feat: add influxdb as storage backend to home assistant

2025-10-10 23:00:39 +02:00 · 2024-05-23 15:46:25 +02:00 · 2024-05-23 15:46:25 +02:00 · db86d754c4
commit db86d754c4
parent b36e7e8202
18 changed files with 141 additions and 39 deletions
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@ -29,7 +29,14 @@ in {
    group = "grafana";
  };

-  age.secrets.grafana-influxdb-token = {
+  age.secrets.grafana-influxdb-token-machines = {
+    generator.script = "alnum";
+    generator.tags = ["influxdb"];
+    mode = "440";
+    group = "grafana";
+  };
+
+  age.secrets.grafana-influxdb-token-home = {
    generator.script = "alnum";
    generator.tags = ["influxdb"];
    mode = "440";
@ -45,8 +52,8 @@ in {

  nodes.sire-influxdb = {
    # Mirror the original secret on the influx host
-    age.secrets."grafana-influxdb-token-${config.node.name}" = {
-      inherit (config.age.secrets.grafana-influxdb-token) rekeyFile;
+    age.secrets."grafana-influxdb-token-machines-${config.node.name}" = {
+      inherit (config.age.secrets.grafana-influxdb-token-machines) rekeyFile;
      mode = "440";
      group = "influxdb2";
    };
@ -54,7 +61,19 @@ in {
    services.influxdb2.provision.organizations.machines.auths."grafana machines:telegraf (${config.node.name})" = {
      readBuckets = ["telegraf"];
      writeBuckets = ["telegraf"];
-      tokenFile = nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-${config.node.name}".path;
+      tokenFile = nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-machines-${config.node.name}".path;
+    };
+
+    age.secrets."grafana-influxdb-token-home-${config.node.name}" = {
+      inherit (config.age.secrets.grafana-influxdb-token-home) rekeyFile;
+      mode = "440";
+      group = "influxdb2";
+    };
+
+    services.influxdb2.provision.organizations.machines.auths."grafana home:home_assistan (${config.node.name})" = {
+      readBuckets = ["home_assistant"];
+      writeBuckets = ["home_assistant"];
+      tokenFile = nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-home-${config.node.name}".path;
    };
  };

@ -177,11 +196,22 @@ in {
          access = "proxy";
          url = "https://${sentinelCfg.networking.providedDomains.influxdb}";
          orgId = 1;
-          secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token.path}}";
+          secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token-machines.path}}";
          jsonData.version = "Flux";
          jsonData.organization = "machines";
          jsonData.defaultBucket = "telegraf";
        }
+        {
+          name = "InfluxDB (home_assistant)";
+          type = "influxdb";
+          access = "proxy";
+          url = "https://${sentinelCfg.networking.providedDomains.influxdb}";
+          orgId = 1;
+          secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token-home.path}}";
+          jsonData.version = "Flux";
+          jsonData.organization = "home";
+          jsonData.defaultBucket = "home_assistant";
+        }
        {
          name = "Loki";
          type = "loki";
--- a/hosts/sire/guests/influxdb.nix
+++ b/hosts/sire/guests/influxdb.nix
@ -133,6 +133,7 @@ in {
        tokenFile = config.age.secrets.influxdb-admin-token.path;
      };
      organizations.machines.buckets.telegraf = {};
+      organizations.home.buckets.home_assistant = {};
    };
  };

--- a/hosts/zackbiene/README.md
+++ b/hosts/zackbiene/README.md
@ -1,7 +0,0 @@
-# First Setup
-
- Install Tow-Boot (version 006 is broken, currently used 005) to SPI flash to be able to use UEFI. <3
-
- In HomeAssistant, MQTT integration needs to be added
-  manually, and the mqtt connection details must be entered
-  localhost:1883, user=home_assistant, pass=<see corresponding secret file>
--- a/hosts/zackbiene/home-assistant.nix
+++ b/hosts/zackbiene/home-assistant.nix
@ -1,7 +1,8 @@
 {
-  lib,
  config,
+  lib,
  nodes,
+  pkgs,
  ...
 }: let
  homeDomain = "home.${config.repo.secrets.global.domains.me}";
@ -77,11 +78,25 @@ in {
      webhook = {};
      zeroconf = {};

