update home-assistant demo to match new options
This commit is contained in:
parent
a5e9af27b5
commit
107d57ae89
3 changed files with 84 additions and 29 deletions
|
@ -3,8 +3,9 @@
|
||||||
**This whole demo is highly insecure as all the private keys are available publicly. This is
|
**This whole demo is highly insecure as all the private keys are available publicly. This is
|
||||||
only done for convenience as it is just a demo. Do not expose the VM to the internet.**
|
only done for convenience as it is just a demo. Do not expose the VM to the internet.**
|
||||||
|
|
||||||
The [`flake.nix`](./flake.nix) file sets up Home Assistant server that uses a LDAP server to
|
The [`flake.nix`](./flake.nix) file sets up a Home Assistant server in only about [15
|
||||||
setup users in only about [15 lines](./flake.nix#L29-L45) of related code.
|
lines](./flake.nix#L31-L37) of related code. It also defines a Home Assistant server that integrates with
|
||||||
|
a [LDAP server](./flake.nix#L58-L94).
|
||||||
|
|
||||||
This guide will show how to deploy this setup to a Virtual Machine, like showed
|
This guide will show how to deploy this setup to a Virtual Machine, like showed
|
||||||
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands.
|
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands.
|
||||||
|
@ -15,7 +16,7 @@ Build the VM and start it:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
rm nixos.qcow2; \
|
rm nixos.qcow2; \
|
||||||
nixos-rebuild build-vm-with-bootloader --fast -I nixos-config=./configuration.nix -I nixpkgs=. \
|
nixos-rebuild build-vm-with-bootloader --fast -I nixos-config=./configuration.nix -I nixpkgs=. ; \
|
||||||
QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm
|
QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -28,7 +29,7 @@ appear in `git status` but you don't need to commit this.
|
||||||
```bash
|
```bash
|
||||||
SOPS_AGE_KEY_FILE=keys.txt \
|
SOPS_AGE_KEY_FILE=keys.txt \
|
||||||
nix run --impure nixpkgs#sops -- --config sops.yaml -r -i \
|
nix run --impure nixpkgs#sops -- --config sops.yaml -r -i \
|
||||||
--add-age $(nix shell nixpkgs#ssh-to-age --command sh -c 'ssh-keyscan -p 2222 -t ed25519 -4 localhost 2>/dev/null | ssh-to-age') ; \
|
--add-age $(nix shell nixpkgs#ssh-to-age --command sh -c 'ssh-keyscan -p 2222 -t ed25519 -4 localhost 2>/dev/null | ssh-to-age') \
|
||||||
secrets.yaml
|
secrets.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -54,10 +55,16 @@ You can ssh into the VM with, but this is not required for the demo:
|
||||||
ssh -F ssh_config example
|
ssh -F ssh_config example
|
||||||
```
|
```
|
||||||
|
|
||||||
Finally, deploy with:
|
Finally, we can deploy. To deploy a Home Assistant server, run:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply
|
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic
|
||||||
|
```
|
||||||
|
|
||||||
|
To deploy a Home Assistant server integrated with a LDAP service, run:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap
|
||||||
```
|
```
|
||||||
|
|
||||||
The deploy will take a few minutes the first time and subsequent deploys will take around 15
|
The deploy will take a few minutes the first time and subsequent deploys will take around 15
|
||||||
|
@ -69,7 +76,7 @@ Add the following entry to your `/etc/hosts` file:
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
networking.hosts = {
|
networking.hosts = {
|
||||||
"127.0.0.1" = [ "ha.example.com" "ldap.example.com" ];
|
"127.0.0.1" = [ "ha.example.com" ];
|
||||||
};
|
};
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -77,10 +84,23 @@ Which produces:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ cat /etc/hosts
|
$ cat /etc/hosts
|
||||||
127.0.0.1 ha.example.com ldap.example.com
|
127.0.0.1 ha.example.com
|
||||||
```
|
```
|
||||||
|
|
||||||
Go to [http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
|
If you deployed the `ldap` target host, add instead:
|
||||||
|
|
||||||
|
```nix
|
||||||
|
networking.hosts = {
|
||||||
|
"127.0.0.1" = [ "ha.example.com" "ldap.example.com" ];
|
||||||
|
};
|
||||||
|
```
|
||||||
|
|
||||||
|
If you deployed the `basic` target host, go to
|
||||||
|
[http://ha.example.com:8080](http://ha.example.com:8080) and you will be greeted with the Home
|
||||||
|
Assistant setup wizard which will allow you to create an admin user:
|
||||||
|
|
||||||
|
And that's the end of the demo. Otherwise if you deployed the `ldap` target host, go first to
|
||||||
|
[http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
|
||||||
|
|
||||||
- username: `admin`
|
- username: `admin`
|
||||||
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `fccb94f0f64bddfe299c81410096499a`.
|
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `fccb94f0f64bddfe299c81410096499a`.
|
||||||
|
|
|
@ -35,11 +35,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1703255338,
|
"lastModified": 1704194953,
|
||||||
"narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=",
|
"narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "6df37dc6a77654682fe9f071c62b4242b5342e04",
|
"rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -51,11 +51,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-stable": {
|
"nixpkgs-stable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1703351344,
|
"lastModified": 1704290814,
|
||||||
"narHash": "sha256-9FEelzftkE9UaJ5nqxidaJJPEhe9TPhbypLHmc2Mysc=",
|
"narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "7790e078f8979a9fcd543f9a47427eeaba38f268",
|
"rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -67,11 +67,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1703134684,
|
"lastModified": 1704161960,
|
||||||
"narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=",
|
"narHash": "sha256-QGua89Pmq+FBAro8NriTuoO/wNaUtugt29/qqA8zeeM=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "d6863cbcbbb80e71cecfc03356db1cda38919523",
|
"rev": "63143ac2c9186be6d9da6035fa22620018c85932",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -111,11 +111,11 @@
|
||||||
"sops-nix": "sops-nix"
|
"sops-nix": "sops-nix"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1703575610,
|
"lastModified": 1704702906,
|
||||||
"narHash": "sha256-W22MujiE5xxibKu9M7usXhGD04ntrLXegMxuY6FYCX4=",
|
"narHash": "sha256-VUMQJjwjUAjqBC4lcZHRJctSzaO99mLphRQ6zGSs75g=",
|
||||||
"owner": "ibizaman",
|
"owner": "ibizaman",
|
||||||
"repo": "selfhostblocks",
|
"repo": "selfhostblocks",
|
||||||
"rev": "7a62b5b89c406fbf80ac6dfb678c0d5c62a771ea",
|
"rev": "a5e9af27b5b3c379a2155467dd4faa7dcb3659b9",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -130,11 +130,11 @@
|
||||||
"nixpkgs-stable": "nixpkgs-stable"
|
"nixpkgs-stable": "nixpkgs-stable"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1703387502,
|
"lastModified": 1704596510,
|
||||||
"narHash": "sha256-JnWuQmyanPtF8c5yAEFXVWzaIlMxA3EAZCh8XNvnVqE=",
|
"narHash": "sha256-tupdwwg1WeX2hNMOQrvtyafTaTVty0QC/gQp7yaYJic=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "e523e89763ff45f0a6cf15bcb1092636b1da9ed3",
|
"rev": "f5fbcc0f50e7fc60c4f806fa7a09abccf0826d8a",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -14,7 +14,37 @@
|
||||||
specialArgs = inputs;
|
specialArgs = inputs;
|
||||||
};
|
};
|
||||||
|
|
||||||
myserver = { config, ... }: {
|
basic = { config, ... }: {
|
||||||
|
imports = [
|
||||||
|
./configuration.nix
|
||||||
|
selfhostblocks.inputs.sops-nix.nixosModules.default
|
||||||
|
selfhostblocks.nixosModules.x86_64-linux.default
|
||||||
|
];
|
||||||
|
|
||||||
|
# Used by colmena to know which target host to deploy to.
|
||||||
|
deployment = {
|
||||||
|
targetHost = "example";
|
||||||
|
targetUser = "nixos";
|
||||||
|
targetPort = 2222;
|
||||||
|
};
|
||||||
|
|
||||||
|
shb.home-assistant = {
|
||||||
|
enable = true;
|
||||||
|
domain = "example.com";
|
||||||
|
subdomain = "ha";
|
||||||
|
sopsFile = ./secrets.yaml;
|
||||||
|
};
|
||||||
|
|
||||||
|
nixpkgs.config.permittedInsecurePackages = [
|
||||||
|
"openssl-1.1.1w"
|
||||||
|
];
|
||||||
|
|
||||||
|
# Set to true for more debug info with `journalctl -f -u nginx`.
|
||||||
|
shb.nginx.accessLog = false;
|
||||||
|
shb.nginx.debugLog = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
ldap = { config, ... }: {
|
||||||
imports = [
|
imports = [
|
||||||
./configuration.nix
|
./configuration.nix
|
||||||
selfhostblocks.inputs.sops-nix.nixosModules.default
|
selfhostblocks.inputs.sops-nix.nixosModules.default
|
||||||
|
@ -56,14 +86,19 @@
|
||||||
shb.home-assistant = {
|
shb.home-assistant = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = "example.com";
|
domain = "example.com";
|
||||||
ldapEndpoint = "http://127.0.0.1:${builtins.toString config.shb.ldap.webUIListenPort}";
|
ldap = {
|
||||||
|
enable = true;
|
||||||
|
host = "127.0.0.1";
|
||||||
|
port = config.shb.ldap.webUIListenPort;
|
||||||
|
userGroup = "homeassistant_user";
|
||||||
|
};
|
||||||
subdomain = "ha";
|
subdomain = "ha";
|
||||||
sopsFile = ./secrets.yaml;
|
sopsFile = ./secrets.yaml;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Set to true for more debug info with `journalctl -f -u nginx`.
|
nixpkgs.config.permittedInsecurePackages = [
|
||||||
shb.nginx.accessLog = false;
|
"openssl-1.1.1w"
|
||||||
shb.nginx.debugLog = false;
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
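Review bot: `nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ];` is added to the new `basic` host and again to the `ldap` host in the second hunk without a comment naming the dependency that still pulls in OpenSSL 1.1, so nobody can tell when the exemption may be dropped; a line such as `# TODO: drop once <dependency> stops needing openssl-1.1.1w (end-of-life, no further security fixes).` above each list would record that, and since this is an opt-in to a package nixpkgs otherwise refuses to build it deserves the justification. The `basic` host also repeats the `imports`, `deployment` target and nginx log settings that `ldap` carries, so the two demo targets can drift apart; moving the shared pieces into one module that both hosts import (or Colmena's `defaults` attribute) would keep only `shb.home-assistant.ldap` as the difference. In the second hunk the `ldap` host's nginx `accessLog`/`debugLog` lines are replaced by the `permittedInsecurePackages` list; if they were meant to move elsewhere rather than be dropped, that is not visible here, as the `ldap` host's body runs past the end of the first hunk.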