From cdcd102d8c618b064fef2a4c99e9878a309dbbe8 Mon Sep 17 00:00:00 2001 From: mjallen18 Date: Wed, 16 Jul 2025 12:46:52 -0500 Subject: [PATCH] config upd --- hosts/nuc/configuration.nix | 4 +- hosts/nuc/impermanence.nix | 5 + hosts/nuc/sops.nix | 5 +- modules/homeassistant/hacs/gehome.nix | 2 +- modules/homeassistant/hass.nix | 35 ++++--- modules/homeassistant/homeassistant.nix | 61 ++++++++--- secrets/nuc-secrets.yaml | 133 ++++++++++++++++++++++++ 7 files changed, 213 insertions(+), 32 deletions(-) create mode 100644 secrets/nuc-secrets.yaml diff --git a/hosts/nuc/configuration.nix b/hosts/nuc/configuration.nix index e3a18b8..7c20df9 100644 --- a/hosts/nuc/configuration.nix +++ b/hosts/nuc/configuration.nix @@ -11,6 +11,8 @@ ./networking.nix ./users.nix ./sops.nix + + ../../modules/homeassistant/homeassistant.nix ]; security.tpm2 = { @@ -52,4 +54,4 @@ ]; }; }; -} \ No newline at end of file +} diff --git a/hosts/nuc/impermanence.nix b/hosts/nuc/impermanence.nix index 2d21877..62b1e37 100755 --- a/hosts/nuc/impermanence.nix +++ b/hosts/nuc/impermanence.nix @@ -9,6 +9,11 @@ "/var/lib/bluetooth" "/var/lib/nixos" "/var/lib/tailscale" + "/var/lib/homeassistant" + "/var/lib/mosquitto" + "/var/lib/music-assistant" + "/var/lib/postgresql" + "/var/lib/zigbee2mqtt" "/var/lib/systemd/coredump" "/etc/NetworkManager/system-connections" "/etc/secureboot" diff --git a/hosts/nuc/sops.nix b/hosts/nuc/sops.nix index aa16d43..e91b5e5 100755 --- a/hosts/nuc/sops.nix +++ b/hosts/nuc/sops.nix @@ -18,7 +18,7 @@ in # Either the group id or group name representation of the secret group # It is recommended to get the group name from `config.users.users..group` to avoid misconfiguration sops = { - defaultSopsFile = ../../secrets/nas-secrets.yaml; + defaultSopsFile = ../../secrets/nuc-secrets.yaml; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; # ------------------------------ 
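Review bot: `../../modules/homeassistant/homeassistant.nix` is now imported directly by the host, while `modules/homeassistant/hass.nix` in this same patch imports the same module inside `containers.homeassistant`; whether hass.nix is also imported by this host is not visible here, but if it is, `services.home-assistant` would be declared both on the host and in the container, and both would act on `/var/lib/homeassistant` (bind-mounted read-write into the container by hass.nix). A comment on the new import line stating which deployment is intended, e.g. `# Home Assistant runs on the host; the container in hass.nix is not used`, or removing the unused path, would make that explicit.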
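Review bot: `defaultSopsFile` now points at `../../secrets/nuc-secrets.yaml`, but the new file added in this patch holds a single top-level key, `hass`, whereas the remaining `sops.secrets` entries in this file (for example the secureboot entry visible in the next hunk, `path = "/etc/secureboot/keys/PK/PK.pem"`) still expect their keys to exist in the default file. Unless those entries set their own `sopsFile` (not visible here), sops-nix will report the keys as missing from nuc-secrets.yaml. Either add the expected keys to nuc-secrets.yaml or point those entries at the file that actually holds them. The end of this hunk may be cut by the line collapsing in this view.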
@@ -69,9 +69,6 @@ in path = "/etc/secureboot/keys/PK/PK.pem"; mode = "0640"; }; - "jallen-nas/attic-key" = { -# owner = "atticd"; - }; }; # ------------------------------ diff --git a/modules/homeassistant/hacs/gehome.nix b/modules/homeassistant/hacs/gehome.nix index 8fb26af..d6a9950 100644 --- a/modules/homeassistant/hacs/gehome.nix +++ b/modules/homeassistant/hacs/gehome.nix @@ -23,7 +23,7 @@ let src = pkgs.fetchFromGitHub { owner = owner; - repo = domain; + repo = "ha_gehome"; rev = version; hash = "sha256-NlUkM70yvBeC5s7S5BkNxIC2GztfEq8xYrQZr4pkaGU="; }; diff --git a/modules/homeassistant/hass.nix b/modules/homeassistant/hass.nix index 2def729..972ad64 100644 --- a/modules/homeassistant/hass.nix +++ b/modules/homeassistant/hass.nix @@ -1,8 +1,8 @@ { dream2nix, ... }: let - hostAddress = "10.0.1.3"; - localAddress = "10.0.2.3"; - hassPort = 8192; + hostAddress = "10.0.1.4"; + localAddress = "10.0.4.2"; + hassPort = 8123; in { containers.homeassistant = { @@ -11,13 +11,23 @@ in hostAddress = hostAddress; localAddress = localAddress; + bindMounts = { + "/var/lib/homeassistant" = { + hostPath = "/var/lib/homeassistant"; + isReadOnly = false; + }; + USB0 = { + hostPath = "/dev/ttyUSB0"; + mountPoint = "/dev/ttyUSB0"; + isReadOnly = false; + }; + }; + config = { lib, ... }: { imports = [ - ./homeassistant.nix - ({ ... }: { _module.args.dream2nix = dream2nix; }) + ./homeassistant.nix ]; - # inherit dream2nix; networking = { firewall = { 
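Review bot: `repo` becomes the literal `"ha_gehome"` while the fixed-output `hash` on the line below is unchanged; if `domain` previously resolved to a different repository name, the fetched content differs and `fetchFromGitHub` will fail with a hash mismatch, so the hash should be re-verified against the new source. `owner = owner;` next to a literal repo is also inconsistent — `inherit owner;` reads cleaner. The enclosing `let` binding starts and ends outside the hunk.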
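Review bot: The `({ ... }: { _module.args.dream2nix = dream2nix; })` import is removed, so `./homeassistant.nix` no longer receives `dream2nix` as a module argument, yet the file header still takes `{ dream2nix, ... }:` (context line at the top of the first hunk) and nothing in the visible code uses it; if homeassistant.nix still needs it, the container config fails on an undefined `dream2nix` argument, otherwise the parameter should be dropped from the header. Separately, the `USB0` bind mount passes `/dev/ttyUSB0` read-write into the container; a bind mount alone typically does not grant device access inside a NixOS container — `containers.homeassistant.allowedDevices` (not visible here) also has to list the node — and the mount fails at container start if the device is absent on the host. A comment on the mount such as `# serial adapter for <integration>; needs a matching allowedDevices entry` would make the intent clear.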
@@ -30,13 +40,10 @@ in }; # Create and set permissions for required directories - system.activationScripts.gitea-dirs = '' - mkdir -p /var/lib/gitea - chown -R gitea:gitea /var/lib/gitea - chmod -R 775 /var/lib/gitea - mkdir -p /run/secrets/jallen-nas - chown -R gitea:gitea /run/secrets/jallen-nas - chmod -R 775 /run/secrets/jallen-nas + system.activationScripts.hass-dirs = '' + mkdir -p /var/lib/homeassistant + chown -R homeassistant:homeassistant /var/lib/homeassistat + chmod -R 775 /var/lib/homeassistant ''; services.resolved.enable = true; @@ -52,4 +59,4 @@ in } ]; }; -} \ No newline at end of file +} diff --git a/modules/homeassistant/homeassistant.nix b/modules/homeassistant/homeassistant.nix index 0099049..44ca0e6 100755 --- a/modules/homeassistant/homeassistant.nix +++ b/modules/homeassistant/homeassistant.nix @@ -24,14 +24,44 @@ in services.home-assistant = { enable = true; openFirewall = true; + configDir = "/var/lib/homeassistant"; configWritable = true; # todo extraComponents = [ - # Components required to complete the onboarding + "adguard" + "apple_tv" "analytics" + "bluetooth" + "bluetooth_adapters" + "bluetooth_le_tracker" + "bluetooth_tracker" + "brother" + "caldav" + "calendar" + "cloudflare" + "co2signal" + "color_extractor" + "holiday" + "jellyfin" + "music_assistant" + "nut" + "nextcloud" + "nws" + "ollama" + "onedrive" + "ping" + "samsungtv" + "season" + "simplefin" + "smartthings" + "upnp" + "workday" + "wyoming" + "google_translate" "met" "radio_browser" "shopping_list" + "esphome" # Recommended for fast zlib compression # https://www.home-assistant.io/integrations/isal "isal" @@ -147,6 +177,18 @@ in python-roborock python-steam apple-weatherkit + + samsungctl + samsungtvws + + aiohomekit + + icmplib + aioelectricitymaps + wyoming + pysmartthings + wakeonlan + ephem ]; config = { 
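Review bot: The `chown` line in `hass-dirs` has a typo in its path, `/var/lib/homeassistat` (missing `n`), so the directory created on the previous line is never chowned and the command fails with a no-such-file error on every activation. The ownership target also disagrees with the rest of this patch: homeassistant.nix (the line removed in its last hunk) used `hass:hass`, while this script uses `homeassistant:homeassistant`, which may not exist as a user — confirm which user the service actually runs as. `chmod -R 775` additionally makes the whole state directory group-writable, whereas the equivalent script in homeassistant.nix uses `750`. Suggested lines: `chown -R hass:hass /var/lib/homeassistant` and `chmod -R 750 /var/lib/homeassistant`. Whether this script runs on the host or inside the container is not visible in the hunk.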
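Review bot: The new `extraComponents` entries break the ordering of the list — `"apple_tv"` precedes `"analytics"`, `"google_translate"` follows `"wyoming"`, and `"esphome"` is appended after `"shopping_list"` — which makes duplicates hard to spot as the list grows; keeping it alphabetical, or grouping entries under a one-line comment as the `isal` entry already is, would help. The comment `# Components required to complete the onboarding` was dropped, so `"analytics"`, `"met"`, `"radio_browser"` and `"shopping_list"` no longer carry the reason they are present; restoring it as `# onboarding: analytics, met, radio_browser, shopping_list` keeps that context. `configWritable = true; # todo` still carries a bare `# todo` — say what remains to be done.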
@@ -160,15 +202,17 @@ in themes = "!include_dir_merge_named themes"; }; - "automation ui" = "!include /etc/nixos/hosts/homeassistant/automations.yaml"; - "scene ui" = "!include /etc/nixos/hosts/homeassistant/scenes.yaml"; - "script ui" = "!include /etc/nixos/hosts/homeassistant/scripts.yaml"; + "automation ui" = "!include automations.yaml"; + "scene ui" = "!include scenes.yaml"; + "script ui" = "!include scripts.yaml"; http = { use_x_forwarded_for = true; trusted_proxies = [ "172.30.33.0/24" - "10.0.1.3" + "10.0.1.4" + "10.0.4.2" + "10.0.1.18" "10.0.1.0/24" ]; }; @@ -195,13 +239,6 @@ in # This bypasses the component validation and places it directly in HA's data directory system.activationScripts.installCustomComponents = '' - mkdir -p ${config.services.home-assistant.configDir}/custom_components - - ln -sf /etc/nixos/hosts/homeassistant/automations.yaml ${config.services.home-assistant.configDir}/automations.yaml - ln -sf /etc/nixos/hosts/homeassistant/scenes.yaml ${config.services.home-assistant.configDir}/scenes.yaml - ln -sf /etc/nixos/hosts/homeassistant/scripts.yaml ${config.services.home-assistant.configDir}/scripts.yaml - - chown -R hass:hass ${config.services.home-assistant.configDir} chmod -R 750 ${config.services.home-assistant.configDir} ''; diff --git a/secrets/nuc-secrets.yaml b/secrets/nuc-secrets.yaml new file mode 100644 index 0000000..02dd3d0 --- /dev/null +++ b/secrets/nuc-secrets.yaml 
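Review bot: `trusted_proxies` now lists `10.0.1.4` and `10.0.1.18` even though the already-present `10.0.1.0/24` covers both, and with `use_x_forwarded_for = true` every host in that /24 (plus `10.0.4.2`) is allowed to set the client address Home Assistant sees, which weakens IP-based controls such as login-attempt banning; trimming the list to the actual reverse-proxy address(es) and dropping the /24 is the safer shape. The `!include` targets also changed from absolute `/etc/nixos/hosts/homeassistant/*.yaml` to bare `automations.yaml`, `scenes.yaml` and `scripts.yaml`, which resolve relative to `configDir`, while the symlinks that used to provide those files are removed in the next hunk; if nothing else creates them, Home Assistant will fail to load its configuration on a fresh `/var/lib/homeassistant`. The enclosing `config` attribute set starts and ends outside the hunk.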
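Review bot: `installCustomComponents` no longer installs anything — the `mkdir -p .../custom_components` and the symlinks are gone and only `chmod -R 750` remains — so the script name and the comment above it (`# This bypasses the component validation and places it directly in HA's data directory`) now describe code that does not exist; rename it (e.g. `hass-config-perms`) and replace the comment with `# Keep the Home Assistant state directory private to its owner`. Dropping `chown -R hass:hass` also leaves ownership of `${config.services.home-assistant.configDir}` to the `hass-dirs` script in hass.nix, which in this patch chowns to `homeassistant:homeassistant` (with a typo in its path), so the two should be reconciled to the same user. The script's closing `'';` is visible; its ordering relative to `hass-dirs` is not.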
@@ -0,0 +1,133 @@ +hass: ENC[AES256_GCM,data:WfnVfA==,iv:fv66AU1oNjqWSlUmfBIM+i9oyNBZE2OYycGA01RFq30=,tag:fsMd8SoNcBD7wVkbp6AxnQ==,type:bool] +sops: + age: + - recipient: age157jemphjzg6zmk373vpccuguyw6e75qnkqmz8pcnn2yue85p939swqqhy0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYc1hzeHNNSVJ4Z0tQMDl6 + d2h5QUsxOUV5QXRPTUtmcm92dmhKelVJT0ZJCkRGTnl3YjJKemFudnBvL3RZek5z + L0lPeWRka3BLMFN4MEdmY1NPZ3R4OXMKLS0tIDVZUTNLYU5XU2w4U0N5bC93Y3li + V01wRFVyNm1FaHFCVXZFMXNVQ1A4cUkKsAg9RPtIdR7EQCaIp4BMAF+FiGYEXiKc + edQYpLr3bzT859rhINoDuKLBrWA4rIJn9+B+X+AqxUsC1/Exad2iyA== + -----END AGE ENCRYPTED FILE----- + - recipient: age13g9a4d4jrvckfddpgn8sm4kjtzajr67le56pfdg78ktr5pd09phq32j89u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcERPajRmTjRkUWRuVkV1 + aDM4bzdJV2tmaC84OVNkdUNnT3NvS1hGcTNBCjI1OGg1a1ptbkhqTXBlQUVZMUgz + amdVRktuS0NmZG5mOUVGckl2T2Z5eGMKLS0tIGNDaFcrUFRLQjVBSS9TZHNacFBJ + NkhDQVdyL1daaXhNY3BMWEVvN3NrT00KCTXTBkKweE+0EWDi93zV0zCfBkkd2Y8Z + GPSk0/Yj5RqNsLBhAMQI+Rpy+KgFLzpLsa9pvEzpnnvlUlB6kFigQA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1wpvfpv5n32lruk7c0da4uaeapsmhjxdvg8z4ljehn06l6g2y0e0sum404l + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0amE0NWdQVE9zOXhxOFpT + ZTNNMy9Sek9WclpwWTJ6djI3bmVlUzB1blNFCnJScjlWYUE5UkM1TG1DM3RUeUpC + V1FCNGxUWE0zSFYxTnFYdUFJaDM4VGcKLS0tIEsyR3VuOWg4azMwUHNHY2plbFha + OXAyVURIbkRXRG1JYWQ3SGpkSzRMVTQKsjsU+2wHnnIoHr5PT8L+0X/UKEefKJBz + pNTK+M5AyZdsXnuHR4XrTv0MFR5a3+i8FYYKyiudKF0fglCk1Gs35w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jv8ap5zwa49ftv0gg7wqf5ps0e68uuwxe2fekjsn0zkyql964unqyc58rf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuaVFMSmlQU0NsMXlud1dw + VS9PRStieWRMemtwd3BOUUxoQU0zaTFRUERNCng1TkYydU5XTnI3eFdBRHYwdUsx + T1FPRzJNdEYzVGlkTzBjNHBPaTVRUGsKLS0tIE5Bdnp0UC9RQ3RFSERIdit6bXpq + 
Wk9YYitHS2twVjJLRFM1OVB1d1g2REkKnIT5VdT3ol9WNQ2H1KwJvFtgume58uq4 + JBVC0QekOTvaP1WyI1A8ULKIEqkTpFVXUd+6h2xoRkglmILY/YRqWQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1pm3fehmmk0vmnrscz9vm96rakn46aaldr5ydpscmde3v9x0k3faswwdzxs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0QUNUb2N0dHE1N2RmWGN3 + Umd0dHZad2JxU0cxUjE2dXBIa1hOWWdRV0FjCmREMDk1RHlkQ3F6bVlwTVdWVjF3 + dFpUYyswNno0aDhsdXJ2V0pqbG1ueGcKLS0tIEY3dFVsa1JjL3ByU2kyVVg0bmFJ + VEFXUU41ZCtNQkl1Z1U1TWxQQWwwSmMKyHDo6WHoKyizY4TSZ+foB413ueDlIQ7K + B1CX89nk5FyBjILZp3Ub8+a2Lekj+ul94X6ONL8dQeXb3BVSx90OwA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mn2afyp9my7y7hcyzum0wdwt49zufnkt8swnyy8pj30cwzs4zvgsthj0lt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoMHhLOWRzTHJPVmlmdUZa + OTlmMDBIcTJ5Y3FXcWdNRjc0YmxLNk80dlhFCkMxU2N6ZytoeENuc1o5czR0YmFj + SXQyUmpzNGQwZFZTTGozUjk2cURpLzQKLS0tIHNCK0RXUmQzNGpaa0hDOVg4RkFt + d21uZzQ1MEdITlVKMldBQXFBaWlsazAKH+Y+4DPxYN5YpMZkff6AZoK2dwiem2Mr + Lj4HqsO/AvOTiCJTSAALLKbmdYHekC3BbMDTtV80ntGDTxUfH+GQVg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ykkjw57t3z3deup3gtp7dujyaslskn74e0d9hsmqaha2pj3rvazqgndw5a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUElIQytMazlQNWtLS0RB + V1RzNG9sd3ZIWHlQVktIeDFHZUVibGJYVEFZCmVQZS9paDl6bTZuYmo4MEx0b2wy + TE1tRFN5VWsvZ3ViVFQ0d0J6MTlvVDAKLS0tIExMR3RHa0k4L1hsV01FaTRCWXUy + SHI3WDBudUt6bE9uN0tOZDZsZHkvNXcKbwwhKX45jFrzghmwOxVJGXqQnpZ2Aaj5 + R8MbFqlvtgjnUxy/xoKgb1pJkOc2zccbUTP6RvXTc5MzXruAhhg6DA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1t2d5scrukk0guva5sr97a8tge5j8kd865adezrcru7p269pzwvpsamkgje + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKclI1MzcxWU1JY0YxZm9X + RHNRNE95THdrY2I0SWNZM0pjcHNVblRTbWxzCkw5ZjFkTEpRQjZGSldBaW54bjQy + NTFmY21GZG9XVHhaMm1lSnF3NGp1NTQKLS0tIERHWXdHbUh1RWhxRStWODZ4TW1G + 
RzM5cVlWR3VKZFFjVUcrOExvaGFPWjgKtD+Z/5IkB3l93A4mSFXilGlpm8maxOB1 + 2pJep9K4+sRNw8dXKYHXhlQFENaSGSGHmZdr+1jEmR7pUT1Ult9osA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1c8qw59ffcq9l77gfmtyc3djtvt3md0u6dwhrjcgsm98ntyf72ufqugj7cg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVOXR6SXFXbTl3RC9oU3cy + ZXVYcEZwS0F0ZWpkSWxRTUdoQWpiUXNOaFY0CkQwMmd3dUFZQkxKbUNRKzRQNXJj + SjNGaGMweFBTK2hXc0t0aFVBT1RGRm8KLS0tIHYvT1o1VTd3Si9EOE9ZckFRZnEy + TWdDRmRyclRNc2UzUFVmcnd3WDFSSGMKXGmd7G+MVDgTNNAwvJjW3Lso85c/pQZX + cG6d+cdFNmS2t0Or2LiSO+VBVkX3pq5I5noU4LYU8frieBd07h9Fng== + -----END AGE ENCRYPTED FILE----- + - recipient: age1er5qucsc2mugrzrr7n3xhzv7kemkrqrw4m84r544fkk7nkg5g5eswxkqj0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNmwvN2ovRXVydkNPc3pw + V0U3NlNJUlNsN1VzSkdkUStnWnN3dHF6UjFZCkdINEM3TTFyMnlKOWZSSEMwcWk4 + aFpXMTBHcjhDRW5HeWpOUnViWnRZVUUKLS0tIFBqTktkaFZMaVpKZTYvS0lWVTZ4 + V1d0RGdSSWVNaFhvZXVqN0diOERpbTQKX4XI8gXWaTVGZcJV5hx7874djNDmxmbY + sj5bdgQSAHqiJAcPvqwG3i9OWYBmZ6P22MkOOS/aiEH+PUfB6h4wzg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1xg6mvj3x6s3t8058c6rsk3q4kskvm6nsffwckxkkjzhyn7r6tczqgkj23p + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySmxpMEltSFptQ01lYi9i + Rjh0YnBqU3pIQk1LYVZFV2kydzAxMnhzL3k4ClpwQXFLUnNHemdjRUR6QnAwNG1G + RVNHYmV0c09ORkQrL2hTYlVab3F3VE0KLS0tIEhHZzNMNS9TemFFNHNjS3gvdTY0 + dFRyVk9jYnFIb3U5OGZZdmJHNk9vWFUK4YSyxFAfCt5PhBak1aQTMRFVa650FuP/ + Y5w19CYl1rwQKcU/RIiV5vx0o246cztf68qfopKF9uI2+yp+nJHfhw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1rdn39ywgzmc8wlsl5lrfe77e652wzjmjx58gx4k2ydghd35kdqvqscrf3h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5NVNkc3h5VTVlMEFvZk4v + YksrckoxOTUvcGNycWQ4enQ1TnVvcGZhUXdZCnlSa3MvNGtPR3VKcXpFQVJXN3Fw + NE80dnJGc0V0SXVzY0pKa1o4QTE3WW8KLS0tIGsxdmYwbW9ZL291V20wOFI4U0xk + 
eTd5UTdKaXN4NDJpMUc3YXMyL2hmQmsKWEen1DEeEy4XHcNGdD41oa30QO/hZtWU + 1B2zIov/c8vuFChoq+Jf0W2jCXsRYxKptBLb093mx6h2DLYWFpgK3w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1luyejgmqjj0esydlr2jxqkg48vexmx57gdz7cy5gq7rz8kf5cups2rnfa9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhUVUwVGtQbHRKcEVSeVh4 + Tk02eTRkQTRjWTloMENzY3ZaRFM2b2NtYUNRCnYvL2VITFdOdGhrK0lpNWh0ejNo + NytPQ3VSaVdhVjZMSDloTlN1ZkR0R3cKLS0tIGtKWHQvQjB2WWRXcmlRS3prRzE2 + RHU2OVpmRnF4RTJLMkZsN0VnaWhxWDgKWtKSSjnn3YIcJ07I5fp8GzXkTcfyYZ42 + f+FPBYbSOTRP95P7cqq6wnmUxWTo3HaIxr8zq6+JZRF6IKdfFzu5cw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1wurzgc20e6ye79wsg85vvqk4aj3mmc0llxshcy9532ex8f4c6dqql76c78 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSFRiajB4VGhCNnI1N2c0 + QjI2RW5XNS9BYTFla2ExbXl4SlI3NmYwWlNjCkNmb2FhQTB0OHZleDl0Rm5sNG5D + S2NkakliRVZVbTRzWHUxR2hDOGxhNEEKLS0tIEw1T2dJL0tQbksyd2RqSlBJeWNz + c0l1UjVOZUkyMCt6U01JQ1pkWGVOVEEK5j0vz++n4JVdYcj9CrMDPLsVZzW47J3I + amYFavQOE71G2JtCixOc4Gy4wJJ3On5WlZLgL2aCK6YT14jRH2PRSw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T02:28:31Z" + mac: ENC[AES256_GCM,data:c9bacPoSQ/6iQW6ICJfBRMPM4iPbXh4xPqU5XgGIYD9ssRV5sp2KI9eloTZNdxh5T49nfO8qkwlXsOFXTVjOlz8KAiRO0T6/Lq4mF8AsyRE0uPn2sZqrjDhcjTd3FYIVPCLna28UqvdO1dL8/6yI1t7Z2JrgrWxCqHG9dFtBWsA=,iv:54SRSm6WLe42EtvIm9vRzkq7xTiLYEItUyNuMyNsFas=,tag:ZTL0ON3s1TcNzEX/bLrmLw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2