many changes and more modularizing

hosts/fw-new/modules/home-assistant/ldap.nix

@@ -0,0 +1,56 @@
+{ pkgs
+, config
+, lib
+, ... }:
+let
+  ldap-auth-sh = pkgs.stdenv.mkDerivation {
+    name = "ldap-auth-sh";
+
+    src = pkgs.fetchFromGitHub {
+      owner = "efficiosoft";
+      repo = "ldap-auth-sh";
+      rev = "93b2c00413942908139e37c7432a12bcb705ac87";
+      sha256 = "1pymp6ki353aqkigr89g7hg5x1mny68m31c3inxf1zr26n5s2kz8";
+    };
+
+    nativeBuildInputs = [ pkgs.makeWrapper ];
+    installPhase = ''
+      mkdir -p $out/etc
+      cat > $out/etc/home-assistant.cfg << 'EOF'
+      CLIENT="ldapsearch"
+      SERVER="ldaps://ldap.cloonar.com:636"
+      USERDN="cn=home-assistant,ou=system,ou=users,dc=cloonar,dc=com"
+      PW="$(</run/secrets/home-assistant-ldap)"
+      BASEDN="ou=users,dc=cloonar,dc=com"
+      SCOPE="one"
+      FILTER="(&(objectClass=cloonarUser)(memberOf=cn=HomeAssistant,ou=groups,dc=cloonar,dc=com)(mail=$(ldap_dn_escape "$username")))"
+      USERNAME_PATTERN='^[a-z|A-Z|0-9|_|-|.|@]+$'
+      on_auth_success() {
+        # print the meta entries for use in HA
+        if echo "$output" | grep -qE '^(dn|DN):: '; then
+            # ldapsearch base64 encodes non-ascii
+            output=$(echo "$output" | sed -n -e "s/^\(dn\|DN\)\s*::\s*\(.*\)$/\2/p" | base64 -d)
+        else
+            output=$(echo "$output" | sed -n -e "s/^\(dn\|DN\)\s*:\s*\(.*\)$/\2/p")
+        fi
+        name=$(echo "$output" | sed -nr 's/^cn=([^,]+).*/\1/Ip')
+        [ -z "$name" ] || echo "name=$name"
+      }
+      EOF
+      install -D -m755 ldap-auth.sh $out/bin/ldap-auth.sh
+      wrapProgram $out/bin/ldap-auth.sh \
+        --prefix PATH : ${lib.makeBinPath [pkgs.openldap pkgs.coreutils pkgs.gnused pkgs.gnugrep]} \
+        --add-flags "$out/etc/home-assistant.cfg"
+    '';
+  };
+in
+{
+  services.home-assistant.config.homeassistant.auth_providers = [
+    {
+      type = "command_line";
+      command = "${ldap-auth-sh}/bin/ldap-auth.sh";
+      meta = true;
+    }
+  ];
+}
+