diff --git a/demo/homeassistant/README.md b/demo/homeassistant/README.md index 348f5b1..7b5b835 100644 --- a/demo/homeassistant/README.md +++ b/demo/homeassistant/README.md @@ -230,21 +230,16 @@ SOPS_AGE_KEY_FILE=keys.txt nix run --impure nixpkgs#sops -- \ The `secrets.yaml` file must follow the format: ```yaml -home-assistant: | - name: "My Instance" +home-assistant: country: "US" - latitude_home: "0.100" - longitude_home: "-0.100" + latitude: "0.100" + longitude: "-0.100" time_zone: "America/Los_Angeles" - unit_system: "metric" lldap: user_password: XXX... jwt_secret: YYY... ``` -> Important: the value of the `home-assistant` field is a string that looks like yaml. Do _not_ -> remove the pipe (|) sign. - You can generate random secrets with: ```bash diff --git a/demo/homeassistant/flake.lock b/demo/homeassistant/flake.lock index 6bf946d..fcd21e0 100644 --- a/demo/homeassistant/flake.lock +++ b/demo/homeassistant/flake.lock @@ -5,11 +5,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1705309234, - "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "lastModified": 1709126324, + "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", "owner": "numtide", "repo": "flake-utils", - "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "rev": "d465f4819400de7c8d874d50b982301f28a84605", "type": "github" }, "original": { @@ -35,11 +35,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1707092692, - "narHash": "sha256-ZbHsm+mGk/izkWtT4xwwqz38fdlwu7nUUKXTOmm4SyE=", + "lastModified": 1709150264, + "narHash": "sha256-HofykKuisObPUfj0E9CJVfaMhawXkYx3G8UIFR/XQ38=", "owner": "nixos", "repo": "nixpkgs", - "rev": "faf912b086576fd1a15fca610166c98d47bc667e", + "rev": "9099616b93301d5cf84274b184a3a5ec69e94e08", "type": "github" }, "original": { 
@@ -51,27 +51,27 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1705957679, - "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", + "lastModified": 1708819810, + "narHash": "sha256-1KosU+ZFXf31GPeCBNxobZWMgHsSOJcrSFA6F2jhzdE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", + "rev": "89a2a12e6c8c6a56c72eb3589982c8e2f89c70ea", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-23.05", + "ref": "release-23.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_2": { "locked": { - "lastModified": 1706925685, - "narHash": "sha256-hVInjWMmgH4yZgA4ZtbgJM1qEAel72SYhP5nOWX4UIM=", + "lastModified": 1708751719, + "narHash": "sha256-0uWOKSpXJXmXswOvDM5Vk3blB74apFB6rNGWV5IjoN0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "79a13f1437e149dc7be2d1290c74d378dad60814", + "rev": "f63ce824cd2f036216eb5f637dfef31e1a03ee89", "type": "github" }, "original": { @@ -111,11 +111,11 @@ "sops-nix": "sops-nix" }, "locked": { - "lastModified": 1707374005, - "narHash": "sha256-W3p8hBLUdlHAG7yxT250jImnFmXe83tN119/jRiBYdo=", + "lastModified": 1709267447, + "narHash": "sha256-5Q467FhpS18L/+5iB3wsWaR9tBqdzNt0fpdkZJNqNxc=", "owner": "ibizaman", "repo": "selfhostblocks", - "rev": "7d0276e9f2509bc6f175358c318374fedfc64422", + "rev": "fa206d0e1515fb0e49393e7ada6d7e5c6ec1df58", "type": "github" }, "original": { @@ -130,11 +130,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1707015547, - "narHash": "sha256-YZr0OrqWPdbwBhxpBu69D32ngJZw8AMgZtJeaJn0e94=", + "lastModified": 1708987867, + "narHash": "sha256-k2lDaDWNTU5sBVHanYzjDKVDmk29RHIgdbbXu5sdzBA=", "owner": "Mic92", "repo": "sops-nix", - "rev": "23f61b897c00b66855074db471ba016e0cda20dd", + "rev": "a1c8de14f60924fafe13aea66b46157f0150f4cf", "type": "github" }, "original": { diff --git a/demo/homeassistant/flake.nix b/demo/homeassistant/flake.nix index bc20515..e8d5eba 100644 --- a/demo/homeassistant/flake.nix 
+++ b/demo/homeassistant/flake.nix @@ -18,7 +18,42 @@ enable = true; domain = "example.com"; subdomain = "ha"; + config = { + name = "SHB Home Assistant"; + country.source = config.sops.secrets."home-assistant/country".path; + latitude.source = config.sops.secrets."home-assistant/latitude".path; + longitude.source = config.sops.secrets."home-assistant/longitude".path; + time_zone.source = config.sops.secrets."home-assistant/time_zone".path; + unit_system = "metric"; + }; + }; + sops.secrets."home-assistant/country" = { sopsFile = ./secrets.yaml; + mode = "0440"; + owner = "hass"; + group = "hass"; + restartUnits = [ "home-assistant.service" ]; + }; + sops.secrets."home-assistant/latitude" = { + sopsFile = ./secrets.yaml; + mode = "0440"; + owner = "hass"; + group = "hass"; + restartUnits = [ "home-assistant.service" ]; + }; + sops.secrets."home-assistant/longitude" = { + sopsFile = ./secrets.yaml; + mode = "0440"; + owner = "hass"; + group = "hass"; + restartUnits = [ "home-assistant.service" ]; + }; + sops.secrets."home-assistant/time_zone" = { + sopsFile = ./secrets.yaml; + mode = "0440"; + owner = "hass"; + group = "hass"; + restartUnits = [ "home-assistant.service" ]; }; nixpkgs.config.permittedInsecurePackages = [ diff --git a/demo/homeassistant/secrets.yaml b/demo/homeassistant/secrets.yaml index e0e488c..5b1900d 100644 --- a/demo/homeassistant/secrets.yaml +++ b/demo/homeassistant/secrets.yaml 
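Review bot: The four added `sops.secrets."home-assistant/…"` entries set `mode = "0440"` while owner and group are both `hass`, so the group-read bit only widens access to any other member of that group; if only the service user reads these files, `mode = "0400";` is the tighter choice. The four bodies are identical, so binding the shared attributes once in a `let` (for example as `hassSecret`) and writing `sops.secrets."home-assistant/country" = hassSecret;` for each key would keep ownership and permissions from drifting apart. How the module consumes the `.source` paths is not visible here; presumably it renders the decrypted values into the Home Assistant configuration, and that rendered file should be no more readable than the secrets themselves. The enclosing module attribute set starts and ends outside this hunk.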
@@ -1,4 +1,8 @@ -home-assistant: ENC[AES256_GCM,data:acEXqx3bdQp0zB5FnHCBsic/kgu2L8Q6h/fsfrLmdk7SOfzEibPpPLCCv8eYmh4D5VuIAsq/PeJ3k+uqWGbTrJt7EIcxt0kYTLRuWZRG8YJH1+HCxoKcO/mx9bwbRd3LtXiVscgP9zIZLoLPK2XieFKOeg==,iv:dJ7FUkquMI4g4K2Nnv3kFFQk/va2QgwfgGoWif5f2tU=,tag:6LIBt9whdRPVsoF1RY3Pew==,type:str] +home-assistant: + country: ENC[AES256_GCM,data:2Ng=,iv:/VMB6yi3e8piAx8DzLGGhLsozxWUWX2R7NcmACFng8Q=,tag:Tx0Iy1AnLmPrnYu7XtbesA==,type:str] + latitude: ENC[AES256_GCM,data:p/O1HW4=,iv:CRgL4wcM3gMNu/OAHVoQuLcRD9J3SbkxsjvobiabQ0g=,tag:uIo5Rv7geOtVcarp4Qkqww==,type:str] + longitude: ENC[AES256_GCM,data:sVyww6F7,iv:9EZYXSkv+rhD77lqmC+c8i+wf46KPYloVoK+ok3bWYY=,tag:c+lmtcGvULtMdu9ZTDewjA==,type:str] + time_zone: ENC[AES256_GCM,data:JKXdsQZrtB1B77klxuemw1tZbg==,iv:nItJfpwp2XWmBHbohrjNMWQ8TpL2Xsv22UujZRgDscw=,tag:wrHbA1yycutUUn79F9wy6Q==,type:str] lldap: user_password: ENC[AES256_GCM,data:JrFraqFSqAhRVjB5fagIoB864aejt24q+qqWeu8ySC0=,iv:RS7VS+9tsSknn9SwpfyYVi41m3lN4SkZ4CSwrzH/Eso=,tag:5L7fx6/KhDtjHPruwac/sw==,type:str] jwt_secret: ENC[AES256_GCM,data:W1T/QoxuzMD+2AL7sP5KkMcC+GvFdd4kfd70rHLnQD+jWNs9G0igkC/BxxgbIfnSASwtSnBaaiU6/pxLFOcUVh0Nyd0Zmb/KTbagpUvSl//AZnTt/WKF9Q/8sqKzsGv0QdMyZKWi4cxiEILcTbxOsgwriFGgOJ1k5N8JEif15ig=,iv:rHlRt6nWMz8rVmU0aKH6VWWVXunOfJcDvZOxgWbK1FI=,tag:qC6N61rE8CfPSXrsEqFoIQ==,type:str] 
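Review bot: Splitting the single `home-assistant` blob into per-field values exposes more metadata in the committed file than before. sops leaves key names in clear and AES-GCM ciphertext has the same length as the plaintext, so `country` is visibly a two-byte value and `latitude`/`longitude` reveal their character counts. That is harmless for demo values, but the README asks users to follow this format with their own data, so a line next to the format block such as `Note: sops encrypts values only; field names and value lengths stay visible in secrets.yaml.` would set the right expectation.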
@@ -26,8 +30,8 @@ sops: VlJpS1BYd2UrZU1mZTEwU1BYODhqM2sKvQnFV8xsy1tEmYZu4izBYb7XQqTPOLTL bRkU6n17uiyXNbiXDAbX0Png/XmVG96/+Zl38BBXPQvARX8c2tzq6w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-23T00:46:58Z" - mac: ENC[AES256_GCM,data:kBkUCStabQ32JK/UDPATgOz3HoI/dVkNLsl6uEhHk8ODbF+ZBg6BDEaxtMFFh0bV+71klAmF0KsL/kHKiHlbNuoNWOxwbsANGeL8xtV6JCU58zTF0nfgAP/3KJYveridgylRRZS5hYl5Mg+z6Zdgw+43r3Iiizf86BZVc5OaDyY=,iv:ZXWLXQUrVIwYCCVnXI0jTf5paOWNuujG/Pw+Nf/M34A=,tag:+P/UJqBI3prcxEUO4Zqu/A==,type:str] + lastmodified: "2024-02-12T05:07:51Z" + mac: ENC[AES256_GCM,data:MOmvK0g6Wj+fND154QUhmXujsDOKMO5CRRckru+eDRPeHcJZUnI/jjolcI8y+LEdhUVf0Ln8E38GSxZT/8EW3CfCNkOUikGFdfxuQ2uzNp/1wMvNaF988lrXMBfQ7Il18AiYVK0QhGReGXJa6wBVUb2Qfrg41WC65UvQtMOByqI=,iv:Rscvq1l7YgNapC0NkabQHBzirzsPEr8ykAQqx+qGoi0=,tag:ud+K72bnUV1hnsjcewNrsw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1