diff --git a/flake.lock b/flake.lock
index 9fd8c0c..6582f24 100644
--- a/flake.lock
+++ b/flake.lock
@@ -378,11 +378,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1725637263,
- "narHash": "sha256-BSm/HKTPBSk50KN81ZBnjeMvcrGZVZvsEmJHykOcse0=",
+ "lastModified": 1725641701,
+ "narHash": "sha256-bTnYSs06iwnS6a1jYLpwjwVpFcP/iDs/6q5gnFcO+sQ=",
 "ref": "refs/heads/main",
- "rev": "b9c55a92921b5dc02d548c00ec226bc49e129088",
- "revCount": 67,
+ "rev": "25576ffa753b96e2289380feb81d3ed82e00cbc7",
+ "revCount": 68,
 "type": "git",
 "url": "file:./secrets"
 },
diff --git a/hosts/Hevana/default.nix b/hosts/Hevana/default.nix
index 4430d3a..f7b1e33 100644
--- a/hosts/Hevana/default.nix
+++ b/hosts/Hevana/default.nix
@@ -144,6 +144,12 @@ in
 token = config.secrets.services.forgejo.runner-token;
 };
 };
+ home-assistant = {
+ enable = false;
+ home = "${services-root}/home-assistant";
+ domain = config.secrets.networking.domains.primary;
+ url = config.secrets.services.home-assistant.url;
+ };
 jellyfin = {
 enable = true;
 home = "${services-root}/jellyfin";
@@ -174,7 +180,7 @@ in
 return = "301 https://${config.secrets.services.forgejo.url}";
 };
 };
- "${config.secrets.networking.domains.blog}" = {
+ "]${config.secrets.networking.domains.blog}" = {
 useACMEHost = config.secrets.networking.domains.blog;
 forceSSL = true;
 root = "${services-root}/nginx/sites/${config.secrets.networking.domains.blog}";
diff --git a/modules/services/home-assistant.nix b/modules/services/home-assistant.nix
new file mode 100644
index 0000000..79c97f8
--- /dev/null
+++ b/modules/services/home-assistant.nix
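Review bot: The attribute name changed in the `@@ -174,7 +180,7 @@` hunk of hosts/Hevana/default.nix gains a stray `]`, giving `"]${config.secrets.networking.domains.blog}"`, which looks like an accidental keystroke unrelated to the Home Assistant work. If this set is nginx `virtualHosts` (the `useACMEHost`, `forceSSL` and `root` lines suggest so), the attribute name becomes the `server_name`, so the blog domain would no longer match this server block and requests for it would be answered by whichever block nginx treats as the default. The lines that follow still refer to the unprefixed domain, so the certificate and web root would sit on a host name nobody requests. The line should stay `"${config.secrets.networking.domains.blog}" = {`. The enclosing attribute set starts and ends outside the hunk.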
@@ -0,0 +1,72 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.aux.system.services.home-assistant;
+in
+{
+ options = {
+ aux.system.services.home-assistant = {
+ enable = lib.mkEnableOption (lib.mdDoc "Enables Home Assistant.");
+ domain = lib.mkOption {
+ default = "";
+ type = lib.types.str;
+ description = "The root domain that Home Assistant will be hosted on.";
+ example = "example.com";
+ };
+ home = lib.mkOption {
+ default = "/etc/home-assistant";
+ type = lib.types.str;
+ description = "Where to store Home Assistant's files";
+ example = "/home/home-assistant";
+ };
+ url = lib.mkOption {
+ default = "";
+ type = lib.types.str;
+ description = "The complete URL where Home Assistant is hosted.";
+ example = "https://home-assistant.example.com";
+ };
+ };
+
+ };
+
+ config = lib.mkIf cfg.enable {
+ services = {
+ home-assistant = {
+ # opt-out from declarative configuration management
+ config = null;
+ lovelaceConfig = null;
+ # configure the path to your config directory
+ configDir = cfg.home;
+ # specify list of components required by your configuration
+ extraComponents = [
+ "esphome"
+ "eufy"
+ "govee_light_local"
+ "met"
+ "radio_browser"
+ "tplink"
+ ];
+ };
+ nginx.virtualHosts."${cfg.url}" = {
+ useACMEHost = cfg.domain;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8123";
+ proxyWebsockets = true;
+ extraConfig = ''
+ # Security / XSS Mitigation Headers
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Content-Type-Options "nosniff";
+
+ proxy_ssl_server_name on;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_buffering off;
+ '';
+ };
+ };
+ };
+ };
+}
diff --git a/secrets b/secrets
index b9c55a9..25576ff 160000
--- a/secrets
+++ b/secrets
@@ -1 +1 @@
-Subproject commit b9c55a92921b5dc02d548c00ec226bc49e129088
+Subproject commit 25576ffa753b96e2289380feb81d3ed82e00cbc7
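Review bot: Nothing in the `config` block of modules/services/home-assistant.nix sets `services.home-assistant.enable`, so turning on `aux.system.services.home-assistant.enable` would publish the nginx proxy to `127.0.0.1:8123` without starting Home Assistant; add `enable = true;` inside `home-assistant = { ... }`. The `url` option is described as a complete URL with the example `https://home-assistant.example.com`, yet it is used as the `nginx.virtualHosts` attribute name, which needs a bare host name, so the description and example should say so, e.g. `example = "home-assistant.example.com";`. Because `config = null` opts out of declarative configuration, the `http` settings `use_x_forwarded_for` and `trusted_proxies` for 127.0.0.1 have to be kept by hand in `configuration.yaml` under `cfg.home`, and a comment next to `configDir` should record that, since Home Assistant otherwise does not accept the forwarded requests. The header comment would be more accurate as `# Clickjacking / MIME-sniffing mitigation headers`, and `proxy_ssl_server_name on;` has no effect with a plain `http://` upstream.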