adding home stack

hosts/snowbelle/configuration.nix

@@ -40,6 +40,9 @@ in
       gitea.enable = true;
       qbittorrent.enable = true;
       immich.enable = true;
+      homeassistant.enable = true;
+      zigbee2mqtt.enable = true;
+      mosquitto.enable = true;
       prowlarr.enable = true;
       flaresolverr.enable = true;
       bazarr.enable = true;

modules/homelab/services/default.nix

@@ -10,6 +10,9 @@
     ./qbittorrent
     ./immich
     ./nginx-proxy
+    ./smarthome/homeassistant
+    ./smarthome/zigbee2mqtt
+    ./smarthome/mosquitto
     ./arr/prowlarr
     ./arr/flaresolverr
     ./arr/bazarr

modules/homelab/services/smarthome/homeassistant/default.nix

@@ -0,0 +1,116 @@
+{ pkgs, config, lib, ... }:
+
+let
+  service = "home-assistant";
+  cfg = config.modules.services.${service};
+  sec = config.sops.secrets;
+  homelab = config.modules.homelab;
+in
+{
+  options.modules.services.${service} = {
+    enable = lib.mkEnableOption "enables ${service}";
+
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 7704;
+      description = "set port for ${service} (default: ${toString cfg.port}";
+    };
+    url = lib.mkOption {
+      type = lib.types.str;
+      default = "${service}.${homelab.base_domain}";
+      description = "set domain for ${service}";
+    };
+    data_dir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/${service}";
+      description = "set data directory for ${service}";
+    };
+    ids = lib.mkOption {
+      type = lib.types.int;
+      default = cfg.port;
+      description = "set uid and pid of ${service} user (matches port by default)";
+    };
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable backups for ${service}";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare ${service} group
+    users.groups.${service} = { gid = lib.mkForce cfg.ids; };
+
+    # declare ${service} user
+    users.users.${service} = {
+      description = "${service} server user";
+      uid = lib.mkForce cfg.ids;
+      isSystemUser = true;
+      home = cfg.data_dir;
+      createHome = true;
+      group = "${service}";
+      extraGroups = [ "media" ];
+    };
+
+    # enable the ${service} service
+    services.${service} = {
+      enable = true;
+      openFirewall = true;
+      user = "${service}";
+      group = "${service}";
+      configDir = cfg.data_dir;
+      # if config is set in here, configuration.yaml will be overwritten every startup with this
+#      configWritable = true;
+#      config = {
+#       http.server_port = cfg.port;
+#        homeassistant = {
+#          name = "snowbelle";
+#          time_zone = cfg.tz;
+#          unit_system = "us_customary";
+#          temperature_unit = "F";
+#        };
+#      };
+    };
+
+    # override umask to make permissions work out
+    systemd.services.${service}.serviceConfig = {
+      UMask = lib.mkForce "0007";
+#      User = "${service}";
+#      Group = "${service}";
+    };
+
+#    # open firewall
+#    networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+    # internal reverse proxy entry
+    services.nginx.virtualHosts."${cfg.url}" = {
+      forceSSL = true;
+      sslCertificate = sec."ssl_blakedheld_crt".path;
+      sslCertificateKey = sec."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+     # external reverse proxy entry
+     services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
+      forceSSL = true;
+      sslCertificate = sec."ssl_blakedheld_crt".path;
+      sslCertificateKey = sec."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+
+#    sops.secrets = {
+#      "${service}_" = {
+#        owner = "${service}";
+#        group = "${service}";
+#      };
+#    };
+
+     # add to backups
+     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+  };
+}

