WIP: homeassistant

2025-01-05 22:27:49 +01:00 · 2025-01-05 22:27:49 +01:00 · 6113c50a44
parent b94d523805
commit 6113c50a44
16 changed files with 2483 additions and 20 deletions
--- a/config/basic/net.nix
+++ b/config/basic/net.nix
@ -41,6 +41,7 @@
    llmnr = "false";
    extraConfig = ''
      Domains=~.
+      MulticastDNS=false
    '';
  };
 }
--- a/config/services/homeassistant.nix
+++ b/config/services/homeassistant.nix
@ -1,7 +1,8 @@
 {
  config,
-  globals,
  nodes,
+  lib,
+  pkgs,
  ...
 }:
 {
@ -59,17 +60,17 @@
        #themes = "!include_dir_merge_named themes";
      };

-      influxdb = {
-        api_version = 2;
-        host = globals.services.influxdb.domain;
-        port = "443";
-        max_retries = 10;
-        ssl = true;
-        verify_ssl = true;
-        token = "!secret influxdb_token";
-        organization = "home";
-        bucket = "home_assistant";
-      };
+      # influxdb = {
+      #   api_version = 2;
+      #   host = globals.services.influxdb.domain;
+      #   port = "443";
+      #   max_retries = 10;
+      #   ssl = true;
+      #   verify_ssl = true;
+      #   token = "!secret influxdb_token";
+      #   organization = "home";
+      #   bucket = "home_assistant";
+      # };
    };
    extraPackages =
      python3Packages: with python3Packages; [
@ -77,4 +78,25 @@
        gtts
      ];
  };
+  age.secrets."home-assistant-secrets.yaml" = {
+    rekeyFile = "${config.node.secretsDir}/secrets.yaml.age";
+    owner = "hass";
+  };
+  systemd.services.home-assistant = {
+    preStart = lib.mkBefore ''
+      if [[ -e ${config.services.home-assistant.configDir}/secrets.yaml ]]; then
+        rm ${config.services.home-assistant.configDir}/secrets.yaml
+      fi
+
+      # Update influxdb token
+      # We don't use -i because it would require chown with is a @privileged syscall
+      # INFLUXDB_TOKEN="$(cat ${config.age.secrets.hass-influxdb-token.path})" \
+      #   ${lib.getExe pkgs.yq-go} '.influxdb_token = strenv(INFLUXDB_TOKEN)'
+        cat ${
+          config.age.secrets."home-assistant-secrets.yaml".path
+        } > ${config.services.home-assistant.configDir}/secrets.yaml
+
+      touch -a ${config.services.home-assistant.configDir}/{automations,scenes,scripts,manual}.yaml
+    '';
+  };
 }
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@ -134,6 +134,7 @@ in
      (blockOf "yourspotify" { port = 80; })
      (blockOf "blog" { port = 80; })
      (blockOf "homebox" { })
+      (blockOf "homeassistant" { })
