diff --git a/flake.nix b/flake.nix index a8e533e..173b6c6 100644 --- a/flake.nix +++ b/flake.nix @@ -11,6 +11,7 @@ imports = [ modules/authelia.nix modules/backup.nix + modules/hledger.nix modules/home-assistant.nix modules/jellyfin.nix modules/ldap.nix diff --git a/modules/hledger.nix b/modules/hledger.nix new file mode 100644 index 0000000..3db36ca --- /dev/null +++ b/modules/hledger.nix @@ -0,0 +1,102 @@ +{ config, pkgs, lib, ... }: + +let + cfg = config.shb.hledger; + + fqdn = "${cfg.subdomain}.${cfg.domain}"; +in +{ + options.shb.hledger = { + enable = lib.mkEnableOption "selfhostblocks.hledger"; + + subdomain = lib.mkOption { + type = lib.types.str; + description = "Subdomain under which Authelia will be served."; + example = "ha"; + }; + + domain = lib.mkOption { + type = lib.types.str; + description = "domain under which Authelia will be served."; + example = "mydomain.com"; + }; + + port = lib.mkOption { + type = lib.types.int; + description = "HLedger port"; + default = 5000; + }; + + localNetworkIPRange = lib.mkOption { + type = lib.types.str; + description = "Local network range, to restrict access to the UI to only those IPs."; + default = null; + example = "192.168.1.1/24"; + }; + }; + + config = lib.mkIf cfg.enable { + services.hledger-web = { + enable = true; + baseUrl = fqdn; + + stateDir = "/var/lib/hledger"; + journalFiles = ["hledger.journal"]; + + host = "127.0.0.1"; + port = cfg.port; + + capabilities.view = true; + capabilities.add = true; + capabilities.manage = true; + extraOptions = [ + # https://hledger.org/1.30/hledger-web.html + # "--capabilities-header=HLEDGER-CAP" + "--forecast" + ]; + }; + + services.nginx = { + enable = true; + + virtualHosts.${fqdn} = { + forceSSL = true; + sslCertificate = "/var/lib/acme/${cfg.domain}/cert.pem"; + sslCertificateKey = "/var/lib/acme/${cfg.domain}/key.pem"; + + locations."/" = { + proxyPass = "http://${toString config.services.hledger-web.host}:${toString config.services.hledger-web.port}"; + # proxyWebsockets = true; + + extraConfig = lib.mkIf (cfg.localNetworkIPRange != null) '' + allow ${cfg.localNetworkIPRange}; + ''; + }; + }; + }; + + shb.authelia.rules = [ + # { + # domain = fqdn; + # policy = "bypass"; + # resources = [ + # "^/api.*" + # "^/auth/token.*" + # "^/.external_auth=." + # "^/service_worker.js" + # "^/static/.*" + # ]; + # } + { + domain = fqdn; + policy = "two_factor"; + } + ]; + + shb.backup.instances.hledger = { + sourceDirectories = [ + config.services.hledger-web.stateDir + ]; + }; + }; +} diff --git a/modules/home-assistant.nix b/modules/home-assistant.nix index 24583aa..32d5235 100644 --- a/modules/home-assistant.nix +++ b/modules/home-assistant.nix @@ -100,7 +100,7 @@ in time_zone = "America/Los_Angeles"; auth_providers = [ # Ensure you have the homeassistant provider enabled if you want to continue using your existing accounts - { type = "homeassistant"; } + # { type = "homeassistant"; } { type = "command_line"; command = ldap_auth_script + "/bin/ldap_auth.sh"; # Only allow users in the 'homeassistant_user' group to login.