homeassistant: announce locally and deploy to hallway tablet

hosts/router.home.ts.hillion.co.uk/default.nix

@@ -263,6 +263,16 @@
                     ip-address = "10.239.19.3";
                     hostname = "living-room-everything-presence-one";
                   }
+                  {
+                    hw-address = "a0:7d:9c:b0:f0:14";
+                    ip-address = "10.239.19.4";
+                    hostname = "hallway-wall-tablet";
+                  }
+                  {
+                    hw-address = "d8:3a:dd:c3:d6:2b";
+                    ip-address = "10.239.19.5";
+                    hostname = "sodium";
+                  }
                 ];
               }
               {

hosts/sodium.pop.ts.hillion.co.uk/default.nix

@@ -16,6 +16,7 @@
     boot.loader.efi.canTouchEfiVariables = true;
 
     custom.defaults = true;
+    custom.www.home.enable = true;
 
     ## Enable btrfs compression
     fileSystems."/data".options = [ "compress=zstd" ];
@@ -51,11 +52,11 @@
 
     # Networking
     networking = {
-      useDHCP = false;
-      interfaces = {
-        end0 = {
-          name = "eth0";
-          useDHCP = true;
+      interfaces.end0.name = "eth0";
+      vlans = {
+        iot = {
+          id = 2;
+          interface = "eth0";
         };
       };
     };
@@ -63,15 +64,17 @@
 
     networking.firewall = {
       trustedInterfaces = [ "tailscale0" ];
-      allowedTCPPorts = lib.mkForce [
-      ];
-      allowedUDPPorts = lib.mkForce [ ];
+      allowedTCPPorts = lib.mkForce [];
+      allowedUDPPorts = lib.mkForce [];
       interfaces = {
         eth0 = {
           allowedTCPPorts = lib.mkForce [
+            80 # HTTP 1-2
+            443 # HTTPS 1-2
             7654 # Tang
           ];
           allowedUDPPorts = lib.mkForce [
+            443 # HTTP 3
           ];
         };
       };

modules/default.nix

@@ -21,8 +21,7 @@
     ./ssh/default.nix
     ./storj.nix
     ./users.nix
-    ./www/global.nix
-    ./www/www-repo.nix
+    ./www/default.nix
   ];
 
   options.custom = {

modules/services/homeassistant.nix

@@ -62,6 +62,20 @@ in
         config = {
           default_config = { };
 
+          homeassistant = {
+            auth_providers = [
+              { type = "homeassistant"; }
+              {
+                type = "trusted_networks";
+                trusted_networks = [ "10.239.19.4/32" ];
+                trusted_users = {
+                  "10.239.19.4" = "fb4979873ecb480d9e3bb336250fa344";
+                };
+                allow_bypass_login = true;
+              }
+            ];
+          };
+
           recorder = {
             db_url = "postgresql://@/homeassistant";
           };
@@ -71,6 +85,8 @@ in
             trusted_proxies = with config.custom.dns.authoritative; [
               ipv4.uk.co.hillion.ts.cx.boron
               ipv6.uk.co.hillion.ts.cx.boron
+              ipv4.uk.co.hillion.ts.pop.sodium
+              ipv6.uk.co.hillion.ts.pop.sodium
             ];
           };
 

modules/www/default.nix

@@ -0,0 +1,9 @@
+{ config, lib, ... }:
+
+{
+  imports = [
+    ./global.nix
+    ./home.nix
+    ./www-repo.nix
+  ];
+}

modules/www/home.nix

@@ -0,0 +1,27 @@
+{ pkgs, lib, config, ... }:
+
+let
+  cfg = config.custom.www.home;
+  locations = config.custom.locations.locations;
+in
+{
+  options.custom.www.home = {
+    enable = lib.mkEnableOption "home";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.caddy = {
+      enable = true;
+      package = pkgs.unstable.caddy;
+
+      virtualHosts = {
+        "homeassistant.home.hillion.co.uk".extraConfig = ''
+          tls {
+            ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory
+          }
+          reverse_proxy http://${locations.services.homeassistant}:8123
+        '';
+      };
+    };
+  };
+}