feat: integrate fritzbox smart home devices
This commit is contained in:
parent
db86d754c4
commit
93061af475
5 changed files with 42 additions and 10 deletions
|
@ -82,12 +82,12 @@ in {
|
||||||
listener = {
|
listener = {
|
||||||
jmap = {
|
jmap = {
|
||||||
protocol = "jmap";
|
protocol = "jmap";
|
||||||
bind = " [::]:18080";
|
bind = " [::]:8080";
|
||||||
url = "https://mail.${primaryDomain}/jmap";
|
url = "https://mail.${primaryDomain}/jmap";
|
||||||
};
|
};
|
||||||
imaps = {
|
imaps = {
|
||||||
protocol = "imap";
|
protocol = "imap";
|
||||||
bind = "[::]:1993";
|
bind = "[::]:993";
|
||||||
tls.enable = true;
|
tls.enable = true;
|
||||||
tls.implicit = true;
|
tls.implicit = true;
|
||||||
};
|
};
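Review bot: The new jmap bind string `bind = " [::]:8080";` keeps a leading space inside the quotes, unlike the imaps bind `"[::]:993"` in the same hunk; if that space is not a rendering artifact it will likely break address parsing and should read `bind = "[::]:8080";`. Moving imaps to 993 also means the listener now needs a privileged port, so the stalwart unit must have CAP_NET_BIND_SERVICE (or run as root); that is not visible here and should be confirmed. The plaintext jmap listener on 8080 is bound on all interfaces while `url` advertises `https://mail.…/jmap`, so it must only be reachable from whatever reverse proxy terminates TLS — that depends on firewall rules outside this hunk. The enclosing `listener` attribute set starts before this hunk.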
|
||||||
|
|
|
@ -70,7 +70,7 @@ in {
|
||||||
group = "influxdb2";
|
group = "influxdb2";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.influxdb2.provision.organizations.machines.auths."grafana home:home_assistan (${config.node.name})" = {
|
services.influxdb2.provision.organizations.home.auths."grafana home:home_assistant (${config.node.name})" = {
|
||||||
readBuckets = ["home_assistant"];
|
readBuckets = ["home_assistant"];
|
||||||
writeBuckets = ["home_assistant"];
|
writeBuckets = ["home_assistant"];
|
||||||
tokenFile = nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-home-${config.node.name}".path;
|
tokenFile = nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-home-${config.node.name}".path;
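Review bot: The Grafana token provisioned by `services.influxdb2.provision.organizations.home.auths."grafana home:home_assistant (${config.node.name})"` still carries `writeBuckets = ["home_assistant"];`, although a dashboard data source only reads; a write-capable token on the Grafana host lets a compromised Grafana alter or delete the metrics it is meant to display. Narrow it to `writeBuckets = [];` unless something on this node actually writes to the bucket. Moving the auth from the `machines` organization to `home` also requires the `home_assistant` bucket to exist under `home`; the bucket provisioning is not in this hunk, so confirm it moved as well.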
|
||||||
|
|
|
@ -94,6 +94,7 @@ in {
|
||||||
nodes.sentinel.config.networking.providedDomains.loki
|
nodes.sentinel.config.networking.providedDomains.loki
|
||||||
nodes.sentinel.config.networking.providedDomains.paperless
|
nodes.sentinel.config.networking.providedDomains.paperless
|
||||||
"home.${config.repo.secrets.global.domains.me}"
|
"home.${config.repo.secrets.global.domains.me}"
|
||||||
|
"fritzbox.${config.repo.secrets.global.domains.me}"
|
||||||
];
|
];
|
||||||
filters = [
|
filters = [
|
||||||
{
|
{
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
{config, ...}: let
|
{config, ...}: let
|
||||||
inherit (config.repo.secrets.local) acme;
|
inherit (config.repo.secrets.local) acme;
|
||||||
|
fritzboxDomain = "fritzbox.${config.repo.secrets.global.domains.me}";
|
||||||
in {
|
in {
|
||||||
wireguard.proxy-home = {
|
wireguard.proxy-home = {
|
||||||
client.via = "ward";
|
client.via = "ward";
|
||||||
|
@ -32,6 +33,33 @@ in {
|
||||||
inherit (acme) certs wildcardDomains;
|
inherit (acme) certs wildcardDomains;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
upstreams.fritzbox = {
|
||||||
|
servers."192.168.178.1" = {};
|
||||||
|
extraConfig = ''
|
||||||
|
zone grafana 64k;
|
||||||
|
keepalive 2;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
virtualHosts.${fritzboxDomain} = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEWildcardHost = true;
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://fritzbox";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
# Allow using self-signed certs. We just want to make sure the connection
|
||||||
|
# is over TLS.
|
||||||
|
# FIXME: refer to lan 192.168... and fd10:: via globals
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_ssl_verify off;
|
||||||
|
allow 192.168.1.0/24;
|
||||||
|
allow fd10::/64;
|
||||||
|
deny all;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
users.groups.acme.members = ["nginx"];
|
users.groups.acme.members = ["nginx"];
|
||||||
services.nginx.enable = true;
|
services.nginx.enable = true;
|
||||||
services.nginx.recommendedSetup = true;
|
services.nginx.recommendedSetup = true;
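Review bot: The comment `# Allow using self-signed certs. We just want to make sure the connection is over TLS.` and the `proxy_ssl_verify off;` directive do not match the upstream they sit next to: the vhost uses `proxyPass = "http://fritzbox";` against `servers."192.168.178.1" = {};`, so nginx speaks plain HTTP to the router, the `proxy_ssl_*` setting is inert, and the Fritz!Box login credentials cross the LAN in cleartext. If the router serves HTTPS on its LAN side (it normally does on 443 with a self-signed certificate), change the two lines to `servers."192.168.178.1:443" = {};` and `proxyPass = "https://fritzbox";`, after which `proxy_ssl_verify off` does what the comment says; pinning the router's certificate with `proxy_ssl_trusted_certificate` and `proxy_ssl_verify on` would be the stronger option. The shared-memory zone `zone grafana 64k;` looks copied from another upstream; it works, but `zone fritzbox 64k;` avoids confusion. Because this vhost publishes the router's admin UI, the `allow`/`deny` list is the only control in front of the router's own login, so the FIXME about hard-coded prefixes is worth resolving before the LAN layout changes.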
|
||||||
|
|
|
@ -6,6 +6,7 @@
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
homeDomain = "home.${config.repo.secrets.global.domains.me}";
|
homeDomain = "home.${config.repo.secrets.global.domains.me}";
|
||||||
|
fritzboxDomain = "fritzbox.${config.repo.secrets.global.domains.me}";
|
||||||
in {
|
in {
|
||||||
wireguard.proxy-home.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
|
wireguard.proxy-home.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
|
||||||
config.services.home-assistant.config.http.server_port
|
config.services.home-assistant.config.http.server_port
|
||||||
|
@ -59,7 +60,9 @@ in {
|
||||||
#### only selected components from default_config ####
|
#### only selected components from default_config ####
|
||||||
|
|
||||||
assist_pipeline = {};
|
assist_pipeline = {};
|
||||||
|
backup = {};
|
||||||
bluetooth = {};
|
bluetooth = {};
|
||||||
|
config = {};
|
||||||
#cloud = {};
|
#cloud = {};
|
||||||
#conversation = {};
|
#conversation = {};
|
||||||
dhcp = {};
|
dhcp = {};
|
||||||
|
@ -67,7 +70,6 @@ in {
|
||||||
history = {};
|
history = {};
|
||||||
homeassistant_alerts = {};
|
homeassistant_alerts = {};
|
||||||
logbook = {};
|
logbook = {};
|
||||||
map = {};
|
|
||||||
#media_source = {};
|
#media_source = {};
|
||||||
mobile_app = {};
|
mobile_app = {};
|
||||||
my = {};
|
my = {};
|
||||||
|
@ -80,8 +82,6 @@ in {
|
||||||
|
|
||||||
### Components not from default_config
|
### Components not from default_config
|
||||||
|
|
||||||
backup = {};
|
|
||||||
config = {};
|
|
||||||
frontend = {
|
frontend = {
|
||||||
#themes = "!include_dir_merge_named themes";
|
#themes = "!include_dir_merge_named themes";
|
||||||
};
|
};
|
||||||
|
@ -115,12 +115,12 @@ in {
|
||||||
if [[ -e ${config.services.home-assistant.configDir}/secrets.yaml ]]; then
|
if [[ -e ${config.services.home-assistant.configDir}/secrets.yaml ]]; then
|
||||||
rm ${config.services.home-assistant.configDir}/secrets.yaml
|
rm ${config.services.home-assistant.configDir}/secrets.yaml
|
||||||
fi
|
fi
|
||||||
cat ${config.age.secrets."home-assistant-secrets.yaml".path} > ${config.services.home-assistant.configDir}/secrets.yaml
|
|
||||||
|
|
||||||
# Update influxdb token
|
# Update influxdb token
|
||||||
|
# We don't use -i because it would require chown with is a @privileged syscall
|
||||||
INFLUXDB_TOKEN="$(cat ${config.age.secrets.hass-influxdb-token.path})" \
|
INFLUXDB_TOKEN="$(cat ${config.age.secrets.hass-influxdb-token.path})" \
|
||||||
${lib.getExe pkgs.yq-go} -i '.influxdb_token = strenv(INFLUXDB_TOKEN)' \
|
${lib.getExe pkgs.yq-go} '.influxdb_token = strenv(INFLUXDB_TOKEN)' \
|
||||||
${config.services.home-assistant.configDir}/secrets.yaml
|
${config.age.secrets."home-assistant-secrets.yaml".path} > ${config.services.home-assistant.configDir}/secrets.yaml
|
||||||
|
|
||||||
touch -a ${config.services.home-assistant.configDir}/{automations,scenes,scripts,manual}.yaml
|
touch -a ${config.services.home-assistant.configDir}/{automations,scenes,scripts,manual}.yaml
|
||||||
'';
|
'';
|
||||||
|
@ -140,13 +140,16 @@ in {
|
||||||
group = "influxdb2";
|
group = "influxdb2";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.influxdb2.provision.organizations.machines.auths."home-assistant (${config.node.name})" = {
|
services.influxdb2.provision.organizations.home.auths."home-assistant (${config.node.name})" = {
|
||||||
readBuckets = ["home_assistant"];
|
readBuckets = ["home_assistant"];
|
||||||
writeBuckets = ["home_assistant"];
|
writeBuckets = ["home_assistant"];
|
||||||
tokenFile = nodes.sire-influxdb.config.age.secrets."hass-influxdb-token-${config.node.name}".path;
|
tokenFile = nodes.sire-influxdb.config.age.secrets."hass-influxdb-token-${config.node.name}".path;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Connect to fritzbox via https proxy (to ensure valid cert)
|
||||||
|
networking.hosts."192.168.1.4" = [fritzboxDomain];
|
||||||
|
|
||||||
nodes.ward-web-proxy = {
|
nodes.ward-web-proxy = {
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
upstreams."home-assistant" = {
|
upstreams."home-assistant" = {
|
||||||
|
|