fix: fix routes to home assistant

2025-10-10 23:00:39 +02:00 · 2024-05-23 02:10:45 +02:00 · 2024-05-23 02:10:45 +02:00 · b36e7e8202
commit b36e7e8202
parent 6c731eede4
4 changed files with 11 additions and 32 deletions
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -93,6 +93,7 @@ in {
          nodes.sentinel.config.networking.providedDomains.influxdb
          nodes.sentinel.config.networking.providedDomains.loki
          nodes.sentinel.config.networking.providedDomains.paperless
          "home.${config.repo.secrets.global.domains.me}"
        ];
      filters = [
        {
--- a/hosts/zackbiene/default.nix
+++ b/hosts/zackbiene/default.nix
@ -4,7 +4,6 @@
  nodes,
  ...
 }: let
  inherit (config.repo.secrets.local) acme;
  sentinelCfg = nodes.sentinel.config;
  wardWebProxyCfg = nodes.ward-web-proxy.config;
 in {
@ -30,17 +29,6 @@ in {
  topology.self.hardware.info = "O-Droid N2+";
  boot.mode = "efi";
  users.groups.acme.members = ["nginx"];
  services.nginx.enable = true;
  services.nginx.recommendedSetup = true;
  security.acme = {
    acceptTerms = true;
    defaults = {
      inherit (acme) email;
      reloadServices = ["nginx"];
    };
  };
  meta.promtail = {
    enable = true;
--- a/hosts/zackbiene/home-assistant.nix
+++ b/hosts/zackbiene/home-assistant.nix
@ -1,11 +1,12 @@
 {
  lib,
  config,
  nodes,
  ...
 }: let
  homeDomain = "home.${config.repo.secrets.global.domains.me}";
 in {
-  wireguard.proxy-home.firewallRuleForNode.ward.allowedTCPPorts = [
+  wireguard.proxy-home.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
    config.services.home-assistant.config.http.server_port
  ];
@ -37,7 +38,7 @@ in {
        server_host = ["0.0.0.0"];
        server_port = 8123;
        use_x_forwarded_for = true;
-        trusted_proxies = ["127.0.0.1"];
+        trusted_proxies = [nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4];
      };
      homeassistant = {
@ -82,7 +83,11 @@ in {
        #themes = "!include_dir_merge_named themes";
      };
    };
-    extraPackages = python3Packages: with python3Packages; [psycopg2];
+    extraPackages = python3Packages:
      with python3Packages; [
        psycopg2
        gtts
      ];
  };
  age.secrets."home-assistant-secrets.yaml" = {
@ -97,16 +102,7 @@ in {
    '';
  };
-  services.nginx = {
+  nodes.ward-web-proxy = {
    upstreams.homeassistant = {
      extraConfig = ''
        zone homeassistant 64k;
        keepalive 2;
      '';
    };
  };
  nodes.ward = {
    services.nginx = {
      upstreams."home-assistant" = {
        servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.home-assistant.config.http.server_port}" = {};
@ -117,7 +113,7 @@ in {
      };
      virtualHosts.${homeDomain} = {
        forceSSL = true;
-        enableACME = true;
+        useACMEWildcardHost = true;
        locations."/" = {
          proxyPass = "http://home-assistant";
          proxyWebsockets = true;
--- a/hosts/zackbiene/kea.nix
+++ b/hosts/zackbiene/kea.nix
@ -27,12 +27,6 @@ in {
        interfaces = ["wlan1"];
        service-sockets-max-retries = -1;
      };
      option-data = [
        {
          name = "domain-name-servers";
          data = "192.168.1.3"; # FIXME: global (also search for 192.168 and "*Ip =")
        }
      ];
      subnet4 = [
        {
          interface = "wlan1";