile}"
+ "hass.jakstys.lt-key.pem:${hass.keyFile}"
 "grafana.jakstys.lt-cert.pem:${grafana.certFile}"
 "grafana.jakstys.lt-key.pem:${grafana.keyFile}"
 "bitwarden.jakstys.lt-cert.pem:${bitwarden.certFile}"
 "bitwarden.jakstys.lt-key.pem:${bitwarden.keyFile}"
 ];
 after = [
+ "nsd-acme-hass.jakstys.lt.service"
 "nsd-acme-grafana.jakstys.lt.service"
 "nsd-acme-bitwarden.jakstys.lt.service"
 ];
 requires = [
+ "nsd-acme-hass.jakstys.lt.service"
 "nsd-acme-grafana.jakstys.lt.service"
 "nsd-acme-bitwarden.jakstys.lt.service"
 ];
@@ -610,6 +622,7 @@
 wantedBy = ["multi-user.target"];
 pathConfig = {
 PathChanged = [
+ config.mj.services.nsd-acme.zones."hass.jakstys.lt".certFile
 config.mj.services.nsd-acme.zones."grafana.jakstys.lt".certFile
 config.mj.services.nsd-acme.zones."bitwarden.jakstys.lt".certFile
 ];
diff --git a/modules/services/default.nix b/modules/services/default.nix
index a74e14b..d43116e 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -5,6 +5,7 @@
 ./deployerbot
 ./friendlyport
 ./gitea
+ ./hass
 ./headscale
 ./jakstpub
 ./matrix-synapse
diff --git a/modules/services/hass/default.nix b/modules/services/hass/default.nix
new file mode 100644
index 0000000..ae4112e
--- /dev/null
+++ b/modules/services/hass/default.nix
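Review bot: Each ACME zone is now spelled out in four places inside the caddy service (the `let` binding, two `LoadCredential` entries, `after`, `requires`), plus the path unit's `PathChanged` list further down, and this commit had to edit every one of them; a zone that is added to `LoadCredential` but forgotten in `requires` would let Caddy start before its certificate has been issued, and one forgotten in `PathChanged` would never pick up renewals. Deriving all of these from a single list of zone names removes that class of mistake; the sketch below covers the caddy service part. The `caddy` attribute's closing brace is outside the hunk, so it is left open here.

```nix
caddy = let
  zones = ["hass.jakstys.lt" "grafana.jakstys.lt" "bitwarden.jakstys.lt"];
  acme = config.mj.services.nsd-acme.zones;
  units = map (z: "nsd-acme-${z}.service") zones;
in {
  serviceConfig.LoadCredential = builtins.concatMap (z: [
    "${z}-cert.pem:${acme.${z}.certFile}"
    "${z}-key.pem:${acme.${z}.keyFile}"
  ]) zones;
  after = units;
  requires = units;
  # … unchanged: rest of the caddy service definition …
```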
@@ -0,0 +1,39 @@
+{
+ config,
+ lib,
+ myData,
+ ...
+}: let
+ cfg = config.mj.services.hass;
+in {
+ options.mj.services.hass = with lib.types; {
+ enable = lib.mkEnableOption "Enable home-assistant";
+ };
+
+ config = lib.mkIf cfg.enable {
+ mj.services.friendlyport.ports = [
+ {
+ subnets = myData.subnets.vpn.cidrs;
+ tcp = [myData.ports.hass];
+ }
+ ];
+
+ services = {
+ home-assistant = {
+ enable = true;
+ extraComponents = [
+ "esphome"
+ "met"
+ "radio_browser"
+ ];
+ config = {
+ auth_providers = {
+ trusted_networks = [myData.subnets.tailscale.cidr];
+ #trusted_proxies = ["127.0.0.1"];
+ };
+ default_config = {};
+ };
+ };
+ };
+ };
+}
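Review bot: The `auth_providers` block looks like it is at the wrong level and of the wrong shape: Home Assistant reads providers from `homeassistant.auth_providers` as a list of `{ type = "..."; ... }` entries, so a top-level `auth_providers` attrset is most likely rejected as an unknown integration and the instance falls back to the default password provider, which means the intended trusted-network login never takes effect; the commented-out `trusted_proxies` also belongs under `http`, not under the auth provider. Because Caddy forwards to 127.0.0.1:8123, `http.use_x_forwarded_for = true` with `http.trusted_proxies = ["127.0.0.1"]` is needed for proxied requests to be accepted at all, and once set the trusted-network check is made against the forwarded client address, which Caddy already limits to the Tailscale CIDR. Two things are worth spelling out in a comment because they are a deliberate security trade-off: `trusted_networks` grants password-less login to every host on the listed subnet, and `friendlyport` exposes 8123 directly (plain HTTP, no Caddy in front) to `vpn.cidrs`, which is at least as wide as the Tailscale CIDR — e.g. `# trusted_networks = password-less login for every tailnet peer; 8123 is also reachable directly, not only through Caddy`. Also, `with lib.types;` in the options block binds nothing that is used and can be dropped.

```nix
config = {
  # Caddy (127.0.0.1) terminates TLS and forwards the real client address;
  # without this HA rejects proxied requests.
  http = {
    use_x_forwarded_for = true;
    trusted_proxies = ["127.0.0.1"];
  };
  # trusted_networks = password-less login for every tailnet peer; 8123 is
  # also reachable directly over plain HTTP, not only through Caddy.
  homeassistant.auth_providers = [
    {
      type = "trusted_networks";
      trusted_networks = [myData.subnets.tailscale.cidr];
    }
  ];
  default_config = {};
};
```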