From 53167234da226fb7369f23ff75091ff9463db223 Mon Sep 17 00:00:00 2001 From: arcnmx Date: Mon, 29 Jan 2024 17:05:54 -0800 Subject: [PATCH] fix(hass): homekit firewall --- modules/nixos/home-assistant.nix | 11 ++++++++--- nixos/home-assistant.nix | 2 +- systems/tei/nixos.nix | 2 ++ 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/modules/nixos/home-assistant.nix b/modules/nixos/home-assistant.nix index e65b81a4..877f843d 100644 --- a/modules/nixos/home-assistant.nix +++ b/modules/nixos/home-assistant.nix @@ -16,8 +16,13 @@ in { type = str; default = config.networking.domain; }; - homekit.enable = mkEnableOption "homekit" // { - default = cfg.config.homekit or [ ] != [ ]; + homekit = { + enable = mkEnableOption "homekit" // { + default = cfg.config.homekit or [ ] != [ ]; + }; + openFirewall = mkEnableOption "homekit ports" // { + default = cfg.openFirewall; + }; }; googleAssistant.enable = mkEnableOption "Google Assistant" // { default = cfg.config.google_assistant or { } != { }; @@ -40,7 +45,7 @@ in { config = { networking.firewall = mkIf cfg.enable { - allowedTCPPorts = mkIf (cfg.openFirewall && cfg.homekit.enable) ( + allowedTCPPorts = mkIf (cfg.homekit.enable && cfg.homekit.openFirewall) ( map ({ port, ... }: port) cfg.config.homekit or [ ] ); diff --git a/nixos/home-assistant.nix b/nixos/home-assistant.nix index c2359706..cdf7cb43 100644 --- a/nixos/home-assistant.nix +++ b/nixos/home-assistant.nix @@ -80,7 +80,7 @@ in { exposed_domains = [ "scene" "script" - "climate" + #"climate" #"sensor" ]; entity_config = {}; diff --git a/systems/tei/nixos.nix b/systems/tei/nixos.nix index 314ae710..5fac16bc 100644 --- a/systems/tei/nixos.nix +++ b/systems/tei/nixos.nix @@ -30,6 +30,8 @@ in { sops.defaultSopsFile = ./secrets.yaml; + services.home-assistant.homekit.openFirewall = true; + services.kanidm = { package = lib.warnIf
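Review bot: The new `homekit.openFirewall` option in modules/nixos/home-assistant.nix is declared with `mkEnableOption "homekit ports"`, so its generated description reads "Whether to enable homekit ports." and never says that it opens firewall ports. I would add an explicit description, for example `description = "Open every TCP port listed in services.home-assistant.config.homekit in the host firewall.";`. The default is also read from `cfg.openFirewall`, so the option should carry `defaultText = lib.literalExpression "config.services.home-assistant.openFirewall";` to keep the rendered docs independent of the evaluated config. It is worth stating in that description that a host which already sets `openFirewall = true` keeps its HomeKit ports open unless this option is set to false. The surrounding options set starts and ends outside the hunk.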
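Review bot: The rewritten condition in the `networking.firewall` hunk still feeds the global `allowedTCPPorts`, so every HomeKit bridge port is accepted on all interfaces of the host, not only the LAN side where HomeKit controllers live. On a multi-homed or internet-facing machine I would scope it, for example with an interface option on the module and `networking.firewall.interfaces.${iface}.allowedTCPPorts = …`, and fall back to the global list only when no interface is given. Separately, the unchanged `map ({ port, ... }: port)` aborts evaluation for any `cfg.config.homekit` entry that omits `port`; a pattern default such as `{ port ? 21063, ... }` (Home Assistant's documented default, worth confirming) would avoid that. The `config` block continues outside the hunk, so a rule for the same ports may exist elsewhere.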
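Review bot: The `exposed_domains` hunk in nixos/home-assistant.nix disables `"climate"` by commenting it out, which is unrelated to the HomeKit firewall fix named in the subject and leaves no reason behind. Narrowing what the assistant integration can control is a reasonable reduction of exposure, but a short comment would say whether it is intentional and permanent, e.g. `# climate: not exposed to the assistant; control stays local`. The enclosing attribute set starts and ends outside the hunk, so which integration this list belongs to is inferred from context.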