feat(hass): vouch auth

disabled for now, nginx config needs more tweaking
2026-02-09 04:19:19 -08:00 · 2024-05-23 13:37:19 -07:00 · 2024-05-23 13:37:19 -07:00 · fab441b438
commit fab441b438
parent da991ef980
9 changed files with 185 additions and 28 deletions
--- a/nixos/access/home-assistant.nix
+++ b/nixos/access/home-assistant.nix
@ -32,24 +32,60 @@ in {
      };
    };
    virtualHosts = let
+      vouchHost = { config, ... }: {
+        vouch = {
+          requireAuth = mkDefault false;
+          auth.lua = {
+            enable = mkDefault true;
+            accessRequest = ''
+              ngx.ctx.auth_res = ngx.location.capture("${config.vouch.auth.requestLocation}")
+              if ngx.ctx.auth_res.status == ngx.HTTP_OK then
+                local vouch_user = ngx.re.match(ngx.ctx.auth_res.header["X-Vouch-User"], [[^([^@]+)@.*$]])
+                ngx.var["hass_user"] = vouch_user[1]
+              end
+            '';
+          };
+        };
+        extraConfig = ''
+          set $hass_user "";
+        '';
+      };
+      headers.set.X-Hass-User = mkDefault "$hass_user";
      copyFromVhost = mkDefault "home-assistant";
      locations = {
        "/" = {
-          proxy.enable = true;
+          proxy = {
+            inherit headers;
+            enable = true;
+          };
+        };
+        # TODO: restrict to "/auth/authorize" and "/auth/login_flow" only..?
+        "/auth/" = { virtualHost, config, ... }: {
+          proxy = {
+            inherit headers;
+            enable = true;
+          };
+          vouch = mkIf virtualHost.vouch.enable {
+            requireAuth = true;
+          };
        };
        "/api/websocket" = {
          proxy = {
+            inherit headers;
            enable = true;
            websocket.enable = true;
          };
        };
      };
    in {
-      home-assistant = {
+      home-assistant = { ... }: {
+        imports = [ vouchHost ];
        inherit name locations;
        proxy.upstream = mkDefault upstreamName;
      };
-      home-assistant'local = {
+      home-assistant'local = { ... }: {
+        imports = [ vouchHost ];
+        vouch.enable = mkDefault nginx.virtualHosts.home-assistant.vouch.enable;
        inherit name listen' locations;
        ssl.cert = {
          inherit copyFromVhost;
@ -61,6 +97,15 @@ in {
      };
    };
  };
+  config.services.home-assistant = {
+    reverseProxy = {
+      enable = mkDefault true;
+      auth = {
+        enable = mkIf (nginx.virtualHosts.home-assistant.enable && nginx.virtualHosts.home-assistant.vouch.enable) true;
+        userHeader = "X-Hass-User";
+      };
+    };
+  };
  config.networking.firewall.allowedTCPPorts = let
    inherit (nginx.virtualHosts.home-assistant'local) listen';
  in