feat: add updns, add unbound, change hass and firewall

2025-04-27 23:03:07 +02:00
parent 2318855dd3
commit 5de8b96816
6 changed files with 183 additions and 88 deletions
--- a/modules/cloonar-assistant/home-assistant/default.nix
+++ b/modules/cloonar-assistant/home-assistant/default.nix
@@ -1,34 +1,51 @@
 { config, pkgs, ... }:
 let
-  domain = "home-assistant.${config.cloonar-assistant.domain}";
+  domain = config.cloonar-assistant.domain;
  pkgs-with-home-assistant = import (builtins.fetchGit {
    name = "new-home-assistant";
    url = "https://github.com/nixos/nixpkgs/";
    rev = "18dd725c29603f582cf1900e0d25f9f1063dbf11";
  }) {};
-  networkPrefix = config.networkPrefix;
+
  home-assistant-config = config.home-assistant;
  home-assistant-config.package = pkgs-with-home-assistant.home-assistant;
-
-
-  certDir = "/var/lib/ssl/home-assistant";
-  certFile = "${certDir}/selfsigned.crt";
-  keyFile = "${certDir}/selfsigned.key";
+  uid = config.ids.uids.hass;
+  gid = config.ids.gids.hass;
 in
 {
  users.users.hass = {
    home = "/var/lib/hass";
    createHome = true;
    group = "hass";
-    uid = config.ids.uids.hass;
+    uid = uid;
    extraGroups = [ "dialout" ];
  };
-  users.groups.hass.gid = config.ids.gids.hass;
+  users.groups.hass.gid = gid;
+
+  services.nginx.enable = true;
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    extraConfig = ''
+      proxy_buffering off;
+    '';
+    locations."/".extraConfig = ''
+      proxy_pass http://10.233.0.2:8123;
+      proxy_set_header Host $host;
+      proxy_redirect http:// https://;
+      proxy_http_version 1.1;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection $connection_upgrade;
+    '';
+  };

  security.acme.certs."${domain}" = {
-    group = "nginx";
+    group = "ssl-users";
+    allowKeysForGroup = true; 
  };

+  users.groups.ssl-users = {};
+
  sops.secrets."home-assistant-secrets.yaml" = {
    owner = "hass";
    restartUnits = [ "container@hass.service" ];
@@ -38,13 +55,8 @@ in
    autoStart = true;
    ephemeral = false;
    privateNetwork = true;
-    hostBridge = "server";
-    hostAddress = "${networkPrefix}.97.1";
-    localAddress = "${networkPrefix}.97.20/24";
-    extraFlags = [
-      "--capability=CAP_NET_ADMIN"
-      "--capability=CAP_MKNOD"
-    ];
+    hostAddress = "10.233.0.1";
+    localAddress = "10.233.0.2";
    bindMounts = {
      "/etc/localtime" = {
        hostPath = "/etc/localtime";
@@ -53,85 +65,18 @@ in
        hostPath = "/var/lib/hass/";
        isReadOnly = false;
      };
-      "/var/lib/acme/hass/" = {
-        hostPath = "${config.security.acme.certs.${domain}.directory}";
-      };
      "/var/lib/hass/secrets.yaml" = {
        hostPath = config.sops.secrets."home-assistant-secrets.yaml".path;
      };
    };
    config = { lib, config, pkgs, ... }: {
-      networkPrefix = networkPrefix;
      imports = [
      ];

-      networking = {
-        hostName = "home-assistant";
-        useHostResolvConf = false;
-        defaultGateway = {
-          address = "${networkPrefix}.96.1";
-          interface = "eth0";
-        };
-        firewall.enable = false;
-        nameservers = [ "${networkPrefix}.97.1" ];
-      };
-
      environment.systemPackages = [
        pkgs.mariadb
      ];

-      systemd.services.generate-selfsigned-cert = {
-        description = "Generate/renew self-signed SSL certificate";
-        wantedBy = [ "nginx.service" ];
-        path = [ pkgs.openssl pkgs.gnugrep ];
-        
-        script = ''
-          if [ -f ${certFile} ]; then
-            expiry=$(openssl x509 -enddate -noout -in ${certFile} | cut -d= -f2)
-            expiry_epoch=$(date -d "$expiry" +%s)
-            current_epoch=$(date +%s)
-            days_left=$(( (expiry_epoch - current_epoch) / 86400 ))
-            
-            if [ $days_left -lt 30 ]; then  # Regenerate if expiring in <30 days
-              echo "Certificate expiring soon, regenerating..."
-              rm ${certFile} ${keyFile}
-            fi
-          fi
-
-          if [ ! -f ${certFile} ] || [ ! -f ${keyFile} ]; then
-            openssl req -x509 -nodes -days 365 \
-              -newkey rsa:2048 \
-              -keyout ${keyFile} \
-              -out ${certFile} \
-              -subj "/CN=${domain}"
-          fi
-        '';
-
-        serviceConfig = {
-          Type = "oneshot";
-          RemainAfterExit = true;
-        };
-      };
-
-      services.nginx.enable = true;
-      services.nginx.virtualHosts."${domain}" = {
-        sslCertificate = certFile;
-        sslCertificateKey = keyFile;
-        forceSSL = true;
-        extraConfig = ''
-          proxy_buffering off;
-        '';
-        locations."/".extraConfig = ''
-          proxy_pass http://127.0.0.1:8123;
-          proxy_set_header Host $host;
-          proxy_redirect http:// https://;
-          proxy_http_version 1.1;
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header Upgrade $http_upgrade;
-          proxy_set_header Connection $connection_upgrade;
-        '';
-      };
-
      services.home-assistant = home-assistant-config;

      services.home-assistant.extraComponents = [
@@ -243,6 +188,7 @@ in
        };

      users.users.hass.extraGroups = [ "dialout" ];
+      networking.firewall.allowedTCPPorts = [ 8123 ];
      system.stateVersion = "23.05";
    };
  };