feat(hass): vouch auth
Disabled for now; the nginx config needs more tweaking.
This commit is contained in:
parent
da991ef980
commit
fab441b438
9 changed files with 185 additions and 28 deletions
@ -1,11 +1,12 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
access,
|
||||
lib,
|
||||
...
|
||||
}: let
|
||||
cfg = config.services.home-assistant;
|
||||
inherit (lib.modules) mkIf mkMerge mkBefore mkDefault mkOptionDefault;
|
||||
inherit (lib.modules) mkIf mkMerge mkBefore mkAfter mkDefault mkOptionDefault;
|
||||
inherit (lib.options) mkOption mkEnableOption;
|
||||
inherit (lib.lists) optional elem unique;
|
||||
inherit (lib.strings) toLower;
|
||||
|
|
@ -16,10 +17,27 @@ in {
|
|||
type = str;
|
||||
default = config.networking.domain;
|
||||
};
|
||||
localDomain = mkOption {
|
||||
type = nullOr str;
|
||||
default = null;
|
||||
};
|
||||
secretsFile = mkOption {
|
||||
type = nullOr path;
|
||||
default = null;
|
||||
};
|
||||
reverseProxy = {
|
||||
enable = mkEnableOption "use_x_forwarded_for";
|
||||
trustedAddresses = mkOption {
|
||||
type = listOf str;
|
||||
};
|
||||
auth = {
|
||||
enable = mkEnableOption "auth-header";
|
||||
debug = mkEnableOption "debug logging";
|
||||
userHeader = mkOption {
|
||||
type = str;
|
||||
};
|
||||
};
|
||||
};
|
||||
homekit = {
|
||||
enable =
|
||||
mkEnableOption "homekit"
|
||||
|
|
@ -114,27 +132,34 @@ in {
|
|||
};
|
||||
|
||||
config.services.home-assistant = {
|
||||
reverseProxy = {
|
||||
trustedAddresses = access.cidrForNetwork.loopback.all;
|
||||
};
|
||||
config = mkMerge [
|
||||
{
|
||||
homeassistant = {
|
||||
external_url = "https://${cfg.domain}";
|
||||
internal_url = mkIf (cfg.localDomain != null) "https://${cfg.localDomain}";
|
||||
};
|
||||
logger = {
|
||||
default = mkDefault "info";
|
||||
logs = {
|
||||
"custom_components.auth_header" = mkIf (cfg.reverseProxy.enable && cfg.reverseProxy.auth.enable && cfg.reverseProxy.auth.debug) "debug";
|
||||
};
|
||||
};
|
||||
http = {
|
||||
use_x_forwarded_for = cfg.reverseProxy.enable;
|
||||
trusted_proxies = mkIf cfg.reverseProxy.enable cfg.reverseProxy.trustedAddresses;
|
||||
cors_allowed_origins = [
|
||||
"https://google.com"
|
||||
(mkIf cfg.googleAssistant.enable "https://google.com")
|
||||
(mkIf (cfg.localDomain != null) "https://${cfg.localDomain}")
|
||||
# TODO: (mkIf (cfg.reverseProxy.enable && cfg.reverseProxy.auth.enable) vouch cors idk)
|
||||
"https://www.home-assistant.io"
|
||||
];
|
||||
use_x_forwarded_for = "true";
|
||||
trusted_proxies = let
|
||||
inherit (config.networking.access) cidrForNetwork;
|
||||
in
|
||||
cidrForNetwork.allLocal.all
|
||||
++ [
|
||||
"200::/7"
|
||||
];
|
||||
};
|
||||
auth_header = mkIf (cfg.reverseProxy.enable && cfg.reverseProxy.auth.enable) {
|
||||
username_header = cfg.reverseProxy.auth.userHeader;
|
||||
debug = mkIf cfg.reverseProxy.auth.debug true;
|
||||
};
|
||||
recorder = {
|
||||
db_url = mkIf config.services.postgresql.enable (mkDefault "postgresql://@/hass");
|
||||
|
|
@ -280,5 +305,10 @@ in {
|
|||
(map ({platform, ...}: platform) cfg.config.media_player or [])
|
||||
(map ({platform, ...}: platform) cfg.config.tts or [])
|
||||
];
|
||||
customComponents = [
|
||||
(mkIf (cfg.reverseProxy.enable && cfg.reverseProxy.auth.enable)
|
||||
pkgs.home-assistant-custom-components.auth-header
|
||||
)
|
||||
];
|
||||
};
|
||||
}
|
||||
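Review bot: Setting `reverseProxy.auth.enable` without `reverseProxy.enable` produces no `auth_header` block and no custom component and fails silently, because `auth_header = mkIf (cfg.reverseProxy.enable && cfg.reverseProxy.auth.enable) {…}` in this hunk and the `customComponents` entry in the last hunk are both gated on the pair of flags; an assertion next to the `config.services.home-assistant` block would surface the mistake, e.g. `config.assertions = [{ assertion = cfg.reverseProxy.auth.enable -> cfg.reverseProxy.enable; message = "services.home-assistant.reverseProxy.auth requires reverseProxy.enable"; }];`. Since `username_header = cfg.reverseProxy.auth.userHeader` is the value Home Assistant will treat as the authenticated identity, the `userHeader` option (declared in the second hunk, without a description) should state that the proxy must overwrite that header on every request and that only the proxy may reach Home Assistant directly; the module enforces neither. The new default `trustedAddresses = access.cidrForNetwork.loopback.all` is narrower than the removed `cidrForNetwork.allLocal.all ++ ["200::/7"]`, which fits an auth-header setup, and is worth recording in the option's description so it is not widened casually.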
@ -18,7 +18,9 @@
|
|||
virtualHost,
|
||||
xvars,
|
||||
...
|
||||
}: {
|
||||
}: let
|
||||
cfg = config.vouch;
|
||||
in {
|
||||
options.vouch = with lib.types; {
|
||||
requireAuth = mkEnableOption "require auth to access this location";
|
||||
setProxyHeader = mkOption {
|
||||
|
|
@ -32,7 +34,7 @@
|
|||
enableVouchTail = enableVouchLocal && tailscale.enable && false;
|
||||
allowOrigin = url: "add_header Access-Control-Allow-Origin ${url};";
|
||||
in
|
||||
mkIf config.vouch.requireAuth {
|
||||
mkIf cfg.requireAuth {
|
||||
lua = mkIf virtualHost.vouch.auth.lua.enable {
|
||||
access.block = mkMerge [
|
||||
(mkBefore virtualHost.vouch.auth.lua.accessRequest)
|
||||
|
|
@ -41,7 +43,9 @@
|
|||
];
|
||||
};
|
||||
xvars.enable = mkIf (enableVouchTail || virtualHost.vouch.auth.lua.enable) true;
|
||||
proxy.headers.set.X-Vouch-User = mkOptionDefault "$auth_resp_x_vouch_user";
|
||||
proxy.headers.set = mkIf cfg.setProxyHeader {
|
||||
X-Vouch-User = mkOptionDefault "$auth_resp_x_vouch_user";
|
||||
};
|
||||
extraConfig = assert virtualHost.vouch.enable;
|
||||
mkMerge [
|
||||
(mkIf (!virtualHost.vouch.requireAuth) virtualHost.vouch.auth.requestDirective)
|
||||
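Review bot: With `setProxyHeader` disabled, the new `proxy.headers.set = mkIf cfg.setProxyHeader { X-Vouch-User = … }` defines nothing for `X-Vouch-User`, so (assuming `proxy.headers.set` maps to `proxy_set_header` and nothing else in the location clears it) nginx forwards whatever value the client sent in that header, which is unsafe for any upstream that authenticates on it, as the home-assistant side of this commit does. Always defining the header and only varying its source keeps that from depending on the option, `proxy.headers.set.X-Vouch-User = mkOptionDefault (if cfg.setProxyHeader then "$auth_resp_x_vouch_user" else "");`, or the `setProxyHeader` option should document that it may only be disabled for locations whose upstream ignores the header. The `setProxyHeader` option body and the enclosing `let` of the second hunk continue outside what is shown.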
@ -12,6 +12,7 @@
|
|||
mkDefault
|
||||
mkOptionDefault
|
||||
mkOption
|
||||
mkPackageOption
|
||||
mkEnableOption
|
||||
types
|
||||
getExe
|
||||
|
|
@ -22,6 +23,7 @@
|
|||
in {
|
||||
options.services.vouch-proxy = with types; {
|
||||
enable = mkEnableOption "vouch";
|
||||
package = mkPackageOption pkgs "vouch-proxy" { };
|
||||
user = mkOption {
|
||||
type = str;
|
||||
default = "vouch-proxy";
|
||||
|
|
@ -157,7 +159,7 @@ in {
|
|||
"${preprocess}"
|
||||
];
|
||||
ExecStart = [
|
||||
"${getExe pkgs.vouch-proxy} -config ${cfg.settingsPath}"
|
||||
"${getExe cfg.package} -config ${cfg.settingsPath}"
|
||||
];
|
||||
Restart = "on-failure";
|
||||
RestartSec = mkDefault 5;
|
||||
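Review bot: Only `ExecStart` switches to `cfg.package`; the `preprocess` script referenced in the list just above it is defined outside this hunk, and if it or anything else in the module still uses `pkgs.vouch-proxy` (the name the removed line used), overriding `services.vouch-proxy.package` would run one binary in the preprocessing step and another in `ExecStart`. Those references, if any, should use `cfg.package` as well so the option is honoured consistently.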