diff --git a/hosts/faunus-ater/modules/home-assistant.nix b/hosts/faunus-ater/modules/home-assistant.nix
index 2987ac9..5e569e8 100644
--- a/hosts/faunus-ater/modules/home-assistant.nix
+++ b/hosts/faunus-ater/modules/home-assistant.nix
@@ -1,23 +1,110 @@ { pkgs, + lib, config, ... }: { virtualisation.oci-containers.containers.home-assistant = { - volumes = ["/data/dirty/home-assistant:/config"]; + volumes = [ + "/data/dirty/home-assistant:/config" + "${config.sops.secrets.power-management-key.path}:/root/.ssh/power-management-key" + ]; environment.TZ = "Europe/Berlin"; image = "ghcr.io/home-assistant/home-assistant:2024.10"; ports = [ - "8123:8123" + "127.0.0.1:8123:8123" ]; extraOptions = [ # TODO: Fix the path of the zigbee controller using udev "--device=/dev/serial/by-id/usb-Silicon_Labs_Sonoff_Zigbee_3.0_USB_Dongle_Plus_0001-if00-port0" "--device=/dev/ttyUSB0" "--cap-add=CAP_NET_RAW,CAP_NET_BIND_SERVICE" + "--network=home-assistant" + "--ip=192.168.1.10" + "--dns=192.168.1.1" ]; }; + # Podman network for home-assistant + # + # Use 192.168.1.8/28 as a subnet, because my router already reserves the first 100 addresses + # of 192.168.1.0/24, so 192.168.1.8/28 - 192.168.1.15/28 should be good + environment.etc."containers/networks/home-assistant.json" = { + source = (pkgs.formats.json {}).generate "home-assistant.json" { + dns_enabled = false; + driver = "macvlan"; + id = "0000000000000000000000000000000000000000000000000000000000000001"; + internal = false; + ipam_options = {driver = "host-local";}; + ipv6_enabled = false; + name = "home-assistant"; + network_interface = "eno1"; + subnets = [ + { + subnet = "192.168.1.0/24"; + gateway = "192.168.1.1"; + "lease_range" = { + "start_ip" = "192.168.1.10"; + "end_ip" = "192.168.1.14"; + }; + } + ]; + }; + }; + + # TODO: This does not work without manually creating the device using `ip link add ha-shim link eno1 type macvlan mode bridge` from [here](https://blog.oddbit.com/post/2018-03-12-using-docker-macvlan-networks/) + systemd.network = { + enable = true; + netdevs."50-home-assistant-shim" = { + enable = true; + macvlanConfig.Mode = "bridge"; + netdevConfig = { + Name = "ha-shim"; + Description = "A shim for communicating with the home-assistant 
podman network"; + Kind = "macvlan"; + }; + }; + networks."60-home-assistant-shim" = { + enable = true; + name = "ha-shim"; + matchConfig.Name = "ha-shim"; + networkConfig = { + Description = "A shim for communicating with the home-assistant podman network"; + Address = ["192.168.1.9/28"]; + DNS = ["192.168.1.1"]; + }; + routes = lib.singleton { + Destination = "192.168.1.8/28"; + }; + linkConfig.RequiredFamilyForOnline = "ipv4"; + }; + + links."60-eno1" = { + enable = true; + matchConfig.Name = "eno1"; + # linkConfig seems broken + extraConfig = '' + [Link] + MACVLAN=ha-shim + RequiredForOnline=no + ''; + }; + }; + # TODO: Fix for the above + # TODO: This might just work with networking.useNetworkd being true.. + systemd.services.create-ha-shim-netdev = { + enable = true; + description = "Create the ha-shim device because systemd-networkd fails"; + wantedBy = ["network.target"]; + script = '' + #!/bin/sh + ${pkgs.iproute2}/bin/ip link add ha-shim link eno1 type macvlan mode bridge + ''; + serviceConfig = { + Type = "simple"; + }; + }; + # Configure nginx reverse proxy services.nginx.virtualHosts."config.tammena.me" = { addSSL = true; @@ -30,7 +117,7 @@ ]; locations."/" = { - proxyPass = "http://127.0.0.1:8123"; + proxyPass = "http://192.168.1.10:8123"; proxyWebsockets = true; }; }; @@ -40,4 +127,8 @@ owner = config.users.users.nginx.name; mode = "0400"; }; + sops.secrets.power-management-key = { + owner = config.users.users.root.name; + mode = "0400"; + }; } diff --git a/secrets/hosts/faunus-ater/secrets.yaml b/secrets/hosts/faunus-ater/secrets.yaml index ab3fee7..0244b9f 100644 --- a/secrets/hosts/faunus-ater/secrets.yaml +++ b/secrets/hosts/faunus-ater/secrets.yaml 
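Review bot: The new `volumes` entry bind-mounts the SSH private key into the container without a read-only flag, so a compromised container could overwrite it; the line should be `"${config.sops.secrets.power-management-key.path}:/root/.ssh/power-management-key:ro"`. The port entry is narrowed to `127.0.0.1:8123:8123`, but the same hunk attaches the container to a macvlan network with its own LAN address (`--ip=192.168.1.10`) and the nginx `proxyPass` in the following hunk is switched to that address, which suggests the loopback binding no longer governs reachability; with macvlan the container's 8123 appears to be reachable from the LAN directly, bypassing the TLS virtual host and the host's netfilter, so that exposure should be stated in the comment above the network definition and, if unwanted, restricted at the router or switch — worth confirming. In `create-ha-shim-netdev`, `Type = "simple"` is used for a script that exits immediately and fails on a re-run when `ha-shim` already exists; `Type = "oneshot"` with `RemainAfterExit = true` matches the intent, and the container unit is not ordered after it, so the device may not exist when the container starts.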
@@ -4,6 +4,7 @@ photoprism-admin-password: ENC[AES256_GCM,data:/qEeUto3e6CUTsfhlbUjCckP4DB17yeP/ internal-restic-password: ENC[AES256_GCM,data:TJvbnuPgrCCRznqHAs7R/WYTgZ+hKiNUnpHTqroNgw9p0w==,iv:JtcaM2bCtZzM91IdkYrmbBhWQ/wWdFzX2fxDGuFIWrY=,tag:5HesBXgxu28QOGYS6WjJdg==,type:str] hydra-admin-password: ENC[AES256_GCM,data:VzZdQDAspirq2Ad5cd3KV3+06966aSEHrXTQ6A0=,iv:06fFTSaH1o+q+PioSbEMU/VutYwj+Jin/wXnAWOiV/w=,tag:cjoPs0oUJ437URwBpE5vVA==,type:str] nix-store-signing-key: ENC[AES256_GCM,data:crx32AFBIwM1AS9aBUzocK6YHWfNqoJuY3N6S4NepuVOYwOj+IgcGc2o1V1rFRyrfAFYo/eok2HE0et1VTVMMgkVLvSuCpH6B+Ehv/EIXZNA4EsvSinLaU0POsDZw6LkmGqX,iv:icNWx1l2j6yHRrby1TbVBXNpKrz9vyqwZ//Vlb0sJzI=,tag:zAg7jl6w8pTlwrG/ENFtvQ==,type:str] +power-management-key: ENC[AES256_GCM,data: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,iv:uQ8xESfCo8na9pKQo33Gyw48IMTem79skeoO1qb3qVk=,tag:cnfIlqUoW0tcYOT9WFxW5A==,type:str] hydra-overseer-key: ENC[AES256_GCM,data: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,iv:hQyOucsZMBQoWJXDWs18C9pzcBtk69RaHjD4vZFqzCk=,tag:ncYl3yfCOgUsFTBdoCVypg==,type:str] certificate-key-foto-tammena-me: ENC[AES256_GCM,data:BNabWgck7TKuH9lRdmdqiBrN4nFHXNsWey1B+o3sIFRbKZGzNDxsfOBm0WH3W8m0IGq/pls/dZhfoWegZdxcKoSjv/41XOP6+feB7XONGkQI3a8Hn88JttoY5OV0VoLP93kDFqWQchFDpsd5JR3g7Mpci5YB8YXJPSLyZnsTmDH97I6yoXTw40fwy5IfjnXhPWTzPKMNkfUFEZqDUiMBRs1+/mYeaNMu0LVObutjY4YgUi9jN1CPhyhOdpqQwOQ/jhvxmyqyNmWikmlyTi+BiySz3baQggIW43Ef9Zc6a+d5RE9Qo9zw7C7jNce0hR0R4yJ5lOt7C4bXpZPYYYGrsgyCTRaeF3P5PX+9OgvJJY7a7x+mCROeRxGdP9Rj/3qaO9B6fsDM5O1gpBIXBYw=,iv:DPOKS7NTqkXDhGaJt34CPlhw+wkjg9jh4ABe2153Trc=,tag:M6GLgUBosz9YcuFDeRogYg==,type:str] certificate-key-config-tammena-me: 
ENC[AES256_GCM,data:0+iGC4CzS9iYSXyk9IU5Wz7W3LSrzM0lbaMIUNZ90dV4/njlXkUVXaolouRK0taMgIS8OT4QmRaOD6LlHQfyy512oKoWw6y6So599Qj3jlZiRLGVrrJ8MlRJ4Fnl0tZa9YPOEKquNo1VBpoPhazk743YUqVIySxOOynl+P9qv5f4bDXCG6Nj78cWj75QcB4to3Zzkx+yVeTc2jKwWtLxSxdCGgJtxgCokkVZW/bU78g8Th+zdICXYweZsmj0MuSD1+j4akauHJykyvjt5Lu74laR6vwDQ0EC/ThJr7OiaBKzihYcfAO7zh4EkF7gBTZfiDEcBoxEcLwB6A8NXxFqdg7lTvkhyloVLN0yTOAh3nnkBaVmLAO8n19qOuPLRfhf9FFYJmAR48XZCHT20kM=,iv:kT9DEeX5yDpA4UpPHnrd1vFOD3QvXKrYetO0Ssz62tQ=,tag:49P+3XqjlwZT54KHyJjKQg==,type:str] @@ -43,8 +44,8 @@ sops: ZzFxdmlXaTRCY2tUZndBSDlNeUVROVUKH1CxbcdwHR3ELn9YlGvO6YbGGg++wGZv 97ez/ErXEOq/6IF6HzV3I9BsVV4WCJI2VTP8Lbiwt59qg5riH7CGJQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-17T15:29:44Z" - mac: ENC[AES256_GCM,data:iQCnc/f+fOPbhHxxxnaFf8Tz6GuEaebYR1ROzin1XbC9J0WO0G3yK3atOsamQlaUwkZqt1/eQCVtUWs2D8xOpwNK6tPJc1rrKIo5AyKqwWXt5OCvL1KD2VWWnDmq8ZVl2CMgZpsLeQM8Om0EMXzo9fFRZSJEZ8qt/1E3GFOn6jM=,iv:1oF0lcymgPVq69tb4KpnhFU9l5LMsUDi/4B12dAGdoQ=,tag:zFYdalBtRxC0rf1puWdnSQ==,type:str] + lastmodified: "2024-11-08T09:36:13Z" + mac: ENC[AES256_GCM,data:KNx+WYUoyNeVOXuvCrqPebLztUEc+kxD40eqa4qftq/RCE+EBB4zvweepnozBmhHfcbZFuu4Hge8ZDRuydk5QQppslhsyAJEW77lnPTiJmCZwIIqkqW8hOfQaR1x3Hm8TuE8iL16sla1KFx98o/5yquxhBC2Ny+n0Npi0xl8bUg=,iv:sLzfQg+6soqLLxjMyurmYRbH7mU1L5N8Ryupbeq6TR0=,tag:r0RuDBH/ZtFcuLbgzCbZNg==,type:str] pgp: - created_at: "2023-11-06T16:58:30Z" enc: | @@ -78,4 +79,4 @@ sops: -----END PGP MESSAGE----- fp: D5FEA546C06B3AEC97EB7F5A437B3369EAE401C4 unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.1