chore: rework home assistant config

hosts/sire/guests/grafana.nix

@@ -100,8 +100,10 @@ in {
           proxyPass = "http://grafana";
           proxyWebsockets = true;
         };
+        # FIXME: refer to lan 192.168... and fd10:: via globals
         extraConfig = ''
           allow 192.168.1.0/24;
+          allow fd10::/64;
           deny all;
         '';
       };

hosts/sire/guests/immich.nix

@@ -224,9 +224,11 @@ in {
           proxyPass = "http://immich";
           proxyWebsockets = true;
         };
+        # FIXME: refer to lan 192.168... and fd10:: via globals
         extraConfig = ''
           client_max_body_size 10G;
           allow 192.168.1.0/24;
+          allow fd10::/64;
           deny all;
         '';
       };

hosts/sire/guests/paperless.nix

@@ -61,9 +61,11 @@ in {
       virtualHosts.${paperlessDomain} = {
         forceSSL = true;
         useACMEWildcardHost = true;
+        # FIXME: refer to lan 192.168... and fd10:: via globals
         extraConfig = ''
           client_max_body_size 512M;
           allow 192.168.1.0/24;
+          allow fd10::/64;
           deny all;
         '';
         locations."/" = {

hosts/sire/guests/samba.nix

@@ -155,7 +155,7 @@ in {
       # Deny access to all hosts by default.
       "hosts deny = 0.0.0.0/0"
       # Allow access to local network and TODO: wireguard
-      "hosts allow = 192.168.1.0/24"
+      "hosts allow = 192.168.1.0/24 fd10::/64"
       # Don't advertise inaccessible shares to users
       "access based share enum = yes"
 

hosts/ward/kea.nix

@@ -49,7 +49,7 @@ in {
           option-data = [
             {
               name = "routers";
-              data = net.cidr.host 1 lanCidrv4;
+              data = net.cidr.host 1 lanCidrv4; # FIXME: how to advertise v6 address also?
             }
           ];
           reservations = [

hosts/zackbiene/default.nix

@@ -17,8 +17,8 @@ in {
 
     #./esphome.nix
     ./fs.nix
-    #./home-assistant.nix
+    ./home-assistant.nix
-    #./hostapd.nix
+    ./hostapd.nix
     #./mosquitto.nix
     ./kea.nix
     ./net.nix

hosts/zackbiene/home-assistant.nix

@@ -1,12 +1,14 @@
 {
   lib,
   config,
-  nodes,
   ...
 }: let
-  sentinelCfg = nodes.sentinel.config;
+  homeDomain = "home.${config.repo.secrets.global.domains.me}";
-  homeDomain = "home.${sentinelCfg.repo.secrets.global.domains.personal}";
 in {
+  wireguard.proxy-home.firewallRuleForNode.ward.allowedTCPPorts = [
+    config.services.home-assistant.config.http.server_port
+  ];
+
   environment.persistence."/persist".directories = [
     {
       directory = config.services.home-assistant.configDir;
@@ -27,23 +29,24 @@ in {
       "fritzbox"
       "soundtouch"
       "spotify"
-      "zha"
+      #"zha"
       "mqtt"
     ];
     config = {
       http = {
-        server_host = ["127.0.0.1"];
+        server_host = ["0.0.0.0"];
         server_port = 8123;
         use_x_forwarded_for = true;
         trusted_proxies = ["127.0.0.1"];
       };
+
       homeassistant = {
         name = "!secret ha_name";
         latitude = "!secret ha_latitude";
         longitude = "!secret ha_longitude";
         elevation = "!secret ha_elevation";
-        currency = "!secret ha_currency";
+        currency = "EUR";
-        time_zone = "!secret ha_time_zone";
+        time_zone = "Europe/Berlin";
         unit_system = "metric";
         #external_url = "https://";
         packages = {
@@ -53,49 +56,31 @@ in {
 
