diff --git a/hosts/snowbelle/configuration.nix b/hosts/snowbelle/configuration.nix index 3b358ff..afc7173 100644 --- a/hosts/snowbelle/configuration.nix +++ b/hosts/snowbelle/configuration.nix @@ -40,6 +40,9 @@ in gitea.enable = true; qbittorrent.enable = true; immich.enable = true; + homeassistant.enable = true; + zigbee2mqtt.enable = true; + mosquitto.enable = true; prowlarr.enable = true; flaresolverr.enable = true; bazarr.enable = true; diff --git a/modules/homelab/services/default.nix b/modules/homelab/services/default.nix index 513c813..376fd95 100644 --- a/modules/homelab/services/default.nix +++ b/modules/homelab/services/default.nix @@ -10,6 +10,9 @@ ./qbittorrent ./immich ./nginx-proxy + ./smarthome/homeassistant + ./smarthome/zigbee2mqtt + ./smarthome/mosquitto ./arr/prowlarr ./arr/flaresolverr ./arr/bazarr diff --git a/modules/homelab/services/smarthome/homeassistant/default.nix b/modules/homelab/services/smarthome/homeassistant/default.nix new file mode 100644 index 0000000..94c0cc7 --- /dev/null +++ b/modules/homelab/services/smarthome/homeassistant/default.nix @@ -0,0 +1,116 @@ +{ pkgs, config, lib, ... }: + +let + service = "home-assistant"; + cfg = config.modules.services.${service}; + sec = config.sops.secrets; + homelab = config.modules.homelab; +in +{ + options.modules.services.${service} = { + enable = lib.mkEnableOption "enables ${service}"; + + # set port options + port = lib.mkOption { + type = lib.types.int; + default = 7704; + description = "set port for ${service} (default: ${toString cfg.port}"; + }; + url = lib.mkOption { + type = lib.types.str; + default = "${service}.${homelab.base_domain}"; + description = "set domain for ${service}"; + }; + data_dir = lib.mkOption { + type = lib.types.str; + default = "/var/lib/${service}"; + description = "set data directory for ${service}"; + }; + ids = lib.mkOption { + type = lib.types.int; + default = cfg.port; + description = "set uid and pid of ${service} user (matches port by default)"; + }; + backup = lib.mkOption { + type = lib.types.bool; + default = true; + description = "enable backups for ${service}"; + }; + }; + + config = lib.mkIf cfg.enable { + + # declare ${service} group + users.groups.${service} = { gid = lib.mkForce cfg.ids; }; + + # declare ${service} user + users.users.${service} = { + description = "${service} server user"; + uid = lib.mkForce cfg.ids; + isSystemUser = true; + home = cfg.data_dir; + createHome = true; + group = "${service}"; + extraGroups = [ "media" ]; + }; + + # enable the ${service} service + services.${service} = { + enable = true; + openFirewall = true; + user = "${service}"; + group = "${service}"; + configDir = cfg.data_dir; + # if config is set in here, configuration.yaml will be overwritten every startup with this +# configWritable = true; +# config = { +# http.server_port = cfg.port; +# homeassistant = { +# name = "snowbelle"; +# time_zone = cfg.tz; +# unit_system = "us_customary"; +# temperature_unit = "F"; +# }; +# }; + }; + + # override umask to make permissions work out + systemd.services.${service}.serviceConfig = { + UMask = lib.mkForce "0007"; +# User = "${service}"; +# Group = "${service}"; + }; + +# # open firewall +# networking.firewall.allowedTCPPorts = [ cfg.port ]; + + # internal reverse proxy entry + services.nginx.virtualHosts."${cfg.url}" = { + forceSSL = true; + sslCertificate = sec."ssl_blakedheld_crt".path; + sslCertificateKey = sec."ssl_blakedheld_key".path; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + }; + }; + # external reverse proxy entry + services.nginx.virtualHosts."