add home-assistant example

.gitignore

@@ -0,0 +1,2 @@
+*.qcow2
+result

examples/homeassistant/README.md

@@ -0,0 +1,51 @@
+# Use a VM to run this example
+
+Build VM with:
+
+```bash
+nixos-rebuild build-vm --fast -I nixos-config=./configuration.nix -I nixpkgs=.
+```
+
+Start VM with:
+
+```bash
+QEMU_NET_OPTS="hostfwd=tcp::2222-:22" ./result/bin/run-nixos-vm
+```
+
+User is `nixos`, password is `nixos`.
+
+Ssh into VM with `ssh -p 2222 nixos@localhost`.
+
+If you get into issues with ssh trying too many public keys and failing, try instead: `ssh -o PasswordAuthentication=yes -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no  -p 2222 nixos@localhost`.
+
+For more information about running this example in a vm, see [NixOS_modules#Developing_modules](https://nixos.wiki/wiki/NixOS_modules#Developing_modules).
+
+For more information about writing tests, see [the manual](https://nixos.org/manual/nixos/stable/index.html#sec-nixos-tests).
+
+Create your secret key which prints the public key used for `admin`:
+
+```bash
+nix-shell -p age --run 'age-keygen -o keys.txt'
+```
+
+Get target host age key which prints the public key used for `vm`:
+
+```bash
+nix-shell -p ssh-to-age --run 'ssh-keyscan -p 2222 -4 localhost | ssh-to-age'
+```
+
+Update `admin` and `vm` keys in sops.yaml.
+
+Edit secret itself with:
+
+```bash
+nix-shell -p sops --run 'sops --config sops.yaml secrets.yaml'
+```
+
+Deploy with:
+
+```bash
+nix-shell -p colmena --run 'colmena apply'
+```
+
+Took 12 minutes for first deploy on my machine. Next deploys take about 12 seconds.

examples/homeassistant/configuration.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, ... }:
+
+{
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.kernelModules = [ "kvm-intel" ];
+  fileSystems."/" =
+    { device = "/dev/vda";
+      fsType = "ext4";
+    };
+  system.stateVersion = "22.11";
+
+  # As we intend to run this example using `nixos-rebuild build-vm`, we need to setup the user
+  # ourselves, see https://nixos.wiki/wiki/NixOS:nixos-rebuild_build-vm
+  users.users.nixos = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+    initialPassword = "nixos";
+  };
+
+  security.sudo.extraRules = [
+    { users = [ "nixos" ];
+      commands = [
+        { command = "ALL";
+          options = [ "NOPASSWD" ];
+        }
+      ];
+    }
+  ];
+
+  services.openssh.enable = true;
+  services.openssh = {
+    permitRootLogin = "no";
+    passwordAuthentication = true;
+  };
+}

examples/homeassistant/flake.lock

@@ -0,0 +1,100 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1687681650,
+        "narHash": "sha256-M2If+gRcfpmaJy/XbfSsRzLlPpoU4nr0NHnKKl50fd8=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "1c9db9710cb23d60570ad4d7ab829c2d34403de3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1687031877,
+        "narHash": "sha256-yMFcVeI+kZ6KD2QBrFPNsvBrLq2Gt//D0baHByMrjFY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e2e2059d19668dab1744301b8b0e821e3aae9c99",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1686628398,
+        "narHash": "sha256-jXEuS/dex59Oon4tll+Jb8aVl6B8HX/aREigHjt2S6E=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "202850e1a11a939364cef0f326cb1352b3f2d8cd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "master",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs",
+        "selfhostblocks": "selfhostblocks",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "selfhostblocks": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "sops-nix": [
+          "sops-nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1687501773,
+        "narHash": "sha256-NtASNHmf+WeVMoGDUk8cMZLEHIOzs9DAaTafWtt9PhY=",
+        "type": "git",
+        "url": "file:///home/timi/Projects/selfhostblocks"
+      },
+      "original": {
+        "type": "git",
+        "url": "file:///home/timi/Projects/selfhostblocks"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1687398569,
+        "narHash": "sha256-e/umuIKFcFtZtWeX369Hbdt9r+GQ48moDmlTcyHWL28=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "2ff6973350682f8d16371f8c071a304b8067f192",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

examples/homeassistant/flake.nix

@@ -0,0 +1,43 @@
+{
+  description = "Home Assistant example for Self Host Blocks";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    sops-nix.url = "github:Mic92/sops-nix";
+
+    selfhostblocks.url = "/home/timi/Projects/selfhostblocks";
+    selfhostblocks.inputs.nixpkgs.follows = "nixpkgs";
+    selfhostblocks.inputs.sops-nix.follows = "sops-nix";
+  };
+
+  outputs = inputs@{ self, nixpkgs, sops-nix, selfhostblocks, ... }: {
+    colmena = {
+      meta = {
+        nixpkgs = import nixpkgs {
+          system = "x86_64-linux";
+        };
+        specialArgs = inputs;
+      };
+
+      myserver = {
+        deployment = {
+          targetHost = "localhost";
+          targetPort = 2222;
+          targetUser = "nixos";
+        };
+
+        imports = [
+          ./configuration.nix
+          sops-nix.nixosModules.default
+          selfhostblocks.nixosModules.default
+        ];
+
+        shb.home-assistant = {
+          enable = true;
+          subdomain = "ha";
+          sopsFile = ./secrets.yaml;
+        };
+      };
+    };
+  };
+}

