
feat(zackbiene): reenable hass with ACME double proxy

oddlama 2023-07-27 19:06:03 +02:00
parent b2b2e60725
commit eeac57d30d
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
8 changed files with 68 additions and 13 deletions


@ -16,6 +16,6 @@ in {
dnsPropagationCheck = true; dnsPropagationCheck = true;
reloadServices = ["nginx"]; reloadServices = ["nginx"];
}; };
wildcardDomains = acme.domains;
}; };
security.acme.wildcardDomains = acme.domains;
} }


@ -1,9 +1,12 @@
{ {
config,
lib, lib,
nodes, nodes,
... ...
}: let }: let
inherit (config.repo.secrets.local) acme;
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
inherit (sentinelCfg.repo.secrets.local) personalDomain;
in { in {
imports = [ imports = [
../../modules/optional/hardware/odroid-n2plus.nix ../../modules/optional/hardware/odroid-n2plus.nix
@ -15,15 +18,25 @@ in {
#./esphome.nix #./esphome.nix
./fs.nix ./fs.nix
#./home-assistant.nix ./home-assistant.nix
./hostapd.nix ./hostapd.nix
#./mosquitto.nix #./mosquitto.nix
./kea.nix ./kea.nix
./net.nix ./net.nix
#./nginx.nix
#./zigbee2mqtt.nix #./zigbee2mqtt.nix
]; ];
users.groups.acme.members = ["nginx"];
services.nginx.enable = true;
security.acme = {
acceptTerms = true;
defaults = {
inherit (acme) email;
reloadServices = ["nginx"];
};
};
meta.wireguard-proxy.sentinel = {}; meta.wireguard-proxy.sentinel = {};
meta.promtail = { meta.promtail = {
enable = true; enable = true;
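Review bot: The new `security.acme.defaults` block sets only `email` and `reloadServices`, so the `enableACME = true` vhost that home-assistant.nix now declares will fall back to the module's default HTTP-01 validation unless a `dnsProvider` is configured somewhere outside these hunks; sentinel's own ACME block in this commit uses `dnsPropagationCheck` (DNS-01), and zackbiene's port 80 is only reachable through the sentinel wireguard proxy, so which path the challenge takes is not obvious. A one-line comment on the defaults block would settle it, e.g. `# TODO(acme): document which challenge reaches this host (HTTP-01 through sentinel, or DNS-01 as on sentinel)`. Separately, `inherit (sentinelCfg.repo.secrets.local) personalDomain;` is not referenced in the visible hunks of this file (home-assistant.nix reads the domain via `sentinelCfg` itself); if the rest of the file does not use it either, the binding can go. The file continues outside the hunks.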


@ -10,6 +10,9 @@
# TODO instead deny the zigbee device # TODO instead deny the zigbee device
}; };
#security.acme.certs."home.${personalDomain}".extraDomainNames = [
# "esphome.home.${personalDomain}"
#];
systemd.services.nginx = { systemd.services.nginx = {
serviceConfig.SupplementaryGroups = ["esphome"]; serviceConfig.SupplementaryGroups = ["esphome"];
requires = ["esphome.service"]; requires = ["esphome.service"];


@ -1,10 +1,14 @@
{ {
lib, lib,
config, config,
nodes,
... ...
}: let }: let
haPort = 8123; sentinelCfg = nodes.sentinel.config;
homeDomain = "home.${sentinelCfg.repo.secrets.local.personalDomain}";
in { in {
meta.wireguard-proxy.sentinel.allowedTCPPorts = [80];
services.home-assistant = { services.home-assistant = {
enable = true; enable = true;
extraComponents = [ extraComponents = [
@ -21,7 +25,7 @@ in {
config = { config = {
http = { http = {
server_host = ["127.0.0.1"]; server_host = ["127.0.0.1"];
server_port = haPort; server_port = 8123;
use_x_forwarded_for = true; use_x_forwarded_for = true;
trusted_proxies = ["127.0.0.1"]; trusted_proxies = ["127.0.0.1"];
}; };
@ -38,7 +42,6 @@ in {
manual = "!include manual.yaml"; manual = "!include manual.yaml";
}; };
}; };
met = {};
#### only selected components from default_config #### #### only selected components from default_config ####
@ -107,23 +110,21 @@ in {
# - only allow connections from privileged LAN to HA or from vpn range # - only allow connections from privileged LAN to HA or from vpn range
services.nginx = { services.nginx = {
upstreams."homeassistant" = { upstreams.homeassistant = {
servers."localhost:${toString haPort}" = {}; servers."localhost:${toString config.services.home-assistant.config.http.server_port}" = {};
extraConfig = '' extraConfig = ''
zone homeassistant 64k; zone homeassistant 64k;
keepalive 2; keepalive 2;
''; '';
}; };
virtualHosts."${config.repo.secrets.local.homeassistant.domain}" = { virtualHosts.${homeDomain} = {
serverAliases = ["192.168.1.21"]; # TODO remove later
forceSSL = true; forceSSL = true;
#enableACME = true; enableACME = true;
sslCertificate = config.age.secrets."selfcert.crt".path;
sslCertificateKey = config.age.secrets."selfcert.key".path;
locations."/" = { locations."/" = {
proxyPass = "http://homeassistant"; proxyPass = "http://homeassistant";
proxyWebsockets = true; proxyWebsockets = true;
}; };
# TODO listenAddresses = ["127.0.0.1" "[::1]"];
# TODO dynamic definitions for the "local" network, IPv6 # TODO dynamic definitions for the "local" network, IPv6
extraConfig = '' extraConfig = ''
allow 192.168.0.0/22; allow 192.168.0.0/22;
@ -131,4 +132,22 @@ in {
''; '';
}; };
}; };
nodes.sentinel = {
services.nginx = {
upstreams."zackbiene" = {
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:80" = {};
extraConfig = ''
zone zackbiene 64k;
keepalive 2;
'';
};
virtualHosts.${homeDomain} = {
# useACMEWildcardHost = true;
# TODO add aliases
rejectSSL = true; # TODO TLS SNI pass with `ssl_preread on;`
locations."/".proxyPass = "http://zackbiene";
};
};
};
} }
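Review bot: The new sentinel vhost in the `nodes.sentinel` block forwards plain HTTP to `http://zackbiene`, so every request that reaches zackbiene's port-80 listener through this hop arrives with sentinel's wireguard address as `$remote_addr`; the `allow 192.168.0.0/22; …` rules at the end of zackbiene's vhost `extraConfig` (continued outside the hunk) are evaluated against that address, not the original client, so if the wireguard proxy range is on the allow list (the comment above mentions a vpn range) the ACL no longer limits who can reach Home Assistant through sentinel. Related, zackbiene's vhost keeps `forceSSL = true`, so those proxied requests are answered with a redirect to `https://${homeDomain}`, which sentinel's `rejectSSL = true` refuses until the `ssl_preread` TODO is done; it is worth stating that in the sentinel vhost, e.g. `# NOTE: TLS for this host is rejected on sentinel until SNI passthrough exists; HA stays LAN/VPN-only for now`. Consider also adding `allow`/`deny` on the sentinel vhost so the proxy hop does not widen the audience of zackbiene's allow-list.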


@ -10,6 +10,9 @@
group = "mosquitto"; group = "mosquitto";
}; };
#security.acme.certs."home.${personalDomain}".extraDomainNames = [
# "zigbee.home.${personalDomain}"
#];
services.zigbee2mqtt = { services.zigbee2mqtt = {
enable = true; enable = true;
settings = { settings = {


@ -165,6 +165,22 @@
group = "root"; group = "root";
mode = "0700"; mode = "0700";
} }
]
++ lib.optionals config.services.esphome.enable [
{
directory = "/var/lib/private/esphome";
user = "root";
group = "root";
mode = "0700";
}
]
++ lib.optionals config.services.home-assistant.enable [
{
directory = config.services.home-assistant.configDir;
user = "hass";
group = "hass";
mode = "0700";
}
]; ];
}; };
} }
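Review bot: The `/var/lib/private/esphome` persistence entry is declared `root:root` with mode `0700`, while the home-assistant entry next to it uses `hass:hass`; presumably esphome runs with systemd `DynamicUser` (hence the `/var/lib/private` path) and systemd re-owns the directory at service start, but nothing in the hunk says so. A short comment would stop a later reader from "fixing" the ownership, e.g. `# esphome uses DynamicUser: systemd re-owns the private state dir at start, so root:root is intentional -- TODO confirm against the esphome module`. The enclosing list starts outside the hunk.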


@ -77,6 +77,7 @@ in {
virtualHosts.dummy = { virtualHosts.dummy = {
listenAddresses = ["127.0.0.1" "[::1]"]; listenAddresses = ["127.0.0.1" "[::1]"];
default = true; default = true;
rejectSSL = true;
locations."/".extraConfig = '' locations."/".extraConfig = ''
deny all; deny all;
''; '';
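Review bot: `rejectSSL = true` on `virtualHosts.dummy` only takes effect on the listeners that vhost binds, and it is restricted to `listenAddresses = ["127.0.0.1" "[::1]"]`; nginx picks a `default_server` per listen address:port, so TLS connections arriving on the public addresses with an unknown or missing SNI are still handled by whichever vhost nginx selects first for those sockets, not by this catch-all. If the intent is to refuse TLS for unmatched hostnames from the outside, the dummy vhost needs to listen on the public addresses as well (or drop `listenAddresses`), unless the other sentinel vhosts also bind only specific addresses, which is outside the hunk. The `deny all` location and the surrounding `services.nginx` block continue outside the hunk.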