home-assistant.nix
{ pkgs, config, lib, ... }:
with lib;
let
cfg = config.custom.home-assistant;
in {
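# Options of the Home Assistant container module.
# Every option carries an explicit type and description, so a wrongly typed
# value fails at evaluation time instead of being interpolated into a unit
# file, a volume mapping or the nginx configuration.
options.custom.home-assistant = {
  enable = mkOption {
    type = types.bool;
    default = false;
    example = true;
    description = "Whether to enable the Home Assistant container setup.";
  };
  sslCertificate = mkOption {
    type = types.nullOr types.str;
    default = null;
    example = "/run/secrets/cert.crt";
    description = "Absolute path, given as a string, to a TLS certificate file.";
  };
  sslCertificateKey = mkOption {
    # types.str rather than types.path: a Nix path literal would be copied
    # into the world-readable /nix/store when interpolated, which must never
    # happen to a private key. A string is passed through untouched.
    type = types.nullOr types.str;
    default = null;
    example = "/run/secrets/cert.key";
    description = ''
      Absolute path, given as a string, to the private key that belongs to
      sslCertificate. Point this at a file provisioned at runtime (for
      example under /run/secrets), not at a file inside the repository.
    '';
  };
  hostname = mkOption {
    type = types.str;
    example = "hass.example.org";
    description = "Name of the nginx virtual host that serves Home Assistant.";
  };
  acmeHost = mkOption {
    type = types.nullOr types.str;
    default = null;
    example = "example.org";
    description = "Name of an ACME certificate to use for the virtual host.";
  };
  configDir = mkOption {
    # A string, not a path: the value ends up in a volume mapping and in a
    # tmpfiles rule and has to name a mutable host directory.
    type = types.str;
    default = "/var/lib/home-assistant/config";
    description = ''
      Host directory mounted into the container as /config. It holds the
      Home Assistant state, which normally includes credentials and tokens.
    '';
  };
};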
config = mkIf cfg.enable{
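# Create the configuration directory that is bind-mounted as /config.
# The mode is set to 0700 instead of the tmpfiles default: the directory
# stores Home Assistant state (credentials, tokens), so local users other
# than root get no access to it. Owner and group are left at "-", which
# keeps them as they were before.
# NOTE(review): assumes nothing but the root-run container reads this
# directory - confirm before deploying.
systemd.tmpfiles.rules = [
  "d ${cfg.configDir} 0700 - - - -"
];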
# Enable writing to /dev/ttyUSB0
# users.users.hass.extraGroups = [ "dialout" ];

# Home Assistant runs as a podman container managed by oci-containers.
virtualisation.oci-containers.backend = "podman";
virtualisation.oci-containers.containers.homeassistant = {
  # Mutable tag combined with the autoupdate label below: whatever the
  # registry serves under ":stable" is pulled and started by the
  # podman-update unit of this module without a review step.
  # NOTE(review): pinning the image by digest, or enforcing image signatures
  # through the containers policy, narrows this supply-chain exposure.
  image = "ghcr.io/home-assistant/home-assistant:stable";
  labels = { "io.containers.autoupdate" = "registry"; };
  autoStart = true;
  environment = { TZ = "Europe/Brussels"; };
  volumes = [
    # Persistent Home Assistant state.
    "${cfg.configDir}:/config"
    # ":ro" protects the directory only; the container can still talk to
    # the host bus through the socket inside it.
    "/run/dbus:/run/dbus:ro"
    "/etc/localtime:/etc/localtime:ro"
  ];
  extraOptions = [
    # Host networking: the container shares the host network namespace, so
    # Home Assistant's own port (8123, see the nginx proxy_pass) is bound on
    # the host itself and only the host firewall keeps it off the network.
    "--network=host"
    # Privileged mode lifts most of the container isolation (all
    # capabilities, all host devices). Together with unattended image
    # updates, the image is effectively trusted like root on this host.
    # NOTE(review): if only a serial adapter such as /dev/ttyUSB0 is needed,
    # "--device=/dev/ttyUSB0" is a narrower grant - confirm which devices
    # this installation uses.
    "--privileged"
  ];
};
# Daily maintenance job: pull newer images for containers labelled for
# auto-update, then prune unused podman data older than 300 hours.
# NOTE(review): this unit is what applies new registry images to the
# privileged homeassistant container, so its journal is the place to look
# when checking when an image changed.
systemd.services.podman-update =
  let
    podman = "${pkgs.podman}/bin/podman";
  in {
    description = "Update and prune podman containers";
    # Scheduled through the generated timer; needs the podman service.
    startAt = "daily";
    requires = [ "podman.service" ];
    after = [ "podman.service" ];
    serviceConfig = { Type = "oneshot"; };
    # Do not run the job just because a system switch changed or removed
    # the unit.
    restartIfChanged = false;
    unitConfig = { X-StopOnRemoval = false; };
    script = ''
      ${podman} auto-update
      ${podman} system prune -f --filter until="300h"
    '';
  };
# Persistent: a run missed while the machine was off is caught up later.
# RandomizedDelaySec: spread the start over up to 1800 seconds.
systemd.timers.podman-update.timerConfig.Persistent = true;
systemd.timers.podman-update.timerConfig.RandomizedDelaySec = 1800;
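# A certificate without its key (or the reverse) cannot be served, so the
# two options are only accepted as a pair.
assertions = [
  {
    assertion =
      (cfg.sslCertificate == null) == (cfg.sslCertificateKey == null);
    message =
      "custom.home-assistant: sslCertificate and sslCertificateKey must be set together.";
  }
];
# TLS-terminating reverse proxy in front of Home Assistant.
# Certificate selection, in order:
#   1. sslCertificate + sslCertificateKey, when both are set;
#   2. the ACME certificate named by acmeHost, when set;
#   3. the ACME certificate named after the hostname (previous behaviour).
# The acmeHost and sslCertificate* options used to be declared but ignored.
services.nginx.virtualHosts.${cfg.hostname} =
  let
    staticCert =
      cfg.sslCertificate != null && cfg.sslCertificateKey != null;
  in {
    # Plain HTTP requests are redirected to HTTPS.
    forceSSL = true;
    useACMEHost =
      if staticCert then null
      else if cfg.acmeHost != null then cfg.acmeHost
      else cfg.hostname;
    sslCertificate = mkIf staticCert cfg.sslCertificate;
    sslCertificateKey = mkIf staticCert cfg.sslCertificateKey;
    extraConfig = ''
      proxy_buffering off;
    '';
    # The backend is addressed on loopback, but with host networking the
    # container also binds 8123 on the host: keep that port closed in the
    # firewall so clients cannot bypass TLS.
    # X-Forwarded-For is only meaningful if Home Assistant is configured to
    # trust this proxy and nothing else (http.use_x_forwarded_for with
    # trusted_proxies limited to 127.0.0.1); otherwise a client can spoof
    # the address that shows up in its logs and ban decisions.
    # NOTE(review): $connection_upgrade must be defined by a map in the
    # http block - confirm the nginx module in use provides it.
    locations."/".extraConfig = ''
      proxy_pass http://127.0.0.1:8123;
      proxy_set_header Host $host;
      proxy_redirect http:// https://;
      proxy_http_version 1.1;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
    '';
  };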
};
}