
update home-assistant demo to match new options

This commit is contained in:
ibizaman 2024-01-08 00:36:23 -08:00 committed by Pierre Penninckx
parent a5e9af27b5
commit 107d57ae89
3 changed files with 84 additions and 29 deletions

View file

@ -3,8 +3,9 @@
**This whole demo is highly insecure as all the private keys are available publicly. This is **This whole demo is highly insecure as all the private keys are available publicly. This is
only done for convenience as it is just a demo. Do not expose the VM to the internet.** only done for convenience as it is just a demo. Do not expose the VM to the internet.**
The [`flake.nix`](./flake.nix) file sets up Home Assistant server that uses a LDAP server to The [`flake.nix`](./flake.nix) file sets up a Home Assistant server in only about [15
setup users in only about [15 lines](./flake.nix#L29-L45) of related code. lines](./flake.nix#L31-L37) of related code. It also defines a Home Assistant server that integrates with
a [LDAP server](./flake.nix#L58-L94).
This guide will show how to deploy this setup to a Virtual Machine, like showed This guide will show how to deploy this setup to a Virtual Machine, like showed
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands. [here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands.
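Review bot: the rewritten intro now describes two deployments (a plain Home Assistant server and one integrated with an LDAP server), but the following sentence still promises the whole setup "in 4 commands", which no longer matches the two `apply --on` alternatives added further down; reword it to say the guide deploys one of two target hosts. Minor wording in the same context lines: "like showed here" should read "as shown here", and "a LDAP server" should be "an LDAP server".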
@ -15,7 +16,7 @@ Build the VM and start it:
```bash ```bash
rm nixos.qcow2; \ rm nixos.qcow2; \
nixos-rebuild build-vm-with-bootloader --fast -I nixos-config=./configuration.nix -I nixpkgs=. \ nixos-rebuild build-vm-with-bootloader --fast -I nixos-config=./configuration.nix -I nixpkgs=. ; \
QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm
``` ```
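Review bot: changing the trailing `\` after the `nixos-rebuild` line to `;` is the right fix; with the line continuation, `QEMU_NET_OPTS=... ./result/bin/run-nixos-vm` was passed to `nixos-rebuild` as extra arguments instead of being run as its own command. Consider `&&` instead of `;` so the VM is not started from a stale `result` link when the build fails, and `rm -f nixos.qcow2` so the first run does not error when the disk image does not exist yet.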
@ -28,7 +29,7 @@ appear in `git status` but you don't need to commit this.
```bash ```bash
SOPS_AGE_KEY_FILE=keys.txt \ SOPS_AGE_KEY_FILE=keys.txt \
nix run --impure nixpkgs#sops -- --config sops.yaml -r -i \ nix run --impure nixpkgs#sops -- --config sops.yaml -r -i \
--add-age $(nix shell nixpkgs#ssh-to-age --command sh -c 'ssh-keyscan -p 2222 -t ed25519 -4 localhost 2>/dev/null | ssh-to-age') ; \ --add-age $(nix shell nixpkgs#ssh-to-age --command sh -c 'ssh-keyscan -p 2222 -t ed25519 -4 localhost 2>/dev/null | ssh-to-age') \
secrets.yaml secrets.yaml
``` ```
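Review bot: replacing `;` with `\` before `secrets.yaml` is correct; previously `secrets.yaml` was executed as a separate command and `sops -r -i --add-age ...` ran without a file argument. The `$(...)` feeding `--add-age` should also be double-quoted: if `ssh-keyscan` returns nothing (VM not yet listening on port 2222), the unquoted expansion disappears and `secrets.yaml` becomes the argument of `--add-age`, whereas `"$(...)"` makes sops fail on an empty key.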
@ -54,10 +55,16 @@ You can ssh into the VM with, but this is not required for the demo:
ssh -F ssh_config example ssh -F ssh_config example
``` ```
Finally, deploy with: Finally, we can deploy. To deploy a Home Assistant server, run:
```bash ```bash
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic
```
To deploy a Home Assistant server integrated with a LDAP service, run:
```bash
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap
``` ```
The deploy will take a few minutes the first time and subsequent deploys will take around 15 The deploy will take a few minutes the first time and subsequent deploys will take around 15
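Review bot: `apply --on basic` and `apply --on ldap` are presented as two deploy commands, but nothing says they are alternatives. Add a sentence stating that the reader picks one: the `basic` node in `flake.nix` deploys to `deployment.targetHost = "example"`, and if `ldap` targets the same VM, applying one after the other replaces the previously deployed configuration.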
@ -69,7 +76,7 @@ Add the following entry to your `/etc/hosts` file:
```nix ```nix
networking.hosts = { networking.hosts = {
"127.0.0.1" = [ "ha.example.com" "ldap.example.com" ]; "127.0.0.1" = [ "ha.example.com" ];
}; };
``` ```
@ -77,10 +84,23 @@ Which produces:
```bash ```bash
$ cat /etc/hosts $ cat /etc/hosts
127.0.0.1 ha.example.com ldap.example.com 127.0.0.1 ha.example.com
``` ```
Go to [http://ldap.example.com:8080](http://ldap.example.com:8080) and login with: If you deployed the `ldap` target host, add instead:
```nix
networking.hosts = {
"127.0.0.1" = [ "ha.example.com" "ldap.example.com" ];
};
```
If you deployed the `basic` target host, go to
[http://ha.example.com:8080](http://ha.example.com:8080) and you will be greeted with the Home
Assistant setup wizard which will allow you to create an admin user:
And that's the end of the demo. Otherwise if you deployed the `ldap` target host, go first to
[http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
- username: `admin` - username: `admin`
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `fccb94f0f64bddfe299c81410096499a`. - password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `fccb94f0f64bddfe299c81410096499a`.
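Review bot: in the `basic` branch, "which will allow you to create an admin user:" is followed directly by "And that's the end of the demo.", which reads as if a screenshot or list was dropped; end that sentence with a period. "login with" should be "log in with" (verb). Reproducing the `lldap.user_password` value inline also means this README must be updated whenever `secrets.yaml` is re-encrypted; pointing at the field name alone would avoid the duplication.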

View file

@ -35,11 +35,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1703255338, "lastModified": 1704194953,
"narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=", "narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6df37dc6a77654682fe9f071c62b4242b5342e04", "rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -51,11 +51,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1703351344, "lastModified": 1704290814,
"narHash": "sha256-9FEelzftkE9UaJ5nqxidaJJPEhe9TPhbypLHmc2Mysc=", "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7790e078f8979a9fcd543f9a47427eeaba38f268", "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -67,11 +67,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1703134684, "lastModified": 1704161960,
"narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=", "narHash": "sha256-QGua89Pmq+FBAro8NriTuoO/wNaUtugt29/qqA8zeeM=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d6863cbcbbb80e71cecfc03356db1cda38919523", "rev": "63143ac2c9186be6d9da6035fa22620018c85932",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -111,11 +111,11 @@
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
}, },
"locked": { "locked": {
"lastModified": 1703575610, "lastModified": 1704702906,
"narHash": "sha256-W22MujiE5xxibKu9M7usXhGD04ntrLXegMxuY6FYCX4=", "narHash": "sha256-VUMQJjwjUAjqBC4lcZHRJctSzaO99mLphRQ6zGSs75g=",
"owner": "ibizaman", "owner": "ibizaman",
"repo": "selfhostblocks", "repo": "selfhostblocks",
"rev": "7a62b5b89c406fbf80ac6dfb678c0d5c62a771ea", "rev": "a5e9af27b5b3c379a2155467dd4faa7dcb3659b9",
"type": "github" "type": "github"
}, },
"original": { "original": {
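Review bot: pinning the `selfhostblocks` input to `a5e9af27b5b3...`, the parent of this commit, is what makes the new `shb.home-assistant.ldap` options used in `flake.nix` available to the demo, so this bump belongs with the change. The bumps of the four other inputs in the same docs commit are unrelated and would be easier to bisect as their own commit.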
@ -130,11 +130,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1703387502, "lastModified": 1704596510,
"narHash": "sha256-JnWuQmyanPtF8c5yAEFXVWzaIlMxA3EAZCh8XNvnVqE=", "narHash": "sha256-tupdwwg1WeX2hNMOQrvtyafTaTVty0QC/gQp7yaYJic=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "e523e89763ff45f0a6cf15bcb1092636b1da9ed3", "rev": "f5fbcc0f50e7fc60c4f806fa7a09abccf0826d8a",
"type": "github" "type": "github"
}, },
"original": { "original": {

View file

@ -14,7 +14,37 @@
specialArgs = inputs; specialArgs = inputs;
}; };
myserver = { config, ... }: { basic = { config, ... }: {
imports = [
./configuration.nix
selfhostblocks.inputs.sops-nix.nixosModules.default
selfhostblocks.nixosModules.x86_64-linux.default
];
# Used by colmena to know which target host to deploy to.
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
shb.home-assistant = {
enable = true;
domain = "example.com";
subdomain = "ha";
sopsFile = ./secrets.yaml;
};
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1w"
];
# Set to true for more debug info with `journalctl -f -u nginx`.
shb.nginx.accessLog = false;
shb.nginx.debugLog = false;
};
ldap = { config, ... }: {
imports = [ imports = [
./configuration.nix ./configuration.nix
selfhostblocks.inputs.sops-nix.nixosModules.default selfhostblocks.inputs.sops-nix.nixosModules.default
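Review bot: `nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ]` re-enables a package that nixpkgs has marked insecure without saying why; add a comment naming the dependency that still needs OpenSSL 1.1 so the exception can be dropped once that dependency moves on. The new `basic` node also repeats the imports, the `deployment` block and the `shb.nginx` log settings that `ldap` already has; factoring the shared part into a common module would keep the two nodes from drifting apart.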
@ -56,14 +86,19 @@
shb.home-assistant = { shb.home-assistant = {
enable = true; enable = true;
domain = "example.com"; domain = "example.com";
ldapEndpoint = "http://127.0.0.1:${builtins.toString config.shb.ldap.webUIListenPort}"; ldap = {
enable = true;
host = "127.0.0.1";
port = config.shb.ldap.webUIListenPort;
userGroup = "homeassistant_user";
};
subdomain = "ha"; subdomain = "ha";
sopsFile = ./secrets.yaml; sopsFile = ./secrets.yaml;
}; };
# Set to true for more debug info with `journalctl -f -u nginx`. nixpkgs.config.permittedInsecurePackages = [
shb.nginx.accessLog = false; "openssl-1.1.1w"
shb.nginx.debugLog = false; ];
}; };
}; };
}; };
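Review bot: the old `ldapEndpoint = "http://127.0.0.1:..."` carried the scheme, while the new `ldap.host`/`ldap.port` options do not; a comment should confirm that the module only talks plain HTTP to the LLDAP web UI on loopback, because with a non-loopback `host` and the same plain HTTP the Home Assistant to LDAP credentials would cross the network unencrypted. `userGroup = "homeassistant_user"` is a new requirement the README does not mention: users must be members of that LLDAP group before they can log in. Finally, the `shb.nginx.accessLog`/`debugLog` lines were removed from the `ldap` node but added to `basic`, leaving the two nodes inconsistent.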