initial deconz implementation

2023-12-10 10:03:51 +01:00
parent 027be96f9c
commit b330d4610e
2 changed files with 54 additions and 4 deletions
--- a/hosts/fw.cloonar.com/modules/home-assistant/default.nix
+++ b/hosts/fw.cloonar.com/modules/home-assistant/default.nix
@@ -1,8 +1,17 @@
 { config, pkgs, ... }:
 let
  domain = "home-assistant.cloonar.com";
+  deconzDomain = "deconz.cloonar.com";
 in
 {
+  users.users.deconz = {
+    home = "/var/lib/deocnz";
+    createHome = true;
+    isSystemUser = true;
+    group = "deconz";
+  };
+  users.groups.deconz = {};
+
  users.users.hass = {
    home = "/var/lib/hass";
    createHome = true;
@@ -14,6 +23,9 @@ in
  security.acme.certs."${domain}" = {
    group = "nginx";
  };
+  security.acme.certs."${deconzDomain}" = {
+    group = "nginx";
+  };

  sops.secrets."home-assistant-secrets.yaml" = {
    owner = "hass";
@@ -29,6 +41,14 @@ in
    ephemeral = true; # because of ssh key
    macvlans = [ "vserver" ];
    bindMounts = {
+      "/var/lib/deconz" = {
+        hostPath = "/var/lib/deconz/";
+        isReadOnly = false;
+      };
+      "/var/lib/acme/deconz/" = {
+        hostPath = "${config.security.acme.certs.${deconzDomain}.directory}";
+        isReadOnly = true;
+      };
      "/var/lib/hass" = {
        hostPath = "/var/lib/hass/";
        isReadOnly = false;
@@ -78,6 +98,40 @@ in
        };
      };

+      nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+        "deconz"
+      ];
+
+      services.nginx.virtualHosts."${deconzDomain}" = {
+        sslCertificate = "/var/lib/acme/deconz/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/deconz/key.pem";
+        sslTrustedCertificate = "/var/lib/acme/deconz/chain.pem";
+        forceSSL = true;
+        extraConfig = ''
+          proxy_buffering off;
+        '';
+        locations."/".extraConfig = ''
+          set $p 8080;
+          if ($http_upgrade = "websocket") {
+              set $p 8081;
+          }
+          proxy_pass http://127.0.0.1:$p;
+          proxy_set_header Host $host;
+          proxy_redirect http:// https://;
+          proxy_http_version 1.1;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection $connection_upgrade;
+        '';
+      };
+
+      services.deconz = {
+        enable = true;
+        httpPort = 8080;
+        wsPort = 8081;
+        device = "/dev/ttyACM0";
+      };
+
      services.nginx.enable = true;
      services.nginx.virtualHosts."${domain}" = {
        sslCertificate = "/var/lib/acme/hass/fullchain.pem";
--- a/hosts/fw.cloonar.com/modules/unbound.nix
+++ b/hosts/fw.cloonar.com/modules/unbound.nix
@@ -30,13 +30,9 @@ let
        "\"fw A 10.42.97.1\""

        "\"switch.cloonar.com IN A 10.42.97.10\""
-        "\"drone.cloonar.com IN A 10.42.97.118\""
-        "\"hv-02.cloonar.com IN A 10.42.97.3\""
        "\"deconz.cloonar.com IN A 10.42.97.20\""
        "\"mopidy.cloonar.com IN A 10.42.97.20\""
        "\"snapcast.cloonar.com IN A 10.42.97.20\""
-        "\"cl-storage-01.cloonar.com IN A 10.42.97.9\""
-        "\"git.cloonar.old IN A 10.44.97.118\""

        "\"stage.wsw.at IN A 10.254.235.22\""
        "\"prod.wsw.at IN A 10.254.217.23\""