From b330d4610ea83bebdf82af5f465374d34e7c86ab Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Sun, 10 Dec 2023 10:03:51 +0100
Subject: [PATCH] initial deconz implementation

---
 .../modules/home-assistant/default.nix | 54 +++++++++++++++++++
 hosts/fw.cloonar.com/modules/unbound.nix | 4 --
 2 files changed, 54 insertions(+), 4 deletions(-)

diff --git a/hosts/fw.cloonar.com/modules/home-assistant/default.nix b/hosts/fw.cloonar.com/modules/home-assistant/default.nix
index b1d48ab..d878fbe 100644
--- a/hosts/fw.cloonar.com/modules/home-assistant/default.nix
+++ b/hosts/fw.cloonar.com/modules/home-assistant/default.nix
@@ -1,8 +1,17 @@
 { config, pkgs, ... }:
 let
   domain = "home-assistant.cloonar.com";
+  deconzDomain = "deconz.cloonar.com";
 in {
 
+  users.users.deconz = {
+    home = "/var/lib/deocnz";
+    createHome = true;
+    isSystemUser = true;
+    group = "deconz";
+  };
+  users.groups.deconz = {};
+
   users.users.hass = {
     home = "/var/lib/hass";
     createHome = true;
@@ -14,6 +23,9 @@ in
   security.acme.certs."${domain}" = {
     group = "nginx";
   };
+  security.acme.certs."${deconzDomain}" = {
+    group = "nginx";
+  };
 
   sops.secrets."home-assistant-secrets.yaml" = {
     owner = "hass";
@@ -29,6 +41,14 @@ in
     ephemeral = true; # because of ssh key
     macvlans = [ "vserver" ];
     bindMounts = {
+      "/var/lib/deconz" = {
+        hostPath = "/var/lib/deconz/";
+        isReadOnly = false;
+      };
+      "/var/lib/acme/deconz/" = {
+        hostPath = "${config.security.acme.certs.${deconzDomain}.directory}";
+        isReadOnly = true;
+      };
       "/var/lib/hass" = {
         hostPath = "/var/lib/hass/";
         isReadOnly = false;
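Review bot: `home = "/var/lib/deocnz";` in the new `users.users.deconz` block misspells the directory, while the `bindMounts` hunk in the same commit binds `hostPath = "/var/lib/deconz/";`, so `createHome` will create `/var/lib/deocnz` and the container is bound to a path nothing in this change creates. Change it to `home = "/var/lib/deconz";`. Since `isSystemUser` with no `uid` gets an allocated id, the uid the host assigns to `deconz` will presumably differ from whatever runs deconz inside the container and owns files under the read-write mount; worth confirming ownership on both sides, or pinning a `uid`. The same gid question applies to the read-only ACME mount, whose `key.pem` is readable only through `group = "nginx"` on the host.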
@@ -78,6 +98,40 @@ in
     };
   };
 
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+    "deconz"
+  ];
+
+  services.nginx.virtualHosts."${deconzDomain}" = {
+    sslCertificate = "/var/lib/acme/deconz/fullchain.pem";
+    sslCertificateKey = "/var/lib/acme/deconz/key.pem";
+    sslTrustedCertificate = "/var/lib/acme/deconz/chain.pem";
+    forceSSL = true;
+    extraConfig = ''
+      proxy_buffering off;
+    '';
+    locations."/".extraConfig = ''
+      set $p 8080;
+      if ($http_upgrade = "websocket") {
+        set $p 8081;
+      }
+      proxy_pass http://127.0.0.1:$p;
+      proxy_set_header Host $host;
+      proxy_redirect http:// https://;
+      proxy_http_version 1.1;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection $connection_upgrade;
+    '';
+  };
+
+  services.deconz = {
+    enable = true;
+    httpPort = 8080;
+    wsPort = 8081;
+    device = "/dev/ttyACM0";
+  };
+
   services.nginx.enable = true;
   services.nginx.virtualHosts."${domain}" = {
     sslCertificate = "/var/lib/acme/hass/fullchain.pem";
diff --git a/hosts/fw.cloonar.com/modules/unbound.nix b/hosts/fw.cloonar.com/modules/unbound.nix
index 2ca6827..96da4f4 100644
--- a/hosts/fw.cloonar.com/modules/unbound.nix
+++ b/hosts/fw.cloonar.com/modules/unbound.nix
@@ -30,13 +30,9 @@ let
     "\"fw A 10.42.97.1\""
     "\"switch.cloonar.com IN A 10.42.97.10\""
-    "\"drone.cloonar.com IN A 10.42.97.118\""
-    "\"hv-02.cloonar.com IN A 10.42.97.3\""
     "\"deconz.cloonar.com IN A 10.42.97.20\""
     "\"mopidy.cloonar.com IN A 10.42.97.20\""
     "\"snapcast.cloonar.com IN A 10.42.97.20\""
-    "\"cl-storage-01.cloonar.com IN A 10.42.97.9\""
-    "\"git.cloonar.old IN A 10.44.97.118\""
     "\"stage.wsw.at IN A 10.254.235.22\""
     "\"prod.wsw.at IN A 10.254.217.23\""
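Review bot: `lib.getName pkg` in the new `allowUnfreePredicate` uses `lib`, which this module never binds (its argument set `{ config, pkgs, ... }:` in the first hunk is unchanged), so evaluation will fail with an undefined variable; either add `lib` to the arguments or write `builtins.elem (pkgs.lib.getName pkg) [ "deconz" ]`. The websocket switch in `locations."/"` depends on `$connection_upgrade`, which only exists if a `map $http_upgrade $connection_upgrade` is present in the http context; the NixOS nginx module is understood to emit one, but confirm, because an undefined variable stops nginx from starting. `services.deconz` is given `device = "/dev/ttyACM0"` with no corresponding device passthrough in the container definition from the earlier hunk, so if this service is meant to run inside the container (the enclosing block starts outside this hunk) the serial device will not be visible to it. A short comment on the `set $p` lines, such as `# websocket traffic goes to deconz's wsPort, everything else to httpPort`, would tie the two port constants to the `services.deconz` block below.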