modules/homelab/services/smarthome/mosquitto/default.nix

@@ -0,0 +1,104 @@
+{ pkgs, config, lib, ... }:
+
+let
+  service = "mosquitto";
+  cfg = config.modules.services.${service};
+  sec = config.sops.secrets;
+  homelab = config.modules.homelab;
+in
+{
+  options.modules.services.${service} = {
+    enable = lib.mkEnableOption "enables ${service}";
+
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 1883;
+      description = "set port for ${service} (default: ${toString cfg.port}";
+    };
+    url = lib.mkOption {
+      type = lib.types.str;
+      default = "${service}.${homelab.base_domain}";
+      description = "set domain for ${service}";
+    };
+    data_dir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/${service}";
+      description = "set data directory for ${service}";
+    };
+    ids = lib.mkOption {
+      type = lib.types.int;
+      default = cfg.port;
+      description = "set uid and pid of ${service} user (matches port by default)";
+    };
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable backups for ${service}";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare ${service} group
+    users.groups.${service} = { gid = lib.mkForce cfg.ids; };
+
+    # declare ${service} user
+    users.users.${service} = {
+      description = "${service} server user";
+      uid = lib.mkForce cfg.ids;
+      isSystemUser = true;
+      home = cfg.data_dir;
+      createHome = true;
+      group = "${service}";
+      extraGroups = [ "media" ];
+    };
+
+    # enable the ${service} service
+    services.${service} = {
+      enable = true;
+      listeners = {
+        port = cfg.port;
+        settings = {
+          allow_anonymous false
+          listener = 1883
+          listener = 9001
+          protocol = websockets
+          persistence = true
+          password_file = ${sec."mosquitto_password_file".path}
+          persistence_file =  ${service}.db
+          persistence_location = cfg.data_dir
+        };
+      };
+    };
+
+    # override umask to make permissions work out
+    systemd.services.${service}.serviceConfig = {
+      UMask = lib.mkForce "0007";
+      User = "${service}";
+      Group = "${service}";
+    };
+
+#    # open firewall
+#    networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+    # internal reverse proxy entry
+    services.nginx.virtualHosts."${cfg.url}" = {
+      forceSSL = true;
+      sslCertificate = sec."ssl_blakedheld_crt".path;
+      sslCertificateKey = sec."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+
+    sops.secrets = {
+      "${service}_password_file" = {
+        owner = "${service}";
+        group = "${service}";
+      };
+
+     # add to backups
+     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+  };
+}

modules/homelab/services/smarthome/zigbee2mqtt/default.nix

@@ -0,0 +1,96 @@
+{ pkgs, config, lib, ... }:
+
+let
+  service = "zigbee2mqtt";
+  cfg = config.modules.services.${service};
+  sec = config.sops.secrets;
+  homelab = config.modules.homelab;
+in
+{
+  options.modules.services.${service} = {
+    enable = lib.mkEnableOption "enables ${service}";
+
+    # set port options
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 7705;
+      description = "set port for ${service} (default: ${toString cfg.port}";
+    };
+    url = lib.mkOption {
+      type = lib.types.str;
+      default = "${service}.${homelab.base_domain}";
+      description = "set domain for ${service}";
+    };
+    data_dir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/${service}";
+      description = "set data directory for ${service}";
+    };
+    ids = lib.mkOption {
+      type = lib.types.int;
+      default = cfg.port;
+      description = "set uid and pid of ${service} user (matches port by default)";
+    };
+    backup = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable backups for ${service}";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    
+    # declare ${service} group
+    users.groups.${service} = { gid = lib.mkForce cfg.ids; };
+
+    # declare ${service} user
+    users.users.${service} = {
+      description = "${service} server user";
+      uid = lib.mkForce cfg.ids;
+      isSystemUser = true;
+      home = cfg.data_dir;
+      createHome = true;
+      group = "${service}";
+      extraGroups = [ "media" ];
+    };
+
+    # enable the ${service} service
+    services.${service} = {
+      enable = true;
+      dataDir = cfg.data_dir;
+#      settings = {
+#        
+#      };
+    };
+
+    # override umask to make permissions work out
+    systemd.services.${service}.serviceConfig = {
+      UMask = lib.mkForce "0007";
+      User = "${service}";
+      Group = "${service}";
+    };
+
+#    # open firewall
+    networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+    # internal reverse proxy entry
+    services.nginx.virtualHosts."${cfg.url}" = {
+      forceSSL = true;
+      sslCertificate = sec."ssl_blakedheld_crt".path;
+      sslCertificateKey = sec."ssl_blakedheld_key".path;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+      };
+    };
+#
+#    sops.secrets = {
+#      "${service}_" = {
+#        owner = "${service}";
+#        group = "${service}";
+#      };
+#    };
+
+     # add to backups
+     modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+  };
+}

