{ config, lib, my, pkgs, secrets, ... }:

# NixOS module: Home Assistant behind nginx, backed by PostgreSQL, with a
# Mosquitto broker for Tasmota devices. Secrets come from sops-nix.
let
  # Shared definition for the two Mosquitto password secrets further down:
  # same sops file, owned by the broker's user, broker restarted on rotation.
  mosquittoSecret = {
    sopsFile = ../secrets/sops/home-assistant.yaml;
    owner = "mosquitto";
    restartUnits = [ "mosquitto.service" ];
  };

  # The merged Home Assistant configuration, used to read back the HTTP port
  # for the reverse proxy.
  hassCfg = config.services.home-assistant.config;
in {
# https://nixos.wiki/wiki/Home-assistant#OpenSSL_1.1_is_marked_as_insecure.2C_refusing_to_evaluate
# NOTE(review): OpenSSL 1.1 is end-of-life and receives no security fixes;
# this entry only silences the "insecure package" evaluation error for
# whatever still depends on it. Keep the list to this one exact version and
# re-check after every nixpkgs bump whether it can be dropped.
nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ];

# Private SSH key used by the poweroff_zero shell_command below. Owned by the
# Home Assistant service user so the service can read it; the key is decrypted
# to secrets."home-assistant/automation-sshkey".path at activation time.
# NOTE(review): the file mode is left at the sops-nix default — confirm it is
# not group/world readable.
sops.secrets."home-assistant/automation-sshkey" = {
sopsFile = ../secrets/sops/home-assistant.yaml;
owner = "hass";
# Rotating the key restarts Home Assistant so the new path contents are used.
restartUnits = [ "home-assistant.service" ];
};

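services.home-assistant = {
  enable = true;

  config = {
    # Integrations enabled with default settings (presumably an explicit
    # stand-in for `default_config`, so the enabled set is under version
    # control).
    automation = { };
    config = { };
    counter = { };
    dhcp = { };
    energy = { };
    frontend = { };
    hardware = { };
    history = { };
    homeassistant_alerts = { };

    http = {
      # Loopback only: nginx (configured below) is the sole entry point and
      # terminates TLS.
      server_host = "::1";
      # Take the client address from X-Forwarded-For, but only when the
      # request comes from the loopback proxy. Trusting any other source
      # would let clients spoof their address. This requires nginx to
      # actually set the header; see the virtualHost below.
      use_x_forwarded_for = true;
      trusted_proxies = "::1";
      # NOTE(review): consider `ip_ban_enabled = true` with a
      # `login_attempts_threshold` once the forwarded address is verified
      # end to end, so failed logins are throttled per real client IP.
    };

    image_upload = { };
    input_boolean = { };
    input_button = { };
    input_datetime = { };
    input_number = { };
    input_select = { };
    input_text = { };
    logbook = { };
    logger = { };
    map = { };
    mobile_app = { };
    network = { };
    person = { };

    # Expose sensor metrics only under the "hass" namespace.
    prometheus = {
      namespace = "hass";
      filter = { include_domains = [ "sensor" ]; };
    };

    # Unix-socket connection with peer authentication (no password in the
    # URL); the database and role are created by the postgresql block below.
    recorder.db_url = "postgresql://@/hass";

    scene = { };
    schedule = { };

    # Power off the machine "zero" over SSH with the dedicated, sops-managed
    # key. BatchMode makes ssh fail instead of hanging on any prompt.
    # StrictHostKeyChecking=accept-new records the host key on first contact
    # and refuses to connect if it changes later; the previous `no` accepted
    # any key every time, so a host answering for "zero" (DNS/ARP spoofing)
    # could have received the automation key's login. For a real pin, add
    # zero's host key to programs.ssh.knownHosts so even the first contact is
    # verified. accept-new needs a writable known_hosts for the hass user.
    # NOTE(review): lib.trimNewlines is assumed to join these lines into a
    # single command line — confirm it does not merely trim the ends.
    shell_command.poweroff_zero = lib.trimNewlines ''
      ${pkgs.openssh}/bin/ssh
      -i ${secrets."home-assistant/automation-sshkey".path}
      -o BatchMode=yes
      -o StrictHostKeyChecking=accept-new
      automation@zero poweroff
    '';

    script = { };
    ssdp = { };
    sun = { };

    # Wake "zero" with a magic packet; turning the switch off runs the SSH
    # poweroff command above.
    switch = [{
      platform = "wake_on_lan";
      name = "wake/poweroff zero";
      mac = my.machines.zero.macAddress;
      host = "zero";
      turn_off.service = "shell_command.poweroff_zero";
    }];

    system_health = { };
    tag = { };
    timer = { };
    wake_on_lan = { };
    webhook = { };
    zeroconf = { };
    zone = { };
  };

  # Components not covered by the config above but needed at runtime.
  extraComponents = [ "esphome" "met" "mqtt" "prometheus" ];
  # psycopg2 for the PostgreSQL recorder, hatasmota for Tasmota discovery.
  extraPackages = ps: with ps; [ psycopg2 hatasmota ];
};
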
# Database for the Home Assistant recorder. The "hass" role logs in over the
# Unix socket with peer auth and owns its database, nothing more.
services.postgresql = {
  ensureUsers = [
    {
      name = "hass";
      ensureClauses = { login = true; };
      ensureDBOwnership = true;
    }
  ];
  ensureDatabases = [ "hass" ];
};

# Start Home Assistant only after PostgreSQL so the recorder finds its
# database. This is ordering only: it does not enable or pull in
# postgresql.service, which must be enabled elsewhere in the configuration.
systemd.services.home-assistant.after = [ "postgresql.service" ];

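# TLS-terminating reverse proxy in front of Home Assistant.
services.nginx.virtualHosts."home.${my.domain}" = {
  forceSSL = true;
  useACMEHost = my.domain;
  kTLS = true;

  locations."/" = {
    # Home Assistant listens on loopback only; read the port back from its
    # configuration so the two cannot drift apart.
    proxyPass = "http://[::1]:${toString hassCfg.http.server_port}";
    proxyWebsockets = true;
    # Home Assistant is configured with use_x_forwarded_for and trusts only
    # this proxy, so nginx must send X-Forwarded-For / X-Real-IP /
    # X-Forwarded-Proto. Set the standard proxy headers here explicitly
    # instead of relying on the global recommendedProxySettings default;
    # without them every client appears as ::1 to Home Assistant.
    recommendedProxySettings = true;
    extraConfig = ''
      # Allow large uploads (presumably backups and media).
      client_max_body_size 512M;
    '';
  };
};
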
# Mosquitto
#
# Two password-protected listeners on one broker: a loopback one for Home
# Assistant and a network-facing one (port 1884, opened in the firewall
# below) for the Tasmota devices.
#
# NOTE(review): the 1884 listener has no `address`, so the broker presumably
# binds it on every interface, and it carries no TLS: the shared tasmota
# password and all commands travel in cleartext. Bind it to the IoT
# interface address (or restrict the firewall rule to that interface) and
# consider a TLS listener if the devices support it. The pattern ACLs are
# listener-wide, so any device holding the tasmota credential can read every
# device's cmnd/ tree and publish arbitrary stat/ and tele/ messages.
sops.secrets."mosquitto/home-assistant-password" = mosquittoSecret;
sops.secrets."mosquitto/tasmota-password" = mosquittoSecret;

services.mosquitto = {
  enable = true;
  listeners = let
    # Tasmota topic trees, applied to every client on the device listener.
    tasmotaTopicAcl = [
      "pattern read cmnd/#"
      "pattern write stat/#"
      "pattern write tele/#"
    ];
  in [
    # Loopback-only listener (default port) for Home Assistant, which may
    # read and write every topic.
    {
      address = "::1";
      users.homeassistant = {
        hashedPasswordFile = secrets."mosquitto/home-assistant-password".path;
        acl = [ "readwrite #" ];
      };
    }
    # Device listener. The tasmota user may additionally announce itself on
    # the discovery tree.
    {
      port = 1884;
      acl = tasmotaTopicAcl;
      users.tasmota = {
        hashedPasswordFile = secrets."mosquitto/tasmota-password".path;
        acl = [ "write tasmota/discovery/#" ];
      };
    }
  ];
};

# Expose the Tasmota MQTT listener (1884). This opens the port on every
# interface; if the devices live on a dedicated IoT network, prefer
# networking.firewall.interfaces.<iface>.allowedTCPPorts to limit exposure.
networking.firewall.allowedTCPPorts = [ 1884 ];

}
|