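{
  lib,
  pkgs,
  config,
  ...
}: let
  # Home Assistant state directory. Kept as a local constant (not read back from
  # the option) so the impermanence assertion below can verify that persistence
  # still covers the directory the service actually uses.
  configDir = "/var/lib/hass";
  # PostgreSQL role and database name used by the recorder when
  # `database == "postgres"`.
  dbUser = "hass";
  cfg = config.services.home-assistant;
in {
  options.services.home-assistant = {
    subdomain = lib.mkOption {
      type = lib.types.str;
      description = "subdomain of base domain that home-assistant will be hosted at";
      default = "home-assistant";
    };

    database = lib.mkOption {
      type = lib.types.enum [
        "builtin"
        "postgres"
      ];
      description = "what database do we want to use";
      default = "builtin";
    };

    extensions = {
      sonos = {
        enable = lib.mkEnableOption "enable the sonos plugin";
        port = lib.mkOption {
          # `port` rejects out-of-range values at evaluation time; `int` would
          # accept anything and only fail once the firewall rule is applied.
          type = lib.types.port;
          default = 1400;
          description = "what port to use for sonos discovery";
        };
      };
      jellyfin = {
        enable = lib.mkEnableOption "enable the jellyfin plugin";
      };
      wyoming = {
        enable = lib.mkEnableOption "enable wyoming";
      };
    };
  };

  # Everything below is gated on `services.home-assistant.enable`; the
  # individual blocks therefore do not repeat that check.
  config = lib.mkIf cfg.enable (lib.mkMerge [
    {
      services.home-assistant = {
        inherit configDir;
        extraComponents = [
          "default_config"
          "esphome"
          "met"
          "radio_browser"
          "isal"
          "zha"
          "webostv"
          "tailscale"
          "syncthing"
          "analytics_insights"
          "unifi"
          "openweathermap"
          "ollama"
          "mobile_app"
          "logbook"
          "ssdp"
          "usb"
          "webhook"
          "bluetooth"
          "dhcp"
          "energy"
          "history"
          "backup"
          "assist_pipeline"
          "conversation"
          "sun"
          "zeroconf"
          "cpuspeed"
        ];
        config = {
          http = {
            server_port = 8123;
            # Honour X-Forwarded-For only when it comes from the local reverse
            # proxy (see the reverse_proxy block), so the client address used
            # for ip_ban is the one the proxy saw, not one supplied by a client.
            use_x_forwarded_for = true;
            trusted_proxies = ["127.0.0.1" "::1"];
            ip_ban_enabled = true;
            login_attempts_threshold = 10;
          };
          homeassistant = {
            external_url = "https://${cfg.subdomain}.${config.host.reverse_proxy.hostname}";
            # internal_url = "http://192.168.1.2:8123";
          };
          # `recorder.db_url` is only set in the postgres block below; with
          # `database = "builtin"` the recorder keeps its default database.
          "automation manual" = [];
          "automation ui" = "!include automations.yaml";
          mobile_app = {};
        };
        extraPackages = python3Packages:
          with python3Packages; [
            hassil
            numpy
            gtts
          ];
      };

      # TODO: configure /var/lib/hass/secrets.yaml via sops

      # UDP 1900 is used by the "ssdp" component enabled above.
      networking.firewall.allowedUDPPorts = [
        1900
      ];

      # Make sure the file referenced by "automation ui" exists before the first
      # start. It is plain data owned by the service user, so it needs neither
      # the execute bit nor world readability.
      systemd.tmpfiles.rules = [
        "f ${cfg.configDir}/automations.yaml 0640 hass hass"
      ];
    }
    (lib.mkIf cfg.extensions.sonos.enable {
      services.home-assistant.extraComponents = ["sonos"];
      networking.firewall.allowedTCPPorts = [
        cfg.extensions.sonos.port
      ];
    })
    (lib.mkIf cfg.extensions.jellyfin.enable {
      services.home-assistant.extraComponents = ["jellyfin"];
      # TODO: configure port, address, and login information here
    })
    (lib.mkIf cfg.extensions.wyoming.enable {
      services.home-assistant.extraComponents = ["wyoming"];
      services.wyoming.enable = true;
    })
    (lib.mkIf (cfg.database == "postgres") {
      host = {
        postgres = {
          enable = true;
          extraUsers = {
            ${dbUser} = {
              isClient = true;
              createUser = true;
            };
          };
          extraDatabases = {
            ${dbUser} = {
              name = dbUser;
            };
          };
        };
      };

      services.home-assistant = {
        # Peer-authenticated connection over the local unix socket: no password
        # has to be stored in the Home Assistant configuration.
        config.recorder.db_url = "postgresql://@/${dbUser}";
        extraPackages = python3Packages:
          with python3Packages; [
            psycopg2
          ];
      };

      systemd.services.home-assistant = {
        requires = [
          config.systemd.services.postgresql.name
        ];
        # `requires` alone does not order startup; `after` makes the recorder
        # wait until postgresql is up instead of failing its first connection.
        after = [
          config.systemd.services.postgresql.name
        ];
      };
    })
    (lib.mkIf config.host.reverse_proxy.enable {
      host = {
        reverse_proxy.subdomains.${cfg.subdomain} = {
          target = "http://localhost:${toString cfg.config.http.server_port}";

          websockets.enable = true;
          forwardHeaders.enable = true;

          # `add_header` only affects the response sent to the client; the
          # upstream `proxy_set_header Upgrade/Connection` pair is presumably
          # emitted by `websockets.enable` above — TODO confirm in the
          # reverse_proxy module. Backslashes are literal inside a Nix
          # indented string, so the quotes must not be escaped here.
          extraConfig = ''
            add_header Upgrade $http_upgrade;
            add_header Connection "upgrade";

            proxy_buffering off;

            proxy_read_timeout 90;
          '';
        };
      };
    })
    (lib.mkIf config.services.fail2ban.enable {
      # Matches the "invalid authentication" line Home Assistant logs for a
      # failed login; `%%` is the escaped `%` of fail2ban's interpolation syntax.
      environment.etc."fail2ban/filter.d/hass.local".text = lib.mkDefault (lib.mkAfter ''
        [INCLUDES]
        before = common.conf

        [Definition]
        failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$

        ignoreregex =

        [Init]
        datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
      '');

      # Bans for 10 minutes after 5 failures within 10 minutes, on the ports the
      # reverse proxy exposes (the HTTP 8123 port itself is not published).
      services.fail2ban.jails.home-assistant-iptables.settings = {
        enabled = true;
        filter = "hass";
        action = ''iptables-multiport[name=HTTP, port="http,https"]'';
        logpath = "${cfg.configDir}/*.log";
        backend = "auto";
        findtime = 600;
        bantime = 600;
        maxretry = 5;
      };
    })
    (lib.mkIf config.host.impermanence.enable {
      # Fail evaluation if someone overrides configDir: the persisted directory
      # is the local constant, so a divergent option would silently lose state.
      assertions = [
        {
          assertion = cfg.configDir == configDir;
          message = "home assistant config directory does not match persistence";
        }
      ];
      environment.persistence."/persist/system/root" = {
        enable = true;
        hideMounts = true;
        directories = [
          {
            directory = configDir;
            user = "hass";
            group = "hass";
          }
        ];
      };
    })
  ]);
}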