add home-assistant nix configuration

2023-12-09 22:55:41 +01:00
parent bdca649697
commit 027be96f9c
22 changed files with 1450 additions and 60 deletions
--- a/hosts/fw.cloonar.com/modules/home-assistant/ldap.nix
+++ b/hosts/fw.cloonar.com/modules/home-assistant/ldap.nix
@@ -0,0 +1,59 @@
+{ pkgs
+, config
+, lib
+, ... }:
+let
+  ldap-auth-sh = pkgs.stdenv.mkDerivation {
+    name = "ldap-auth-sh";
+
+    src = pkgs.fetchFromGitHub {
+      owner = "efficiosoft";
+      repo = "ldap-auth-sh";
+      rev = "93b2c00413942908139e37c7432a12bcb705ac87";
+      sha256 = "1pymp6ki353aqkigr89g7hg5x1mny68m31c3inxf1zr26n5s2kz8";
+    };
+
+    nativeBuildInputs = [ pkgs.makeWrapper ];
+    installPhase = ''
+      mkdir -p $out/etc
+      cat > $out/etc/home-assistant.cfg << 'EOF'
+      CLIENT="ldapsearch"
+      SERVER="ldaps://ldap.cloonar.com:636"
+      USERDN="cn=home-assistant,ou=system,ou=users,dc=cloonar,dc=com"
+      PW="$(</run/secrets/home-assistant-ldap)"
+      BASEDN="ou=users,dc=cloonar,dc=com"
+      SCOPE="one"
+      FILTER="(&(objectClass=cloonarUser)(memberOf=cn=HomeAssistant,ou=groups,dc=cloonar,dc=com)(mail=$(ldap_dn_escape "$username")))"
+      USERNAME_PATTERN='^[a-z|A-Z|0-9|_|-|.|@]+$'
+      on_auth_success() {
+        # print the meta entries for use in HA
+        if echo "$output" | grep -qE '^(dn|DN):: '; then
+            # ldapsearch base64 encodes non-ascii
+            output=$(echo "$output" | sed -n -e "s/^\(dn\|DN\)\s*::\s*\(.*\)$/\2/p" | base64 -d)
+        else
+            output=$(echo "$output" | sed -n -e "s/^\(dn\|DN\)\s*:\s*\(.*\)$/\2/p")
+        fi
+        name=$(echo "$output" | sed -nr 's/^cn=([^,]+).*/\1/Ip')
+        [ -z "$name" ] || echo "name=$name"
+      }
+      EOF
+      install -D -m755 ldap-auth.sh $out/bin/ldap-auth.sh
+      wrapProgram $out/bin/ldap-auth.sh \
+        --prefix PATH : ${lib.makeBinPath [pkgs.openldap pkgs.coreutils pkgs.gnused pkgs.gnugrep]} \
+        --add-flags "$out/etc/home-assistant.cfg"
+    '';
+  };
+in
+{
+  services.home-assistant.config.homeassistant.auth_providers = [
+    {
+      type = "homeassistant";
+    }
+    {
+      type = "command_line";
+      command = "${ldap-auth-sh}/bin/ldap-auth.sh";
+      meta = true;
+    }
+  ];
+}
+