       #### only selected components from default_config ####
 
-      automation = {};
+      assist_pipeline = {};
-      backup = {};
       bluetooth = {};
       #cloud = {};
-      config = {};
       #conversation = {};
-      counter = {};
       dhcp = {};
       energy = {};
-      frontend = {
-        #themes = "!include_dir_merge_named themes";
-      };
-      hardware = {};
       history = {};
       homeassistant_alerts = {};
-      image_upload = {};
-      input_boolean = {};
-      input_button = {};
-      input_datetime = {};
-      input_number = {};
-      input_select = {};
-      input_text = {};
       logbook = {};
-      logger = {};
       map = {};
       #media_source = {};
       mobile_app = {};
-      #my = {};
+      my = {};
-      network = {};
-      person = {};
-      schedule = {};
-      scene = {};
-      script = {};
       ssdp = {};
       stream = {};
       sun = {};
-      system_health = {};
-      tag = {};
-      timer = {};
       #usb = {};
       webhook = {};
       zeroconf = {};
-      zone = {};
+
+      backup = {};
+      config = {};
+      frontend = {
+        #themes = "!include_dir_merge_named themes";
+      };
     };
     extraPackages = python3Packages: with python3Packages; [psycopg2];
   };
@@ -112,50 +97,38 @@ in {
     '';
   };
 
-  # TODO
-  # - auth for zigbee2mqtt frontend
-  # - auth for esphome dashboard
-  # - only allow connections from privileged LAN to HA or from vpn range
-
   services.nginx = {
     upstreams.homeassistant = {
-      servers."localhost:${toString config.services.home-assistant.config.http.server_port}" = {};
       extraConfig = ''
         zone homeassistant 64k;
         keepalive 2;
       '';
     };
+  };
+
+  nodes.ward = {
+    services.nginx = {
+      upstreams."home-assistant" = {
+        servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.home-assistant.config.http.server_port}" = {};
+        extraConfig = ''
+          zone home-assistant 64k;
+          keepalive 2;
+        '';
+      };
       virtualHosts.${homeDomain} = {
         forceSSL = true;
         enableACME = true;
         locations."/" = {
-        proxyPass = "http://homeassistant";
+          proxyPass = "http://home-assistant";
           proxyWebsockets = true;
         };
-      # TODO listenAddresses = ["127.0.0.1" "[::1]"];
+        # FIXME: refer to lan 192.168... and fd10:: via globals
-      # TODO dynamic definitions for the "local" network, IPv6
         extraConfig = ''
-        allow 192.168.0.0/22;
+          allow 192.168.1.0/24;
+          allow fd10::/64;
           deny all;
         '';
       };
     };
-
-  nodes.sentinel = {
-    services.nginx = {
-      upstreams."zackbiene" = {
-        servers."${config.wireguard.proxy-sentinel.ipv4}:80" = {};
-        extraConfig = ''
-          zone zackbiene 64k;
-          keepalive 2;
-        '';
-      };
-      virtualHosts.${homeDomain} = {
-        # useACMEWildcardHost = true;
-        # TODO add aliases
-        rejectSSL = true; # TODO TLS SNI pass with `ssl_preread on;`
-        locations."/".proxyPass = "http://zackbiene";
-      };
-    };
   };
 }

hosts/zackbiene/hostapd.nix

@@ -1,5 +1,6 @@
 {config, ...}: {
-  # Associates each known client to a unique password
+  # Associates a mandatory and unique password to each client
+  # TODO: autogenerate? via secret generators and derived secrets?
   age.secrets.wifi-clients.rekeyFile = ./secrets/wifi-clients.age;
 
   hardware.wirelessRegulatoryDatabase = true;

hosts/zackbiene/net.nix

@@ -8,9 +8,7 @@
 in {
   networking.hostId = config.repo.secrets.local.networking.hostId;
 
-  wireguard.proxy-home = {
+  wireguard.proxy-home.client.via = "ward";
-    client.via = "ward";
-  };
 
   boot.initrd.systemd.network = {
     enable = true;
@@ -55,7 +53,12 @@ in {
 
     zones = {
       untrusted.interfaces = ["lan1"];
-      lan.interfaces = ["lan1"];
+      lan-interface.interfaces = ["lan1"];
+      lan = {
+        parent = "lan-interface";
+        ipv4Addresses = ["192.168.1.0/24"]; # FIXME: refer to via globals
+        ipv6Addresses = ["fd10::/64"]; # FIXME: refer to via globals
+      };
       iot.interfaces = ["wlan1"];
     };
 

