feat: more homeassistant

feat: avahi zeroconfig
fix: printer smb
2025-01-07 21:23:06 +01:00 · 2025-01-06 19:57:05 +01:00
12 changed files with 93 additions and 31 deletions
--- a/config/services/adguardhome.nix
+++ b/config/services/adguardhome.nix
@ -7,7 +7,12 @@
 {
  wireguard.services = {
    client.via = "nucnix";
-    firewallRuleForNode.nucnix-nginx.allowedTCPPorts = [ config.services.adguardhome.port ];
+    firewallRuleForNode.${globals.services.nginx.host}.allowedTCPPorts = [
+      config.services.adguardhome.port
+    ];
+    firewallRuleForNode.${globals.services.homeassistant.host}.allowedTCPPorts = [
+      config.services.adguardhome.port
+    ];
  };
  services.adguardhome = {
    enable = true;
--- a/config/services/homeassistant.nix
+++ b/config/services/homeassistant.nix
@ -1,8 +1,8 @@
 {
  config,
+  globals,
  nodes,
  lib,
-  pkgs,
  ...
 }:
 {
@ -25,9 +25,11 @@
      "met"
      "esphome"
      "fritzbox"
+      "homematic"
      "soundtouch"
      "spotify"
      "matter"
+      "esphome"
      #"zha"
      "mqtt"
    ];
@ -76,6 +78,13 @@
      python3Packages: with python3Packages; [
        psycopg2
        gtts
+        fritzconnection
+        adguardhome
+      ];
+  };
+  networking.hosts = {
+    "${nodes.${globals.services.adguardhome.host}.config.wireguard.services.ipv4}" = [
+      "adguardhome.internal"
    ];
  };
  age.secrets."home-assistant-secrets.yaml" = {
@ -83,15 +92,15 @@
    owner = "hass";
  };
  systemd.services.home-assistant = {
+    # Update influxdb token
+    # We don't use -i because it would require chown with is a @privileged syscall
+    # INFLUXDB_TOKEN="$(cat ${config.age.secrets.hass-influxdb-token.path})" \
+    #   ${lib.getExe pkgs.yq-go} '.influxdb_token = strenv(INFLUXDB_TOKEN)'
    preStart = lib.mkBefore ''
      if [[ -e ${config.services.home-assistant.configDir}/secrets.yaml ]]; then
        rm ${config.services.home-assistant.configDir}/secrets.yaml
      fi

-      # Update influxdb token
-      # We don't use -i because it would require chown with is a @privileged syscall
-      # INFLUXDB_TOKEN="$(cat ${config.age.secrets.hass-influxdb-token.path})" \
-      #   ${lib.getExe pkgs.yq-go} '.influxdb_token = strenv(INFLUXDB_TOKEN)'
        cat ${
          config.age.secrets."home-assistant-secrets.yaml".path
        } > ${config.services.home-assistant.configDir}/secrets.yaml
--- a/config/services/nginx.nix
+++ b/config/services/nginx.nix
@ -116,6 +116,29 @@ in
        enable = true;
        recommendedSetup = true;
        virtualHosts."${globals.services.netbird.domain}".useACMEHost = "web";
+        upstreams.fritz = {
+          servers."${lib.net.cidr.host 1 "10.99.2.0/24"}" = { };
+          extraConfig = ''
+            zone fritz 64k ;
+            keepalive 5 ;
+          '';
+        };
+        virtualHosts.${globals.services.fritz.domain} = {
+          forceSSL = true;
+          useACMEHost = "web";
+          locations."/" = {
+            proxyPass = "https://fritz";
+            proxyWebsockets = true;
+            X-Frame-Options = "SAMEORIGIN";
+          };
+          extraConfig = ''
+            client_max_body_size 512M ;
+            proxy_ssl_verify off ;
+            allow ${globals.net.vlans.home.cidrv4} ;
+            allow ${globals.net.vlans.home.cidrv6} ;
+            deny all ;
+          '';
+        };
      }
      (blockOf "vaultwarden" { maxBodySize = "1G"; })
      (blockOf "forgejo" { maxBodySize = "1G"; })
--- a/config/services/samba.nix
+++ b/config/services/samba.nix
@ -8,6 +8,8 @@ let
  shares = lib.removeAttrs config.services.samba.settings [ "global" ];
 in
 {
+  # allow direct access to shares
+  networking.nftables.firewall.zones.untrusted.interfaces = [ "mv-home" ];
  services.samba-wsdd = {
    enable = true; # make shares visible for windows 10 clients
    openFirewall = true;