+      ### Components not from default_config
+
      backup = {};
      config = {};
      frontend = {
        #themes = "!include_dir_merge_named themes";
      };
+
+      influxdb = {
+        api_version = 2;
+        host = nodes.sentinel.config.networking.providedDomains.influxdb;
+        port = "443";
+        max_retries = 10;
+        ssl = true;
+        verify_ssl = true;
+        token = "!secret influxdb_token";
+        organization = "home";
+        bucket = "home_assistant";
+      };
    };
    extraPackages = python3Packages:
      with python3Packages; [
@ -97,11 +112,41 @@ in {

  systemd.services.home-assistant = {
    preStart = lib.mkBefore ''
-      ln -sf ${config.age.secrets."home-assistant-secrets.yaml".path} ${config.services.home-assistant.configDir}/secrets.yaml
+      if [[ -e ${config.services.home-assistant.configDir}/secrets.yaml ]]; then
+        rm ${config.services.home-assistant.configDir}/secrets.yaml
+      fi
+      cat ${config.age.secrets."home-assistant-secrets.yaml".path} > ${config.services.home-assistant.configDir}/secrets.yaml
+
+      # Update influxdb token
+      INFLUXDB_TOKEN="$(cat ${config.age.secrets.hass-influxdb-token.path})" \
+        ${lib.getExe pkgs.yq-go} -i '.influxdb_token = strenv(INFLUXDB_TOKEN)' \
+        ${config.services.home-assistant.configDir}/secrets.yaml
+
      touch -a ${config.services.home-assistant.configDir}/{automations,scenes,scripts,manual}.yaml
    '';
  };

