Kinda rootless HA

pedorich-n · Jan 6, 2025 · 619fe5f · 619fe5f
1 parent 471bcc1
commit 619fe5f
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 9 deletions.
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -169,11 +169,15 @@
       };
     };
 
-
     trash-guides = {
       url = "github:TRaSH-Guides/Guides";
       flake = false;
     };
+
+    homeassistant-docker-venv = {
+      url = "github:tribut/homeassistant-docker-venv";
+      flake = false;
+    };
   };
 
   outputs = inputs@{ flake-parts, systems, ... }: flake-parts.lib.mkFlake { inherit inputs; } ({ lib, ... }: {

diff --git a/machines/geekomA5/modules/system/services/home-automation/containers.nix b/machines/geekomA5/modules/system/services/home-automation/containers.nix
@@ -1,6 +1,11 @@
-{ config, pkgs, containerLib, systemdLib, ... }:
+{ inputs, config, pkgs, containerLib, systemdLib, ... }:
 let
   user = "${toString config.users.users.user.uid}:${toString config.users.groups.${config.users.users.user.group}.gid}";
+  PUID_GUID = {
+    PUID = builtins.toString config.users.users.user.uid;
+    PGID = builtins.toString config.users.groups.${config.users.users.user.group}.gid;
+    UMASK = "007";
+  };
 
   storeFor = localPath: remotePath: "/mnt/store/home-automation/${localPath}:${remotePath}";
 
@@ -84,19 +89,15 @@ in
         };
       };
 
-      # TODO: figure out rootless container.
-      # See https://github.com/tribut/homeassistant-docker-venv
-      # See https://community.home-assistant.io/t/improving-docker-security-non-root-configuration/399971/9
       homeassistant = {
         useGlobalContainers = true;
         requiresTraefikNetwork = true;
         wantsAuthentik = true;
 
         containerConfig = {
-          environments = {
+          environments = PUID_GUID // {
             TZ = "${config.time.timeZone}";
           };
-          # user = userSetting;
           # capabilities = {
           #   CAP_NET_RAW = true;
           #   CAP_NET_BIND_SERVICE = true;
@@ -105,10 +106,12 @@ in
             (storeFor "homeassistant" "/config")
             (storeFor "homeassistant/local" "/.local")
             "${config.age.secrets.ha_secrets.path}:/config/secrets.yaml"
+            # See https://github.com/tribut/homeassistant-docker-venv
+            "${inputs.homeassistant-docker-venv}/run:/etc/services.d/home-assistant/run"
           ];
           labels = (containerLib.mkTraefikLabels {
             name = "homeassistant";
-            port = 80;
+            port = 8123;
             priority = 10;
             middlewares = [ "authentik@docker" ];
           }) ++

diff --git a/.../geekomA5/modules/system/services/home-automation/homeassistant/static/configuration.yaml b/.../geekomA5/modules/system/services/home-automation/homeassistant/static/configuration.yaml
@@ -31,7 +31,6 @@ recorder:
   db_url: !secret db_url
 
 http:
-  server_port: 80
   use_x_forwarded_for: true
   trusted_proxies:
     - 172.31.0.0/24 #LINK - machines/geekomA5/modules/system/services/traefik/podman-traefik-network.nix