${service}.blakedheld.xyz" = { + forceSSL = true; + sslCertificate = sec."ssl_blakedheld_crt".path; + sslCertificateKey = sec."ssl_blakedheld_key".path; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + }; + }; + +# sops.secrets = { +# "${service}_" = { +# owner = "${service}"; +# group = "${service}"; +# }; +# }; + + # add to backups + modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ]; + }; +} diff --git a/modules/homelab/services/smarthome/mosquitto/default.nix b/modules/homelab/services/smarthome/mosquitto/default.nix new file mode 100644 index 0000000..b001a85 --- /dev/null +++ b/modules/homelab/services/smarthome/mosquitto/default.nix @@ -0,0 +1,104 @@ +{ pkgs, config, lib, ... }: + +let + service = "mosquitto"; + cfg = config.modules.services.${service}; + sec = config.sops.secrets; + homelab = config.modules.homelab; +in +{ + options.modules.services.${service} = { + enable = lib.mkEnableOption "enables ${service}"; + + # set port options + port = lib.mkOption { + type = lib.types.int; + default = 1883; + description = "set port for ${service} (default: ${toString cfg.port}"; + }; + url = lib.mkOption { + type = lib.types.str; + default = "${service}.${homelab.base_domain}"; + description = "set domain for ${service}"; + }; + data_dir = lib.mkOption { + type = lib.types.str; + default = "/var/lib/${service}"; + description = "set data directory for ${service}"; + }; + ids = lib.mkOption { + type = lib.types.int; + default = cfg.port; + description = "set uid and pid of ${service} user (matches port by default)"; + }; + backup = lib.mkOption { + type = lib.types.bool; + default = true; + description = "enable backups for ${service}"; + }; + }; + + config = lib.mkIf cfg.enable { + + # declare ${service} group + users.groups.${service} = { gid = lib.mkForce cfg.ids; }; + + # declare ${service} user + users.users.${service} = { + description = "${service} server user"; + uid = lib.mkForce cfg.ids; + isSystemUser = true; + home = cfg.data_dir; + createHome = true; + group = "${service}"; + extraGroups = [ "media" ]; + }; + + # enable the ${service} service + services.${service} = { + enable = true; + listeners = { + port = cfg.port; + settings = { + allow_anonymous false + listener = 1883 + listener = 9001 + protocol = websockets + persistence = true + password_file = ${sec."mosquitto_password_file".path} + persistence_file = ${service}.db + persistence_location = cfg.data_dir + }; + }; + }; + + # override umask to make permissions work out + systemd.services.${service}.serviceConfig = { + UMask = lib.mkForce "0007"; + User = "${service}"; + Group = "${service}"; + }; + +# # open firewall +# networking.firewall.allowedTCPPorts = [ cfg.port ]; + + # internal reverse proxy entry + services.nginx.virtualHosts."${cfg.url}" = { + forceSSL = true; + sslCertificate = sec."ssl_blakedheld_crt".path; + sslCertificateKey = sec."ssl_blakedheld_key".path; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + }; + }; + + sops.secrets = { + "${service}_password_file" = { + owner = "${service}"; + group = "${service}"; + }; + + # add to backups + modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ]; + }; +} diff --git a/modules/homelab/services/smarthome/zigbee2mqtt/default.nix b/modules/homelab/services/smarthome/zigbee2mqtt/default.nix new file mode 100644 index 0000000..8966ca5 --- /dev/null +++ b/modules/homelab/services/smarthome/zigbee2mqtt/default.nix @@ -0,0 +1,96 @@ +{ pkgs, config, lib, ... }: + +let + service = "zigbee2mqtt"; + cfg = config.modules.services.${service}; + sec = config.sops.secrets; + homelab = config.modules.homelab; +in +{ + options.modules.services.${service} = { + enable = lib.mkEnableOption "enables ${service}"; + + # set port options + port = lib.mkOption { + type = lib.types.int; + default = 7705; + description = "set port for ${service} (default: ${toString cfg.port}"; + }; + url = lib.mkOption { + type = lib.types.str; + default = "${service}.