This PR irons out the last issues with the backup contract and the Restic implementation. I could check it works backing up files to a local folder and to Backblaze on my server.
327 lines
11 KiB
327 lines
11 KiB
{ config, pkgs, lib, ... }:
cfg = config.shb.home-assistant;
contracts = pkgs.callPackage ../contracts {};
shblib = pkgs.callPackage ../../lib {};
fqdn = "${cfg.subdomain}.${cfg.domain}";
ldap_auth_script_repo = pkgs.fetchFromGitHub {
owner = "lldap";
repo = "lldap";
rev = "7d1f5abc137821c500de99c94f7579761fc949d8";
sha256 = "sha256-8D+7ww70Ja6Qwdfa+7MpjAAHewtCWNf/tuTAExoUrg0=";
ldap_auth_script = pkgs.writeShellScriptBin "" ''
export PATH=${pkgs.gnused}/bin:${pkgs.curl}/bin:${pkgs.jq}/bin
exec ${pkgs.bash}/bin/bash ${ldap_auth_script_repo}/example_configs/ $@
# Filter secrets from config. Secrets are those of the form { source = <path>; }
secrets = lib.attrsets.filterAttrs (k: v: builtins.isAttrs v) cfg.config;
nonSecrets = (lib.attrsets.filterAttrs (k: v: !(builtins.isAttrs v)) cfg.config);
configWithSecretsIncludes =
// (lib.attrsets.mapAttrs (k: v: "!secret ${k}") secrets);
options.shb.home-assistant = {
enable = lib.mkEnableOption "selfhostblocks.home-assistant";
subdomain = lib.mkOption {
type = lib.types.str;
description = "Subdomain under which home-assistant will be served.";
example = "ha";
domain = lib.mkOption {
type = lib.types.str;
description = "domain under which home-assistant will be served.";
example = "";
ssl = lib.mkOption {
description = "Path to SSL files";
type = lib.types.nullOr contracts.ssl.certs;
default = null;
config = lib.mkOption {
description = "See all available settings at";
type = lib.types.submodule {
freeformType = lib.types.attrsOf lib.types.str;
options = {
name = lib.mkOption {
type = lib.types.oneOf [ lib.types.str shblib.secretFileType ];
description = "Name of the Home Assistant instance.";
country = lib.mkOption {
type = lib.types.oneOf [ lib.types.str shblib.secretFileType ];
description = "Two letter country code where this instance is located.";
latitude = lib.mkOption {
type = lib.types.oneOf [ lib.types.str shblib.secretFileType ];
description = "Latitude where this instance is located.";
longitude = lib.mkOption {
type = lib.types.oneOf [ lib.types.str shblib.secretFileType ];
description = "Longitude where this instance is located.";
time_zone = lib.mkOption {
type = lib.types.oneOf [ lib.types.str shblib.secretFileType ];
description = "Timezone of this instance.";
example = "America/Los_Angeles";
unit_system = lib.mkOption {
type = lib.types.oneOf [ lib.types.str (lib.types.enum [ "metric" "us_customary" ]) ];
description = "Timezone of this instance.";
example = "America/Los_Angeles";
ldap = lib.mkOption {
description = ''
LDAP Integration App. [Manual](
Enabling this app will create a new LDAP configuration or update one that exists with
the given host.
default = {};
type = lib.types.submodule {
options = {
enable = lib.mkEnableOption "LDAP app.";
host = lib.mkOption {
type = lib.types.str;
description = ''
Host serving the LDAP server.
If set, the Home Assistant auth will be disabled. To keep it, set
`keepDefaultAuth` to `true`.
default = "";
port = lib.mkOption {
type = lib.types.port;
description = ''
Port of the service serving the LDAP server.
default = 389;
userGroup = lib.mkOption {
type = lib.types.str;
description = "Group users must belong to to be able to login to Nextcloud.";
default = "homeassistant_user";
keepDefaultAuth = lib.mkOption {
type = lib.types.bool;
description = ''
Keep Home Assistant auth active, even if LDAP is configured. Usually, you want to enable
this to transfer existing users to LDAP and then you can disabled it.
default = false;
backup = lib.mkOption {
type = contracts.backup;
description = ''
Backup configuration. This is an output option.