+  age.secrets.hass-influxdb-token = {
+    generator.script = "alnum";
+    mode = "440";
+    group = "hass";
+  };
+
+  nodes.sire-influxdb = {
+    # Mirror the original secret on the influx host
+    age.secrets."hass-influxdb-token-${config.node.name}" = {
+      inherit (config.age.secrets.hass-influxdb-token) rekeyFile;
+      mode = "440";
+      group = "influxdb2";
+    };
+
+    services.influxdb2.provision.organizations.machines.auths."home-assistant (${config.node.name})" = {
+      readBuckets = ["home_assistant"];
+      writeBuckets = ["home_assistant"];
+      tokenFile = nodes.sire-influxdb.config.age.secrets."hass-influxdb-token-${config.node.name}".path;
+    };
+  };
+
  nodes.ward-web-proxy = {
    services.nginx = {
      upstreams."home-assistant" = {
--- a/secrets/generated/sire-grafana/grafana-influxdb-token-home.age
+++ b/secrets/generated/sire-grafana/grafana-influxdb-token-home.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 MiVjKhmcPoryN213jpcDtwM82OG66AVVGHN/AL4H3EA
+y5NItWLZhVKgTrUDDU4euyOeB+9k33Gmguklx38csCY
+-> piv-p256 xqSe8Q A+IEiVKYZQoj1WIZupZdUWZ8m0Qi+7xd7DJIUd1TSXVc
+4MwF1yVTyoRp7QF6/rUpywEVpqS6lg8RZendWAMd5/U
+-> opvcX>!-grease omZ
+2xokmE8MrVzRcsPjTvovMN4+oENCc9I996b6ceiRbqATBHqghFofIyQlC+63BK9R
+zqsVYHsTj9xsHQ
+--- lsktZnNVUrWPii9QSAN8dCqFdqgNXqdPJpEL5NSlQtY
+�üÈÁo>·äã›èæh«6¨ÝSJÙ�§™ÑeðŸûÅ7?4Âþ×š°'?S)×i¿à!Q*Ó,ÿS••‘r$ Y¢ñÁå6¼ÌÓ×
--- a/secrets/generated/sire-grafana/grafana-influxdb-token-machines.age
+++ b/secrets/generated/sire-grafana/grafana-influxdb-token-machines.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 8RST3xS+wVkBHfVo21d+fYDxjLyKAvm7YV2pdgTNmmA
+b03ClQlTW2I/qdUsqCse7WhbPhcj0s+g1WUlZ5SIxbA
+-> piv-p256 xqSe8Q A8lbeX/6k6fV+K2/YEiJJXWoXX9OLJ9tDIbO0qJPwRLg
+SjOddGF5dQbDxtmAAWuUmehieP7X5C9jj9CIalDSSxA
+-> -4gr-grease Dg3nr, bBf9!>h
+Kb0310cWQZGEZLpBI969WbCU3OT2hCJ7KzLA2PgDBnagP/x4aZS7MSEof9amXIrb
+jgyIAMySsC2ZjmGPYiNzFSUxZpsBK90NxFCNFpVgupAz6PtXMz4U3QDq3G4Hq37m
+JQ
+--- zYoy9Lc9etflU4gmc6qYzrwaPrvo8q6O6RvkKVb8iw0
+Ôá×ôkŽGJßñï–©µ7F„¿pµ‹n'Â¢çY gå8ô´=þå}zèÂAqí¥¦Ã©•×B2h3ª[„*'ñ�€`,A†½ÿ©Xª¹å
--- a/secrets/generated/sire-grafana/grafana-influxdb-token.age
+++ b/secrets/generated/sire-grafana/grafana-influxdb-token.age
@ -1,10 +0,0 @@
-age-encryption.org/v1
-> X25519 Bo6kBRQL230lQ3HcTc3AajPp/gw7PA8oTM8gYSg62y8
-o2VKru7J29Nk+pLPIIodPwIRT9dY8iemtPy/PDTaPDU
-> piv-p256 xqSe8Q AldXLqMr0qwEaKHsed9nLXLWyMs1GLAd7fDY+kwelRUW
-p1soq4J7A73ZgoUcQJknAHBo54sFVCaTZ+hirVjL9OE
-> g6z"P-grease (@ Y
-TM39Zea9KUhp85YkmHg7Qd069qelJ3rgHIW4MFHhAvRxGpTnq02uRlkUJC1KdOH3
-kkx0bXhb9ueJ5i0kvQYeURM6j6rIcFy0a4GZgH/QjjF/GDsx0Yj55SPYmfD/
--- ncrTYfKfUkwg2T6xI0dxf5+8qzNWpiUQirMn0G9/w80
-µôc×uÎË¢ÒpË+Mç´lãƒâ—÷Hxž|ž§zDj\lz+?I2>`¦6lUÂLHq¦™¢Í€¿ªÙ9•Îæm¬ÛWÔëäæDïIäˆ,÷U„
--- a/secrets/generated/zackbiene/dhparams.pem.age
+++ b/secrets/generated/zackbiene/dhparams.pem.age
--- a/secrets/generated/zackbiene/hass-influxdb-token.age
+++ b/secrets/generated/zackbiene/hass-influxdb-token.age
--- a/secrets/rekeyed/sire-grafana/aaf399ee7f5cf427ef41a2edf0a9b1e3-grafana-influxdb-token.age
+++ b/secrets/rekeyed/sire-grafana/aaf399ee7f5cf427ef41a2edf0a9b1e3-grafana-influxdb-token.age
@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 B7KO8w 8wCp1rYZS3lDaGRqUiTIUBpfcSA8vH1CddfRpcCmwFg
-F5t+bPiacZls0kXXmYlGditf0s1RiMcXSLl0nsSW+jI
-> C-,-grease <fcN F g
-GTedNm74HhMm
--- Y13a+/YSQ9MMjhRpfwVHQ0nphPG8qN4798HEgRVlovU
-mŽ§]ŠVºï^�˜"²R�Õ$ÏïÔâ÷•®±¿‘š¾J•ö±R©e�iuH9pfÀ‚SFFa·Ò˜X{¿åQ¿‰ž&ìð¶ª+ÃÖ…ÅKœ
--- a/secrets/rekeyed/sire-grafana/b7cdee9d8b438cbb0ee99308e707f32a-grafana-influxdb-token-home.age
