| author | Alejandro Soto <alejandro@34project.org> | 2024-07-21 16:37:28 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2024-07-21 16:42:16 -0600 |
| commit | 16eea6871447e2bda93800825c07468045731bdc (patch) | |
| tree | 6cadb480f72e2a878ee67c92babc84f87587cdb5 | |
| parent | b1f3d839adc88b024e3a79d09b54a1939b78edba (diff) | |
sys/home-assistant: enable proxy forwarding from dmz
| -rw-r--r-- | sys/home-assistant/default.nix | 60 | ||||
| -rw-r--r-- | sys/home-assistant/hass.nix | 58 | ||||
| -rw-r--r-- | sys/home-assistant/yaml-extra.nix | 22 | ||||
| -rw-r--r-- | sys/nspawn/dmz.nix | 113 |
4 files changed, 157 insertions, 96 deletions
diff --git a/sys/home-assistant/default.nix b/sys/home-assistant/default.nix
index 631ba27..e997c08 100644
--- a/sys/home-assistant/default.nix
+++ b/sys/home-assistant/default.nix
@@ -1,58 +1,6 @@
-{ config, lib, pkgs, ... }:
-with lib; let
- cfg = config.local.home-assistant;
-in
 {
- options.local.home-assistant = {
- enable = mkEnableOption "home-assistant";
- };
-
- config = mkIf cfg.enable {
- # https://nathan.gs/2024/06/22/fail2ban-to-secure-ha-on-nixos/
- environment.etc."fail2ban/filter.d/home-assistant.local".text = ''
- [Definition]
- failregex = ^.* \[homeassistant\.components\.http\.ban\] Login attempt or request with invalid authentication from <HOST>.*$
-
- ignoreregex =
-
- journalmatch = _SYSTEMD_UNIT=home-assistant.service + _COMM=home-assistant
-
- datepattern = {^LN-BEG}
- '';
-
- local.boot.impermanence.directories = [
- { directory = "/var/lib/hass"; user = "hass"; group = "hass"; mode = "u=rwx,g=,o="; }
- ];
-
- services = {
- fail2ban.jails.home-assistant = { };
-
- home-assistant = {
- enable = true;
-
- extraComponents = [
- "met"
- "google_translate"
- "radio_browser"
- "tuya"
- "xiaomi_miio"
- ];
-
- config = {
- # Includes dependencies for a basic setup
- # https://www.home-assistant.io/integrations/default_config/
- default_config = { };
- };
-
- customComponents = with pkgs.home-assistant-custom-components; [
- dreame_vacuum
- xiaomi_miot
- ];
-
- customLovelaceModules = with pkgs.home-assistant-custom-lovelace-modules; [
- xiaomi-vacuum-map-card
- ];
- };
- };
- };
+ imports = [
+ ./hass.nix
+ ./yaml-extra.nix
+ ];
 }
diff --git a/sys/home-assistant/hass.nix b/sys/home-assistant/hass.nix
new file mode 100644
index 0000000..631ba27
--- /dev/null
+++ b/sys/home-assistant/hass.nix
@@ -0,0 +1,58 @@
+{ config, lib, pkgs, ... }:
+with lib; let
+ cfg = config.local.home-assistant;
+in
+{
+ options.local.home-assistant = {
+ enable = mkEnableOption "home-assistant";
+ };
+
+ config = mkIf cfg.enable {
+ # https://nathan.gs/2024/06/22/fail2ban-to-secure-ha-on-nixos/
+ environment.etc."fail2ban/filter.d/home-assistant.local".text = ''
+ [Definition]
+ failregex = ^.* \[homeassistant\.components\.http\.ban\] Login attempt or request with invalid authentication from <HOST>.*$
+
+ ignoreregex =
+
+ journalmatch = _SYSTEMD_UNIT=home-assistant.service + _COMM=home-assistant
+
+ datepattern = {^LN-BEG}
+ '';
+
+ local.boot.impermanence.directories = [
+ { directory = "/var/lib/hass"; user = "hass"; group = "hass"; mode = "u=rwx,g=,o="; }
+ ];
+
+ services = {
+ fail2ban.jails.home-assistant = { };
+
+ home-assistant = {
+ enable = true;
+
+ extraComponents = [
+ "met"
+ "google_translate"
+ "radio_browser"
+ "tuya"
+ "xiaomi_miio"
+ ];
+
+ config = {
+ # Includes dependencies for a basic setup
+ # https://www.home-assistant.io/integrations/default_config/
+ default_config = { };
+ };
+
+ customComponents = with pkgs.home-assistant-custom-components; [
+ dreame_vacuum
+ xiaomi_miot
+ ];
+
+ customLovelaceModules = with pkgs.home-assistant-custom-lovelace-modules; [
+ xiaomi-vacuum-map-card
+ ];
+ };
+ };
+ };
+}
diff --git a/sys/home-assistant/yaml-extra.nix b/sys/home-assistant/yaml-extra.nix
new file mode 100644
index 0000000..6275e12
--- /dev/null
+++ b/sys/home-assistant/yaml-extra.nix
@@ -0,0 +1,22 @@
+{ lib, ... }:
+with lib; {
+ options.services.home-assistant = {
+ config = mkOption {
+ type = with lib.types; nullOr (submodule {
+ options = {
+ http = {
+ use_x_forwarded_for = mkOption {
+ type = nullOr bool;
+ default = null;
+ };
+
+ trusted_proxies = mkOption {
+ type = nullOr (either str (listOf str));
+ default = null;
+ };
+ };
+ };
+ });
+ };
+ };
+}
diff --git a/sys/nspawn/dmz.nix b/sys/nspawn/dmz.nix
index af91f82..0192333 100644
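Review bot: The `use_x_forwarded_for` and `trusted_proxies` options declared in yaml-extra.nix carry no `description`, so `nixos-option` and the generated module docs say nothing about what they map to or why both default to `null`. Suggest `description = "Value written to http.use_x_forwarded_for in the generated Home Assistant configuration; only meaningful together with trusted_proxies.";` on the first, and on the second a sentence naming the accepted forms (a single address or a list of addresses/CIDRs) and that the header is honoured only from those addresses. If I read Home Assistant's http integration correctly, enabling `use_x_forwarded_for` with no `trusted_proxies` is rejected at service start; an `assertions` entry in this module would surface that misconfiguration at evaluation time instead, but confirm that behaviour against the version being deployed before adding it.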
--- a/sys/nspawn/dmz.nix +++ b/sys/nspawn/dmz.nix @@ -7,23 +7,29 @@ with lib; let hassEnable = config.local.home-assistant.enable; in { - options.local.nspawn.dmz = with types; { + options.local.nspawn.dmz = { enable = mkEnableOption "DMZ services in a container"; net = mkOption { - type = str; + type = types.str; }; netBits = mkOption { - type = int; + type = types.enum [ 30 ]; + }; + + dmzAddr = mkOption { + type = types.str; + readOnly = true; }; hostAddr = mkOption { - type = str; + type = types.str; + readOnly = true; }; system = mkOption { - type = attrs; + type = types.raw; }; }; 
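Review bot: `dmzAddr` and `hostAddr` become `readOnly` derived values in this hunk, but neither option, nor the new `types.enum [ 30 ]` constraint on `netBits`, says how the addresses are derived from `net` or why only a /30 is accepted. Suggest `description = "Address of the DMZ container, derived as net + 2; read-only.";` on `dmzAddr`, the analogous net + 1 wording on `hostAddr`, and on `netBits` a note that the value is pinned to 30 presumably because the two derived addresses are produced by incrementing `net` and a /30 has exactly those two usable hosts — confirm that reasoning with the author. Without these a reader has to locate the `let` block in the config section to understand the address layout.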
@@ -49,49 +55,76 @@ in local = { mailHost.mdaListen = cfg.hostAddr; - nspawn.dmz.system = + nspawn.dmz = let - containerModule = { ... }: { - #TODO: urgente: bloquear puertos de dovecot a non-postfix con iptables - config = { - local = { - preset.dmz = { - enable = true; - container = true; - }; - - mta = { - mdaAddr = mailHost.mdaListen; - inherit (mailHost) saslPort lmtpPort; - }; - - web.sites.home = { - enable = hassEnable; - proxyUrl = "http://${cfg.hostAddr}:${toString hassPort}"; + incrementIpv4 = bytes: (incrementIpv4' bytes).tail; + + incrementIpv4' = bytes: + let + next = incrementIpv4' (tail bytes); + byteInc = (head bytes) + next.carry; + in + if bytes == [ ] + then { tail = [ ]; carry = 1; } + else if byteInc < 256 + then { tail = [ byteInc ] ++ next.tail; carry = 0; } + else { tail = [ 0 ] ++ next.tail; carry = 1; }; + + joinIpv4 = bytes: concatStringsSep "." (map toString bytes); + hostBytes = incrementIpv4 (map toInt (splitString "." cfg.net)); + in + { + dmzAddr = joinIpv4 (incrementIpv4 hostBytes); + hostAddr = joinIpv4 hostBytes; + + system = + let + containerModule = { ... }: { + #TODO: urgente: bloquear puertos de dovecot a non-postfix con iptables + config = { + local = { + preset.dmz = { + enable = true; + container = true; + }; + + mta = { + mdaAddr = mailHost.mdaListen; + inherit (mailHost) saslPort lmtpPort; + }; + + web.sites.home = { + enable = hassEnable; + proxyUrl = "http://${cfg.hostAddr}:${toString hassPort}"; + }; + }; + + nixpkgs = { + pkgs = mkDefault pkgs; + localSystem = mkDefault pkgs.stdenv.hostPlatform; + }; }; }; - - nixpkgs = { - pkgs = mkDefault pkgs; - localSystem = mkDefault pkgs.stdenv.hostPlatform; - }; + in + # Tomado de la definición de pkgs.nixos junto con definición de nixpkgs.{pkgs,localSystem} arriba + import "${flakes.nixpkgs}/nixos/lib/eval-config.nix" { + modules = [ + ../. 
+ containerModule + ]; + + system = null; + specialArgs = { inherit flakes; }; }; - }; - in - # Tomado de la definición de pkgs.nixos junto con definición de nixpkgs.{pkgs,localSystem} arriba - import "${flakes.nixpkgs}/nixos/lib/eval-config.nix" { - modules = [ - ../. - containerModule - ]; - - system = null; - specialArgs = { inherit flakes; }; }; }; services = { - home-assistant.config.http.server_host = singleton cfg.hostAddr; + home-assistant.config.http = { + server_host = [ cfg.hostAddr ]; + trusted_proxies = [ cfg.dmzAddr ]; + use_x_forwarded_for = true; + }; }; systemd = { |
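Review bot: Turning on `use_x_forwarded_for` with `trusted_proxies = [ cfg.dmzAddr ]` changes what the fail2ban filter in hass.nix matches: Home Assistant will now log the address taken from X-Forwarded-For, so `<HOST>` becomes the original client, while the connections HA actually receives still originate from `cfg.dmzAddr` (HA is bound to `server_host = [ cfg.hostAddr ]` and reached through the container's `web.sites.home` proxy). If the jail's ban action is applied on the host, as the module layout suggests, a ban on the client address never matches any traffic and the jail is silently neutralised; the fix is to enforce the ban where client connections arrive (the DMZ proxy) or at least to record the gap, e.g. `# client IPs now come from XFF; a host-side fail2ban ban on them is a no-op — enforce it on the DMZ proxy`. A short comment on `trusted_proxies` stating that XFF is honoured only from the container's /30 address would also help the next reader. The enclosing `config` block starts before this hunk and continues past `systemd = {`.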
