From 6c731eede444e80d3b3e98eadcf7100899aae3d6 Mon Sep 17 00:00:00 2001 From: oddlama Date: Wed, 22 May 2024 02:04:43 +0200 Subject: [PATCH] chore: rework home assistant config --- hosts/sire/guests/grafana.nix | 2 + hosts/sire/guests/immich.nix | 2 + hosts/sire/guests/paperless.nix | 2 + hosts/sire/guests/samba.nix | 2 +- hosts/ward/kea.nix | 2 +- hosts/zackbiene/default.nix | 4 +- hosts/zackbiene/home-assistant.nix | 95 +++++++----------- hosts/zackbiene/hostapd.nix | 3 +- hosts/zackbiene/net.nix | 11 +- .../secrets/home-assistant-secrets.yaml.age | 20 ++-- ...97ed6618156ecad1b137cdbb5-wifi-clients.age | 11 ++ ...49ca9e2def-home-assistant-secrets.yaml.age | Bin 0 -> 395 bytes 12 files changed, 73 insertions(+), 81 deletions(-) create mode 100644 secrets/rekeyed/zackbiene/77e703197ed6618156ecad1b137cdbb5-wifi-clients.age create mode 100644 secrets/rekeyed/zackbiene/a481329d3f50d59d3236d949ca9e2def-home-assistant-secrets.yaml.age diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix index 9dc3fd2..fff12c5 100644 --- a/hosts/sire/guests/grafana.nix +++ b/hosts/sire/guests/grafana.nix @@ -100,8 +100,10 @@ in { proxyPass = "http://grafana"; proxyWebsockets = true; }; + # FIXME: refer to lan 192.168... and fd10:: via globals extraConfig = '' allow 192.168.1.0/24; + allow fd10::/64; deny all; ''; }; diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix index 4dbce30..af955b3 100644 --- a/hosts/sire/guests/immich.nix +++ b/hosts/sire/guests/immich.nix @@ -224,9 +224,11 @@ in { proxyPass = "http://immich"; proxyWebsockets = true; }; + # FIXME: refer to lan 192.168... and fd10:: via globals extraConfig = '' client_max_body_size 10G; allow 192.168.1.0/24; + allow fd10::/64; deny all; ''; }; diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix index 125d270..0c51cd1 100644 --- a/hosts/sire/guests/paperless.nix +++ b/hosts/sire/guests/paperless.nix 
@@ -61,9 +61,11 @@ in { virtualHosts.${paperlessDomain} = { forceSSL = true; useACMEWildcardHost = true; + # FIXME: refer to lan 192.168... and fd10:: via globals extraConfig = '' client_max_body_size 512M; allow 192.168.1.0/24; + allow fd10::/64; deny all; ''; locations."/" = { diff --git a/hosts/sire/guests/samba.nix b/hosts/sire/guests/samba.nix index 316783e..06eaa11 100644 --- a/hosts/sire/guests/samba.nix +++ b/hosts/sire/guests/samba.nix @@ -155,7 +155,7 @@ in { # Deny access to all hosts by default. "hosts deny = 0.0.0.0/0" # Allow access to local network and TODO: wireguard - "hosts allow = 192.168.1.0/24" + "hosts allow = 192.168.1.0/24 fd10::/64" # Don't advertise inaccessible shares to users "access based share enum = yes" diff --git a/hosts/ward/kea.nix b/hosts/ward/kea.nix index 8fa4ccf..eaa844c 100644 --- a/hosts/ward/kea.nix +++ b/hosts/ward/kea.nix @@ -49,7 +49,7 @@ in { option-data = [ { name = "routers"; - data = net.cidr.host 1 lanCidrv4; + data = net.cidr.host 1 lanCidrv4; # FIXME: how to advertise v6 address also? } ]; reservations = [ diff --git a/hosts/zackbiene/default.nix b/hosts/zackbiene/default.nix index 7ab7c18..ca62c1d 100644 --- a/hosts/zackbiene/default.nix +++ b/hosts/zackbiene/default.nix @@ -17,8 +17,8 @@ in { #./esphome.nix ./fs.nix - #./home-assistant.nix - #./hostapd.nix + ./home-assistant.nix + ./hostapd.nix #./mosquitto.nix ./kea.nix ./net.nix diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/zackbiene/home-assistant.nix index 6c65582..2506d27 100644 --- a/hosts/zackbiene/home-assistant.nix +++ b/hosts/zackbiene/home-assistant.nix 
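Review bot: The new `hosts allow` entry admits IPv6 clients from fd10::/64, but the `hosts deny = 0.0.0.0/0` line just above it still covers only IPv4. When both lists are set, Samba admits a client that matches the allow list, refuses one that matches the deny list, and otherwise falls through to allow, so as far as I can tell from its access logic an IPv6 source outside fd10::/64 (a link-local or global address on the same segment) matches neither list and is let in. If smbd is reachable over IPv6 at all, make the deny line family-independent: `"hosts deny = ALL"`. The enclosing extraConfig list starts and ends outside the hunk.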
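Review bot: The FIXME added to the `routers` option cannot be resolved inside this DHCPv4 `option-data` block: a DHCPv4 option carries only IPv4 data, and IPv6 hosts learn their default router from Router Advertisements rather than from DHCP. The v6 gateway therefore belongs to an RA sender on the LAN interface (for systemd-networkd, `IPv6SendRA=` on that link), not to Kea. I would reword the comment to state this so the question is not re-asked: `# NOTE: IPv6 routers cannot be advertised via DHCPv4; the v6 default route comes from Router Advertisements (e.g. systemd-networkd IPv6SendRA)`. The enclosing subnet definition starts and ends outside the hunk.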
@@ -1,12 +1,14 @@ { lib, config, - nodes, ... }: let - sentinelCfg = nodes.sentinel.config; - homeDomain = "home.${sentinelCfg.repo.secrets.global.domains.personal}"; + homeDomain = "home.${config.repo.secrets.global.domains.me}"; in { + wireguard.proxy-home.firewallRuleForNode.ward.allowedTCPPorts = [ + config.services.home-assistant.config.http.server_port + ]; + environment.persistence."/persist".directories = [ { directory = config.services.home-assistant.configDir; @@ -27,23 +29,24 @@ in { "fritzbox" "soundtouch" "spotify" - "zha" + #"zha" "mqtt" ]; config = { http = { - server_host = ["127.0.0.1"]; + server_host = ["0.0.0.0"]; server_port = 8123; use_x_forwarded_for = true; trusted_proxies = ["127.0.0.1"]; }; + homeassistant = { name = "!secret ha_name"; latitude = "!secret ha_latitude"; longitude = "!secret ha_longitude"; elevation = "!secret ha_elevation"; - currency = "!secret ha_currency"; - time_zone = "!secret ha_time_zone"; + currency = "EUR"; + time_zone = "Europe/Berlin"; unit_system = "metric"; #external_url = "https://"; packages = { 
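Review bot: `trusted_proxies = ["127.0.0.1"]` is kept while the reverse proxy moves off this host: the ward vhost later in this patch reaches HA via `config.wireguard.proxy-home.ipv4`, so forwarded requests now arrive from ward's wireguard address, not from loopback. With `use_x_forwarded_for = true`, Home Assistant rejects a request whose X-Forwarded-For comes from a source not listed in trusted_proxies, so the proxied vhost will fail until ward's proxy-home address is added there (presumably `nodes.ward.config.wireguard.proxy-home.ipv4`, which would need the `nodes` argument the first hunk removes; confirm against the module). Independently, `server_host = ["0.0.0.0"]` exposes port 8123 on every interface, including lan1 and wlan1, while the new firewall rule only opens it towards ward; unless the zone firewall blocks it elsewhere, binding only to the tunnel address, `server_host = [config.wireguard.proxy-home.ipv4];`, keeps LAN and IoT clients from bypassing ward's nginx allow-list.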
@@ -53,49 +56,31 @@ in { #### only selected components from default_config #### - automation = {}; - backup = {}; + assist_pipeline = {}; bluetooth = {}; #cloud = {}; - config = {}; #conversation = {}; - counter = {}; dhcp = {}; energy = {}; - frontend = { - #themes = "!include_dir_merge_named themes"; - }; - hardware = {}; history = {}; homeassistant_alerts = {}; - image_upload = {}; - input_boolean = {}; - input_button = {}; - input_datetime = {}; - input_number = {}; - input_select = {}; - input_text = {}; logbook = {}; - logger = {}; map = {}; #media_source = {}; mobile_app = {}; - #my = {}; - network = {}; - person = {}; - schedule = {}; - scene = {}; - script = {}; + my = {}; ssdp = {}; stream = {}; sun = {}; - system_health = {}; - tag = {}; - timer = {}; #usb = {}; webhook = {}; zeroconf = {}; - zone = {}; + + backup = {}; + config = {}; + frontend = { + #themes = "!include_dir_merge_named themes"; + }; }; extraPackages = python3Packages: with python3Packages; [psycopg2]; }; 
@@ -112,49 +97,37 @@ in { ''; }; - # TODO - # - auth for zigbee2mqtt frontend - # - auth for esphome dashboard - # - only allow connections from privileged LAN to HA or from vpn range - services.nginx = { upstreams.homeassistant = { - servers."localhost:${toString config.services.home-assistant.config.http.server_port}" = {}; extraConfig = '' zone homeassistant 64k; keepalive 2; ''; }; - virtualHosts.${homeDomain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://homeassistant"; - proxyWebsockets = true; - }; - # TODO listenAddresses = ["127.0.0.1" "[::1]"]; - # TODO dynamic definitions for the "local" network, IPv6 - extraConfig = '' - allow 192.168.0.0/22; - deny all; - ''; - }; }; - nodes.sentinel = { + nodes.ward = { services.nginx = { - upstreams."zackbiene" = { - servers."${config.wireguard.proxy-sentinel.ipv4}:80" = {}; + upstreams."home-assistant" = { + servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.home-assistant.config.http.server_port}" = {}; extraConfig = '' - zone zackbiene 64k; + zone home-assistant 64k; keepalive 2; ''; }; virtualHosts.${homeDomain} = { - # useACMEWildcardHost = true; - # TODO add aliases - rejectSSL = true; # TODO TLS SNI pass with `ssl_preread on;` - locations."/".proxyPass = "http://zackbiene"; + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://home-assistant"; + proxyWebsockets = true; + }; + # FIXME: refer to lan 192.168... and fd10:: via globals + extraConfig = '' + allow 192.168.1.0/24; + allow fd10::/64; + deny all; + ''; }; }; }; diff --git a/hosts/zackbiene/hostapd.nix b/hosts/zackbiene/hostapd.nix index 6eb9ad0..ccbeef0 100644 --- a/hosts/zackbiene/hostapd.nix +++ b/hosts/zackbiene/hostapd.nix 
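Review bot: `services.nginx.upstreams.homeassistant` on this host is left with only `extraConfig` once its `servers` line is removed, and the vhost that referenced it is deleted in the same hunk. nginx refuses an `upstream` block without a `server` directive (`no servers are inside upstream`), so if nginx is still enabled on zackbiene the generated config fails validation, and if it is not the block is dead either way. Either drop the whole `upstreams.homeassistant` attribute along with the vhost, or keep the `servers."localhost:…"` line. The removed TODO about restricting HA to the privileged LAN or VPN is now covered by ward's allow-list only for traffic that passes through nginx; HA itself listens on 0.0.0.0 per the earlier hunk, so that restriction still needs a bind address or firewall rule on this host.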
@@ -1,5 +1,6 @@ {config, ...}: { - # Associates each known client to a unique password + # Associates a mandatory and unique password to each client + # TODO: autogenerate? via secret generators and derived secrets? age.secrets.wifi-clients.rekeyFile = ./secrets/wifi-clients.age; hardware.wirelessRegulatoryDatabase = true; diff --git a/hosts/zackbiene/net.nix b/hosts/zackbiene/net.nix index 381fdcf..d7aeacf 100644 --- a/hosts/zackbiene/net.nix +++ b/hosts/zackbiene/net.nix @@ -8,9 +8,7 @@ in { networking.hostId = config.repo.secrets.local.networking.hostId; - wireguard.proxy-home = { - client.via = "ward"; - }; + wireguard.proxy-home.client.via = "ward"; boot.initrd.systemd.network = { enable = true; @@ -55,7 +53,12 @@ in { zones = { untrusted.interfaces = ["lan1"]; - lan.interfaces = ["lan1"]; + lan-interface.interfaces = ["lan1"]; + lan = { + parent = "lan-interface"; + ipv4Addresses = ["192.168.1.0/24"]; # FIXME: refer to via globals + ipv6Addresses = ["fd10::/64"]; # FIXME: refer to via globals + }; iot.interfaces = ["wlan1"]; }; diff --git a/hosts/zackbiene/secrets/home-assistant-secrets.yaml.age b/hosts/zackbiene/secrets/home-assistant-secrets.yaml.age index b6b2d30..6dfd0c5 100644 --- a/hosts/zackbiene/secrets/home-assistant-secrets.yaml.age +++ b/hosts/zackbiene/secrets/home-assistant-secrets.yaml.age 
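Review bot: The new `lan` zone is defined by address ranges rather than an interface, so membership is decided by the packet's source address; if `parent = "lan-interface"` does not itself confine matching to lan1 (I cannot tell from this hunk), traffic from another interface or a spoofed source in 192.168.1.0/24 or fd10::/64 would be classified as `lan`. Enabling reverse-path filtering on lan1, or confirming that the zone module restricts a child zone to its parent's interfaces, closes that gap and is worth a one-line comment next to the `parent` line. Also `lan-interface` and `untrusted` now both bind lan1, so every packet on that link matches both zones; stating which zone's rules take precedence, `# lan1 is in both untrusted and lan-interface; <precedence> — TODO confirm`, would help the next reader.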
@@ -1,12 +1,10 @@ age-encryption.org/v1 --> X25519 90GQu1DAxHxwy1GWOAE1rHYoQs77Q35YPuQCRTgcWFk -3AefIIsdsaE/exhb7acz/Vh4OBKIl15rRxFnndo6g2I --> piv-p256 xqSe8Q A+/OdhOqSsDgiaYVOoa7Tnk/JZdSGgHJ094mtoort+V3 -tBDFM3y1wDUt2UzjMLgFWprcFSPp25djnJAqXah4/+4 --> ;[OuQ^De-grease Ce@IYqTR -B85uiwRHPv4yBPoaXxIvJJb9s+UGkfF/KQ1mEIoBu9XBArYESFmj+kLcSWgLI1r5 -CI26cYM ---- K9FHvO0db0Xe6pGjnbLeJRqHGI+lFFnFoo6/R5d8dZ4 ->qOhӦqP -)Ć%>|zNj G<3SR2^?\|DE2'[lfL*GQ Uk#JEGxЪ-*̬Bn"q;{ -{僦{!)w U wH}DՄ5jRWLCl8_٢G \ No newline at end of file +-> X25519 /fHu4GoqBkVzZqZJ38xy8XbcWQ6SF3X6rvYjFv8gums +4FPbuUEYdrFpv72oo8+VL8rxdQzDFMgy7lfYp/e6PWc +-> piv-p256 xqSe8Q A7xG4f2f/SRpM1RIQSVL9q8g/AzVcIrDWq7nGDJQimQo +rL9Wgz4z18F5Qn+5Z20N7356YVLLrJvtvtGgx0jJwm4 +-> u[-grease ad +4NbLgEGN91yifuQh9zzwJegrU3ZvxOqtHsCn3XAXpQpv0x9f0HXMGJ2HJnB3dNXL +bxLtOZDlNinTOnR0p6ygxhg +--- uCx7X+ivq3iUCwYZjIcNZfHgfkzeuTGnG7lsVyKLqTk +S#:.}"5:M1Cʇug-6UFf:kjq0`~ITL{P5Z3tw]*YOYS9"#9|WE"z4Gt!k\YҗO({~GW_h$@ \ No newline at end of file diff --git a/secrets/rekeyed/zackbiene/77e703197ed6618156ecad1b137cdbb5-wifi-clients.age b/secrets/rekeyed/zackbiene/77e703197ed6618156ecad1b137cdbb5-wifi-clients.age new file mode 100644 index 0000000..e793195 --- /dev/null +++ b/secrets/rekeyed/zackbiene/77e703197ed6618156ecad1b137cdbb5-wifi-clients.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 DynNMA LHq3/m3kKCvk3cTzGFp8WIQ8uwB7izjVOZ/k/J+lbAE +u2Wh/dTlWa39hqshp8uQEaUW/EHovCvLn6OJ7mJapgw +-> j.F8#}r^-grease "y +F2G++oErF6R9OUHv8vyUIQMVr76UQgihDZ0mtCSV4Y//8OOw +--- bDukn+c2gV2ChC+26cuBFe2j/ObgYGK9OIJsXVRyO8U +Ԧ mëYSҤ##V nv5$]UuކV=L5|/bO0y@-j3W?|rK8)]6tEE + Iu=0ƅ;^ǕO2*੿;ZTq~)>uc|7,TEpxm.' [鎒, 1RPfx-EAD3cNJ蘝=qڤG %UNRcc \/ecFof + no .hSDŽlt{)<Шѧc*s Td] +^ tDE0C`&y= $7 6=i'0?>p +pܣTl5mi(k-Z_g)*k#?ϦP_P=XC?kN3{ehA.3Ө؉,5Autʃ%^|የ 0chgKy5+O3bo j-W_* \ No newline at end of file 
diff --git a/secrets/rekeyed/zackbiene/a481329d3f50d59d3236d949ca9e2def-home-assistant-secrets.yaml.age b/secrets/rekeyed/zackbiene/a481329d3f50d59d3236d949ca9e2def-home-assistant-secrets.yaml.age new file mode 100644 index 0000000000000000000000000000000000000000..398f9592e5aca491ad154d85ef856199dc43588d GIT binary patch literal 395 zcmV;60d)RhXJsvAZewzJaCB*JZZ24S#U*CZgoshSWIn4dUSDDQ%MR#MK3j1D^^T% zSZp?EQBZAEL~Sv3L@QQHb6Q4rN?KZNGFehDMn!IQPEiUiJ|KA}MM8XfEoX9NVRL05 zLs>;3Y9L*FEg*PaPattvIAl>K3VAt7bVx>5Y;b2aGIeD*ZbwjeGiNn*V^MB(aY0Q^ zN-|SSLP29RQwl9DEg(TTMOH&KYj-boayM;OGDJZ{a7t4_NOdzxRZD6{YA{!2c4=-( zM|DqTI0~#T^LEINLJg^vkV14DF0Mzu@`?x(*+$YnL}CjU($y~z