From eeac57d30d672f69671839b5d90f9610014f7294 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Thu, 27 Jul 2023 19:06:03 +0200
Subject: [PATCH] feat(zackbiene): reenable hass with ACME double proxy
---
 hosts/sentinel/acme.nix | 2 +-
 hosts/zackbiene/default.nix | 17 +++++++++--
 hosts/zackbiene/esphome.nix | 3 ++
 hosts/zackbiene/home-assistant.nix | 39 +++++++++++++++++++-------
 hosts/zackbiene/secrets/local.nix.age | Bin 599 -> 699 bytes
 hosts/zackbiene/zigbee2mqtt.nix | 3 ++
 modules/config/impermanence.nix | 16 +++++++++++
 modules/meta/nginx.nix | 1 +
 8 files changed, 68 insertions(+), 13 deletions(-)
diff --git a/hosts/sentinel/acme.nix b/hosts/sentinel/acme.nix
index c710a70..5100774 100644
--- a/hosts/sentinel/acme.nix
+++ b/hosts/sentinel/acme.nix
@@ -16,6 +16,6 @@ in {
 dnsPropagationCheck = true;
 reloadServices = ["nginx"];
 };
+ wildcardDomains = acme.domains;
 };
- security.acme.wildcardDomains = acme.domains;
 }
diff --git a/hosts/zackbiene/default.nix b/hosts/zackbiene/default.nix
index 1529bab..f60d215 100644
--- a/hosts/zackbiene/default.nix
+++ b/hosts/zackbiene/default.nix
@@ -1,9 +1,12 @@
 {
+ config,
 lib,
 nodes,
 ...
 }: let
+ inherit (config.repo.secrets.local) acme;
 sentinelCfg = nodes.sentinel.config;
+ inherit (sentinelCfg.repo.secrets.local) personalDomain;
 in {
 imports = [
 ../../modules/optional/hardware/odroid-n2plus.nix
@@ -15,15 +18,25 @@ in {
 #./esphome.nix
 ./fs.nix
- #./home-assistant.nix
+ ./home-assistant.nix
 ./hostapd.nix
 #./mosquitto.nix
 ./kea.nix
 ./net.nix
- #./nginx.nix
 #./zigbee2mqtt.nix
 ];
+ users.groups.acme.members = ["nginx"];
+ services.nginx.enable = true;
+
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ inherit (acme) email;
+ reloadServices = ["nginx"];
+ };
+ };
+
+ meta.wireguard-proxy.sentinel = {};
 meta.promtail = {
 enable = true;
diff --git a/hosts/zackbiene/esphome.nix b/hosts/zackbiene/esphome.nix
index b4f9d1c..0703a64 100644
--- a/hosts/zackbiene/esphome.nix
+++ b/hosts/zackbiene/esphome.nix
@@ -10,6 +10,9 @@
 # TODO instead deny the zigbee device
 };
+ #security.acme.certs."home.${personalDomain}".extraDomainNames = [
+ # "esphome.home.${personalDomain}"
+ #];
 systemd.services.nginx = {
 serviceConfig.SupplementaryGroups = ["esphome"];
 requires = ["esphome.service"];
diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/zackbiene/home-assistant.nix
index d6afc7d..74f5991 100644
--- a/hosts/zackbiene/home-assistant.nix
+++ b/hosts/zackbiene/home-assistant.nix
@@ -1,10 +1,14 @@
 {
 lib,
 config,
+ nodes,
 ...
 }: let
- haPort = 8123;
+ sentinelCfg = nodes.sentinel.config;
+ homeDomain = "home.${sentinelCfg.repo.secrets.local.personalDomain}";
 in {
+ meta.wireguard-proxy.sentinel.allowedTCPPorts = [80];
+ services.home-assistant = {
 enable = true;
 extraComponents = [
@@ -21,7 +25,7 @@ in {
 config = {
 http = {
 server_host = ["127.0.0.1"];
- server_port = haPort;
+ server_port = 8123;
 use_x_forwarded_for = true;
 trusted_proxies = ["127.0.0.1"];
 };
@@ -38,7 +42,6 @@ in {
 manual = "!include manual.yaml";
 };
 };
- met = {};
 #### only selected components from default_config ####
@@ -107,23 +110,21 @@ in {
 # - only allow connections from privileged LAN to HA or from vpn range
 services.nginx = {
- upstreams."homeassistant" = {
- servers."localhost:${toString haPort}" = {};
+ upstreams.homeassistant = {
+ servers."localhost:${toString config.services.home-assistant.config.http.server_port}" = {};
 extraConfig = ''
 zone homeassistant 64k;
 keepalive 2;
 '';
 };
- virtualHosts."${config.repo.secrets.local.homeassistant.domain}" = {
- serverAliases = ["192.168.1.21"]; # TODO remove later
+ virtualHosts.${homeDomain} = {
 forceSSL = true;
- #enableACME = true;
- sslCertificate = config.age.secrets."selfcert.crt".path;
- sslCertificateKey = config.age.secrets."selfcert.key".path;
+ enableACME = true;
 locations."/" = {
 proxyPass = "http://homeassistant";
 proxyWebsockets = true;
 };
+ # TODO listenAddresses = ["127.0.0.1" "[::1]"]; # TODO dynamic definitions for the "local" network, IPv6
 extraConfig = ''
 allow 192.168.0.0/22;
@@ -131,4 +132,22 @@ in {
 '';
 };
 };
+
+ nodes.sentinel = {
+ services.nginx = {
+ upstreams."zackbiene" = {
+ servers."${config.meta.wireguard.proxy-sentinel.ipv4}:80" = {};
+ extraConfig = ''
+ zone zackbiene 64k;
+ keepalive 2;
+ '';
+ };
+ virtualHosts.${homeDomain} = {
+ # useACMEWildcardHost = true;
+ # TODO add aliases
+ rejectSSL = true; # TODO TLS SNI pass with `ssl_preread on;`
+ locations."/".proxyPass = "http://zackbiene";
+ };
+ };
+ };
 }
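Review bot: The `allow 192.168.0.0/22;` list that `extraConfig` opens at the end of this hunk is matched by nginx against `$remote_addr`, and for requests relayed by sentinel over the tunnel that address is sentinel's WireGuard peer rather than the original client; the `virtualHosts.${homeDomain}` block and its remaining allow/deny lines continue past the hunk, so whether the "vpn range" from the comment already admits that peer cannot be seen here. If it does, every public client that sentinel forwards passes the LAN-only check, so the restriction has to be enforced on sentinel's vhost instead, or nginx has to recover the client address from that single trusted hop, e.g. `set_real_ip_from <sentinel tunnel address>;` together with `real_ip_header X-Forwarded-For;` ahead of the allow lines. Separately, `upstreams.homeassistant` is keyed on `localhost:…` while the hunk above binds Home Assistant with `server_host = ["127.0.0.1"]`; if `localhost` also resolves to `::1` on this host, nginx gains an upstream entry that can never connect, which `servers."127.0.0.1:${toString config.services.home-assistant.config.http.server_port}" = {};` avoids.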
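Review bot: Sentinel's `virtualHosts.${homeDomain}` relays every path with `locations."/".proxyPass = "http://zackbiene";` but refuses TLS with `rejectSSL = true;`, while zackbiene's vhost in the hunk above keeps `forceSSL = true;`: any request other than an ACME challenge is answered with a redirect to https, which then lands on sentinel's refused handshake, so the relay can only serve HTTP-01 until the `ssl_preread` passthrough from the TODO exists. Narrowing the relay to the one prefix the double proxy needs, `locations."/.well-known/acme-challenge/".proxyPass = "http://zackbiene";`, keeps the public plain-HTTP listener from reaching the Home Assistant vhost at all in the meantime. The TODO on the `rejectSSL` line would be clearer as a statement of the current state, e.g. `# plain-HTTP relay for the ACME HTTP-01 challenge only; TLS passthrough (ssl_preread) still TODO`, so the next reader does not debug the redirect loop as a regression.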
diff --git a/hosts/zackbiene/secrets/local.nix.age b/hosts/zackbiene/secrets/local.nix.age index d847ad725bf29584861c0985a43e09927b621d32..6883a8d4335f5164e36ba23f14b094615660809c 100644 GIT binary patch delta 679 zcmV;Y0$Bam1iJ;0Ab)muI95kWZ7*d-Vo5Y{HcU}>NOE#cX>2QHWn*hiFKRYfGAl@D zX?jO^YYI4GYBo`1WNI8{=3XlFMt zF*SH^Q$uM`Z#N1xF?VV=Qgv2PaByRENJU0-K{+)@Ra$OkPi$d!NjPR2nYC|$hQffywl8z*0clm~T=Pt{mabaFu#z(W%<-Wx1^LTRdbXTdS!I-9>+K``e24`jzap!1@ zL++lkyxO=s)DMWtiRq&%*Kh9J`TJccpxP7AzQVtl2Mfh`t z4yPra)~+Mepv*PZ^N5As2h^b7=Ioj@@Nq5hG$5REwPJSo5ktAWZwgFPM{GH2WkG8)ZE$OOYE(*aIB8i)SXwwML`GF;QdvSqb!BULS~yx$Sqd#a zAaH4REpRe5HXwL$Q)M_&AVFtUSyN?UGBZbZR8ebVHFj4^ZGSdeGHzK@bx$}&VtP+h zSw(DRa5HUIHf#!WR%$S3PhojXG*nVaZ8mW?XhLBzP(w^%GfYu8cQs^sW@$%pb1`N$ zNoxu%J|IYGEoX9NVRL05M`nFHAZAuoNg#74OdwNu3R8AtLo{?WWqD9-b2UOK*cDgw&Bo6{vHsotOg7rU=1j8=nRDU{ptJ4e#eD>`!K0mRF{dR+Q zX2oj;8d$4NKoZm=2`$NUR02*wN=NeaR|DFGy+_GQ*bC&8<7LSLn z1$p@yB&