      (proxyProtect "ollama" { })
      (proxyProtect "firefly" { port = 80; })
      (blockOf "apispotify" {
--- a/globals.nix
+++ b/globals.nix
@ -143,6 +143,10 @@ in
        host = "elisabeth-murmur";
        ip = 9;
      };
+      homeassistant = {
+        domain = "hs.${globals.domains.web}";
+        host = "elisabeth-homeassistant";
+      };
    };
  };
 }
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@ -127,6 +127,7 @@
    // mkContainer "netbird" { }
    // mkContainer "blog" { }
    // mkContainer "kanidm" { }
+    // mkContainer "homeassistant" { }
    // mkContainer "nextcloud" { enablePanzer = true; }
    // mkContainer "paperless" { enableSharedPaperless = true; }
    // mkContainer "forgejo" { enablePanzer = true; }
--- a/hosts/elisabeth/secrets/homeassistant/secrets.yaml.age
+++ b/hosts/elisabeth/secrets/homeassistant/secrets.yaml.age
@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> X25519 NliweT9EQ6nsDdQTzH+navFs1SdqXwqa8k4yV24QYRQ
+jko+UoInyn1NgRRorYlchIIhLocze0+o/YJBlZ6xrY4
+-> piv-p256 ZFgiIw AhszEpkyHZ102kA19ogh3v4v88P2yx3gdWJ5UdgFecpB
+UFQCJCo6xHAHlkBLe3+khl+hXV35/d6VTSQx+CfrZt4
+-> piv-p256 XTQkUA A/z6RjbWqwVTsyD+5/A//nPAjlhYQSg/eWeO32oZ5ZeY
+eV5ZO6XkCEdyHngYmd6t9A7VxqRvffWqqn+frW4OMco
+-> piv-p256 ZFgiIw A9NcNdRvBzyh2b7BxUKhPB2anbK3sl8LZKTgANula29D
+RfSFUp3fDOJW5WHZS//kLN6MJUgZd7O2KKhPkfdI9ME
+-> piv-p256 5vmPtQ AiMkRE/phq3bmzBBB4s/IHX3uV5WKRKrZTWDEH3/RFSf
+pEYqKIDxHwSBl+X9Ftvq5a/n8v7QnmJNkKWpX3JXHuc
+-> nbG`Q28-grease }&} zD n"q?
+MJKwGIHtnXlOAp2OMdNaxGVSrw
+--- 8vcYpdAfrcYGRaJocxJHk1LUFOreD4FMt8x2MuDeWO4
+Â—Ą^9±řAĐĺŘĆŃ)<29>Ż<EFBFBD>·śČČéŞ%ÍJ˙Óž•[˛íŔň6ß$ˇšUZTŠ˙ČµŇâ‚ť:)óŰrßwĚLŻ íöJ6ţWşĺÎj7„)™T¶Ďĺ’ń˝ÉęÔ˙)řę[#â¨“7>,źU-ýš#c.çąÓiC^I„Đ=Î
--- a/hosts/nucnix/hostapd.nix
+++ b/hosts/nucnix/hostapd.nix
@ -1,5 +1,6 @@
 {
  globals,
+  config,
  pkgs,
  ...
 }:
@ -9,6 +10,14 @@
    intel2200BGFirmware
  ];
  #boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+  age.secrets = {
+    homeWlan = {
+      generator.script = "alnum";
+    };
+    guestWlan = {
+      generator.script = "alnum";
+    };
+  };

  networking.nftables.firewall.zones.wlan.interfaces = [ "wlan1" ];
  networking.nftables.firewall.zones.home.interfaces = [ "br-home" ];
@ -56,11 +65,11 @@
        authentication = {
          saePasswords = [
            {
-              password = "ctiectie";
+              passwordFile = config.age.secrets.homeWlan.path;
              vlanid = 10;
            }
            {
-              password = "nrsgnrsg";
+              passwordFile = config.age.secrets.guestWlan.path;
