update home-assistant demo to match new options

demo/homeassistant/README.md

@@ -3,8 +3,9 @@
 **This whole demo is highly insecure as all the private keys are available publicly. This is
 only done for convenience as it is just a demo. Do not expose the VM to the internet.**
 
-The [`flake.nix`](./flake.nix) file sets up Home Assistant server that uses a LDAP server to
-setup users in only about [15 lines](./flake.nix#L29-L45) of related code.
+The [`flake.nix`](./flake.nix) file sets up a Home Assistant server in only about [15
+lines](./flake.nix#L31-L37) of related code. It also defines a Home Assistant server that integrates with
+a [LDAP server](./flake.nix#L58-L94).
 
 This guide will show how to deploy this setup to a Virtual Machine, like showed
 [here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands.
@@ -15,7 +16,7 @@ Build the VM and start it:
 
 ```bash
 rm nixos.qcow2; \
-  nixos-rebuild build-vm-with-bootloader --fast -I nixos-config=./configuration.nix -I nixpkgs=. \
+  nixos-rebuild build-vm-with-bootloader --fast -I nixos-config=./configuration.nix -I nixpkgs=. ; \
   QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm
 ```
 
@@ -28,7 +29,7 @@ appear in `git status` but you don't need to commit this.
 ```bash
 SOPS_AGE_KEY_FILE=keys.txt \
   nix run --impure nixpkgs#sops -- --config sops.yaml -r -i \
-  --add-age $(nix shell nixpkgs#ssh-to-age --command sh -c 'ssh-keyscan -p 2222 -t ed25519 -4 localhost 2>/dev/null | ssh-to-age') ; \
+  --add-age $(nix shell nixpkgs#ssh-to-age --command sh -c 'ssh-keyscan -p 2222 -t ed25519 -4 localhost 2>/dev/null | ssh-to-age') \
   secrets.yaml
 ```
 
@@ -54,10 +55,16 @@ You can ssh into the VM with, but this is not required for the demo:
 ssh -F ssh_config example
 ```
 
-Finally, deploy with:
+Finally, we can deploy. To deploy a Home Assistant server, run:
 
 ```bash
-SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply
+SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic
+```
+
+To deploy a Home Assistant server integrated with a LDAP service, run:
+
+```bash
+SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap
 ```
 
 The deploy will take a few minutes the first time and subsequent deploys will take around 15
@@ -69,7 +76,7 @@ Add the following entry to your `/etc/hosts` file:
 
 ```nix
 networking.hosts = {
-  "127.0.0.1" = [ "ha.example.com" "ldap.example.com" ];
+  "127.0.0.1" = [ "ha.example.com" ];
 };
 ```
 
@@ -77,10 +84,23 @@ Which produces:
 
