refactor: split server modules into smaller more manageable files

2025-09-16 10:14:33 -05:00 · 2025-09-16 10:14:33 -05:00 · cdeb4e108b
commit cdeb4e108b
parent b2e5ae1f98
49 changed files with 1519 additions and 1270 deletions
--- a/modules/nixos-modules/server/home-assistant/database.nix
+++ b/modules/nixos-modules/server/home-assistant/database.nix
@ -0,0 +1,56 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  dbUser = "hass";
+in {
+  config = lib.mkIf config.services.home-assistant.enable (
+    lib.mkMerge [
+      {
+        host = {
+          postgres = {
+            enable = true;
+          };
+        };
+
+        assertions = [
+          {
+            assertion = config.services.home-assistant.database == "postgres";
+            message = "Home Assistant database type must be postgres";
+          }
+        ];
+      }
+      (lib.mkIf config.host.postgres.enable {
+        host = {
+          postgres = {
+            extraUsers = {
+              ${dbUser} = {
+                isClient = true;
+                createUser = true;
+              };
+            };
+            extraDatabases = {
+              ${dbUser} = {
+                name = dbUser;
+              };
+            };
+          };
+        };
+
+        services.home-assistant = {
+          extraPackages = python3Packages:
+            with python3Packages; [
+              psycopg2
+            ];
+        };
+
+        systemd.services.home-assistant = {
+          requires = [
+            config.systemd.services.postgresql.name
+          ];
+        };
+      })
+    ]
+  );
+}
--- a/modules/nixos-modules/server/home-assistant/default.nix
+++ b/modules/nixos-modules/server/home-assistant/default.nix
@ -0,0 +1,118 @@
+{
+  lib,
+  config,
+  ...
+}: {
+  imports = [
+    ./proxy.nix
+    ./database.nix
+    ./fail2ban.nix
+    ./impermanence.nix
+    ./extensions
+  ];
+
+  options.services.home-assistant = {
+    subdomain = lib.mkOption {
+      type = lib.types.str;
+      description = "subdomain of base domain that home-assistant will be hosted at";
+      default = "home-assistant";
+    };
+
+    database = lib.mkOption {
+      type = lib.types.enum [
+        "builtin"
+        "postgres"
+      ];
+      description = "what database do we want to use";
+      default = "builtin";
+    };
+
+    extensions = {
+      sonos = {
+        enable = lib.mkEnableOption "enable the sonos plugin";
+        port = lib.mkOption {
+          type = lib.types.int;
+          default = 1400;
+          description = "what port to use for sonos discovery";
+        };
+      };
+      jellyfin = {
+        enable = lib.mkEnableOption "enable the jellyfin plugin";
+      };
+      wyoming = {
+        enable = lib.mkEnableOption "enable wyoming";
+      };
+    };
+  };
+
+  config = lib.mkIf config.services.home-assistant.enable (lib.mkMerge [
+    {
+      services.home-assistant = {
+        configDir = "/var/lib/hass";
+        extraComponents = [
+          "default_config"
+          "esphome"
+          "met"
+          "radio_browser"
+          "isal"
+          "zha"
+          "webostv"
+          "tailscale"
+          "syncthing"
+          "analytics_insights"
+          "unifi"
+          "openweathermap"
+          "ollama"
+          "mobile_app"
+          "logbook"
+          "ssdp"
+          "usb"
+          "webhook"
+          "bluetooth"
+          "dhcp"
+          "energy"
+          "history"
+          "backup"
+          "assist_pipeline"
+          "conversation"
+          "sun"
+          "zeroconf"
+          "cpuspeed"
+        ];
+        config = {
+          http = {
+            server_port = 8123;
+            use_x_forwarded_for = true;
+            trusted_proxies = ["127.0.0.1" "::1"];
+            ip_ban_enabled = true;
+            login_attempts_threshold = 10;
+          };
+          homeassistant = {
+            external_url = "https://${config.services.home-assistant.subdomain}.${config.host.reverse_proxy.hostname}";
+            # internal_url = "http://192.168.1.2:8123";
+          };
+          recorder.db_url = "postgresql://@/${config.services.home-assistant.configDir}";
+          "automation manual" = [];
+          "automation ui" = "!include automations.yaml";
+          mobile_app = {};
+        };
+        extraPackages = python3Packages:
+          with python3Packages; [
+            hassil
+            numpy
+            gtts
+          ];
+      };
+
+      # TODO: configure /var/lib/hass/secrets.yaml via sops
+
+      networking.firewall.allowedUDPPorts = [
+        1900
+      ];
+
+      systemd.tmpfiles.rules = [
+        "f ${config.services.home-assistant.configDir}/automations.yaml 0755 hass hass"
+      ];
+    }
+  ]);
+}
--- a/modules/nixos-modules/server/home-assistant/extensions/default.nix
+++ b/modules/nixos-modules/server/home-assistant/extensions/default.nix
@ -0,0 +1,12 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ./sonos.nix
+    ./jellyfin.nix
+    ./wyoming.nix
+  ];
+}
--- a/modules/nixos-modules/server/home-assistant/extensions/jellyfin.nix
+++ b/modules/nixos-modules/server/home-assistant/extensions/jellyfin.nix
@ -0,0 +1,9 @@
+{
+  lib,
+  config,
+  ...