              vlanid = 50;
            }
          ];
--- a/hosts/nucnix/secrets/generated/guestWlan.age
+++ b/hosts/nucnix/secrets/generated/guestWlan.age
@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> X25519 DnkfavonwcikVjuIH3aQTxh9+U+Vr6se2PPdjCL68iw
+qcfI8Rz+8fLqePoqk4XEY0vQyH2+eZtE3c/lrei9OWo
+-> piv-p256 ZFgiIw AzKnjNFccsLZSS6EipE+gqoMzjj5Q//OMpAxrPFVHzPW
+VphyHLTFEc7nsPfETAi/4VLg+mXb6B2qgTikgn1SyJI
+-> piv-p256 XTQkUA A6mFKlj6AYBxwe+p3Yn57Re5e4Ihk42qNCbwFXDVLsV2
+YogIWza1sZGXOOeZVVD2fcShAG00QQosLlHntBK+UeI
+-> piv-p256 ZFgiIw A2dlENHarOIr4e3ZikrRYeWZI1N4NKwzWuIB4+Vuq96a
+55zk9XyUEGwwnxxGFyfia8YVF9Sjj7KFut03YrH6+Zc
+-> piv-p256 5vmPtQ Aq81XRMh1/reZhBMQIGd7C+sOEG1pKSTJbdEAmkPoP17
+WCzUWz3HDZIIrqMuypxkZMqzoggCmaSPrXNdmNMntHY
+-> &1koE-grease
+dqDfmnpD0sarnFxWDlpn5p3AMIWMPz58V0pJ5Lu2mXAIjEqPimCW/Q
+--- UA2bf9I/vCa+Zn6zRM6V7OeHS69Drwes8V0UexK+SBU
+‰5ÃPg÷µKD¸Š &éÁòö£ûïß@ÖuZ<75>¢ú?J$fÄšºëšZC¤ÑÉ‹9ùL
R£òã„”Ìxb¹'ù…cMC:ÆJ’²–GÎ~!M(÷
--- a/hosts/nucnix/secrets/generated/homeWlan.age
+++ b/hosts/nucnix/secrets/generated/homeWlan.age
@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> X25519 Io4w4AN1fKAsgZhvXsbVdT5tyEa1gyRHrhLfyXzxqBA
+5cSqWN9G6sggJ4k1dAZCvu/oOLm6ZaWADF+DProHAsA
+-> piv-p256 ZFgiIw AlmnDZAzIM6GDb664n2W93DDLUFT+z5rhJfPNyDxcmBk
+b9f/neXP5AZhkFjVDqZ0jHe0FBWm3+Z1tQt7qocr3vE
+-> piv-p256 XTQkUA A4L+oki+mDOX6WecLSEcKzIRqYuCkldYkrjfszaLabFE
+mWvfhhaArRvZ6xzNPb2SrAWrVHuqSwvIUc9plLjPRz0
+-> piv-p256 ZFgiIw A0TS+eA3oAyX6zNgtIQfPw43lbbOVnRxvCXDS7+TWFR9
+Bt9KhW9Hm8fXrFQdAKkGlxoTYDjSxo23inufxn0xOYI
+-> piv-p256 5vmPtQ Azl4XTePC2ZZieO7HpQjvHm0faUL3DJWRCNCol6Unr7I
+0a2aSindDkEOxKwsA46E0W7I4NLU6faO+Qu5/1pLTxo
+-> Fo0Mz*I-grease ? b2!|/ KVp$+a7 x1}p
+kS2j+WLNigyT4x/5cy6iLIEsjGGkhmFuKvq5UBAPcWLl4P2EdA71MJBLMgJbSHXn
+Km9g17KSjBLoiW+DnWin0PXnA2xBsTbBSj7jsRIEQ8GW2z2++hAsk/+aIClwy1U7
+eaSP
+--- N8wn5/cIfxnpYjHiJNJ5fTuB0J844jQ3Sbr0bBJwe9U
+}^YÝŸ£^·íÖÔþªcŽ|ÖéNóÃûýKVK¼J"|Á$çíÃá1cæÅ*&VÚ
û–¨9çI Œ¿BmID!Ïië¢é‘÷ÿ$yc
--- a/hosts/patricknix/net.nix
+++ b/hosts/patricknix/net.nix
@ -52,7 +52,6 @@
      networkConfig = {
        IPv6PrivacyExtensions = "yes";
      };
-      dns = [ "1.1.1.1" ];
      dhcpV4Config.RouteMetric = 10;
      dhcpV6Config.RouteMetric = 10;
    };
@ -62,7 +61,6 @@
      networkConfig = {
        IPv6PrivacyExtensions = "yes";
      };
-      dns = [ "1.1.1.1" ];
      dhcpV4Config.RouteMetric = 10;
      dhcpV6Config.RouteMetric = 10;
    };
@ -72,7 +70,6 @@
      networkConfig = {
        IPv6PrivacyExtensions = "yes";
      };
-      dns = [ "1.1.1.1" ];