+++ b/secrets/rekeyed/sire-grafana/b7cdee9d8b438cbb0ee99308e707f32a-grafana-influxdb-token-home.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 B7KO8w NtS2dqQU1BoTwoT/42UfEcOKVlrKDdT4zoSqtkvD2Cg
+E3gjjbUQwUAs/Gljfv0CfoPAKo6L9rcPBPP6rx9kBTI
+-> EXb+5IAV-grease e) G
+kvWs+CDtZg
+--- 97OhIK+gTO3VZe+lOmjFGe1RygiTPhbyK5ZhtIWW4tk
+”WÞÒ|N¼J±ˆÁêãzXÀò>ÈÛäf3iÙÀF°�€áˆZÙ36MnJ úÌB7›ïMMcß¾W9eò»ZÆ>D¨±n}Ãr>&
--- a/secrets/rekeyed/sire-grafana/f4f9a0c80af2c983350250c972a30b68-grafana-influxdb-token-machines.age
+++ b/secrets/rekeyed/sire-grafana/f4f9a0c80af2c983350250c972a30b68-grafana-influxdb-token-machines.age
--- a/secrets/rekeyed/sire-influxdb/1fb396826d821005062459f27a453004-grafana-influxdb-token-machines-sire-grafana.age
+++ b/secrets/rekeyed/sire-influxdb/1fb396826d821005062459f27a453004-grafana-influxdb-token-machines-sire-grafana.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 1tdZKQ 7/FNR9qPfnog6Ci/YIfPv/SWstIvi9KNfoOJSKj3UhU
+pRyszE6vS1KWz/oqRddga6TDCKigzEHneOMtpiF+6ZM
+-> V]6Awl-grease
+vGI9Lof1yQ
+--- ugvostW30lRVwoa0y1CG2zlNnOsG6+Fl6xA3VZJAagA
+MRZöŐc×?,čĂ…˛űMí¶íűéË8ć’óR
+ÓźĺçŽüvşÝÜ„JŚĐ�Öńh˝‚Íu�oŇ€ă»ÔMĽôĽîë»•Č\({Óžu
--- a/secrets/rekeyed/sire-influxdb/85f8ae2b2465f6ce8f9354f8569d0320-grafana-influxdb-token-sire-grafana.age
+++ b/secrets/rekeyed/sire-influxdb/85f8ae2b2465f6ce8f9354f8569d0320-grafana-influxdb-token-sire-grafana.age
@ -1,8 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 1tdZKQ zBATrC0W9c0OA8FO03FFxqPJaLsNb7O5ownBSmSn1gY
-X3oqnPWt8wv3PaHtdxZ9SRsz3fUtowpMA6LUz3Vvjxg
-> ;}-grease O>
-ba89giA262+t2OeOhZ5ewG+AUHXjJnT9UkpPqQaZovpmWaV4lRLX/+e5DWVzXlzd
-n5fEjrhovARYQ9rTCIwI
--- LX956zk61RQNVOkrkxHRN4Ki6auA6crNbwl4SmysfO8
-µÝ2ë%y¹È»ƒZOe¾®üæRš6‘î§LÐï~0u�¥(èi€è"xi¾+ŽfâîÈ]…5ÎfxÑàP×ÕWÉ«¹ÐMËV=¢9n åóö
--- a/secrets/rekeyed/sire-influxdb/8af19159b484f7ee716bbd8d0ef4b290-hass-influxdb-token-zackbiene.age
+++ b/secrets/rekeyed/sire-influxdb/8af19159b484f7ee716bbd8d0ef4b290-hass-influxdb-token-zackbiene.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 1tdZKQ 7hRaB/jl5aAQ0OaLaE84invNGJc4iuzxk/jGA7cxMS0
+nKH9M7KqbC2yQbjRY7h9yeCUPjii/PKbaArv7vF0tgs
+-> =Bq38rC-grease |< t'@ f
+WX5ZG96lJs4zzi4
+--- Msg4tXQbL4PdKR//oobUKg2lvMAp1IZgimw09W6BnK4
+Î	ýhÄ}ª@“hÝ4[ðœñã¢Ø„=RýJ`O3ŠÍÐulàbÎ’íìŒ£â¦«zÌUBÙâµ¢ÍìÄ¸/]¦i¢-—®ë³ª±ÅN�
--- a/secrets/rekeyed/sire-influxdb/b83247c406e7672605e94a6d354ecb29-grafana-influxdb-token-home-sire-grafana.age
+++ b/secrets/rekeyed/sire-influxdb/b83247c406e7672605e94a6d354ecb29-grafana-influxdb-token-home-sire-grafana.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 1tdZKQ AsgXjTnMlWoukmKdk3jBqZKildhbuhemjeXVEP6hxU4
+27r8siEl0mvMKMUxXapJqYgHkc/3pO3pGQwzKFV9lV8
+-> IzSa}-grease )hD+%g6Z
+jdkBplRj8opuM6K2D4j2g4CeyQ
+--- 9/pgTJnwXS0d4avPkE4joBUEiCxGOzzAM2+O4kAayxg
+: ÉQqA”Üx�}‡hœW!ÇkËFKoC¿²<e•s¶²áS�ËŠ×ˆò(¿¸£ép£¨2y`nMZ<æ9EÆ@áóÿv¬ÿ¦E'‡S
--- a/secrets/rekeyed/zackbiene/31a04c4d82c35307e01835f3d41e6066-hass-influxdb-token.age
+++ b/secrets/rekeyed/zackbiene/31a04c4d82c35307e01835f3d41e6066-hass-influxdb-token.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 DynNMA t66pK0Xp15NUNuTlvpUDfD+jfYmZr6vje8Zil3yV4xA
+NJ89Tcht+GvI7R8RgA0GniOLgbIS7IBTTal2FUN+Pn8
+-> L8|W-grease {#S
+6NoW21RijvL4DTAL7742L9eB5aG3X0fgvf+3vY6IGLW2vKPCIVr1rLkzzhfYnUp4
+avIHxxFbWVHqXUHO71WMcBiC+dHLYxJ9gEeY338
+--- 3zxIzft5E8Z9sQIrEMZKkqxugeS9g8LWYeY3hP8HHio
+.Üu€Å.BzLHNrpµÿÀ�?å#ÍsÎÓ¸|•c�xÛ¡\¦·$‰Ÿ¼ˆQæ]³¹æ.í¯¿¹>Œ
@qö)ì�j•ÛÕÇ"
--- a/secrets/rekeyed/zackbiene/c06371c0df2e7f04d986d0efb4c11c52-dhparams.pem.age
+++ b/secrets/rekeyed/zackbiene/c06371c0df2e7f04d986d0efb4c11c52-dhparams.pem.age