 ```bash
 $ cat /etc/hosts
-127.0.0.1 ha.example.com ldap.example.com
+127.0.0.1 ha.example.com
 ```
 
-Go to [http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
+If you deployed the `ldap` target host, add instead:
+
+```nix
+networking.hosts = {
+  "127.0.0.1" = [ "ha.example.com" "ldap.example.com" ];
+};
+```
+
+If you deployed the `basic` target host, go to
+[http://ha.example.com:8080](http://ha.example.com:8080) and you will be greeted with the Home
+Assistant setup wizard which will allow you to create an admin user:
+
+And that's the end of the demo. Otherwise if you deployed the `ldap` target host, go first to
+[http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
 
 - username: `admin`
 - password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `fccb94f0f64bddfe299c81410096499a`.

demo/homeassistant/flake.lock

@@ -35,11 +35,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1703255338,
-        "narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=",
+        "lastModified": 1704194953,
+        "narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "6df37dc6a77654682fe9f071c62b4242b5342e04",
+        "rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6",
         "type": "github"
       },
       "original": {
@@ -51,11 +51,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1703351344,
-        "narHash": "sha256-9FEelzftkE9UaJ5nqxidaJJPEhe9TPhbypLHmc2Mysc=",
+        "lastModified": 1704290814,
+        "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7790e078f8979a9fcd543f9a47427eeaba38f268",
+        "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
         "type": "github"
       },
       "original": {
@@ -67,11 +67,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1703134684,
-        "narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=",
+        "lastModified": 1704161960,
+        "narHash": "sha256-QGua89Pmq+FBAro8NriTuoO/wNaUtugt29/qqA8zeeM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d6863cbcbbb80e71cecfc03356db1cda38919523",
+        "rev": "63143ac2c9186be6d9da6035fa22620018c85932",
         "type": "github"
       },
       "original": {
@@ -111,11 +111,11 @@
         "sops-nix": "sops-nix"
       },
       "locked": {
-        "lastModified": 1703575610,
-        "narHash": "sha256-W22MujiE5xxibKu9M7usXhGD04ntrLXegMxuY6FYCX4=",
+        "lastModified": 1704702906,
+        "narHash": "sha256-VUMQJjwjUAjqBC4lcZHRJctSzaO99mLphRQ6zGSs75g=",
         "owner": "ibizaman",
         "repo": "selfhostblocks",
-        "rev": "7a62b5b89c406fbf80ac6dfb678c0d5c62a771ea",
+        "rev": "a5e9af27b5b3c379a2155467dd4faa7dcb3659b9",
         "type": "github"
       },
       "original": {
@@ -130,11 +130,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1703387502,
-        "narHash": "sha256-JnWuQmyanPtF8c5yAEFXVWzaIlMxA3EAZCh8XNvnVqE=",
+        "lastModified": 1704596510,
+        "narHash": "sha256-tupdwwg1WeX2hNMOQrvtyafTaTVty0QC/gQp7yaYJic=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "e523e89763ff45f0a6cf15bcb1092636b1da9ed3",
+        "rev": "f5fbcc0f50e7fc60c4f806fa7a09abccf0826d8a",
         "type": "github"
       },
       "original": {

demo/homeassistant/flake.nix

@@ -14,7 +14,37 @@
         specialArgs = inputs;
       };
 
-      myserver = { config, ... }: {
+      basic = { config, ... }: {
+        imports = [
+          ./configuration.nix
+          selfhostblocks.inputs.sops-nix.nixosModules.default
+          selfhostblocks.nixosModules.x86_64-linux.default
+        ];
+
+        # Used by colmena to know which target host to deploy to.
+        deployment = {
+          targetHost = "example";
+          targetUser = "nixos";
+          targetPort = 2222;
+        };
+
+        shb.home-assistant = {
+          enable = true;
+          domain = "example.com";
+          subdomain = "ha";
+          sopsFile = ./secrets.yaml;
+        };
+
+        nixpkgs.config.permittedInsecurePackages = [
+          "openssl-1.1.1w"
+        ];
+
+        # Set to true for more debug info with `journalctl -f -u nginx`.
+        shb.nginx.accessLog = false;
+        shb.nginx.debugLog = false;
+      };
+
+      ldap = { config, ... }: {
         imports = [
           ./configuration.nix
           selfhostblocks.inputs.sops-nix.nixosModules.default
@@ -56,14 +86,19 @@
         shb.home-assistant = {
           enable = true;
           domain = "example.com";
-          ldapEndpoint = "http://127.0.0.1:${builtins.toString config.shb.ldap.webUIListenPort}";
+          ldap = {
+            enable = true;
+            host = "127.0.0.1";
+            port = config.shb.ldap.webUIListenPort;
+            userGroup = "homeassistant_user";
+          };
           subdomain = "ha";
           sopsFile = ./secrets.yaml;
         };
 
-        # Set to true for more debug info with `journalctl -f -u nginx`.
-        shb.nginx.accessLog = false;
-        shb.nginx.debugLog = false;
+        nixpkgs.config.permittedInsecurePackages = [
+          "openssl-1.1.1w"
+        ];
       };
     };
   };