From 962532ea09316aed8c804981f310b2626598a595 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 26 Jan 2025 03:10:22 +0100
Subject: [PATCH] feat: allow homeassistant to see adguardhome
---
 hosts/sausebiene/home-assistant.nix | 9 +++++++--
 hosts/ward/guests/adguardhome.nix | 6 ++++++
 ...uard-proxy-home-psks-ward+ward-adguardhome.age | 8 ++++++++
 ...wireguard-proxy-home-priv-ward-adguardhome.age | 8 ++++++++
 ...uard-proxy-home-psks-ward+ward-adguardhome.age | 9 +++++++++
 .../proxy-home/keys/ward-adguardhome.age | 10 ++++++++++
 .../proxy-home/keys/ward-adguardhome.pub | 1 +
 .../proxy-home/psks/ward+ward-adguardhome.age | Bin 0 -> 515 bytes
 8 files changed, 49 insertions(+), 2 deletions(-)
 create mode 100644 secrets/rekeyed/ward-adguardhome/a59470476f4151bbae3e2b65010d1003-wireguard-proxy-home-psks-ward+ward-adguardhome.age
 create mode 100644 secrets/rekeyed/ward-adguardhome/ae68e15b0af4a73aca607cc0fcae24b3-wireguard-proxy-home-priv-ward-adguardhome.age
 create mode 100644 secrets/rekeyed/ward/0807225dcebc6e46b72050aae1d9f8ce-wireguard-proxy-home-psks-ward+ward-adguardhome.age
 create mode 100644 secrets/wireguard/proxy-home/keys/ward-adguardhome.age
 create mode 100644 secrets/wireguard/proxy-home/keys/ward-adguardhome.pub
 create mode 100644 secrets/wireguard/proxy-home/psks/ward+ward-adguardhome.age
diff --git a/hosts/sausebiene/home-assistant.nix b/hosts/sausebiene/home-assistant.nix
index 23aab33..bc6fbd9 100644
--- a/hosts/sausebiene/home-assistant.nix
+++ b/hosts/sausebiene/home-assistant.nix
@@ -8,7 +8,7 @@
 }:
 let
 homeassistantDomain = "home.${globals.domains.personal}";
- fritzboxDomain = "fritzbox.${globals.domains.me}";
+ fritzboxDomain = "fritzbox.${globals.domains.personal}";
 in
 {
 wireguard.proxy-home.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
@@ -80,7 +80,8 @@ in currency = "EUR"; time_zone = "Europe/Berlin"; unit_system = "metric"; - #external_url = "https://"; + external_url = "https://${homeassistantDomain}"; + internal_url = "https://${homeassistantDomain}"; packages.manual = "!include manual.yaml"; }; @@ -164,6 +165,10 @@ in fritzboxDomain ]; + networking.hosts.${nodes.ward-adguardhome.config.wireguard.proxy-home.ipv4} = [ + "adguardhome.internal" + ]; + nodes.ward-web-proxy = { services.nginx = { upstreams."home-assistant" = { diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix index 63b67c3..a46d398 100644 --- a/hosts/ward/guests/adguardhome.nix +++ b/hosts/ward/guests/adguardhome.nix @@ -13,6 +13,12 @@ in firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.adguardhome.port ]; }; + # Allow home-assistant to access it directly + wireguard.proxy-home = { + client.via = "ward"; + firewallRuleForNode.sausebiene.allowedTCPPorts = [ config.services.adguardhome.port ]; + }; + globals.services.adguardhome.domain = adguardhomeDomain; globals.monitoring.dns.adguardhome = { server = globals.net.home-lan.vlans.services.hosts.ward-adguardhome.ipv4; diff --git a/secrets/rekeyed/ward-adguardhome/a59470476f4151bbae3e2b65010d1003-wireguard-proxy-home-psks-ward+ward-adguardhome.age b/secrets/rekeyed/ward-adguardhome/a59470476f4151bbae3e2b65010d1003-wireguard-proxy-home-psks-ward+ward-adguardhome.age new file mode 100644 index 0000000..fdcb4e6 --- /dev/null +++ b/secrets/rekeyed/ward-adguardhome/a59470476f4151bbae3e2b65010d1003-wireguard-proxy-home-psks-ward+ward-adguardhome.age 
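Review bot: The new `networking.hosts` entry for `adguardhome.internal` (third hunk of home-assistant.nix) carries no comment saying why the name is pinned, unlike the matching block added in hosts/ward/guests/adguardhome.nix. A line such as `# Pin adguardhome.internal to its proxy-home WireGuard address so Home Assistant reaches AdGuard Home only through the tunnel` above it would record that the static mapping is deliberate. If the consumer of this name speaks plain HTTP, which the hunk does not show, the same comment should say that the tunnel is what protects the credentials in transit. The enclosing attribute set starts and ends outside the hunk.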
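Review bot: `firewallRuleForNode.sausebiene.allowedTCPPorts` in hosts/ward/guests/adguardhome.nix opens `config.services.adguardhome.port` to the whole sausebiene node, and in the NixOS module that port is AdGuard Home's web interface, which also serves its admin API. Any process on sausebiene, not only Home Assistant, can then reach the admin login over proxy-home, so the exposure is only as tight as AdGuard Home's own authentication; whether users are configured is not visible in this hunk. The comment should state that dependency, e.g. `# Allow home-assistant to reach the web UI/API directly; relies on AdGuard Home auth, use a dedicated account for it`. The surrounding attribute set starts and ends outside the hunk.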
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 iMlJww LcDZuXwwr/dGoj/CzBn9brVhyZjpCTalCCqSghTgKXo +gjlkRjoWfeU1p62rZUiwZNmDVfkZYkGVzwjqCB4o3Kc +-> |?s>\8-grease : qWq 7s 6 +BcxYNl6jGOWAQne7b73ndOl4F+Sx/KWZu2YnWSGk5t6xigHGdhnayS15c7UpMwtX +2kRllLKGT+GVa1ZdkcxqOomFVCEuTqphLflsmyAVZOWiDOcKz5trJJIwzaglCl4 +--- cAhf8esIsFV6xjJB50XcoPY1Q6KRA/Zunin3KVXPIqE +?`"zlÅïÀƒêyJ…§_¿f3ñƒ…°ÏG5<@ÏKwáÅ`Û3qO(G \ No newline at end of file diff --git a/secrets/rekeyed/ward-adguardhome/ae68e15b0af4a73aca607cc0fcae24b3-wireguard-proxy-home-priv-ward-adguardhome.age b/secrets/rekeyed/ward-adguardhome/ae68e15b0af4a73aca607cc0fcae24b3-wireguard-proxy-home-priv-ward-adguardhome.age new file mode 100644 index 0000000..21c6b73 --- /dev/null +++ b/secrets/rekeyed/ward-adguardhome/ae68e15b0af4a73aca607cc0fcae24b3-wireguard-proxy-home-priv-ward-adguardhome.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 iMlJww jtnCnEFZ1T/u9JYmyHF1qDdAss49L9pdwCLGiWx2fRk +fFlcfA91amGpSLfj+/eC3Vlq+xMT5sUbGJ1ETb6KjRE +-> Ib-grease M;HenC[2 4D~s$ eHi[gc/# +ug8sUzolBxptKxNReOiU0sw/V6K/7Z4z7d9hkZpgVDLIk7js7EElkTmLlyr5JX0/ +bA5KBj6prReCaSTxlKpe5mQzW5vVjjBn +--- ajcDhhtD3Lr25V6lKBK6MhiKutoPurRyiS1daILhQ+c +äÉkßA¬Æ\‡t¹¬ÞB/»hÜo(SÇßÌþÀ€èž®ŠÒ}¼QÛ…ŒgEÓ&ÏS ¦4îÍJLl“3á/P^º- \ No newline at end of file diff --git a/secrets/rekeyed/ward/0807225dcebc6e46b72050aae1d9f8ce-wireguard-proxy-home-psks-ward+ward-adguardhome.age b/secrets/rekeyed/ward/0807225dcebc6e46b72050aae1d9f8ce-wireguard-proxy-home-psks-ward+ward-adguardhome.age new file mode 100644 index 0000000..25a51a7 --- /dev/null +++ b/secrets/rekeyed/ward/0807225dcebc6e46b72050aae1d9f8ce-wireguard-proxy-home-psks-ward+ward-adguardhome.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 iNceIg aLBsJxvdC9NQbN5Sdv1JkljaXiwo3lVQLYYN3gu6jgw +B4PbbBvHf/xs97U7vaob55DJxVNwWaqMzRf26mayeP4 +-> pg_02\K-grease dl34LY +qnYGF6f0nfvHrPkYDymNgG6iS7RwpThN3I2X3HIG0SOWktqmTgHpFmwqcCPrBxZS +EKML2Qzgz1hpO2ml +--- mCTF7YTPFttEgFQM1EVnTpCxTRqSijEcwgDpLqVzZ7o +öHsDu½ã¯â‡~—âŠeP Œk#£jtÁECxê)Î4¬ÜkCÍõ‰9Ì@ýùt ‘p7±8Ó«ofU „Ùs +yd̰>{“x‘sC \ No newline at end of file diff --git a/secrets/wireguard/proxy-home/keys/ward-adguardhome.age b/secrets/wireguard/proxy-home/keys/ward-adguardhome.age new file mode 100644 index 0000000..f82d00a --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/ward-adguardhome.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 vW5hwIXwVkbRjMGS8cHM5lvB9SNQD0dSV5xR2PFRhkk +A4YoPsXllbPp3x7RwbMNRJjQ217PS8El/9V5TfADG7U +-> piv-p256 xqSe8Q A6xD8V3EOqGFHOytfnKWLL6K5Dz7KWO5XoAPs/Un7WT8 +g59blWifMKGL6qdRj3+PYsQnmfDezySzd4FItEcl5OA +-> h6^upJ-grease +0aZsMxGYVCyLC29k+vuIjlLmUQs3nEW0tKBsJm51dQ38RhXzwfZ0/18j/iJMQbPF +f/b+LxRkNSWz7Hgb7a0Gkg +--- wyTiI3dbqYlLOg3aY/dwMNLEowuWXX5T3mR8xnDjj4k +1›—Ù36 –dqÄGën[£)|оˆpn¥»å­=ÎØ›^¦c¥dý6B¸„!oS,m–€U¦ãb¼"ŠÁ4JÕ¡N½­H3X̾öÅ3 \ No newline at end of file diff --git a/secrets/wireguard/proxy-home/keys/ward-adguardhome.pub b/secrets/wireguard/proxy-home/keys/ward-adguardhome.pub new file mode 100644 index 0000000..27aa2de --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/ward-adguardhome.pub @@ -0,0 +1 @@ +/cNYC+G+JTSbVfjCRO+gm1odlmsbA6aIMqj76lDo210= 
diff --git a/secrets/wireguard/proxy-home/psks/ward+ward-adguardhome.age b/secrets/wireguard/proxy-home/psks/ward+ward-adguardhome.age new file mode 100644 index 0000000000000000000000000000000000000000..28406763b622333e04a14d2f998c5f3e5e3047e9 GIT binary patch literal 515 zcmWm7J&%)M007{d*^Hwx;T*hyU=Qe9;Le<(^lc0MgbK8pm;j}eQa)PXeSzc>KL!Ui zuKofilS|xnaJt3G#L=6LiJOUogSqDqJht!AUhM9xG!K&aUb6Qah#}}Ra?S$4h@{~b z$#SW7On$sgd8utpjuj&=`sT8f0=+#2^;~&4LJ;*eLO?~g$A@K9;JG3Ox~Pwgh1}V= zDPygrI5JqFWrdo_Y>n$74G^8OphcFunI~wZl*I}~t=GCkdA%5xGr1*)mY|e7Gyq8# z_)5mIP1*JxkP?o(ocN`_(5g)Jn_L}MMLiv7-blw2*-TcAmbd}q#A`t9`g%OLJL@?z z?e9H1^Ti?8)8lrN z-HywE_cUb?3!E5A1WnVV8EveHa_idE0qARJ0eD_W%E?3#D46I&TyHqVhy7Wp5U_Wk zJ%8G*(CNu3`;NZ-^T*%I?stQ||LMzl|Au&^9oUzz