chore(monitoring): clean up hass changes

2026-02-09 04:19:19 -08:00 · 2024-06-06 12:31:39 -07:00 · 2024-06-06 12:31:39 -07:00 · 409d711175
commit 409d711175
parent 3991badf2c
5 changed files with 36 additions and 54 deletions
--- a/modules/nixos/home-assistant.nix
+++ b/modules/nixos/home-assistant.nix
@ -101,10 +101,15 @@ in {
        interfaces.local = {
          allowedTCPPorts = mkMerge [
            (mkIf (!cfg.homekit.openFirewall) homekitTcp)
-            (mkIf (!cfg.openFirewall) [cfg.config.http.server_port])
+            (mkIf (!cfg.openFirewall && !cfg.reverseProxy.enable) [cfg.config.http.server_port])
          ];
          allowedUDPPortRanges = mkIf (!cfg.cast.openFirewall) castUdpRanges;
        };
+        interfaces.lan = {
+          allowedTCPPorts = mkIf (!cfg.openFirewall && cfg.reverseProxy.enable) [
+            cfg.config.http.server_port
+          ];
+        };
        allowedTCPPorts = mkIf cfg.homekit.openFirewall homekitTcp;
        allowedUDPPortRanges = mkIf cfg.cast.openFirewall castUdpRanges;
      };
--- a/nixos/access/home-assistant.nix
+++ b/nixos/access/home-assistant.nix
@ -3,7 +3,7 @@
  lib,
  ...
 }: let
-  inherit (lib.modules) mkIf mkDefault;
+  inherit (lib.modules) mkIf mkForce mkDefault;
  inherit (config.services) nginx home-assistant;
  name.shortServer = mkDefault "home";
  listen' = {
@ -81,8 +81,9 @@ in {
          };
        };
        "/api/prometheus" = {
-          local.denyGlobal = true;
-          proxy.enable = true;
+          #proxy.enable = true;
+          #local.denyGlobal = true;
+          extraConfig = mkForce "deny all;";
        };
      };
    in {
@ -109,10 +110,11 @@ in {
    reverseProxy = {
      enable = mkDefault true;
      auth = {
-        enable = mkIf (nginx.virtualHosts.home-assistant.enable && nginx.virtualHosts.home-assistant.vouch.enable) true;
+        enable = mkIf (nginx.virtualHosts.home-assistant.enable && nginx.virtualHosts.home-assistant.vouch.enable) (mkDefault true);
        userHeader = "X-Hass-User";
      };
    };
+    config.prometheus.requires_auth = mkDefault false;
  };
  config.networking.firewall.allowedTCPPorts = let
    inherit (nginx.virtualHosts.home-assistant'local) listen';
--- a/nixos/home-assistant.nix
+++ b/nixos/home-assistant.nix
@ -165,9 +165,7 @@ in {
          password = "!secret mpd-shanghai-password";
        }
      ];
-      prometheus = {
-        requires_auth = mkDefault false;
-      };
+      prometheus = {};
      wake_on_lan = {};
    };
    grocy.enable = true;
--- a/systems/tei/cloudflared.nix
+++ b/systems/tei/cloudflared.nix
@ -1,11 +1,10 @@
 {
  config,
  lib,
-  access,
  ...
 }: let
  inherit (lib.modules) mkMerge;
-  inherit (config.services) home-assistant nginx;
+  inherit (config.services) nginx;
  cfg = config.services.cloudflared;
  apartment = "5e85d878-c6b2-4b15-b803-9aeb63d63543";
 in {
@ -19,15 +18,7 @@ in {
          (nginx.virtualHosts.zigbee2mqtt.proxied.cloudflared.getIngress {})
          (nginx.virtualHosts.grocy.proxied.cloudflared.getIngress {})
          (nginx.virtualHosts.barcodebuddy.proxied.cloudflared.getIngress {})
-          (
-            if nginx.virtualHosts.home-assistant.proxied.enable or false != false
-            then (nginx.virtualHosts.home-assistant.proxied.cloudflared.getIngress {})
-            else {
-              ${home-assistant.domain} = assert home-assistant.enable && home-assistant.reverseProxy.enable; {
-                service = access.proxyUrlFor {serviceName = "home-assistant";};
-              };
-            }
-          )
+          (nginx.virtualHosts.home-assistant.proxied.cloudflared.getIngress {})
        ];
      };
    };
--- a/systems/tei/nixos.nix
+++ b/systems/tei/nixos.nix
@ -1,36 +1,31 @@
 {
-  config,
  meta,
  lib,
  ...
 }: let
  inherit (lib.modules) mkIf;
-  inherit (lib.lists) optional;
-  hassOpenMetrics = true;
-  hassVouchAuth = false;
  hassVouch = false;
 in {
  imports = let
    inherit (meta) nixos;
-  in
-    [
-      nixos.reisen-ct
-      nixos.sops
-      nixos.tailscale
-      nixos.cloudflared
-      nixos.postgres
-      nixos.nginx
-      nixos.access.zigbee2mqtt
-      nixos.access.grocy
-      nixos.access.barcodebuddy
-      nixos.home-assistant
-      nixos.zigbee2mqtt
-      nixos.syncplay
-      nixos.grocy
-      nixos.barcodebuddy
-      ./cloudflared.nix
-    ]
-    ++ optional (hassVouchAuth || hassOpenMetrics) nixos.access.home-assistant;
+  in [
+    nixos.reisen-ct
+    nixos.sops
+    nixos.tailscale
+    nixos.cloudflared
+    nixos.postgres
+    nixos.nginx
+    nixos.access.home-assistant
+    nixos.access.zigbee2mqtt
+    nixos.access.grocy
+    nixos.access.barcodebuddy
+    nixos.home-assistant
+    nixos.zigbee2mqtt
+    nixos.syncplay
+    nixos.grocy
+    nixos.barcodebuddy
+    ./cloudflared.nix
+  ];

  services.nginx = {
    proxied.enable = true;
@ -38,25 +33,16 @@ in {
      zigbee2mqtt.proxied.enable = "cloudflared";
      grocy.proxied.enable = "cloudflared";
      barcodebuddy.proxied.enable = "cloudflared";
-      home-assistant = mkIf (hassVouchAuth || hassOpenMetrics) {
+      home-assistant = {
        proxied.enable = "cloudflared";
        vouch.enable = mkIf hassVouch true;
      };
    };
  };
-  services.home-assistant = mkIf hassVouchAuth {
-    reverseProxy.auth.enable = true;
+  services.home-assistant = {
+    #reverseProxy.auth.enable = true;
  };

-  assertions = let
-    inherit (config.services) home-assistant;
-  in [
-    (mkIf home-assistant.enable {
-      assertion = hassOpenMetrics != home-assistant.config.prometheus.requires_auth or true;
-      message = "home-assistant.config.prometheus.requires_auth set incorrectly";
-    })
-  ];
-
  sops.defaultSopsFile = ./secrets.yaml;

  system.stateVersion = "23.11";