@ -119,7 +121,8 @@ in
            # clients hardcode the host and share names.
            "disable netbios" = "yes";
            # Allow access to local network
-            "hosts allow" = "10.99.10. localhost";
+            # Also allow printer access
+            "hosts allow" = "10.99.10. ${lib.net.cidr.host 32 globals.net.vlans.devices.cidrv4} localhost";

            "guest account" = "nobody";
            "map to guest" = "bad user";
@ -176,8 +179,6 @@ in
            group = "printer";
          }
          {
-            # Also allow printer access
-            "hosts allow" = "10.99.10. ${lib.net.cidr.host 32 globals.net.vlans.home.cidrv4} localhost";
          }
        )
        (mkShare {
--- a/config/support/secureboot.nix
+++ b/config/support/secureboot.nix
@ -16,8 +16,8 @@ lib.optionalAttrs (!minimal) {
    text = ''
      rm -r /var/lib/sbctl || true
      mkdir -p /var/lib/sbctl
-      chmod 700 /var/lib/sbctl
      ${pkgs.gnutar}/bin/tar xf ${config.age.secrets.secureboot.path} -C /var/lib/sbctl || true
+      chmod 700 /var/lib/sbctl
    '';
    deps = [ "agenix" ];
  };
--- a/globals.nix
+++ b/globals.nix
@ -38,6 +38,7 @@ in
        id = 40;
        cidrv4 = "10.99.${toString id}.0/24";
        cidrv6 = "fd${toString id}::/64";
+        internet = false;
      };
      guests = rec {
        id = 50;
@ -72,6 +73,9 @@ in
        domain = "ppl.${globals.domains.web}";
        host = "elisabeth-paperless";
      };
+      fritz = {
+        domain = "fritz.${globals.domains.web}";
+      };
      ttrss = {
        domain = "rss.${globals.domains.web}";
        host = "elisabeth-ttrss";
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@ -53,9 +53,7 @@
            ../../config/services/${guestName}.nix
            {
              node.secretsDir = config.node.secretsDir + "/${guestName}";
-              networking.nftables.firewall.zones.untrusted.interfaces = lib.mkIf (
-                lib.length config.guests.${guestName}.networking.links == 1
-              ) config.guests.${guestName}.networking.links;
+              networking.nftables.firewall.zones.untrusted.interfaces = [ "mv-services" ];
              systemd.network.networks = lib.mkIf (globals.services.${guestName}.ip != null) (
                lib.listToAttrs (
                  lib.flip map vlans (
@ -67,7 +65,7 @@
                        (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4)
                        (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
                      ];
-                      gateway = [
+                      gateway = lib.optionals globals.net.vlans.${name}.internet [
                        (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4)
                        (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv6)
                      ];
@ -127,7 +125,13 @@
    // mkContainer "netbird" { }
    // mkContainer "blog" { }
    // mkContainer "kanidm" { }
-    // mkContainer "homeassistant" { }
+    // mkContainer "homeassistant" {
+      vlans = [
+        "services"
+        "devices"
+        "iot"
+      ];
+    }
    // mkContainer "nextcloud" { enablePanzer = true; }
    // mkContainer "paperless" { enableSharedPaperless = true; }
    // mkContainer "forgejo" { enablePanzer = true; }
@ -137,6 +141,8 @@
      enableRenaultFT = true;
      enableBunker = true;
      enableSharedPaperless = true;
-      vlans = [ "home" ];
+      vlans = [
+        "home"
+      ];
    };
 }
--- a/hosts/elisabeth/secrets/homeassistant/host.pub
+++ b/hosts/elisabeth/secrets/homeassistant/host.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPs0YXOrMxHFly+lpB0NtZWuuz1JwRKU2ZCOe4Xhz1T5
--- a/hosts/nucnix/guests.nix
+++ b/hosts/nucnix/guests.nix
@ -38,9 +38,7 @@ in
            ../../config/services/${guestName}.nix
            {
              node.secretsDir = config.node.secretsDir + "/${guestName}";