+}:
+lib.mkIf (config.services.home-assistant.extensions.jellyfin.enable) {
+  services.home-assistant.extraComponents = ["jellyfin"];
+  # TODO: configure port, address, and login information here
+}
--- a/modules/nixos-modules/server/home-assistant/extensions/sonos.nix
+++ b/modules/nixos-modules/server/home-assistant/extensions/sonos.nix
@ -0,0 +1,11 @@
+{
+  lib,
+  config,
+  ...
+}:
+lib.mkIf (config.services.home-assistant.extensions.sonos.enable) {
+  services.home-assistant.extraComponents = ["sonos"];
+  networking.firewall.allowedTCPPorts = [
+    config.services.home-assistant.extensions.sonos.port
+  ];
+}
--- a/modules/nixos-modules/server/home-assistant/extensions/wyoming.nix
+++ b/modules/nixos-modules/server/home-assistant/extensions/wyoming.nix
@ -0,0 +1,9 @@
+{
+  lib,
+  config,
+  ...
+}:
+lib.mkIf (config.services.home-assistant.extensions.wyoming.enable) {
+  services.home-assistant.extraComponents = ["wyoming"];
+  services.wyoming.enable = true;
+}
--- a/modules/nixos-modules/server/home-assistant/fail2ban.nix
+++ b/modules/nixos-modules/server/home-assistant/fail2ban.nix
@ -0,0 +1,39 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+lib.mkIf (config.services.fail2ban.enable && config.services.home-assistant.enable) {
+  environment.etc = {
+    "fail2ban/filter.d/hass.local".text = (
+      pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+        [INCLUDES]
+        before = common.conf
+
+        [Definition]
+        failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$
+
+        ignoreregex =
+
+        [Init]
+        datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
+      '')
+    );
+  };
+
+  services.fail2ban = {
+    jails = {
+      home-assistant-iptables.settings = {
+        enabled = true;
+        filter = "hass";
+        action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+        logpath = "${config.services.home-assistant.configDir}/*.log";
+        backend = "auto";
+        findtime = 600;
+        bantime = 600;
+        maxretry = 5;
+      };
+    };
+  };
+}
--- a/modules/nixos-modules/server/home-assistant/impermanence.nix
+++ b/modules/nixos-modules/server/home-assistant/impermanence.nix
@ -0,0 +1,26 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  configDir = "/var/lib/hass";
+in
+  lib.mkIf (config.host.impermanence.enable && config.services.home-assistant.enable) {
+    assertions = [
+      {
+        assertion = config.services.home-assistant.configDir == configDir;
+        message = "home assistant config directory does not match persistence";
+      }
+    ];
+    environment.persistence."/persist/system/root" = {
+      enable = true;
+      hideMounts = true;
+      directories = [
+        {
+          directory = configDir;
+          user = "hass";
+          group = "hass";
+        }
+      ];
+    };
+  }
--- a/modules/nixos-modules/server/home-assistant/proxy.nix
+++ b/modules/nixos-modules/server/home-assistant/proxy.nix
@ -0,0 +1,24 @@
+{
+  lib,
+  config,
+  ...
+}:
+lib.mkIf (config.host.reverse_proxy.enable && config.services.home-assistant.enable) {
+  host = {
+    reverse_proxy.subdomains.${config.services.home-assistant.subdomain} = {
+      target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
+
+      websockets.enable = true;
+      forwardHeaders.enable = true;
+
+      extraConfig = ''
+        add_header Upgrade $http_upgrade;
+        add_header Connection \"upgrade\";
+
+        proxy_buffering off;
+
+        proxy_read_timeout 90;
+      '';
+    };
+  };
+}