config upd

This commit is contained in:
mjallen18
2025-07-16 12:46:52 -05:00
parent 6c3de9beb4
commit cdcd102d8c
7 changed files with 213 additions and 32 deletions


@@ -11,6 +11,8 @@
./networking.nix
./users.nix
./sops.nix
../../modules/homeassistant/homeassistant.nix
];
security.tpm2 = {
@@ -52,4 +54,4 @@
];
};
};
}
}
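Review bot: The host now imports `../../modules/homeassistant/homeassistant.nix`, while the container definition elsewhere in this commit imports a `./homeassistant.nix` that sets `services.home-assistant.enable = true` and `openFirewall = true`; if both paths resolve to the same service module, Home Assistant ends up enabled on the host as well as inside the container, with its port opened in the host firewall. Please confirm the file imported here is the container wrapper (the one declaring `containers.homeassistant`) and not the service module, or guard the service definition so it only applies inside the container. The `security.tpm2` block and the closing braces in the second hunk begin and end outside this hunk, so they are not reviewed here.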


@@ -9,6 +9,11 @@
"/var/lib/bluetooth"
"/var/lib/nixos"
"/var/lib/tailscale"
"/var/lib/homeassistant"
"/var/lib/mosquitto"
"/var/lib/music-assistant"
"/var/lib/postgresql"
"/var/lib/zigbee2mqtt"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
"/etc/secureboot"


@@ -18,7 +18,7 @@ in
# Either the group id or group name representation of the secret group
# It is recommended to get the group name from `config.users.users.<?name>.group` to avoid misconfiguration
sops = {
defaultSopsFile = ../../secrets/nas-secrets.yaml;
defaultSopsFile = ../../secrets/nuc-secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# ------------------------------
@@ -69,9 +69,6 @@ in
path = "/etc/secureboot/keys/PK/PK.pem";
mode = "0640";
};
"jallen-nas/attic-key" = {
# owner = "atticd";
};
};
# ------------------------------
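Review bot: `defaultSopsFile` now points at `../../secrets/nuc-secrets.yaml`, but the new file added in this commit appears to hold only a single `hass` entry, while this module still declares a secret written to `/etc/secureboot/keys/PK/PK.pem` (that declaration starts before this hunk). Unless that declaration carries its own `sopsFile = …;`, sops-nix will fail at activation because the key is missing from the new default file; please confirm every remaining declaration either exists in `nuc-secrets.yaml` or keeps pointing at its original file. Since `PK.pem` is the Secure Boot Platform Key private key, `mode = "0640"` only restricts it if `owner`/`group` are root or an equally privileged account — those fields are outside the hunk, so worth a check.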


@@ -23,7 +23,7 @@ let
src = pkgs.fetchFromGitHub {
owner = owner;
repo = domain;
repo = "ha_gehome";
rev = version;
hash = "sha256-NlUkM70yvBeC5s7S5BkNxIC2GztfEq8xYrQZr4pkaGU=";
};


@@ -1,8 +1,8 @@
{ dream2nix, ... }:
let
hostAddress = "10.0.1.3";
localAddress = "10.0.2.3";
hassPort = 8192;
hostAddress = "10.0.1.4";
localAddress = "10.0.4.2";
hassPort = 8123;
in
{
containers.homeassistant = {
@@ -11,13 +11,23 @@ in
hostAddress = hostAddress;
localAddress = localAddress;
bindMounts = {
"/var/lib/homeassistant" = {
hostPath = "/var/lib/homeassistant";
isReadOnly = false;
};
USB0 = {
hostPath = "/dev/ttyUSB0";
mountPoint = "/dev/ttyUSB0";
isReadOnly = false;
};
};
config = { lib, ... }:
{
imports = [
./homeassistant.nix
({ ... }: { _module.args.dream2nix = dream2nix; })
./homeassistant.nix
];
# inherit dream2nix;
networking = {
firewall = {
@@ -30,13 +40,10 @@ in
};
# Create and set permissions for required directories
system.activationScripts.gitea-dirs = ''
mkdir -p /var/lib/gitea
chown -R gitea:gitea /var/lib/gitea
chmod -R 775 /var/lib/gitea
mkdir -p /run/secrets/jallen-nas
chown -R gitea:gitea /run/secrets/jallen-nas
chmod -R 775 /run/secrets/jallen-nas
system.activationScripts.hass-dirs = ''
mkdir -p /var/lib/homeassistant
chown -R homeassistant:homeassistant /var/lib/homeassistat
chmod -R 775 /var/lib/homeassistant
'';
services.resolved.enable = true;
@@ -52,4 +59,4 @@ in
}
];
};
}
}
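Review bot: The `chown` in the new `hass-dirs` activation script targets `/var/lib/homeassistat` (missing the trailing `n`), so it errors on a non-existent path and the real `/var/lib/homeassistant` tree never changes owner; the line should read `chown -R homeassistant:homeassistant /var/lib/homeassistant`. The following `chmod -R 775` also makes the Home Assistant config directory group-writable and world-readable, while the `chmod -R 750` this commit removes from `homeassistant.nix` kept it tighter; `chmod -R 750 /var/lib/homeassistant` preserves that. The removed script used `hass:hass` whereas this one uses `homeassistant:homeassistant`; confirm which user the service actually runs as inside the container, since a mismatch leaves the bind mount unreadable or owned by the wrong account. The `/dev/ttyUSB0` bind mount presumably also needs a matching `allowedDevices` entry before the container can open the device node — that is not visible in this hunk, so please verify it is set.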


@@ -24,14 +24,44 @@ in
services.home-assistant = {
enable = true;
openFirewall = true;
configDir = "/var/lib/homeassistant";
configWritable = true; # todo
extraComponents = [
# Components required to complete the onboarding
"adguard"
"apple_tv"
"analytics"
"bluetooth"
"bluetooth_adapters"
"bluetooth_le_tracker"
"bluetooth_tracker"
"brother"
"caldav"
"calendar"
"cloudflare"
"co2signal"
"color_extractor"
"holiday"
"jellyfin"
"music_assistant"
"nut"
"nextcloud"
"nws"
"ollama"
"onedrive"
"ping"
"samsungtv"
"season"
"simplefin"
"smartthings"
"upnp"
"workday"
"wyoming"
"google_translate"
"met"
"radio_browser"
"shopping_list"
"esphome"
# Recommended for fast zlib compression
# https://www.home-assistant.io/integrations/isal
"isal"
@@ -147,6 +177,18 @@ in
python-roborock
python-steam
apple-weatherkit
samsungctl
samsungtvws
aiohomekit
icmplib
aioelectricitymaps
wyoming
pysmartthings
wakeonlan
ephem
];
config = {
@@ -160,15 +202,17 @@ in
themes = "!include_dir_merge_named themes";
};
"automation ui" = "!include /etc/nixos/hosts/homeassistant/automations.yaml";
"scene ui" = "!include /etc/nixos/hosts/homeassistant/scenes.yaml";
"script ui" = "!include /etc/nixos/hosts/homeassistant/scripts.yaml";
"automation ui" = "!include automations.yaml";
"scene ui" = "!include scenes.yaml";
"script ui" = "!include scripts.yaml";
http = {
use_x_forwarded_for = true;
trusted_proxies = [
"172.30.33.0/24"
"10.0.1.3"
"10.0.1.4"
"10.0.4.2"
"10.0.1.18"
"10.0.1.0/24"
];
};
@@ -195,13 +239,6 @@ in
# This bypasses the component validation and places it directly in HA's data directory
system.activationScripts.installCustomComponents = ''
mkdir -p ${config.services.home-assistant.configDir}/custom_components
ln -sf /etc/nixos/hosts/homeassistant/automations.yaml ${config.services.home-assistant.configDir}/automations.yaml
ln -sf /etc/nixos/hosts/homeassistant/scenes.yaml ${config.services.home-assistant.configDir}/scenes.yaml
ln -sf /etc/nixos/hosts/homeassistant/scripts.yaml ${config.services.home-assistant.configDir}/scripts.yaml
chown -R hass:hass ${config.services.home-assistant.configDir}
chmod -R 750 ${config.services.home-assistant.configDir}
'';
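Review bot: Adding `"10.0.1.0/24"` to `trusted_proxies` while `use_x_forwarded_for = true` lets every host on that subnet present an arbitrary `X-Forwarded-For`, so the client address Home Assistant uses for login-attempt throttling, IP bans and any network-based auth becomes spoofable from the whole LAN, and `openFirewall = true` in the first hunk makes the port reachable from that LAN directly as well. Trusted proxies should list only the reverse proxy that actually fronts the instance — if `10.0.1.18` is that proxy, `trusted_proxies = [ "10.0.1.18" ];` is sufficient, and the container's own address `10.0.4.2` and the `172.30.33.0/24` range can go unless something really forwards through them. `configWritable = true` is still marked `# todo`; a one-line comment stating why the config must stay writable (or a follow-up to turn it off) would help the next reader. With the `chown`/`chmod 750` dropped from `installCustomComponents`, the config directory's permissions now depend entirely on the container's activation script; a comment noting where that responsibility moved would avoid a future regression.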

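--- /dev/null
+++ b/secrets/nuc-secrets.yaml
@@ -0,0 +1,133 @@
+hass: ENC[AES256_GCM,data:WfnVfA==,iv:fv66AU1oNjqWSlUmfBIM+i9oyNBZE2OYycGA01RFq30=,tag:fsMd8SoNcBD7wVkbp6AxnQ==,type:bool]
+sops:
+age:
+- recipient: age157jemphjzg6zmk373vpccuguyw6e75qnkqmz8pcnn2yue85p939swqqhy0
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYc1hzeHNNSVJ4Z0tQMDl6
+d2h5QUsxOUV5QXRPTUtmcm92dmhKelVJT0ZJCkRGTnl3YjJKemFudnBvL3RZek5z
+L0lPeWRka3BLMFN4MEdmY1NPZ3R4OXMKLS0tIDVZUTNLYU5XU2w4U0N5bC93Y3li
+V01wRFVyNm1FaHFCVXZFMXNVQ1A4cUkKsAg9RPtIdR7EQCaIp4BMAF+FiGYEXiKc
+edQYpLr3bzT859rhINoDuKLBrWA4rIJn9+B+X+AqxUsC1/Exad2iyA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age13g9a4d4jrvckfddpgn8sm4kjtzajr67le56pfdg78ktr5pd09phq32j89u
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcERPajRmTjRkUWRuVkV1
+aDM4bzdJV2tmaC84OVNkdUNnT3NvS1hGcTNBCjI1OGg1a1ptbkhqTXBlQUVZMUgz
+amdVRktuS0NmZG5mOUVGckl2T2Z5eGMKLS0tIGNDaFcrUFRLQjVBSS9TZHNacFBJ
+NkhDQVdyL1daaXhNY3BMWEVvN3NrT00KCTXTBkKweE+0EWDi93zV0zCfBkkd2Y8Z
+GPSk0/Yj5RqNsLBhAMQI+Rpy+KgFLzpLsa9pvEzpnnvlUlB6kFigQA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1wpvfpv5n32lruk7c0da4uaeapsmhjxdvg8z4ljehn06l6g2y0e0sum404l
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0amE0NWdQVE9zOXhxOFpT
+ZTNNMy9Sek9WclpwWTJ6djI3bmVlUzB1blNFCnJScjlWYUE5UkM1TG1DM3RUeUpC
+V1FCNGxUWE0zSFYxTnFYdUFJaDM4VGcKLS0tIEsyR3VuOWg4azMwUHNHY2plbFha
+OXAyVURIbkRXRG1JYWQ3SGpkSzRMVTQKsjsU+2wHnnIoHr5PT8L+0X/UKEefKJBz
+pNTK+M5AyZdsXnuHR4XrTv0MFR5a3+i8FYYKyiudKF0fglCk1Gs35w==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1jv8ap5zwa49ftv0gg7wqf5ps0e68uuwxe2fekjsn0zkyql964unqyc58rf
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuaVFMSmlQU0NsMXlud1dw
+VS9PRStieWRMemtwd3BOUUxoQU0zaTFRUERNCng1TkYydU5XTnI3eFdBRHYwdUsx
+T1FPRzJNdEYzVGlkTzBjNHBPaTVRUGsKLS0tIE5Bdnp0UC9RQ3RFSERIdit6bXpq
+Wk9YYitHS2twVjJLRFM1OVB1d1g2REkKnIT5VdT3ol9WNQ2H1KwJvFtgume58uq4
+JBVC0QekOTvaP1WyI1A8ULKIEqkTpFVXUd+6h2xoRkglmILY/YRqWQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1pm3fehmmk0vmnrscz9vm96rakn46aaldr5ydpscmde3v9x0k3faswwdzxs
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0QUNUb2N0dHE1N2RmWGN3
+Umd0dHZad2JxU0cxUjE2dXBIa1hOWWdRV0FjCmREMDk1RHlkQ3F6bVlwTVdWVjF3
+dFpUYyswNno0aDhsdXJ2V0pqbG1ueGcKLS0tIEY3dFVsa1JjL3ByU2kyVVg0bmFJ
+VEFXUU41ZCtNQkl1Z1U1TWxQQWwwSmMKyHDo6WHoKyizY4TSZ+foB413ueDlIQ7K
+B1CX89nk5FyBjILZp3Ub8+a2Lekj+ul94X6ONL8dQeXb3BVSx90OwA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1mn2afyp9my7y7hcyzum0wdwt49zufnkt8swnyy8pj30cwzs4zvgsthj0lt
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoMHhLOWRzTHJPVmlmdUZa
+OTlmMDBIcTJ5Y3FXcWdNRjc0YmxLNk80dlhFCkMxU2N6ZytoeENuc1o5czR0YmFj
+SXQyUmpzNGQwZFZTTGozUjk2cURpLzQKLS0tIHNCK0RXUmQzNGpaa0hDOVg4RkFt
+d21uZzQ1MEdITlVKMldBQXFBaWlsazAKH+Y+4DPxYN5YpMZkff6AZoK2dwiem2Mr
+Lj4HqsO/AvOTiCJTSAALLKbmdYHekC3BbMDTtV80ntGDTxUfH+GQVg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1ykkjw57t3z3deup3gtp7dujyaslskn74e0d9hsmqaha2pj3rvazqgndw5a
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUElIQytMazlQNWtLS0RB
+V1RzNG9sd3ZIWHlQVktIeDFHZUVibGJYVEFZCmVQZS9paDl6bTZuYmo4MEx0b2wy
+TE1tRFN5VWsvZ3ViVFQ0d0J6MTlvVDAKLS0tIExMR3RHa0k4L1hsV01FaTRCWXUy
+SHI3WDBudUt6bE9uN0tOZDZsZHkvNXcKbwwhKX45jFrzghmwOxVJGXqQnpZ2Aaj5
+R8MbFqlvtgjnUxy/xoKgb1pJkOc2zccbUTP6RvXTc5MzXruAhhg6DA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1t2d5scrukk0guva5sr97a8tge5j8kd865adezrcru7p269pzwvpsamkgje
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKclI1MzcxWU1JY0YxZm9X
+RHNRNE95THdrY2I0SWNZM0pjcHNVblRTbWxzCkw5ZjFkTEpRQjZGSldBaW54bjQy
+NTFmY21GZG9XVHhaMm1lSnF3NGp1NTQKLS0tIERHWXdHbUh1RWhxRStWODZ4TW1G
+RzM5cVlWR3VKZFFjVUcrOExvaGFPWjgKtD+Z/5IkB3l93A4mSFXilGlpm8maxOB1
+2pJep9K4+sRNw8dXKYHXhlQFENaSGSGHmZdr+1jEmR7pUT1Ult9osA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1c8qw59ffcq9l77gfmtyc3djtvt3md0u6dwhrjcgsm98ntyf72ufqugj7cg
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVOXR6SXFXbTl3RC9oU3cy
+ZXVYcEZwS0F0ZWpkSWxRTUdoQWpiUXNOaFY0CkQwMmd3dUFZQkxKbUNRKzRQNXJj
+SjNGaGMweFBTK2hXc0t0aFVBT1RGRm8KLS0tIHYvT1o1VTd3Si9EOE9ZckFRZnEy
+TWdDRmRyclRNc2UzUFVmcnd3WDFSSGMKXGmd7G+MVDgTNNAwvJjW3Lso85c/pQZX
+cG6d+cdFNmS2t0Or2LiSO+VBVkX3pq5I5noU4LYU8frieBd07h9Fng==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1er5qucsc2mugrzrr7n3xhzv7kemkrqrw4m84r544fkk7nkg5g5eswxkqj0
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNmwvN2ovRXVydkNPc3pw
+V0U3NlNJUlNsN1VzSkdkUStnWnN3dHF6UjFZCkdINEM3TTFyMnlKOWZSSEMwcWk4
+aFpXMTBHcjhDRW5HeWpOUnViWnRZVUUKLS0tIFBqTktkaFZMaVpKZTYvS0lWVTZ4
+V1d0RGdSSWVNaFhvZXVqN0diOERpbTQKX4XI8gXWaTVGZcJV5hx7874djNDmxmbY
+sj5bdgQSAHqiJAcPvqwG3i9OWYBmZ6P22MkOOS/aiEH+PUfB6h4wzg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1xg6mvj3x6s3t8058c6rsk3q4kskvm6nsffwckxkkjzhyn7r6tczqgkj23p
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySmxpMEltSFptQ01lYi9i
+Rjh0YnBqU3pIQk1LYVZFV2kydzAxMnhzL3k4ClpwQXFLUnNHemdjRUR6QnAwNG1G
+RVNHYmV0c09ORkQrL2hTYlVab3F3VE0KLS0tIEhHZzNMNS9TemFFNHNjS3gvdTY0
+dFRyVk9jYnFIb3U5OGZZdmJHNk9vWFUK4YSyxFAfCt5PhBak1aQTMRFVa650FuP/
+Y5w19CYl1rwQKcU/RIiV5vx0o246cztf68qfopKF9uI2+yp+nJHfhw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1rdn39ywgzmc8wlsl5lrfe77e652wzjmjx58gx4k2ydghd35kdqvqscrf3h
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5NVNkc3h5VTVlMEFvZk4v
+YksrckoxOTUvcGNycWQ4enQ1TnVvcGZhUXdZCnlSa3MvNGtPR3VKcXpFQVJXN3Fw
+NE80dnJGc0V0SXVzY0pKa1o4QTE3WW8KLS0tIGsxdmYwbW9ZL291V20wOFI4U0xk
+eTd5UTdKaXN4NDJpMUc3YXMyL2hmQmsKWEen1DEeEy4XHcNGdD41oa30QO/hZtWU
+1B2zIov/c8vuFChoq+Jf0W2jCXsRYxKptBLb093mx6h2DLYWFpgK3w==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1luyejgmqjj0esydlr2jxqkg48vexmx57gdz7cy5gq7rz8kf5cups2rnfa9
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhUVUwVGtQbHRKcEVSeVh4
+Tk02eTRkQTRjWTloMENzY3ZaRFM2b2NtYUNRCnYvL2VITFdOdGhrK0lpNWh0ejNo
+NytPQ3VSaVdhVjZMSDloTlN1ZkR0R3cKLS0tIGtKWHQvQjB2WWRXcmlRS3prRzE2
+RHU2OVpmRnF4RTJLMkZsN0VnaWhxWDgKWtKSSjnn3YIcJ07I5fp8GzXkTcfyYZ42
+f+FPBYbSOTRP95P7cqq6wnmUxWTo3HaIxr8zq6+JZRF6IKdfFzu5cw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1wurzgc20e6ye79wsg85vvqk4aj3mmc0llxshcy9532ex8f4c6dqql76c78
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSFRiajB4VGhCNnI1N2c0
+QjI2RW5XNS9BYTFla2ExbXl4SlI3NmYwWlNjCkNmb2FhQTB0OHZleDl0Rm5sNG5D
+S2NkakliRVZVbTRzWHUxR2hDOGxhNEEKLS0tIEw1T2dJL0tQbksyd2RqSlBJeWNz
+c0l1UjVOZUkyMCt6U01JQ1pkWGVOVEEK5j0vz++n4JVdYcj9CrMDPLsVZzW47J3I
+amYFavQOE71G2JtCixOc4Gy4wJJ3On5WlZLgL2aCK6YT14jRH2PRSw==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2025-07-16T02:28:31Z"
+mac: ENC[AES256_GCM,data:c9bacPoSQ/6iQW6ICJfBRMPM4iPbXh4xPqU5XgGIYD9ssRV5sp2KI9eloTZNdxh5T49nfO8qkwlXsOFXTVjOlz8KAiRO0T6/Lq4mF8AsyRE0uPn2sZqrjDhcjTd3FYIVPCLna28UqvdO1dL8/6yI1t7Z2JrgrWxCqHG9dFtBWsA=,iv:54SRSm6WLe42EtvIm9vRzkq7xTiLYEItUyNuMyNsFas=,tag:ZTL0ON3s1TcNzEX/bLrmLw==,type:str]
+unencrypted_suffix: _unencrypted
+version: 3.10.2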
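Review bot: `nuc-secrets.yaml` is encrypted to fifteen age recipients, so any one of those fifteen private keys can decrypt this host's secrets; for a per-host file the recipient set should normally be just the host's own key (sops.nix derives it from `/etc/ssh/ssh_host_ed25519_key`) plus the operator keys, with the rest pruned via the repo's `.sops.yaml` and `sops updatekeys`. Note also that sops encrypts values but not structure, so the top-level key name `hass` and any future entry names are readable by anyone with repo access — worth remembering when naming entries. Both points concern the file as committed; its contents are opaque here.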