hosts/zackbiene/secrets/home-assistant-secrets.yaml.age

@@ -1,12 +1,10 @@
 age-encryption.org/v1
--> X25519 90GQu1DAxHxwy1GWOAE1rHYoQs77Q35YPuQCRTgcWFk
+-> X25519 /fHu4GoqBkVzZqZJ38xy8XbcWQ6SF3X6rvYjFv8gums
-3AefIIsdsaE/exhb7acz/Vh4OBKIl15rRxFnndo6g2I
+4FPbuUEYdrFpv72oo8+VL8rxdQzDFMgy7lfYp/e6PWc
--> piv-p256 xqSe8Q A+/OdhOqSsDgiaYVOoa7Tnk/JZdSGgHJ094mtoort+V3
+-> piv-p256 xqSe8Q A7xG4f2f/SRpM1RIQSVL9q8g/AzVcIrDWq7nGDJQimQo
-tBDFM3y1wDUt2UzjMLgFWprcFSPp25djnJAqXah4/+4
+rL9Wgz4z18F5Qn+5Z20N7356YVLLrJvtvtGgx0jJwm4
--> ;[OuQ^De-grease Ce@IYqTR
+-> u[-grease ad
-B85uiwRHPv4yBPoaXxIvJJb9s+UGkfF/KQ1mEIoBu9XBArYESFmj+kLcSWgLI1r5
+4NbLgEGN91yifuQh9zzwJegrU3ZvxOqtHsCn3XAXpQpv0x9f0HXMGJ2HJnB3dNXL
-CI26cYM
+bxLtOZDlNinTOnR0p6ygxhg
---- K9FHvO0db0Xe6pGjnbLeJRqHGI+lFFnFoo6/R5d8dZ4
+--- uCx7X+ivq3iUCwYZjIcNZfHgfkzeuTGnG7lsVyKLqTk
->©ˆqñOhÓ¦qP
+ßSª#:.éá}"5Â�˜:¦Ÿ¢—ÂM1Cʇug-é6UºFfÎ:k
j�qœ’0ô‡”`~’IÐÿTL{P5ðZ3tw¥]¯º*YŠOçYS9¢üË"#ø9Ô|WE"—íz4G“tÖ!k\YÒ—O(�{úð”~¡ßGˆWÕ_îÎàhŸ$@
-)Ć°„%®É>ÂôÔ|ÁÀÒzNjóG•<à3S´àÝR‰2¶±^?\
|ßD
�EÏ2œÕ'€ �±[l‡fL³*GªùQ
ùUk#JEÞGàxЪ-
Šù*̬Bnµƒç"šq;£©¾Â‘{Ê
-ì¬{ü僦°�ì{!)ðŒ˜w÷ÝÃU
w½H„}àŒòýœüîïæDÕ„5jRWîLC�l8_Ù¢G

secrets/rekeyed/zackbiene/77e703197ed6618156ecad1b137cdbb5-wifi-clients.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 DynNMA LHq3/m3kKCvk3cTzGFp8WIQ8uwB7izjVOZ/k/J+lbAE
+u2Wh/dTlWa39hqshp8uQEaUW/EHovCvLn6OJ7mJapgw
+-> j.F8#}r^-grease "y
+F2G++oErF6R9OUHv8vyUIQMVr76UQgihDZ0mtCSV4Y//8OOw
+--- bDukn+c2gV2ChC+26cuBFe2j/ObgYGK9OIJsXVRyO8U
+Ô¦®¿È ómëYS¹˜Ò¤##V
n÷íŽv•§ò»áŸÎ5ñ$œ]UuÞ†VŒ=ƒL5|/ýbOü’0áyÁ@-j3¦W?ûí|rK‡8Î)]»Ü6Ït¦EÆE
+
Iu÷”çÏ=0´ñ¿�Æ…;^ÎÇ•O2*æà©¿ É;–ZTþq~)‰õ>u¡Çc“|7ùê,TEêpxmù.µ…�ï’ÒÂô'ìÅÓ×[óŸ§éŽ’‘š,1˜RPÓfúÒx¡-EøADé”ç3¥¾cÄN¨�¡Ïùî´ñëJè˜�§=”q³˜Ú¤GÕý�³ì�%½œîUN’R½ÌÚcå
c  Âðá¶\/çóecÚFÌoùfúú
+ ­nÍŒoø ³öîµ”µô°£µ.¼ÈáhÅSÇ„élt{)�<ǵШѧc¼�*¶¥Ó
sòçõ
¼·T‚d]
+^•tÄDéØ÷�E0C`&yõ=Ç$7À¶úº�6=iÀÌ'Àú¹ø0?ú>p
+pÜ£òðTl5§míi (�Õüðk«ûíº-µÐìã¦ÄZ©_ªòg)·®Ô*k#Îú?êϦP¤_šPÏè=X¦�C™?¾‰´Ùk«¯£ÂN3ò{eðhA.3þÓÓ¨î½Ø‰,Æ5AuÛt™ʃà%^|የ’0¶ãúchgKy¦5+îO3Íbojì-W�_*Ý