diff --git a/hosts/sentinel/acme.nix b/hosts/sentinel/acme.nix
index c710a70..5100774 100644
--- a/hosts/sentinel/acme.nix
+++ b/hosts/sentinel/acme.nix
@@ -16,6 +16,6 @@ in {
       dnsPropagationCheck = true;
       reloadServices = ["nginx"];
     };
+    wildcardDomains = acme.domains;
   };
-  security.acme.wildcardDomains = acme.domains;
 }
diff --git a/hosts/zackbiene/default.nix b/hosts/zackbiene/default.nix
index 1529bab..f60d215 100644
--- a/hosts/zackbiene/default.nix
+++ b/hosts/zackbiene/default.nix
@@ -1,9 +1,12 @@
 {
+  config,
   lib,
   nodes,
   ...
 }: let
+  inherit (config.repo.secrets.local) acme;
   sentinelCfg = nodes.sentinel.config;
+  inherit (sentinelCfg.repo.secrets.local) personalDomain;
 in {
   imports = [
     ../../modules/optional/hardware/odroid-n2plus.nix
@@ -15,15 +18,25 @@ in {
     #./esphome.nix
     ./fs.nix
-    #./home-assistant.nix
+    ./home-assistant.nix
     ./hostapd.nix
     #./mosquitto.nix
     ./kea.nix
     ./net.nix
-    #./nginx.nix
     #./zigbee2mqtt.nix
   ];
 
+  users.groups.acme.members = ["nginx"];
+  services.nginx.enable = true;
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      inherit (acme) email;
+      reloadServices = ["nginx"];
+    };
+  };
+
   meta.wireguard-proxy.sentinel = {};
   meta.promtail = {
     enable = true;
diff --git a/hosts/zackbiene/esphome.nix b/hosts/zackbiene/esphome.nix
index b4f9d1c..0703a64 100644
--- a/hosts/zackbiene/esphome.nix
+++ b/hosts/zackbiene/esphome.nix
@@ -10,6 +10,9 @@
     # TODO instead deny the zigbee device
   };
 
+  #security.acme.certs."home.${personalDomain}".extraDomainNames = [
+  #  "esphome.home.${personalDomain}"
+  #];
   systemd.services.nginx = {
     serviceConfig.SupplementaryGroups = ["esphome"];
     requires = ["esphome.service"];
diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/zackbiene/home-assistant.nix
index d6afc7d..74f5991 100644
--- a/hosts/zackbiene/home-assistant.nix
+++ b/hosts/zackbiene/home-assistant.nix
@@ -1,10 +1,14 @@
 {
   lib,
   config,
+  nodes,
   ...
 }: let
-  haPort = 8123;
+  sentinelCfg = nodes.sentinel.config;
+  homeDomain = "home.${sentinelCfg.repo.secrets.local.personalDomain}";
 in {
+  meta.wireguard-proxy.sentinel.allowedTCPPorts = [80];
+
   services.home-assistant = {
     enable = true;
     extraComponents = [
@@ -21,7 +25,7 @@ in {
     config = {
       http = {
         server_host = ["127.0.0.1"];
-        server_port = haPort;
+        server_port = 8123;
         use_x_forwarded_for = true;
         trusted_proxies = ["127.0.0.1"];
       };
@@ -38,7 +42,6 @@ in {
         manual = "!include manual.yaml";
       };
     };
-    met = {};
 
     #### only selected components from default_config ####
 
@@ -107,23 +110,21 @@ in {
   # - only allow connections from privileged LAN to HA or from vpn range
   services.nginx = {
-    upstreams."homeassistant" = {
-      servers."localhost:${toString haPort}" = {};
+    upstreams.homeassistant = {
+      servers."localhost:${toString config.services.home-assistant.config.http.server_port}" = {};
       extraConfig = ''
         zone homeassistant 64k;
         keepalive 2;
       '';
     };
-    virtualHosts."${config.repo.secrets.local.homeassistant.domain}" = {
-      serverAliases = ["192.168.1.21"]; # TODO remove later
+    virtualHosts.${homeDomain} = {
       forceSSL = true;
-      #enableACME = true;
-      sslCertificate = config.age.secrets."selfcert.crt".path;
-      sslCertificateKey = config.age.secrets."selfcert.key".path;
+      enableACME = true;
       locations."/" = {
         proxyPass = "http://homeassistant";
         proxyWebsockets = true;
       };
+      # TODO listenAddresses = ["127.0.0.1" "[::1]"];
       # TODO dynamic definitions for the "local" network, IPv6
       extraConfig = ''
         allow 192.168.0.0/22;
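Review bot: In the `services.nginx` hunk, `enableACME = true` makes the HTTP-01 challenge location depend on the server-level access list that `extraConfig` opens with `allow 192.168.0.0/22;` — nginx locations inherit `allow`/`deny` from the server block unless they define their own, so challenge requests relayed from sentinel over the wireguard link are refused unless the proxy's source address is covered by the part of the list that lies below the hunk (the "vpn range" the comment mentions may or may not be it). Consider either naming that source explicitly before the final deny, e.g. `allow <sentinel-wireguard-address>;`, or moving the LAN/VPN restriction into `locations."/".extraConfig` so the challenge path is governed separately from the Home Assistant proxy. Relatedly, `trusted_proxies = ["127.0.0.1"]` in the hunk above covers only the local nginx hop, while sentinel's proxy is now a second hop in front of it; which address Home Assistant attributes to a relayed request (and whether a client-supplied X-Forwarded-For can influence it) depends on the forwarding headers each nginx sets, which are not visible here and are worth confirming since Home Assistant's per-IP login throttling keys on that value. The `services.nginx` attribute set and the `extraConfig` string continue past the end of the hunk.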
@@ -131,4 +132,22 @@ in {
       '';
     };
   };
+
+  nodes.sentinel = {
+    services.nginx = {
+      upstreams."zackbiene" = {
+        servers."${config.meta.wireguard.proxy-sentinel.ipv4}:80" = {};
+        extraConfig = ''
+          zone zackbiene 64k;
+          keepalive 2;
+        '';
+      };
+      virtualHosts.${homeDomain} = {
+        # useACMEWildcardHost = true;
+        # TODO add aliases
+        rejectSSL = true; # TODO TLS SNI pass with `ssl_preread on;`
+        locations."/".proxyPass = "http://zackbiene";
+      };
+    };
+  };
 }
diff --git a/hosts/zackbiene/secrets/local.nix.age b/hosts/zackbiene/secrets/local.nix.age
index d847ad7..6883a8d 100644
Binary files a/hosts/zackbiene/secrets/local.nix.age and b/hosts/zackbiene/secrets/local.nix.age differ
diff --git a/hosts/zackbiene/zigbee2mqtt.nix b/hosts/zackbiene/zigbee2mqtt.nix
index c50dddd..d4af159 100644
--- a/hosts/zackbiene/zigbee2mqtt.nix
+++ b/hosts/zackbiene/zigbee2mqtt.nix
@@ -10,6 +10,9 @@
     group = "mosquitto";
   };
 
+  #security.acme.certs."home.${personalDomain}".extraDomainNames = [
+  #  "zigbee.home.${personalDomain}"
+  #];
   services.zigbee2mqtt = {
     enable = true;
     settings = {
diff --git a/modules/config/impermanence.nix b/modules/config/impermanence.nix
index 8024b3a..173195a 100644
--- a/modules/config/impermanence.nix
+++ b/modules/config/impermanence.nix
@@ -165,6 +165,22 @@
         group = "root";
         mode = "0700";
       }
+    ]
+    ++ lib.optionals config.services.esphome.enable [
+      {
+        directory = "/var/lib/private/esphome";
+        user = "root";
+        group = "root";
+        mode = "0700";
+      }
+    ]
+    ++ lib.optionals config.services.home-assistant.enable [
+      {
+        directory = config.services.home-assistant.configDir;
+        user = "hass";
+        group = "hass";
+        mode = "0700";
+      }
     ];
   };
 }
diff --git a/modules/meta/nginx.nix b/modules/meta/nginx.nix
index 04d41ba..9cba64d 100644
--- a/modules/meta/nginx.nix
+++ b/modules/meta/nginx.nix
@@ -77,6 +77,7 @@ in {
     virtualHosts.dummy = {
       listenAddresses = ["127.0.0.1" "[::1]"];
       default = true;
+      rejectSSL = true;
       locations."/".extraConfig = ''
         deny all;
       '';
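Review bot: In the `nodes.sentinel` hunk, `rejectSSL = true` together with `locations."/".proxyPass = "http://zackbiene"` publishes zackbiene's whole HTTP vhost on the edge host over cleartext; until the SNI passthrough in the TODO exists, the only path that has to be reachable this way is the ACME HTTP-01 challenge, and keeping everything else off plain HTTP currently relies on the upstream's `forceSSL` redirect configured in another file. Bounding the exposure on sentinel itself takes two lines: `locations."/.well-known/acme-challenge/".proxyPass = "http://zackbiene";` and `locations."/".return = "444";` (a redirect to https would fail at the rejected handshake, so closing the connection is the honest answer here). The upstream's `:80` on the wireguard address matches the `allowedTCPPorts = [80]` opened in home-assistant.nix's first hunk, so no further port is needed for the challenge path.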