diff --git a/hosts/router.home.ts.hillion.co.uk/default.nix b/hosts/router.home.ts.hillion.co.uk/default.nix
index 20f7bf3..e6c6bd1 100644
--- a/hosts/router.home.ts.hillion.co.uk/default.nix
+++ b/hosts/router.home.ts.hillion.co.uk/default.nix
@@ -263,6 +263,16 @@
 ip-address = "10.239.19.3";
 hostname = "living-room-everything-presence-one";
 }
+ {
+ hw-address = "a0:7d:9c:b0:f0:14";
+ ip-address = "10.239.19.4";
+ hostname = "hallway-wall-tablet";
+ }
+ {
+ hw-address = "d8:3a:dd:c3:d6:2b";
+ ip-address = "10.239.19.5";
+ hostname = "sodium";
+ }
 ];
 }
 {
diff --git a/hosts/sodium.pop.ts.hillion.co.uk/default.nix b/hosts/sodium.pop.ts.hillion.co.uk/default.nix
index 145f84c..5afb053 100644
--- a/hosts/sodium.pop.ts.hillion.co.uk/default.nix
+++ b/hosts/sodium.pop.ts.hillion.co.uk/default.nix
@@ -16,6 +16,7 @@
 boot.loader.efi.canTouchEfiVariables = true;
 
 custom.defaults = true;
+ custom.www.home.enable = true;
 
 ## Enable btrfs compression
 fileSystems."/data".options = [ "compress=zstd" ];
@@ -51,11 +52,11 @@
 
 # Networking
 networking = {
- useDHCP = false;
- interfaces = {
- end0 = {
- name = "eth0";
- useDHCP = true;
+ interfaces.end0.name = "eth0";
+ vlans = {
+ iot = {
+ id = 2;
+ interface = "eth0";
 };
 };
 };
@@ -63,15 +64,17 @@
 
 networking.firewall = {
 trustedInterfaces = [ "tailscale0" ];
- allowedTCPPorts = lib.mkForce [
- ];
- allowedUDPPorts = lib.mkForce [ ];
+ allowedTCPPorts = lib.mkForce [];
+ allowedUDPPorts = lib.mkForce [];
 interfaces = {
 eth0 = {
 allowedTCPPorts = lib.mkForce [
+ 80 # HTTP 1-2
+ 443 # HTTPS 1-2
 7654 # Tang
 ];
 allowedUDPPorts = lib.mkForce [
+ 443 # HTTP 3
 ];
 };
 };
diff --git a/modules/default.nix b/modules/default.nix
index 4fa00c1..af81420 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -21,8 +21,7 @@
 ./ssh/default.nix
 ./storj.nix
 ./users.nix
- ./www/global.nix
- ./www/www-repo.nix
+ ./www/default.nix
 ];
 
 options.custom = {
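Review bot: The reservation for `hallway-wall-tablet` is now a security control rather than a convenience — modules/services/homeassistant.nix in this same commit lists 10.239.19.4 under `trusted_networks`/`trusted_users` with `allow_bypass_login = true`, so whatever holds this lease is logged in to Home Assistant as that user — yet the entry carries no comment saying so. A one-line comment above its `hw-address` line, e.g. `# 10.239.19.4 is a trusted_networks login in modules/services/homeassistant.nix; changing this reservation changes who gets that session`, would stop a later tidy-up from quietly widening the trust. The surrounding reservations list opens and closes outside the hunk.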
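Review bot: Dropping `useDHCP = false` together with `end0.useDHCP = true` changes what governs addressing: with neither set, the NixOS default `networking.useDHCP` (true) now applies to `eth0` and to the new `iot` VLAN alike, which is presumably how the `sodium` reservation added in hosts/router.home.ts.hillion.co.uk/default.nix is meant to be handed out on the IoT segment. That is a reasonable setup but it is entirely implicit; a comment above `vlans`, e.g. `# DHCP on both eth0 and iot comes from the networking.useDHCP default (router reserves 10.239.19.5 for the iot leg)`, would record it. The `networking` set's closing line is the last one in the hunk, but the enclosing module set continues outside it.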
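Review bot: Ports 80/443 are opened under `interfaces.eth0` only; the `iot` VLAN interface introduced in the networking hunk of this file has no `interfaces.iot` entry, so it inherits the global `allowedTCPPorts = lib.mkForce []` and nothing on the IoT segment can reach the new Caddy vhost through that leg. If the hallway tablet (10.239.19.4, reserved alongside the other IoT devices in the router hunk) is expected to arrive via the router on `eth0`, that is fine but deserves a comment, e.g. `# iot VLAN exposes no ports; IoT clients reach caddy via the router on eth0`; if it is expected to use the VLAN directly, the block is missing and would be `iot.allowedTCPPorts = [ 80 443 ];` plus `iot.allowedUDPPorts = [ 443 ];` inside `interfaces`. The `443 # HTTP 3` UDP entry is correct for QUIC. The enclosing `networking.firewall` set closes outside the hunk.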
diff --git a/modules/services/homeassistant.nix b/modules/services/homeassistant.nix
index 3ac4620..3bd0a53 100644
--- a/modules/services/homeassistant.nix
+++ b/modules/services/homeassistant.nix
@@ -62,6 +62,20 @@ in
 config = {
 default_config = { };
 
+ homeassistant = {
+ auth_providers = [
+ { type = "homeassistant"; }
+ {
+ type = "trusted_networks";
+ trusted_networks = [ "10.239.19.4/32" ];
+ trusted_users = {
+ "10.239.19.4" = "fb4979873ecb480d9e3bb336250fa344";
+ };
+ allow_bypass_login = true;
+ }
+ ];
+ };
+
 recorder = {
 db_url = "postgresql://@/homeassistant";
 };
@@ -71,6 +85,8 @@ in
 trusted_proxies = with config.custom.dns.authoritative; [
 ipv4.uk.co.hillion.ts.cx.boron
 ipv6.uk.co.hillion.ts.cx.boron
+ ipv4.uk.co.hillion.ts.pop.sodium
+ ipv6.uk.co.hillion.ts.pop.sodium
 ];
 };
 
diff --git a/modules/www/default.nix b/modules/www/default.nix
new file mode 100644
index 0000000..b531b87
--- /dev/null
+++ b/modules/www/default.nix
@@ -0,0 +1,9 @@
+{ config, lib, ... }:
+
+{
+ imports = [
+ ./global.nix
+ ./home.nix
+ ./www-repo.nix
+ ];
+}
diff --git a/modules/www/home.nix b/modules/www/home.nix
new file mode 100644
index 0000000..87fefff
--- /dev/null
+++ b/modules/www/home.nix
@@ -0,0 +1,27 @@
+{ pkgs, lib, config, ... }:
+
+let
+ cfg = config.custom.www.home;
+ locations = config.custom.locations.locations;
+in
+{
+ options.custom.www.home = {
+ enable = lib.mkEnableOption "home";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.caddy = {
+ enable = true;
+ package = pkgs.unstable.caddy;
+
+ virtualHosts = {
+ "homeassistant.home.hillion.co.uk".extraConfig = ''
+ tls {
+ ca https://ca.ts.hillion.co.uk:8443/acme/acme/directory
+ }
+ reverse_proxy http://${locations.services.homeassistant}:8123
+ '';
+ };
+ };
+ };
+}
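Review bot: The `trusted_networks` provider makes holding the address 10.239.19.4 the whole credential for user fb4979873ecb480d9e3bb336250fa344, and `allow_bypass_login = true` issues that session with no password prompt; nothing in this file records what binds the address to the hallway tablet (a MAC-keyed DHCP reservation in hosts/router.home.ts.hillion.co.uk/default.nix in this commit), so the entry reads as arbitrary. A comment above `trusted_networks`, e.g. `# hallway wall tablet, pinned by DHCP reservation on the router; the address is the credential, so keep this /32 and the reservation in step`, would make the assumption reviewable. The same trust chain runs through the trusted_proxies hunk below: as far as I know Home Assistant only substitutes the forwarded client address for the peer address when the connecting peer is in that list, so adding sodium is what lets the tablet's address surface through Caddy — that presumably also relies on `use_x_forwarded_for` being set in the part of the `http` block outside the hunk, and is worth confirming since without it the entry would simply never match. The enclosing `config` set opens and closes outside the hunk.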
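Review bot: The argument set `{ config, lib, ... }:` on the first line of modules/www/default.nix names two arguments the body never uses; for an imports-only aggregator `{ ... }:` is enough and does not suggest the module reads configuration. That also matches the role the file plays for modules/default.nix, which now imports it in place of the two individual www modules.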
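Review bot: This vhost is the proxy that modules/services/homeassistant.nix (same commit) adds to `trusted_proxies`, which means the client address Caddy forwards is what Home Assistant's password-less `trusted_networks` login keys on — but nothing in the file says so, and the `reverse_proxy` line carries no `trusted_proxies` directive, so it rests on Caddy's default of deriving X-Forwarded-For from the actual peer for untrusted clients (my understanding of recent Caddy releases; confirm for `pkgs.unstable.caddy`). A comment above `reverse_proxy`, e.g. `# HA trusts this host as a forwarding proxy and maps forwarded addresses to logins; do not add trusted_proxies here or front this with another hop without updating HA`, would keep that coupling visible. The upstream hop is plain HTTP to port 8123, presumably inside the tailnet given the `ts.` naming elsewhere; stating that in the same comment would round it out. The module also has no header comment; one line such as `# Caddy front-end for home services, certificates issued by the internal ACME directory` would do.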