diff --git a/modules/nixos/home-assistant.nix b/modules/nixos/home-assistant.nix
index 13df657f..0b4eaab8 100644
--- a/modules/nixos/home-assistant.nix
+++ b/modules/nixos/home-assistant.nix
@@ -101,10 +101,15 @@ in {
 interfaces.local = {
 allowedTCPPorts = mkMerge [
 (mkIf (!cfg.homekit.openFirewall) homekitTcp)
- (mkIf (!cfg.openFirewall) [cfg.config.http.server_port])
+ (mkIf (!cfg.openFirewall && !cfg.reverseProxy.enable) [cfg.config.http.server_port])
 ];
 allowedUDPPortRanges = mkIf (!cfg.cast.openFirewall) castUdpRanges;
 };
+ interfaces.lan = { allowedTCPPorts = mkIf (!cfg.openFirewall && cfg.reverseProxy.enable) [ cfg.config.http.server_port ]; };
 allowedTCPPorts = mkIf cfg.homekit.openFirewall homekitTcp;
 allowedUDPPortRanges = mkIf cfg.cast.openFirewall castUdpRanges;
 };
diff --git a/nixos/access/home-assistant.nix b/nixos/access/home-assistant.nix
index 59170ee2..9fbf557b 100644
--- a/nixos/access/home-assistant.nix
+++ b/nixos/access/home-assistant.nix
@@ -3,7 +3,7 @@
 lib,
 ...
 }: let
- inherit (lib.modules) mkIf mkDefault;
+ inherit (lib.modules) mkIf mkForce mkDefault;
 inherit (config.services) nginx home-assistant;
 name.shortServer = mkDefault "home";
 listen' = {
@@ -81,8 +81,9 @@ in {
 };
 };
 "/api/prometheus" = {
- local.denyGlobal = true;
- proxy.enable = true;
+ #proxy.enable = true;
+ #local.denyGlobal = true;
+ extraConfig = mkForce "deny all;";
 };
 };
 in {
@@ -109,10 +110,11 @@ in {
 reverseProxy = {
 enable = mkDefault true;
 auth = {
- enable = mkIf (nginx.virtualHosts.home-assistant.enable && nginx.virtualHosts.home-assistant.vouch.enable) true;
+ enable = mkIf (nginx.virtualHosts.home-assistant.enable && nginx.virtualHosts.home-assistant.vouch.enable) (mkDefault true);
 userHeader = "X-Hass-User";
 };
 };
+ config.prometheus.requires_auth = mkDefault false;
 };
 config.networking.firewall.allowedTCPPorts = let
 inherit (nginx.virtualHosts.home-assistant'local) listen';
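Review bot: The added `interfaces.lan` rule opens `cfg.config.http.server_port` to every host on the lan interface, not only to the reverse proxy, whenever `reverseProxy.enable` is set. Any controls nginx applies in front of Home Assistant (vouch `auth_request`, a location-level `deny all;`) do not apply to a client that connects to this port directly, so they protect only the proxied path. If the proxy is a single known host, a source-restricted nftables/iptables rule via `extraCommands` would be tighter; at minimum a comment should record the assumption, e.g. `# lan exposure is for the reverse proxy; nginx-level auth/deny rules do not cover direct access to this port`. The enclosing `networking.firewall` attribute set begins before this hunk.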
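Review bot: `extraConfig = mkForce "deny all;"` blocks `/api/prometheus` on the proxied host, but `mkForce` also silently discards any other `extraConfig` another module contributes to this location, so a later addition (rate limiting, logging) would vanish without an evaluation error; a lower-priority `mkOverride`, or `mkBefore "deny all;"` merged with the rest, keeps the deny while still surfacing conflicts. The two commented-out lines `#proxy.enable = true;` and `#local.denyGlobal = true;` are dead code; delete them or replace them with one comment stating why this path is denied at nginx, e.g. `# never serve HA metrics through the proxy; they appear to be scraped directly on the LAN port`.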
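Review bot: `config.prometheus.requires_auth = mkDefault false;` is now set unconditionally by this access module, while the nginx `deny all;` only covers the proxied hostname, so whether unauthenticated metrics are reachable depends entirely on which interfaces Home Assistant's own port is open on, which this file does not control. A comment should state that assumption, e.g. `# metrics are unauthenticated on HA's own port; nginx denies /api/prometheus, so direct access must stay LAN-only`. Separately, `userHeader = "X-Hass-User"` is trusted-header authentication: if the header provider on the HA side does not verify that the request came from a trusted proxy, any client that can reach HA's port directly could forge that header, so confirm `http.trusted_proxies`/`use_x_forwarded_for` are configured alongside it.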
diff --git a/nixos/home-assistant.nix b/nixos/home-assistant.nix
index cac8bdf5..4920fa30 100644
--- a/nixos/home-assistant.nix
+++ b/nixos/home-assistant.nix
@@ -165,9 +165,7 @@ in {
 password = "!secret mpd-shanghai-password";
 }
 ];
- prometheus = {
- requires_auth = mkDefault false;
- };
+ prometheus = {};
 wake_on_lan = {};
 };
 grocy.enable = true;
diff --git a/systems/tei/cloudflared.nix b/systems/tei/cloudflared.nix
index 0b6bba26..b986f57f 100644
--- a/systems/tei/cloudflared.nix
+++ b/systems/tei/cloudflared.nix
@@ -1,11 +1,10 @@
 {
 config,
 lib,
- access,
 ...
 }: let
 inherit (lib.modules) mkMerge;
- inherit (config.services) home-assistant nginx;
+ inherit (config.services) nginx;
 cfg = config.services.cloudflared;
 apartment = "5e85d878-c6b2-4b15-b803-9aeb63d63543";
 in {
@@ -19,15 +18,7 @@ in {
 (nginx.virtualHosts.zigbee2mqtt.proxied.cloudflared.getIngress {})
 (nginx.virtualHosts.grocy.proxied.cloudflared.getIngress {})
 (nginx.virtualHosts.barcodebuddy.proxied.cloudflared.getIngress {})
- ( if nginx.virtualHosts.home-assistant.proxied.enable or false != false then (nginx.virtualHosts.home-assistant.proxied.cloudflared.getIngress {}) else { ${home-assistant.domain} = assert home-assistant.enable && home-assistant.reverseProxy.enable; { service = access.proxyUrlFor {serviceName = "home-assistant";}; }; } )
+ (nginx.virtualHosts.home-assistant.proxied.cloudflared.getIngress {})
 ];
 };
 };
diff --git a/systems/tei/nixos.nix b/systems/tei/nixos.nix
index 9c18c5d5..2c321ad0 100644
--- a/systems/tei/nixos.nix
+++ b/systems/tei/nixos.nix
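Review bot: The removed fallback branch carried the only evaluation-time assertion that `home-assistant.enable && home-assistant.reverseProxy.enable` hold when the tunnel routes to Home Assistant; the new unconditional `getIngress {}` presumably relies on `proxied.enable` being set in the host config, and nothing in this file checks it. If `getIngress` does not assert this itself, a guard such as `assert config.services.home-assistant.reverseProxy.enable;` ahead of the ingress list would preserve the old check. The enclosing ingress list begins before this hunk.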
@@ -1,36 +1,31 @@
 {
- config,
 meta,
 lib,
 ...
 }: let
 inherit (lib.modules) mkIf;
- inherit (lib.lists) optional;
- hassOpenMetrics = true;
- hassVouchAuth = false;
 hassVouch = false;
 in {
 imports = let
 inherit (meta) nixos;
- in
- [
- nixos.reisen-ct
- nixos.sops
- nixos.tailscale
- nixos.cloudflared
- nixos.postgres
- nixos.nginx
- nixos.access.zigbee2mqtt
- nixos.access.grocy
- nixos.access.barcodebuddy
- nixos.home-assistant
- nixos.zigbee2mqtt
- nixos.syncplay
- nixos.grocy
- nixos.barcodebuddy
- ./cloudflared.nix
- ]
- ++ optional (hassVouchAuth || hassOpenMetrics) nixos.access.home-assistant;
+ in [
+ nixos.reisen-ct
+ nixos.sops
+ nixos.tailscale
+ nixos.cloudflared
+ nixos.postgres
+ nixos.nginx
+ nixos.access.home-assistant
+ nixos.access.zigbee2mqtt
+ nixos.access.grocy
+ nixos.access.barcodebuddy
+ nixos.home-assistant
+ nixos.zigbee2mqtt
+ nixos.syncplay
+ nixos.grocy
+ nixos.barcodebuddy
+ ./cloudflared.nix
+ ];
 services.nginx = {
 proxied.enable = true;
@@ -38,25 +33,16 @@ in {
 zigbee2mqtt.proxied.enable = "cloudflared";
 grocy.proxied.enable = "cloudflared";
 barcodebuddy.proxied.enable = "cloudflared";
- home-assistant = mkIf (hassVouchAuth || hassOpenMetrics) {
+ home-assistant = {
 proxied.enable = "cloudflared";
 vouch.enable = mkIf hassVouch true;
 };
 };
 };
- services.home-assistant = mkIf hassVouchAuth {
- reverseProxy.auth.enable = true;
+ services.home-assistant = {
+ #reverseProxy.auth.enable = true;
 };
- assertions = let
- inherit (config.services) home-assistant;
- in [
- (mkIf home-assistant.enable {
- assertion = hassOpenMetrics != home-assistant.config.prometheus.requires_auth or true;
- message = "home-assistant.config.prometheus.requires_auth set incorrectly";
- })
- ];
-
 sops.defaultSopsFile = ./secrets.yaml;
 system.stateVersion = "23.11";
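Review bot: Dropping the `assertions` block removes the only evaluation-time check that Home Assistant's `prometheus.requires_auth` agrees with how the metrics path is exposed, and nothing in this commit replaces it; with `requires_auth` now defaulted to false by the access module, a future change to the nginx deny would not be caught at build time. Either re-add an assertion in the access module tying `requires_auth` to the nginx location policy, or record the tradeoff in a comment there. The leftover `services.home-assistant = { #reverseProxy.auth.enable = true; };` is an empty attribute set holding commented-out code; delete it, or keep the choice explicit as `reverseProxy.auth.enable = false;` so the intent is visible to the next reader.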