add ldap support to home-assistant

2023-07-19 23:19:08 -07:00 · 2023-07-19 23:19:08 -07:00 · 88c9fabcb9
commit 88c9fabcb9
parent 4d56e9782a
2 changed files with 33 additions and 0 deletions
--- a/modules/home-assistant.nix
+++ b/modules/home-assistant.nix
@ -4,6 +4,18 @@ let
  cfg = config.shb.home-assistant;

  fqdn = "${cfg.subdomain}.${cfg.domain}";
+
+  ldap_auth_script_repo = pkgs.fetchFromGitHub {
+    owner = "lldap";
+    repo = "lldap";
+    rev = "7d1f5abc137821c500de99c94f7579761fc949d8";
+    sha256 = "sha256-8D+7ww70Ja6Qwdfa+7MpjAAHewtCWNf/tuTAExoUrg0=";
+  };
+
+  ldap_auth_script = pkgs.writeShellScriptBin "ldap_auth.sh" ''
+    export PATH=${pkgs.gnused}/bin:${pkgs.curl}/bin:${pkgs.jq}/bin
+    exec ${pkgs.bash}/bin/bash ${ldap_auth_script_repo}/example_configs/lldap-ha-auth.sh $@
+  '';
 in
 {
  options.shb.home-assistant = {
@ -21,6 +33,12 @@ in
      example = "mydomain.com";
    };

+    ldapEndpoint = lib.mkOption {
+      type = lib.types.str;
+      description = "host serving the LDAP server";
+      example = "http://127.0.0.1:389";
+    };
+
    sopsFile = lib.mkOption {
      type = lib.types.path;
      description = "Sops file location";
@ -80,6 +98,17 @@ in
          latitude = "!secret latitude_home";
          longitude = "!secret longitude_home";
          time_zone = "America/Los_Angeles";
+          auth_providers = [
+            # Ensure you have the homeassistant provider enabled if you want to continue using your existing accounts
+            { type = "homeassistant"; }
+            { type = "command_line";
+              command = ldap_auth_script + "/bin/ldap_auth.sh";
+              # Only allow users in the 'homeassistant_user' group to login.
+              # Change to ["https://lldap.example.com"] to allow all users
+              args = [ cfg.ldapEndpoint "homeassistant_user" ];
+              meta = true;
+            }
+          ];
        };
        "automation ui" = "!include automations.yaml";
        "scene ui" = "!include scenes.yaml";
--- a/modules/ldap.nix
+++ b/modules/ldap.nix
@ -83,6 +83,8 @@ in
      environment = {
        LLDAP_JWT_SECRET_FILE = "/run/secrets/lldap/jwt_secret";
        LLDAP_LDAP_USER_PASS_FILE = "/run/secrets/lldap/user_password";
+
+        # RUST_LOG = "debug";
      };

      settings = {
@ -94,6 +96,8 @@ in
        ldap_port = 3890;

        ldap_base_dn = cfg.dcdomain;
+
+        # verbose = true;
      };
    };