feat(hass): vouch auth

disabled for now, nginx config needs more tweaking

systems/tei/cloudflared.nix

@@ -19,11 +19,14 @@ in {
           (nginx.virtualHosts.zigbee2mqtt.proxied.cloudflared.getIngress {})
           (nginx.virtualHosts.grocy.proxied.cloudflared.getIngress {})
           (nginx.virtualHosts.barcodebuddy.proxied.cloudflared.getIngress {})
-          {
-            ${home-assistant.domain} = assert home-assistant.enable; {
-              service = access.proxyUrlFor {serviceName = "home-assistant";};
-            };
-          }
+          (if home-assistant.reverseProxy.auth.enable
+            then (nginx.virtualHosts.home-assistant.proxied.cloudflared.getIngress {})
+            else {
+              ${home-assistant.domain} = assert home-assistant.enable && home-assistant.reverseProxy.enable; {
+                service = access.proxyUrlFor {serviceName = "home-assistant";};
+              };
+            }
+          )
         ];
       };
     };

systems/tei/nixos.nix

@@ -1,8 +1,14 @@
 {
   config,
   meta,
+  lib,
   ...
-}: {
+}: let
+  inherit (lib.modules) mkIf;
+  inherit (lib.lists) optional;
+  hassVouchAuth = false;
+  hassVouch = false;
+in {
   imports = let
     inherit (meta) nixos;
   in [
@@ -21,7 +27,7 @@
     nixos.grocy
     nixos.barcodebuddy
     ./cloudflared.nix
-  ];
+  ] ++ optional hassVouchAuth nixos.access.home-assistant;
 
   services.nginx = {
     proxied.enable = true;
@@ -29,8 +35,15 @@
       zigbee2mqtt.proxied.enable = "cloudflared";
       grocy.proxied.enable = "cloudflared";
       barcodebuddy.proxied.enable = "cloudflared";
+      home-assistant = mkIf hassVouchAuth {
+        proxied.enable = "cloudflared";
+        vouch.enable = mkIf hassVouch true;
+      };
     };
   };
+  services.home-assistant = mkIf hassVouchAuth {
+    reverseProxy.auth.enable = true;
+  };
 
   sops.defaultSopsFile = ./secrets.yaml;