nixos: rework home assistant

4 files changed, 83 insertions, 56 deletions

diff --git a/flake.lock b/flake.lock
index b74cdfa..1396c78 100644
--- a/flake.lock
+++ b/flake.lock
@@ -315,11 +315,11 @@
     },
     "personal-secret": {
       "locked": {
-        "lastModified": 1750422364,
-        "narHash": "sha256-+ok+HVwcAonP0QZXIvcH2Bc0L/EmZlXjkFhLOPMuNxM=",
+        "lastModified": 1753114457,
+        "narHash": "sha256-LXS93E46n/whB1iNfcA8l545pFGq8hbkD+QzwlOG5OM=",
         "ref": "refs/heads/master",
-        "rev": "a3d3d5200b06cd689be0b66b53faf43ed3ae1799",
-        "revCount": 134,
+        "rev": "27eb0905e0523eb2d4273b0f8bf41d02eff5610c",
+        "revCount": 135,
         "type": "git",
         "url": "ssh://git@cynerd.cz/nixos-personal-secret"
       },
diff --git a/nixos/configurations/spt-mox.nix b/nixos/configurations/spt-mox.nix
index 8af976c..a9f4965 100644
--- a/nixos/configurations/spt-mox.nix
+++ b/nixos/configurations/spt-mox.nix
@@ -75,25 +75,10 @@
               acl = ["read bigclown/node/#"];
               passwordFile = "/run/secrets/mosquitto.telegraf.pass";
             };
-            homeassistant = {
-              acl = [
-                "readwrite homeassistant/#"
-                "readwrite bigclown/#"
-                "readwrite zigbee2mqtt/#"
-              ];
-              passwordFile = "/run/secrets/mosquitto.homeassistant.pass";
-            };
             bigclown = {
               acl = ["readwrite bigclown/#"];
               passwordFile = "/run/secrets/mosquitto.bigclown.pass";
             };
-            zigbee2mqtt = {
-              acl = [
-                "readwrite homeassistant/#"
-                "readwrite zigbee2mqtt/#"
-              ];
-              passwordFile = "/run/secrets/mosquitto.zigbee2mqtt.pass";
-            };
           };
         }
       ];
diff --git a/nixos/configurations/spt-omnia.nix b/nixos/configurations/spt-omnia.nix
index 9abe74f..8449f0d 100644
--- a/nixos/configurations/spt-omnia.nix
+++ b/nixos/configurations/spt-omnia.nix
@@ -39,18 +39,20 @@ in {
     monitoring.speedtest = true;
   };
 
-  services.journald.extraConfig = ''
-    SystemMaxUse=8G
-  '';
+  services = {
+    journald.extraConfig = ''
+      SystemMaxUse=8G
+    '';
 
-  services.btrfs.autoScrub = {
-    enable = true;
-    fileSystems = ["/"];
-  };
+    btrfs.autoScrub = {
+      enable = true;
+      fileSystems = ["/"];
+    };
 
-  services.fail2ban = {
-    enable = true;
-    ignoreIP = ["10.8.1.0/24" "10.8.2.0/24"];
+    fail2ban = {
+      enable = true;
+      ignoreIP = ["10.8.1.0/24" "10.8.2.0/24"];
+    };
   };
 
   networking.useDHCP = false;
@@ -134,32 +136,11 @@ in {
   '';
 
   ##############################################################################
-  services = {
-    zigbee2mqtt = {
-      enable = true;
-      settings = {
-        serial.port = "/dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20220812153849-if00";
-        mqtt = {
-          server = "mqtt://${config.cynerd.hosts.spt.mox}:1883";
-          user = "zigbee2mqtt";
-          password = "!secret.yaml mqtt_password";
-        };
-        advanced = {
-          network_key = "!secret.yaml network_key";
-          homeassistant_legacy_entity_attributes = false;
-          legacy_api = false;
-          legacy_availability_payload = false;
-          last_seen = "epoch";
-        };
-        frontend = true;
-        availability = true;
-        homeassistant = {
-          legacy_triggers = false;
-        };
-        device_options.legacy = false;
-        permit_join = false;
-        devices = config.secrets.zigbee2mqttDevices;
-      };
-    };
+  cynerd.ha = {
+    enable = true;
+    domain = "spt.cynerd.cz";
+    extraOptions = [
+      "--device=/dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20220812153849-if00:/dev/ttyACM0"
+    ];
   };
 }
diff --git a/nixos/modules/homeassistant.nix b/nixos/modules/homeassistant.nix
new file mode 100644
index 0000000..000e6c4
--- /dev/null
+++ b/nixos/modules/homeassistant.nix
@@ -0,0 +1,61 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkOption mkEnableOption types mkIf;
+  cnf = config.cynerd.ha;
+in {
+  options.cynerd.ha = {
+    enable = mkEnableOption "Home assistant setup on the primary router.";
+    domain = mkOption {
+      type = with types; str;
+      description = "The domain name of the system.";
+    };
+    extraOptions = mkOption {
+      type = with types; listOf str;
+      default = [];
+      description = "Extra options passed to the container.";
+    };
+  };
+
+  config = mkIf cnf.enable {
+    virtualisation.oci-containers = {
+      backend = "podman";
+      containers.homeassistant = {
+        volumes = ["home-assistant:/config" "/run/dbus:/run/dbus:ro"];
+        environment.TZ = "Europe/Prague";
+        image = "ghcr.io/home-assistant/armv7-homeassistant:stable";
+        extraOptions =
+          [
+            "--privileged"
+            "--pull=always"
+            "--network=host"
+          ]
+          ++ cnf.extraOptions;
+      };
+    };
+
+    services.nginx = {
+      enable = true;
+      virtualHosts = {
+        "${cnf.domain}" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://localhost:8123";
+            proxyWebsockets = true;
+            recommendedProxySettings = true;
+          };
+        };
+      };
+    };
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "cynerd+acme@email.cz";
+      certs."${cnf.domain}" = {};
+    };
+
+    networking.firewall.allowedTCPPorts = [80 443];
+  };
+}