feat: more homeassistant

This commit is contained in:
Patrick 2025-01-07 21:23:06 +01:00
parent 0a11ac5c48
commit b2256f2459
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
9 changed files with 81 additions and 21 deletions

View file

@ -7,7 +7,12 @@
{
wireguard.services = {
client.via = "nucnix";
firewallRuleForNode.nucnix-nginx.allowedTCPPorts = [ config.services.adguardhome.port ];
firewallRuleForNode.${globals.services.nginx.host}.allowedTCPPorts = [
config.services.adguardhome.port
];
firewallRuleForNode.${globals.services.homeassistant.host}.allowedTCPPorts = [
config.services.adguardhome.port
];
};
services.adguardhome = {
enable = true;

View file

@ -1,5 +1,6 @@
{
config,
globals,
nodes,
lib,
...
@ -24,9 +25,11 @@
"met"
"esphome"
"fritzbox"
"homematic"
"soundtouch"
"spotify"
"matter"
"esphome"
#"zha"
"mqtt"
];
@ -75,8 +78,15 @@
python3Packages: with python3Packages; [
psycopg2
gtts
fritzconnection
adguardhome
];
};
networking.hosts = {
"${nodes.${globals.services.adguardhome.host}.config.wireguard.services.ipv4}" = [
"adguardhome.internal"
];
};
age.secrets."home-assistant-secrets.yaml" = {
rekeyFile = "${config.node.secretsDir}/secrets.yaml.age";
owner = "hass";

View file

@ -116,6 +116,29 @@ in
enable = true;
recommendedSetup = true;
virtualHosts."${globals.services.netbird.domain}".useACMEHost = "web";
upstreams.fritz = {
servers."${lib.net.cidr.host 1 "10.99.2.0/24"}" = { };
extraConfig = ''
zone fritz 64k ;
keepalive 5 ;
'';
};
virtualHosts.${globals.services.fritz.domain} = {
forceSSL = true;
useACMEHost = "web";
locations."/" = {
proxyPass = "https://fritz";
proxyWebsockets = true;
X-Frame-Options = "SAMEORIGIN";
};
extraConfig = ''
client_max_body_size 512M ;
proxy_ssl_verify off ;
allow ${globals.net.vlans.home.cidrv4} ;
allow ${globals.net.vlans.home.cidrv6} ;
deny all ;
'';
};
}
(blockOf "vaultwarden" { maxBodySize = "1G"; })
(blockOf "forgejo" { maxBodySize = "1G"; })

View file

@ -8,6 +8,8 @@ let
shares = lib.removeAttrs config.services.samba.settings [ "global" ];
in
{
# allow direct access to shares
networking.nftables.firewall.zones.untrusted.interfaces = [ "mv-home" ];
services.samba-wsdd = {
enable = true; # make shares visible for windows 10 clients
openFirewall = true;

View file

@ -38,6 +38,7 @@ in
id = 40;
cidrv4 = "10.99.${toString id}.0/24";
cidrv6 = "fd${toString id}::/64";
internet = false;
};
guests = rec {
id = 50;
@ -72,6 +73,9 @@ in
domain = "ppl.${globals.domains.web}";
host = "elisabeth-paperless";
};
fritz = {
domain = "fritz.${globals.domains.web}";
};
ttrss = {
domain = "rss.${globals.domains.web}";
host = "elisabeth-ttrss";

View file

@ -53,9 +53,7 @@
../../config/services/${guestName}.nix
{
node.secretsDir = config.node.secretsDir + "/${guestName}";
networking.nftables.firewall.zones.untrusted.interfaces = lib.mkIf (
lib.length config.guests.${guestName}.networking.links == 1
) config.guests.${guestName}.networking.links;
networking.nftables.firewall.zones.untrusted.interfaces = [ "mv-services" ];
systemd.network.networks = lib.mkIf (globals.services.${guestName}.ip != null) (
lib.listToAttrs (
lib.flip map vlans (
@ -67,7 +65,7 @@
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
];
gateway = [
gateway = lib.optionals globals.net.vlans.${name}.internet [
(lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv6)
];
@ -127,7 +125,13 @@
// mkContainer "netbird" { }
// mkContainer "blog" { }
// mkContainer "kanidm" { }
// mkContainer "homeassistant" { }
// mkContainer "homeassistant" {
vlans = [
"services"
"devices"
"iot"
];
}
// mkContainer "nextcloud" { enablePanzer = true; }
// mkContainer "paperless" { enableSharedPaperless = true; }
// mkContainer "forgejo" { enablePanzer = true; }
@ -137,6 +141,8 @@
enableRenaultFT = true;
enableBunker = true;
enableSharedPaperless = true;
vlans = [ "home" ];
vlans = [
"home"
];
};
}

View file

@ -38,9 +38,7 @@ in
../../config/services/${guestName}.nix
{
node.secretsDir = config.node.secretsDir + "/${guestName}";
networking.nftables.firewall.zones.untrusted.interfaces = lib.mkIf (
lib.length config.guests.${guestName}.networking.links == 1
) config.guests.${guestName}.networking.links;
networking.nftables.firewall.zones.untrusted.interfaces = [ "mv-services" ];
systemd.network.networks = lib.mkIf (globals.services.${guestName}.ip != null) (
lib.listToAttrs (
lib.flip map vlans (
@ -52,7 +50,7 @@ in
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
];
gateway = [
gateway = lib.optionals globals.net.vlans.${name}.internet [
(lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv6)
];

View file

@ -35,7 +35,12 @@ in
};
subnet4 = flip mapAttrsToList globals.net.vlans (
name:
{ id, cidrv4, ... }:
{
id,
cidrv4,
internet,
...
}:
rec {
inherit id;
interface = "lan-${name}";
@ -45,16 +50,17 @@ in
pool = "${net.cidr.host 50 subnet} - ${net.cidr.host (-6) subnet}";
}
];
option-data = [
{
option-data =
[
{
name = "domain-name-servers";
data = "${net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4}";
}
]
++ lib.optional internet {
name = "routers";
data = "${net.cidr.host 1 subnet}";
}
{
name = "domain-name-servers";
data = "${net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4}";
}
];
};
reservations = [
{
# homematic

View file

@ -109,6 +109,11 @@ in
default = null;
description = "The CIDRv6 of this vlan";
};
internet = mkOption {
type = types.bool;
default = true;
description = "Whether this vlan is connected to the internet";
};
name = mkOption {
description = "The name of this VLAN";
@ -130,7 +135,8 @@ in
default = null;
};
host = mkOption {
type = types.str;
type = types.nullOr types.str;
default = null;
description = "The node-name on which this service runs";
};
ip = mkOption {