feat(monitoring): home-assistant

2026-02-09 12:29:19 -08:00 · 2024-06-06 11:38:14 -07:00 · 2024-06-06 11:38:14 -07:00 · 3991badf2c
commit 3991badf2c
parent 2ed7d5516d
5 changed files with 22 additions and 4 deletions
--- a/modules/system/exports/home-assistant.nix
+++ b/modules/system/exports/home-assistant.nix
@ -29,6 +29,7 @@ in {
  in {
    id = mkAlmostOptionDefault "home";
    displayName = mkAlmostOptionDefault "Home Assistant";
+    prometheus.exporter.metricsPath = "/api/prometheus";
    nixos = {
      serviceAttr = "home-assistant";
      assertions = mkIf config.enable [
@ -42,6 +43,7 @@ in {
        port = mkAlmostOptionDefault 8123;
        protocol = "http";
        status.enable = true;
+        prometheus.exporter.enable = mkAlmostOptionDefault true;
      };
      homekit0 = {
        port = mkAlmostOptionDefault 21063;
--- a/nixos/access/home-assistant.nix
+++ b/nixos/access/home-assistant.nix
@ -80,6 +80,10 @@ in {
            websocket.enable = true;
          };
        };
+        "/api/prometheus" = {
+          local.denyGlobal = true;
+          proxy.enable = true;
+        };
      };
    in {
      home-assistant = {...}: {
--- a/nixos/home-assistant.nix
+++ b/nixos/home-assistant.nix
@ -165,7 +165,9 @@ in {
          password = "!secret mpd-shanghai-password";
        }
      ];
-      prometheus = {};
+      prometheus = {
+        requires_auth = mkDefault false;
+      };
      wake_on_lan = {};
    };
    grocy.enable = true;
--- a/systems/tei/cloudflared.nix
+++ b/systems/tei/cloudflared.nix
@ -20,7 +20,7 @@ in {
          (nginx.virtualHosts.grocy.proxied.cloudflared.getIngress {})
          (nginx.virtualHosts.barcodebuddy.proxied.cloudflared.getIngress {})
          (
-            if home-assistant.reverseProxy.auth.enable
+            if nginx.virtualHosts.home-assistant.proxied.enable or false != false
            then (nginx.virtualHosts.home-assistant.proxied.cloudflared.getIngress {})
            else {
              ${home-assistant.domain} = assert home-assistant.enable && home-assistant.reverseProxy.enable; {
--- a/systems/tei/nixos.nix
+++ b/systems/tei/nixos.nix
@ -6,6 +6,7 @@
 }: let
  inherit (lib.modules) mkIf;
  inherit (lib.lists) optional;
+  hassOpenMetrics = true;
  hassVouchAuth = false;
  hassVouch = false;
 in {
@ -29,7 +30,7 @@ in {
      nixos.barcodebuddy
      ./cloudflared.nix
    ]
-    ++ optional hassVouchAuth nixos.access.home-assistant;
+    ++ optional (hassVouchAuth || hassOpenMetrics) nixos.access.home-assistant;

  services.nginx = {
    proxied.enable = true;
@ -37,7 +38,7 @@ in {
      zigbee2mqtt.proxied.enable = "cloudflared";
      grocy.proxied.enable = "cloudflared";
      barcodebuddy.proxied.enable = "cloudflared";
-      home-assistant = mkIf hassVouchAuth {
+      home-assistant = mkIf (hassVouchAuth || hassOpenMetrics) {
        proxied.enable = "cloudflared";
        vouch.enable = mkIf hassVouch true;
      };
@ -47,6 +48,15 @@ in {
    reverseProxy.auth.enable = true;
  };

+  assertions = let
+    inherit (config.services) home-assistant;
+  in [
+    (mkIf home-assistant.enable {
+      assertion = hassOpenMetrics != home-assistant.config.prometheus.requires_auth or true;
+      message = "home-assistant.config.prometheus.requires_auth set incorrectly";
+    })
+  ];
+
  sops.defaultSopsFile = ./secrets.yaml;

  system.stateVersion = "23.11";