3 changed files with 38 additions and 8 deletions
--- a/hosts/microserver.home.ts.hillion.co.uk/default.nix
+++ b/hosts/microserver.home.ts.hillion.co.uk/default.nix
@ -24,6 +24,8 @@
      preAuthKeyFile = config.age.secrets."tailscale/microserver.home.ts.hillion.co.uk".path;
      advertiseRoutes = [ "10.64.50.0/24" "10.239.19.0/24" ];
      advertiseExitNode = true;
+      ipv4Addr = "100.105.131.47";
+      ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6269:832f";
    };

    ## Enable IoT VLAN
@ -47,14 +49,17 @@
    services.iperf3.enable = true;
    services.iperf3.openFirewall = true;

-    networking.firewall.interfaces = {
-      "eth0" = {
-        allowedUDPPorts = [
-          5353 # HomeKit
-        ];
-        allowedTCPPorts = [
-          21063 # HomeKit
-        ];
+    networking.firewall = {
+      trustedInterfaces = [ "tailscale0" ];
+      interfaces = {
+        "eth0" = {
+          allowedUDPPorts = [
+            5353 # HomeKit
+          ];
+          allowedTCPPorts = [
+            21063 # HomeKit
+          ];
+        };
      };
    };
  };
--- a/modules/backups/homeassistant.nix
+++ b/modules/backups/homeassistant.nix
@ -26,6 +26,7 @@ in
        passwordFile = config.age.secrets."backups/homeassistant/restic/128G".path;
        paths = [
          config.services.home-assistant.configDir
+          config.services.node-red.userDir
        ];
      };
    };
--- a/modules/services/homeassistant.nix
+++ b/modules/services/homeassistant.nix
@ -34,6 +34,17 @@ in
        '';
      };

+      node-red = {
+        enable = true;
+      };
+      caddy = {
+        enable = true;
+        virtualHosts."http://nodered.home.ts.hillion.co.uk" = {
+          listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ];
+          extraConfig = "reverse_proxy http://localhost:1880";
+        };
+      };
+
      home-assistant = {
        enable = true;

@ -152,5 +163,18 @@ in
        };
      };
    };
+
+    ### HACK: Allow Caddy to restart if it fails. This happens because Tailscale
+    ### is too late at starting. Upstream nixos caddy does restart on failure
+    ### but it's prevented on exit code 1. Set the exit code to 0 (non-failure)
+    ### to override this.
+    systemd.services.caddy = {
+      requires = [ "tailscaled.service" ];
+      after = [ "tailscaled.service" ];
+      serviceConfig = {
+        RestartPreventExitStatus = lib.mkForce 0;
+      };
+    };
+
  };
 }