-              networking.nftables.firewall.zones.untrusted.interfaces = lib.mkIf (
-                lib.length config.guests.${guestName}.networking.links == 1
-              ) config.guests.${guestName}.networking.links;
+              networking.nftables.firewall.zones.untrusted.interfaces = [ "mv-services" ];
              systemd.network.networks = lib.mkIf (globals.services.${guestName}.ip != null) (
                lib.listToAttrs (
                  lib.flip map vlans (
@ -52,7 +50,7 @@ in
                        (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv4)
                        (lib.net.cidr.hostCidr globals.services.${guestName}.ip globals.net.vlans.${name}.cidrv6)
                      ];
-                      gateway = [
+                      gateway = lib.optionals globals.net.vlans.${name}.internet [
                        (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv4)
                        (lib.net.cidr.host 1 globals.net.vlans.${name}.cidrv6)
                      ];
--- a/hosts/nucnix/kea.nix
+++ b/hosts/nucnix/kea.nix
@ -35,7 +35,12 @@ in
      };
      subnet4 = flip mapAttrsToList globals.net.vlans (
        name:
-        { id, cidrv4, ... }:
+        {
+          id,
+          cidrv4,
+          internet,
+          ...
+        }:
        rec {
          inherit id;
          interface = "lan-${name}";
@ -45,16 +50,17 @@ in
              pool = "${net.cidr.host 50 subnet} - ${net.cidr.host (-6) subnet}";
            }
          ];
-          option-data = [
-            {
-              name = "routers";
-              data = "${net.cidr.host 1 subnet}";
-            }
+          option-data =
+            [
              {
                name = "domain-name-servers";
                data = "${net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4}";
              }
-          ];
+            ]
+            ++ lib.optional internet {
+              name = "routers";
+              data = "${net.cidr.host 1 subnet}";
+            };
          reservations = [
            {
              # homematic
--- a/hosts/nucnix/net.nix
+++ b/hosts/nucnix/net.nix
@ -29,6 +29,9 @@ in
      printer.ipv4Addresses = [
        (lib.net.cidr.host 32 globals.net.vlans.devices.cidrv4)
      ];
+      smb.ipv4Addresses = [
+        (lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4)
+      ];
      adguard.ipv4Addresses = [
        (lib.net.cidr.host globals.services.adguardhome.ip globals.net.vlans.services.cidrv4)
      ];
@ -170,7 +173,7 @@ in
          "printer"
        ];
        to = [ "smb" ];
-        allowedUDPPorts = [ 445 ];
+        allowedTCPPorts = [ 445 ];
      };
      ssh = {
        from = [
--- a/modules/globals.nix
+++ b/modules/globals.nix
@ -109,6 +109,11 @@ in
                    default = null;
                    description = "The CIDRv6 of this vlan";
                  };
+                  internet = mkOption {
+                    type = types.bool;
+                    default = true;
+                    description = "Whether this vlan is connected to the internet";
+                  };

                  name = mkOption {
                    description = "The name of this VLAN";
@ -130,7 +135,8 @@ in
                    default = null;
                  };
                  host = mkOption {
-                    type = types.str;
+                    type = types.nullOr types.str;
+                    default = null;
                    description = "The node-name on which this service runs";
                  };
                  ip = mkOption {
Author	SHA1	Message	Date
Patrick	b2256f2459	feat: more homeassistant	2025-01-07 21:23:06 +01:00
Patrick	0a11ac5c48	feat: avahi zeroconfig fix: printer smb	2025-01-06 19:57:05 +01:00
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPs0YXOrMxHFly+lpB0NtZWuuz1JwRKU2ZCOe4Xhz1T5`