

add homeassistant

+113 -1
+1
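--- a/hosts/rk1-node-2.nix
+++ b/hosts/rk1-node-2.nix
@@ -6,6 +6,7 @@
 ../modules/kitchenowl.nix
 ../modules/immich.nix
 ../modules/audiobookshelf.nix
+../modules/home-assistant.nix
 ];
 
 system.stateVersion = "25.11";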
+56 -1
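--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@@ -1,10 +1,48 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 {
 services.caddy = {
 enable = true;
 enableReload = true;
+package = pkgs.caddy.withPlugins {
+plugins = [ "github.com/greenpau/caddy-security@v1.1.50" ];
+hash = "";
+};
+environmentFile = config.sops.templates."caddy.env".path;
 globalConfig = ''
 grace_period 1m
+order authenticate before respond
+order authorize before basicauth
+
+security {
+oauth identity provider homeassistant {
+delay_start 3
+realm homeassistant
+driver generic
+client_id {$HOMEASSISTANT_OIDC_CLIENT_ID}
+client_secret {$HOMEASSISTANT_OIDC_CLIENT_SECRET}
+scopes openid email profile
+base_auth_url https://id.goo.garden
+metadata_url https://id.goo.garden/.well-known/openid-configuration
+}
+
+authentication portal homeassistant_portal {
+crypto default token lifetime 3600
+enable identity provider homeassistant
+cookie domain goo.garden
+cookie insecure off
+transform user {
+match realm homeassistant
+action add role authp/user
+}
+}
+
+authorization policy homeassistant_policy {
+set auth url https://home.goo.garden/auth/homeassistant
+allow roles authp/user
+validate bearer header
+inject headers with claims
+}
+}
 '';
 logDir = "/mnt/nas/logs/caddy";
 virtualHosts = {
@@ -60,6 +98,15 @@
 "audiobooks.goo.garden".extraConfig = ''
 reverse_proxy rk1-node-2:8000
 '';
+"home.goo.garden".extraConfig = ''
+route /auth/* {
+authenticate with homeassistant_portal
+}
+route {
+authorize with homeassistant_policy
+reverse_proxy rk1-node-2:8123
+}
+'';
 "probe.outerwilds.space".extraConfig = ''
 reverse_proxy localhost:${config.services.uptime-kuma.settings.PORT}
 '';
@@ -71,6 +118,14 @@
 group = config.services.caddy.group;
 reloadServices = [ "caddy" ];
 };
+
+sops.templates."caddy.env".content = ''
+HOMEASSISTANT_OIDC_CLIENT_ID=${config.sops.placeholder.homeassistant-oidc-client-id}
+HOMEASSISTANT_OIDC_CLIENT_SECRET=${config.sops.placeholder.homeassistant-oidc-client-secret}
+'';
+
+sops.secrets.homeassistant-oidc-client-id = { };
+sops.secrets.homeassistant-oidc-client-secret = { };
 
 systemd.services.caddy = {
 after = [ "mnt-nas.mount" ];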
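Review bot: `hash = "";` in the new `pkgs.caddy.withPlugins` block leaves the plugin build unpinned; an empty fixed-output hash is the placeholder that makes the first build fail with a hash mismatch printing the real value, so as committed this module most likely does not build on a clean host. Replace it with the reported value, `hash = "sha256-<HASH-FROM-MISMATCH-ERROR>";` (placeholder), so the caddy-security@v1.1.50 build is reproducible. In the `security` block, `transform user` grants `authp/user` to every identity in realm `homeassistant` and `authorization policy homeassistant_policy` admits exactly that role, so any account that can log in at id.goo.garden reaches the Home Assistant UI; that is probably intended for a personal lab, but a Caddyfile comment above the policy such as `# any authenticated id.goo.garden account is admitted; add a group/email match here to narrow it` would make the trust boundary explicit to the next reader.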
+56
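--- a/modules/home-assistant.nix
+++ b/modules/home-assistant.nix
@@ -0,0 +1,56 @@
+{ config, ... }:
+{
+virtualisation.oci-containers = {
+backend = "podman";
+containers.home-assistant = {
+image = "ghcr.io/home-assistant/home-assistant:stable";
+volumes = [
+"/var/lib/homeassistant:/config"
+"/run/dbus:/run/dbus:ro"
+];
+extraOptions = [
+"--network=host"
+];
+environment = {
+TZ = config.time.timeZone;
+};
+};
+};
+
+services.mosquitto = {
+enable = true;
+listeners = [
+{
+port = 1883;
+acl = [ "topic readwrite #" ];
+users.zigbee2mqtt = {
+acl = [ "readwrite #" ];
+hashedPasswordFile = config.sops.secrets.zigbee2mqtt-mosquitto-hashedpassword.path;
+};
+}
+];
+};
+
+services.zigbee2mqtt = {
+enable = true;
+settings = {
+homeassistant = true;
+mqtt = {
+base_topic = "zigbee2mqtt";
+server = "mqtt://localhost:1883";
+user = "zigbee2mqtt";
+password = "!${config.sops.secrets.zigbee2mqtt-mosquitto-password.path} password";
+};
+serial.port = "/dev/ttyUSB0";
+frontend.port = 8124;
+};
+};
+
+sops.secrets.zigbee2mqtt-mosquitto-password = { };
+sops.secrets.zigbee2mqtt-mosquitto-hashedpassword = { };
+
+networking.firewall.allowedTCPPorts = [
+8123
+8124
+];
+}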
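Review bot: `networking.firewall.allowedTCPPorts = [ 8123 8124 ];` at the end of the file opens Home Assistant and the zigbee2mqtt frontend to every host that can reach the node, and with `--network=host` the container binds directly on it, so the OIDC gate configured for `home.goo.garden` in caddy.nix only covers traffic that actually arrives through Caddy: a client on the same network can hit `rk1-node-2:8123` straight, and `frontend.port = 8124` is served with no authentication at all in this configuration. If only the proxy needs these ports, scope them to the interface or source it uses, e.g. `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 8123 8124 ];` (iface is a placeholder), and consider protecting the zigbee2mqtt frontend with its `frontend.auth_token` setting or not exposing 8124 beyond the host. Separately, `serial.port = "/dev/ttyUSB0";` depends on USB enumeration order; a `/dev/serial/by-id/...` path (value to be read from the actual adapter) avoids zigbee2mqtt silently attaching to a different device after a reboot or when another serial adapter is plugged in.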