examples/homeassistant/keys.txt

@@ -0,0 +1,3 @@
+# created: 2023-06-26T21:31:39-07:00
+# public key: age1a3gukez540dt9p64rrq994487j6awjd063n2jgxtpu6ljv2n0d0qcv8tft
+AGE-SECRET-KEY-1RE30YJ76UHS0FF3GVL0894SG9J67RRFWT0YQ8K6QGTTS4FDK5QEQRV2436

examples/homeassistant/secrets.yaml

@@ -0,0 +1,30 @@
+home-assistant: ENC[AES256_GCM,data:SnkutANfqF2KZ6fpg1S4yBoeEbXBGZ97doxgiP7GVcsf/w7t1ajP0z6vJ7idBTKZ51t8vlRGr4Bq3RzLsqUlQpxjdFDcGGe506EDZhMQUvr4bn2C9gc=,iv:YYkHnNBmd8J1GAL4EW+SAlb9ILbIxevmk/yhLrwnchw=,tag:owP/F/NC4WUpUkNhCkAclw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1a3gukez540dt9p64rrq994487j6awjd063n2jgxtpu6ljv2n0d0qcv8tft
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVU0NGVE9ubkFQN2kvK1Vo
+            SHVIaVZrN2VobkpXMzZPVFdHcVVqdlpTeFJzCjBXbHVuUTJ5S0MrNkVRcWFhWVE0
+            MVRDZ0lOWi9ZeFN6WFQxUUhSVlNCbGcKLS0tIE9YWmtmSTFkZU9CWWp6V3g0ejJS
+            RS9oRDdZdGkrNGlCZU12TDBCSEtkTFUKIROyBC1UFg4AHz6LgqwPIaZzeDunQSYB
+            7MiIp74icMSsl3P3r+6K/brQ5e3DPNvdttr6Q1FhGYfEj55xFqcLMg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qawyldukqyaeexd0zet4gldp5hc4p0ulrnete73k38xexa8m0yvqzswc2v
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0cTY5b3F3WkJjc3NzcW1X
+            SkZxdUdaMkNzQXk2Tng3dHNscFpDR0x0amwwCjhkUGRkRnhiWlZEWVU2UVZseTZh
+            V1FoYjVtd3JIMm8rTHBySThYRWFOMVUKLS0tIDV5ZDRkQitOTFNHOFlYdFEzUUIv
+            R0N4T1BKRGNkOS95Y1Y2MU10cWR5UWcKpiJ3S1aJOR+jUnVS7u1FaSUo828ZJWGA
+            YAjb1G749UxZmUHA7wV4W7oBW3TcBml9HmLyyUjefX6MEPadflp8rQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-06-27T05:02:12Z"
+    mac: ENC[AES256_GCM,data:w/FOB/hc5MUfu0c6+NvLWXG+wNAzD4VZSb44WXXWDxT/Twhb5ASSAXLM6YxCbKGTuug7BiEEPQkBZHEQATuwLmc04R3yKDq4ocyPTI7vbARgwuh/hqw3nAVLi76tH5v2lJLVBFvOzJxB8JBkJgs3VbSlh3APLncvb5+KivPIqis=,iv:zVbMO8zr4uXlZTEin5JsLCos1vOrCKWSDo3Nf3JygXQ=,tag:zMG3D8m2fGa6KMkRrBfffA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

examples/homeassistant/sops.yaml

@@ -0,0 +1,9 @@
+keys:
+  - &admin age1a3gukez540dt9p64rrq994487j6awjd063n2jgxtpu6ljv2n0d0qcv8tft
+  - &vm age1qawyldukqyaeexd0zet4gldp5hc4p0ulrnete73k38xexa8m0yvqzswc2v
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+    - age:
+      - *admin
+      - *vm

examples/homeassistant/sshkey

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACD7ngEdcDu4UVbe2ZzBhKn2HhPW0PlEmgEpb/kkMieFIwAAAJiBL8xSgS/M
+UgAAAAtzc2gtZWQyNTUxOQAAACD7ngEdcDu4UVbe2ZzBhKn2HhPW0PlEmgEpb/kkMieFIw
+AAAECzMZfgJIQJUVgyKZ3IYnEVvwnYXJ8nstc4/g1H41dC/vueAR1wO7hRVt7ZnMGEqfYe
+E9bQ+USaASlv+SQyJ4UjAAAAEWV4YW1wbGVAbG9jYWxob3N0AQIDBA==
+-----END OPENSSH PRIVATE KEY-----

examples/homeassistant/sshkey.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPueAR1wO7hRVt7ZnMGEqfYeE9bQ+USaASlv+SQyJ4Uj example@localhost