From 107d57ae898818468d358e43378f0f34120a221d Mon Sep 17 00:00:00 2001 From: ibizaman Date: Mon, 8 Jan 2024 00:36:23 -0800 Subject: [PATCH] update home-assistant demo to match new options --- demo/homeassistant/README.md | 38 ++++++++++++++++++++++------- demo/homeassistant/flake.lock | 30 +++++++++++------------ demo/homeassistant/flake.nix | 45 +++++++++++++++++++++++++++++++---- 3 files changed, 84 insertions(+), 29 deletions(-) diff --git a/demo/homeassistant/README.md b/demo/homeassistant/README.md index 5ccbd02..f35de80 100644 --- a/demo/homeassistant/README.md +++ b/demo/homeassistant/README.md @@ -3,8 +3,9 @@ **This whole demo is highly insecure as all the private keys are available publicly. This is only done for convenience as it is just a demo. Do not expose the VM to the internet.** -The [`flake.nix`](./flake.nix) file sets up Home Assistant server that uses a LDAP server to -setup users in only about [15 lines](./flake.nix#L29-L45) of related code. +The [`flake.nix`](./flake.nix) file sets up a Home Assistant server in only about [15 +lines](./flake.nix#L31-L37) of related code. It also defines a Home Assistant server that integrates with +a [LDAP server](./flake.nix#L58-L94). This guide will show how to deploy this setup to a Virtual Machine, like showed [here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands. @@ -15,7 +16,7 @@ Build the VM and start it: ```bash rm nixos.qcow2; \ - nixos-rebuild build-vm-with-bootloader --fast -I nixos-config=./configuration.nix -I nixpkgs=. \ + nixos-rebuild build-vm-with-bootloader --fast -I nixos-config=./configuration.nix -I nixpkgs=. ; \ QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm ``` @@ -28,7 +29,7 @@ appear in `git status` but you don't need to commit this. ```bash SOPS_AGE_KEY_FILE=keys.txt \ nix run --impure nixpkgs#sops -- --config sops.yaml -r -i \ - --add-age $(nix shell nixpkgs#ssh-to-age --command sh -c 'ssh-keyscan -p 2222 -t ed25519 -4 localhost 2>/dev/null | ssh-to-age') ; \ + --add-age $(nix shell nixpkgs#ssh-to-age --command sh -c 'ssh-keyscan -p 2222 -t ed25519 -4 localhost 2>/dev/null | ssh-to-age') \ secrets.yaml ``` @@ -54,10 +55,16 @@ You can ssh into the VM with, but this is not required for the demo: ssh -F ssh_config example ``` -Finally, deploy with: +Finally, we can deploy. To deploy a Home Assistant server, run: ```bash -SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply +SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic +``` + +To deploy a Home Assistant server integrated with a LDAP service, run: + +```bash +SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap ``` The deploy will take a few minutes the first time and subsequent deploys will take around 15 @@ -69,7 +76,7 @@ Add the following entry to your `/etc/hosts` file: ```nix networking.hosts = { - "127.0.0.1" = [ "ha.example.com" "ldap.example.com" ]; + "127.0.0.1" = [ "ha.example.com" ]; }; ``` @@ -77,10 +84,23 @@ Which produces: ```bash $ cat /etc/hosts -127.0.0.1 ha.example.com ldap.example.com +127.0.0.1 ha.example.com ``` -Go to [http://ldap.example.com:8080](http://ldap.example.com:8080) and login with: +If you deployed the `ldap` target host, add instead: + +```nix +networking.hosts = { + "127.0.0.1" = [ "ha.example.com" "ldap.example.com" ]; +}; +``` + +If you deployed the `basic` target host, go to +[http://ha.example.com:8080](http://ha.example.com:8080) and you will be greeted with the Home +Assistant setup wizard which will allow you to create an admin user: + +And that's the end of the demo. Otherwise if you deployed the `ldap` target host, go first to +[http://ldap.example.com:8080](http://ldap.example.com:8080) and login with: - username: `admin` - password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `fccb94f0f64bddfe299c81410096499a`. diff --git a/demo/homeassistant/flake.lock b/demo/homeassistant/flake.lock index 59b9b72..8069c75 100644 --- a/demo/homeassistant/flake.lock +++ b/demo/homeassistant/flake.lock @@ -35,11 +35,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1703255338, - "narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=", + "lastModified": 1704194953, + "narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6df37dc6a77654682fe9f071c62b4242b5342e04", + "rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6", "type": "github" }, "original": { @@ -51,11 +51,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1703351344, - "narHash": "sha256-9FEelzftkE9UaJ5nqxidaJJPEhe9TPhbypLHmc2Mysc=", + "lastModified": 1704290814, + "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7790e078f8979a9fcd543f9a47427eeaba38f268", + "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", "type": "github" }, "original": { @@ -67,11 +67,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1703134684, - "narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=", + "lastModified": 1704161960, + "narHash": "sha256-QGua89Pmq+FBAro8NriTuoO/wNaUtugt29/qqA8zeeM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d6863cbcbbb80e71cecfc03356db1cda38919523", + "rev": "63143ac2c9186be6d9da6035fa22620018c85932", "type": "github" }, "original": { @@ -111,11 +111,11 @@ "sops-nix": "sops-nix" }, "locked": { - "lastModified": 1703575610, - "narHash": "sha256-W22MujiE5xxibKu9M7usXhGD04ntrLXegMxuY6FYCX4=", + "lastModified": 1704702906, + "narHash": "sha256-VUMQJjwjUAjqBC4lcZHRJctSzaO99mLphRQ6zGSs75g=", "owner": "ibizaman", "repo": "selfhostblocks", - "rev": "7a62b5b89c406fbf80ac6dfb678c0d5c62a771ea", + "rev": "a5e9af27b5b3c379a2155467dd4faa7dcb3659b9", "type": "github" }, "original": { @@ -130,11 +130,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1703387502, - "narHash": "sha256-JnWuQmyanPtF8c5yAEFXVWzaIlMxA3EAZCh8XNvnVqE=", + "lastModified": 1704596510, + "narHash": "sha256-tupdwwg1WeX2hNMOQrvtyafTaTVty0QC/gQp7yaYJic=", "owner": "Mic92", "repo": "sops-nix", - "rev": "e523e89763ff45f0a6cf15bcb1092636b1da9ed3", + "rev": "f5fbcc0f50e7fc60c4f806fa7a09abccf0826d8a", "type": "github" }, "original": { diff --git a/demo/homeassistant/flake.nix b/demo/homeassistant/flake.nix index 33c5359..7e48d4f 100644 --- a/demo/homeassistant/flake.nix +++ b/demo/homeassistant/flake.nix @@ -14,7 +14,37 @@ specialArgs = inputs; }; - myserver = { config, ... }: { + basic = { config, ... }: { + imports = [ + ./configuration.nix + selfhostblocks.inputs.sops-nix.nixosModules.default + selfhostblocks.nixosModules.x86_64-linux.default + ]; + + # Used by colmena to know which target host to deploy to. + deployment = { + targetHost = "example"; + targetUser = "nixos"; + targetPort = 2222; + }; + + shb.home-assistant = { + enable = true; + domain = "example.com"; + subdomain = "ha"; + sopsFile = ./secrets.yaml; + }; + + nixpkgs.config.permittedInsecurePackages = [ + "openssl-1.1.1w" + ]; + + # Set to true for more debug info with `journalctl -f -u nginx`. + shb.nginx.accessLog = false; + shb.nginx.debugLog = false; + }; + + ldap = { config, ... }: { imports = [ ./configuration.nix selfhostblocks.inputs.sops-nix.nixosModules.default @@ -56,14 +86,19 @@ shb.home-assistant = { enable = true; domain = "example.com"; - ldapEndpoint = "http://127.0.0.1:${builtins.toString config.shb.ldap.webUIListenPort}"; + ldap = { + enable = true; + host = "127.0.0.1"; + port = config.shb.ldap.webUIListenPort; + userGroup = "homeassistant_user"; + }; subdomain = "ha"; sopsFile = ./secrets.yaml; }; - # Set to true for more debug info with `journalctl -f -u nginx`. - shb.nginx.accessLog = false; - shb.nginx.debugLog = false; + nixpkgs.config.permittedInsecurePackages = [ + "openssl-1.1.1w" + ]; }; }; };