secrets/secrets.yaml

@@ -20,6 +20,8 @@ vpncon_mex_config: ENC[AES256_GCM,data:4i356X97sBoRliskmh5ewcEwZHkpo37IhPcemKVdW
 vaultwarden_admin_token: ENC[AES256_GCM,data:G1v3N064ci0Fw5EtTzaryailWpsv6f4w6eoHp2vjXIBtIlScdQk1Q0W+eDNRk8Wr2C3ysTXQNbyYismNsls+jeS3W+YqkKL4fnh3a5UTzQrMqvaH11n3ak0X9R9vmt+ZJXBrUrAOKJ6RPHJJSWenhjDB77kwEdQ=,iv:f8X+x/AdmZ3b3dtcSFrxGgA2tCgDRpgddjlVu3mdCmM=,tag:c0MXljVvhwOdvrb/8hWlsQ==,type:str]
 #ENC[AES256_GCM,data:2ESzSsQZqKdjD7OXN8ZPThj6g9acJREe,iv:aDFPB0vs8NNo8ExLcJw7qtQvWbCb1XK6TJrHSK86qss=,tag:z+dypHAGUjEXP7Y9MHYWwg==,type:comment]
 gitea_database_password: ENC[AES256_GCM,data:nhFn0/G7gW5rk996OZzlcTt7T9KMbP8MNM+ReFC8w1H9ZqBSJUbs3K+n68uQVrkOVSXE0cKpOR1VbQ+i+46z3g==,iv:bT4GRZZ83v47/EmeV2KaUFo+4qTT4T2AktFUpPiZdF4=,tag:OC9TInkAr1egM+xnBDizxw==,type:str]
+#ENC[AES256_GCM,data:nbB5Cd7i/KTMCjCzcX8o1sxREZQ/gLAG,iv:iyuO2erxdJM08WHJBjKuNIXYxVhH7rfyOLTcGCcGqNQ=,tag:UeDszimXv8kQUmDetLeFqg==,type:comment]
+mosquitto_password_file: ENC[AES256_GCM,data:7ifs2hGnFQSgJOAKpN0usfiaqLjj7Rjb7zn1/qBDbqEi5hV0JfUncZGorBivR/+kjXHQO6nxaHcKqYvPedNdJ7Qy4/uil/xwgwSmzcbisdVYkhd2pf/N34EQFxmqohud0aTH9V47QbgTdrUPfvsiL+ljLvLu4w==,iv:z7YPIfJHHaLOJrDVnMQhgcMzYAPordFR11kHRAzZqYU=,tag:LRddczdvy01YTm2DFDgSJQ==,type:str]
 sops:
     age:
         - recipient: age14gfh682a7m7jfp3qrulql03x5rs7yedwmxwksxrrmgjsunstyuksqx93pz
@@ -31,7 +33,7 @@ sops:
             U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg
             PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-09T00:57:39Z"
-    mac: ENC[AES256_GCM,data:NCsVDJnzb/x6/InOrE7Aco1bEfbcOA0t5mEQOO/tSM4uj5QjDeCTUyfzfK0A7LHdQSMvRpZLZuz7xDg/WA/QLe0F/CdA1h5HJucpop4NWN/bnJrVNIcik/YlvB6xSWojimZF9sbWZQQb2lPsn3GWt9wIHIHWlBhjIMfHHpLANq8=,iv:yQgpRv+xCvKcBYCyVac66egptSbF/8vi4TtQ5vL5xWQ=,tag:JdsI0yAecTnNO9UiE2IEwQ==,type:str]
+    lastmodified: "2025-10-09T23:59:55Z"
+    mac: ENC[AES256_GCM,data:Zdn1teUi8epB0WJZrpwdOxsnZ4XtJN7dPefGROPUpt0mMFDI5pP9NJpczNLj6ZddCka75Bca8Z3ixcpKasZAJhlQNNKTCe6NRhuh6ergSepzerYGTN1fUwKm+goLY40d33moZFurHkHjmdsNXgb6T9JsIz9bzjLrzqiK9P/gPoM=,iv:AQKQuW1zR9hiaBx3KxfwftM9GnwsOSfsmTN/nEJh5qA=,tag:qxODcuuzTh6ifwMNKR/6lg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0