patrick/nix-config
1
1
Fork 0
Code Issues Pull requests Projects Wiki Activity

feat: more homeassistant

Browse source
This commit is contained in:
Patrick 2025-01-07 21:23:06 +01:00
parent 0a11ac5c48
commit b2256f2459
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
9 changed files with 81 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
config/services/adguardhome.nix
View file

@ -7,7 +7,12 @@
{ {
wireguard.services = { wireguard.services = {
client.via = "nucnix"; client.via = "nucnix";
firewallRuleForNode.nucnix-nginx.allowedTCPPorts = [ config.services.adguardhome.port ]; firewallRuleForNode.${globals.services.nginx.host}.allowedTCPPorts = [
config.services.adguardhome.port
];
firewallRuleForNode.${globals.services.homeassistant.host}.allowedTCPPorts = [
config.services.adguardhome.port
];
}; };
services.adguardhome = { services.adguardhome = {
enable = true; enable = true;

10
config/services/homeassistant.nix
View file

@ -1,5 +1,6 @@
{ {
config, config,
globals,
nodes, nodes,
lib, lib,
... ...
@ -24,9 +25,11 @@
"met" "met"
"esphome" "esphome"
"fritzbox" "fritzbox"
"homematic"
"soundtouch" "soundtouch"
"spotify" "spotify"
"matter" "matter"
"esphome"
#"zha" #"zha"
"mqtt" "mqtt"
]; ];
@ -75,8 +78,15 @@
python3Packages: with python3Packages; [ python3Packages: with python3Packages; [
psycopg2 psycopg2
gtts gtts
fritzconnection
adguardhome
]; ];
}; };
networking.hosts = {
"${nodes.${globals.services.adguardhome.host}.config.wireguard.services.ipv4}" = [
"adguardhome.internal"
];
};
age.secrets."home-assistant-secrets.yaml" = { age.secrets."home-assistant-secrets.yaml" = {
rekeyFile = "${config.node.secretsDir}/secrets.yaml.age"; rekeyFile = "${config.node.secretsDir}/secrets.yaml.age";
owner = "hass"; owner = "hass";

23
config/services/nginx.nix
View file

@ -116,6 +116,29 @@ in
enable = true; enable = true;
recommendedSetup = true; recommendedSetup = true;
virtualHosts."${globals.services.netbird.domain}".useACMEHost = "web"; virtualHosts."${globals.services.netbird.domain}".useACMEHost = "web";
upstreams.fritz = {
servers."${lib.net.cidr.host 1 "10.99.2.0/24"}" = { };
extraConfig = ''
zone fritz 64k ;
keepalive 5 ;
'';
};
virtualHosts.${globals.services.fritz.domain} = {
forceSSL = true;
useACMEHost = "web";
locations."/" = {
proxyPass = "https://fritz";
proxyWebsockets = true;
X-Frame-Options = "SAMEORIGIN";
};
extraConfig = ''
client_max_body_size 512M ;
proxy_ssl_verify off ;
allow ${globals.net.vlans.home.cidrv4} ;
allow ${globals.net.vlans.home.cidrv6} ;
deny all ;
'';
};
} }
(blockOf "vaultwarden" { maxBodySize = "1G"; }) (blockOf "vaultwarden" { maxBodySize = "1G"; })
(blockOf "forgejo" { maxBodySize = "1G"; }) (blockOf "forgejo" { maxBodySize = "1G"; })

2
config/services/samba.nix
View file

@ -8,6 +8,8 @@ let
shares = lib.removeAttrs config.services.samba.settings [ "global" ]; shares = lib.removeAttrs config.services.samba.settings [ "global" ];
in in
{ {
# allow direct access to shares
networking.nftables.firewall.zones.untrusted.interfaces = [ "mv-home" ];
services.samba-wsdd = { services.samba-wsdd = {
enable = true; # make shares visible for windows 10 clients enable = true; # make shares visible for windows 10 clients
openFirewall = true; openFirewall = true;

4
globals.nix
View file

@ -38,6 +38,7 @@ in
id = 40; id = 40;
cidrv4 = "10.99.${toString id}.0/24"; cidrv4 = "10.99.${toString id}.0/24";
cidrv6 = "fd${toString id}::/64"; cidrv6 = "fd${toString id}::/64";
internet = false;
}; };
guests = rec { guests = rec {
id = 50; id = 50;
@ -72,6 +73,9 @@ in
domain = "ppl.${globals.domains.web}"; domain = "ppl.${globals.domains.web}";
host = "elisabeth-paperless"; host = "elisabeth-paperless";
}; };
fritz = {
domain = "fritz.${globals.domains.web}";
};
ttrss = { ttrss = {
domain = "rss.${globals.domains.web}"; domain = "rss.${globals.domains.web}";
host = "elisabeth-ttrss"; host = "elisabeth-ttrss";