Use it to initialize a block implementing the "backup" contract.
For example, with the restic block:
shb.restic.instances."home-assistant" = {
enable = true;
# Options specific to Restic.
} // config.shb.home-assistant.backup;
readOnly = true;
default = {
user = "hass";
# No need for backup hooks as we use an hourly automation job in home assistant directly with a cron job.
sourceDirectories = [
config = lib.mkIf cfg.enable {
services.home-assistant = {
enable = true;
# Find them at
extraComponents = [
# Components required to complete the onboarding
configDir = "/var/lib/hass";
# If you can't find a component in component-packages.nix, you can add them manually with something similar to:
# extraPackages = python3Packages: [
# (python3Packages.simplisafe-python.overrideAttrs (old: rec {
# pname = "simplisafe-python";
# version = "5b003a9fa1abd00f0e9a0b99d3ee57c4c7c16bda";
# format = "pyproject";
# src = pkgs.fetchFromGitHub {
# owner = "bachya";
# repo = pname;
# rev = "${version}";
# hash = "sha256-Ij2e0QGYLjENi/yhFBQ+8qWEJp86cgwC9E27PQ5xNno=";
# };
# }))
# ];
config = {
# Includes dependencies for a basic setup
default_config = {};
http = {
use_x_forwarded_for = true;
server_host = "";
server_port = 8123;
trusted_proxies = "";
logger.default = "info";
homeassistant = configWithSecretsIncludes // {
external_url = "https://${cfg.subdomain}.${cfg.domain}";
auth_providers =
(lib.optionals (!cfg.ldap.enable || cfg.ldap.keepDefaultAuth) [
type = "homeassistant";
++ (lib.optionals cfg.ldap.enable [
type = "command_line";
command = ldap_auth_script + "/bin/";
args = [ "http://${}:${toString cfg.ldap.port}" cfg.ldap.userGroup ];
meta = true;
"automation ui" = "!include automations.yaml";
"scene ui" = "!include scenes.yaml";
"script ui" = "!include scripts.yaml";
"automation manual" = [
alias = "Create Backup on Schedule";
trigger = [
platform = "time_pattern";
minutes = "5";
action = [
service = "shell_command.delete_backups";
data = {};
service = "backup.create";
data = {};
mode = "single";
shell_command = {
delete_backups = "find ${}/backups -type f -delete";
conversation.intents = {
TellJoke = [
"Tell [me] (a joke|something funny|a dad joke)"
"Raconte [moi] (une blague)"
sensor = [
name = "random_joke";
platform = "rest";
json_attributes = ["joke" "id" "status"];
value_template = "{{ value_json.joke }}";
resource = "";
scan_interval = "3600";
headers.Accept = "application/json";
intent_script.TellJoke = {
speech.text = ''{{ state_attr("sensor.random_joke", "joke") }}'';
action = {
service = "homeassistant.update_entity";
entity_id = "sensor.random_joke";
services.nginx.virtualHosts."${fqdn}" = {
http2 = true;
forceSSL = !(isNull cfg.ssl);
sslCertificate = lib.mkIf (!(isNull cfg.ssl)) cfg.ssl.paths.cert;
sslCertificateKey = lib.mkIf (!(isNull cfg.ssl)) cfg.ssl.paths.key;
extraConfig = ''
proxy_buffering off;
locations."/" = {
proxyPass = "http://${toString}:${toString}/";
proxyWebsockets = true;
| = lib.mkIf cfg.ldap.enable (
onboarding = pkgs.writeText "onboarding" ''
"version": 4,
"minor_version": 1,
"key": "onboarding",
"data": {
"done": [
storage = "${}";
file = "${storage}/.storage/onboarding";
if ! -f ${file}; then
mkdir -p ''$(dirname ${file}) && cp ${onboarding} ${file}
'' + shblib.replaceSecrets {
userConfig = cfg.config;
resultPath = "${}/secrets.yaml";
generator = shblib.replaceSecretsGeneratorAdapter (lib.generators.toYAML {});
systemd.tmpfiles.rules = [
"f ${}/automations.yaml 0755 hass hass"
"f ${}/scenes.yaml 0755 hass hass"
"f ${}/scripts.yaml 0755 hass hass"