      dhcpV4Config.RouteMetric = 40;
      dhcpV6Config.RouteMetric = 40;
    };
--- a/patches/PR/365727.diff
+++ b/patches/PR/365727.diff
--- a/secrets/wireguard/services/keys/elisabeth-homeassistant.age
+++ b/secrets/wireguard/services/keys/elisabeth-homeassistant.age
@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> X25519 3vw8tGmO8ONpLYsnf6qeAlTUTegbP3pEghuMOHEYlEg
+tkUxpGW6IZXZkL+gmbuhkpBSQUXkfLctt0bpyuLiWYE
+-> piv-p256 ZFgiIw A1S8HVUawvCicsmCjUhwksiX6o7s9BMsuLJb/HbLk8WM
+MM75XNcA3bTvnC2APm1d4957nXXOc5j9wqYByjfhvJU
+-> piv-p256 XTQkUA A3M65y89A/tylZE9el7j8K9JAzucdJ5rmatLSeMPHgDI
+sST3YL2E7fz0fwUrdFx+QYtovWnrNGo0o7DRR5B6TlI
+-> piv-p256 ZFgiIw AsKck72kGeXyBtiXNSJnmlZx+WBRGqgXbRoSDvl3OlQQ
+MWdneDz8DgoWgm3CdL6JOM4gHNPqcrh1rJvwPKLBOU8
+-> piv-p256 5vmPtQ A9X+YOqSin+XhAQK1sYv75Hs5aXaEX3vHZhNW8CkYlC7
+vni4g1ofCj4oitQf2TwN50VBN4RjrGItIKpJqzKKmpc
+-> z;LNR-grease qO
+1jnbiHbCwou8LM2gQA3KahqeFPotQVWIUuTCXgjGl9JuCXz8HynGSEpdTFDAQ4L6
+s8fgOzHJ814ypW8P/un1T16yQqj7HJVFRfBypMCr1u/cFEqjnVbGNrLNq5g
+--- IpjD30oIyLYKgigdi/jEsdW78UcaCXNmazi/lC8VFSs
+;qržW‚¡.×a$Hß¨MÂÒûÎÁ¨˜r$´¸2
w€vöìY•¹!‘}°AVbò¥êý4<C3BD>>HÃå<C383>DØÖkÕ]Ò-A+c
--- a/secrets/wireguard/services/keys/elisabeth-homeassistant.pub
+++ b/secrets/wireguard/services/keys/elisabeth-homeassistant.pub
@ -0,0 +1 @@
+/gvfYTHyMSgqNMrw6piPS0JXaciqRhPwgI5/LNTuaUA=
--- a/secrets/wireguard/services/psks/elisabeth-homeassistant+nucnix.age
+++ b/secrets/wireguard/services/psks/elisabeth-homeassistant+nucnix.age
--- a/users/patrick/programs/nvim/plugins/cmp.nix
+++ b/users/patrick/programs/nvim/plugins/cmp.nix
@ -5,7 +5,7 @@
      enable = true;
      settings = {
        keymap = {
-          preset = "enter";
+          preset = "none";
          "<A-Tab>" = [
            "snippet_forward"
            "fallback"
@ -44,7 +44,7 @@
        };
        signature.enabled = true;
        completion = {
-          list.selection = "manual";
+          list.selection = "auto_insert";
          #   menu = {
          #     border = "none";
          #     draw = {
--- a/users/patrick/wayland/hyprland.nix
+++ b/users/patrick/wayland/hyprland.nix
@ -254,7 +254,7 @@ in
            "5, monitor:DP-3"
            "6, monitor:DVI-D-1, default:true"
            "7, monitor:DVI-D-1"
-            "8, monitor:HDMI-A-1, default: true"
+            "8, monitor:HDMI-A-1, default:true"
            "9, monitor:HDMI-A-1"
          ];
          env = [ "HYPRLAND_FLOAT_LOCATION,3800 680" ];
				`@ -0,0 +1 @@`
				`/gvfYTHyMSgqNMrw6piPS0JXaciqRhPwgI5/LNTuaUA=`