18
hosts/elisabeth/guests.nix
View file

@ -53,9 +53,7 @@
../../config/services/${guestName}.nix ../../config/services/${guestName}.nix
{ {
node.secretsDir = config.node.secretsDir + "/${guestName}"; node.secretsDir = config.node.secretsDir + "/${guestName}";
networking.nftables.firewall.zones.untrusted.interfaces = lib.mkIf ( networking.nftables.firewall.zones.untrusted.interfaces = [ "mv-services" ];
lib.length config.guests.${guestName}.networking.links == 1
) config.guests.${guestName}.networking.links;
systemd.network.networks = lib.mkIf (globals.services.${guestName}.ip != null) ( systemd.network.networks = lib.mkIf (globals.services.${guestName}.ip != null) (
lib.listToAttrs ( lib.listToAttrs (
lib.flip map vlans ( lib.flip map vlans (
@ -67,7 +65,7 @@
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4) (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6) (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
]; ];
gateway = [ gateway = lib.optionals globals.net.vlans.${name}.internet [
(lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4) (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv6) (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv6)
]; ];
@ -127,7 +125,13 @@
// mkContainer "netbird" { } // mkContainer "netbird" { }
// mkContainer "blog" { } // mkContainer "blog" { }
// mkContainer "kanidm" { } // mkContainer "kanidm" { }
// mkContainer "homeassistant" { } // mkContainer "homeassistant" {
vlans = [
"services"
"devices"
"iot"
];
}
// mkContainer "nextcloud" { enablePanzer = true; } // mkContainer "nextcloud" { enablePanzer = true; }
// mkContainer "paperless" { enableSharedPaperless = true; } // mkContainer "paperless" { enableSharedPaperless = true; }
// mkContainer "forgejo" { enablePanzer = true; } // mkContainer "forgejo" { enablePanzer = true; }
@ -137,6 +141,8 @@
enableRenaultFT = true; enableRenaultFT = true;
enableBunker = true; enableBunker = true;
enableSharedPaperless = true; enableSharedPaperless = true;
vlans = [ "home" ]; vlans = [
"home"
];
}; };
} }

6
hosts/nucnix/guests.nix
View file

@ -38,9 +38,7 @@ in
../../config/services/${guestName}.nix ../../config/services/${guestName}.nix
{ {
node.secretsDir = config.node.secretsDir + "/${guestName}"; node.secretsDir = config.node.secretsDir + "/${guestName}";
networking.nftables.firewall.zones.untrusted.interfaces = lib.mkIf ( networking.nftables.firewall.zones.untrusted.interfaces = [ "mv-services" ];
lib.length config.guests.${guestName}.networking.links == 1
) config.guests.${guestName}.networking.links;
systemd.network.networks = lib.mkIf (globals.services.${guestName}.ip != null) ( systemd.network.networks = lib.mkIf (globals.services.${guestName}.ip != null) (
lib.listToAttrs ( lib.listToAttrs (
lib.flip map vlans ( lib.flip map vlans (
@ -52,7 +50,7 @@ in
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4) (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6) (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
]; ];
gateway = [ gateway = lib.optionals globals.net.vlans.${name}.internet [
(lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4) (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4)
(lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv6) (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv6)
]; ];

24
hosts/nucnix/kea.nix
View file

@ -35,7 +35,12 @@ in
}; };
subnet4 = flip mapAttrsToList globals.net.vlans ( subnet4 = flip mapAttrsToList globals.net.vlans (
name: name:
{ id, cidrv4, ... }: {
id,
cidrv4,
internet,
...
}:
rec { rec {
inherit id; inherit id;
interface = "lan-${name}"; interface = "lan-${name}";
@ -45,16 +50,17 @@ in
pool = "${net.cidr.host 50 subnet} - ${net.cidr.host (-6) subnet}"; pool = "${net.cidr.host 50 subnet} - ${net.cidr.host (-6) subnet}";
} }
]; ];
option-data = [ option-data =
{ [
{
name = "domain-name-servers";
data = "${net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4}";
}
]
++ lib.optional internet {
name = "routers"; name = "routers";
data = "${net.cidr.host 1 subnet}"; data = "${net.cidr.host 1 subnet}";
} };
{
name = "domain-name-servers";
data = "${net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4}";
}
];
reservations = [ reservations = [
{ {
# homematic # homematic

8
modules/globals.nix
View file

@ -109,6 +109,11 @@ in
default = null; default = null;
description = "The CIDRv6 of this vlan"; description = "The CIDRv6 of this vlan";
}; };
internet = mkOption {
type = types.bool;
default = true;
description = "Whether this vlan is connected to the internet";
};
name = mkOption { name = mkOption {
description = "The name of this VLAN"; description = "The name of this VLAN";
@ -130,7 +135,8 @@ in
default = null; default = null;
}; };
host = mkOption { host = mkOption {
type = types.str; type = types.nullOr types.str;
default = null;
description = "The node-name on which this service runs"; description = "The node-name on which this service runs";
}; };
ip = mkOption { ip = mkOption {