${homelab.base_domain}"; + description = "set domain for ${service}"; + }; + data_dir = lib.mkOption { + type = lib.types.str; + default = "/var/lib/${service}"; + description = "set data directory for ${service}"; + }; + ids = lib.mkOption { + type = lib.types.int; + default = cfg.port; + description = "set uid and pid of ${service} user (matches port by default)"; + }; + backup = lib.mkOption { + type = lib.types.bool; + default = true; + description = "enable backups for ${service}"; + }; + }; + + config = lib.mkIf cfg.enable { + + # declare ${service} group + users.groups.${service} = { gid = lib.mkForce cfg.ids; }; + + # declare ${service} user + users.users.${service} = { + description = "${service} server user"; + uid = lib.mkForce cfg.ids; + isSystemUser = true; + home = cfg.data_dir; + createHome = true; + group = "${service}"; + extraGroups = [ "media" ]; + }; + + # enable the ${service} service + services.${service} = { + enable = true; + dataDir = cfg.data_dir; +# settings = { +# +# }; + }; + + # override umask to make permissions work out + systemd.services.${service}.serviceConfig = { + UMask = lib.mkForce "0007"; + User = "${service}"; + Group = "${service}"; + }; + +# # open firewall + networking.firewall.allowedTCPPorts = [ cfg.port ]; + + # internal reverse proxy entry + services.nginx.virtualHosts."${cfg.url}" = { + forceSSL = true; + sslCertificate = sec."ssl_blakedheld_crt".path; + sslCertificateKey = sec."ssl_blakedheld_key".path; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + }; + }; +# +# sops.secrets = { +# "${service}_" = { +# owner = "${service}"; +# group = "${service}"; +# }; +# }; + + # add to backups + modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ]; + }; +} diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index d25cfb9..7288527 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -20,6 +20,8 @@ vpncon_mex_config: ENC[AES256_GCM,data:4i356X97sBoRliskmh5ewcEwZHkpo37IhPcemKVdW vaultwarden_admin_token: ENC[AES256_GCM,data:G1v3N064ci0Fw5EtTzaryailWpsv6f4w6eoHp2vjXIBtIlScdQk1Q0W+eDNRk8Wr2C3ysTXQNbyYismNsls+jeS3W+YqkKL4fnh3a5UTzQrMqvaH11n3ak0X9R9vmt+ZJXBrUrAOKJ6RPHJJSWenhjDB77kwEdQ=,iv:f8X+x/AdmZ3b3dtcSFrxGgA2tCgDRpgddjlVu3mdCmM=,tag:c0MXljVvhwOdvrb/8hWlsQ==,type:str] #ENC[AES256_GCM,data:2ESzSsQZqKdjD7OXN8ZPThj6g9acJREe,iv:aDFPB0vs8NNo8ExLcJw7qtQvWbCb1XK6TJrHSK86qss=,tag:z+dypHAGUjEXP7Y9MHYWwg==,type:comment] gitea_database_password: ENC[AES256_GCM,data:nhFn0/G7gW5rk996OZzlcTt7T9KMbP8MNM+ReFC8w1H9ZqBSJUbs3K+n68uQVrkOVSXE0cKpOR1VbQ+i+46z3g==,iv:bT4GRZZ83v47/EmeV2KaUFo+4qTT4T2AktFUpPiZdF4=,tag:OC9TInkAr1egM+xnBDizxw==,type:str] +#ENC[AES256_GCM,data:nbB5Cd7i/KTMCjCzcX8o1sxREZQ/gLAG,iv:iyuO2erxdJM08WHJBjKuNIXYxVhH7rfyOLTcGCcGqNQ=,tag:UeDszimXv8kQUmDetLeFqg==,type:comment] +mosquitto_password_file: ENC[AES256_GCM,data:7ifs2hGnFQSgJOAKpN0usfiaqLjj7Rjb7zn1/qBDbqEi5hV0JfUncZGorBivR/+kjXHQO6nxaHcKqYvPedNdJ7Qy4/uil/xwgwSmzcbisdVYkhd2pf/N34EQFxmqohud0aTH9V47QbgTdrUPfvsiL+ljLvLu4w==,iv:z7YPIfJHHaLOJrDVnMQhgcMzYAPordFR11kHRAzZqYU=,tag:LRddczdvy01YTm2DFDgSJQ==,type:str] sops: age: - recipient: age14gfh682a7m7jfp3qrulql03x5rs7yedwmxwksxrrmgjsunstyuksqx93pz @@ -31,7 +33,7 @@ sops: U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-09T00:57:39Z" - mac: ENC[AES256_GCM,data:NCsVDJnzb/x6/InOrE7Aco1bEfbcOA0t5mEQOO/tSM4uj5QjDeCTUyfzfK0A7LHdQSMvRpZLZuz7xDg/WA/QLe0F/CdA1h5HJucpop4NWN/bnJrVNIcik/YlvB6xSWojimZF9sbWZQQb2lPsn3GWt9wIHIHWlBhjIMfHHpLANq8=,iv:yQgpRv+xCvKcBYCyVac66egptSbF/8vi4TtQ5vL5xWQ=,tag:JdsI0yAecTnNO9UiE2IEwQ==,type:str] + lastmodified: "2025-10-09T23:59:55Z" + mac: ENC[AES256_GCM,data:Zdn1teUi8epB0WJZrpwdOxsnZ4XtJN7dPefGROPUpt0mMFDI5pP9NJpczNLj6ZddCka75Bca8Z3ixcpKasZAJhlQNNKTCe6NRhuh6ergSepzerYGTN1fUwKm+goLY40d33moZFurHkHjmdsNXgb6T9JsIz9bzjLrzqiK9P/gPoM=,iv:AQKQuW1zR9hiaBx3KxfwftM9GnwsOSfsmTN/nEJh5qA=,tag:qxODcuuzTh6ifwMNKR/6lg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0