roles/hass/handlers/main.yml

@@ -15,4 +15,4 @@
     name: hass
     state: started
     restart: true
-  when: not hass_container.changed
+  when: hass_container is not defined or not hass_container.changed

roles/hass/tasks/hass.yml

@@ -50,21 +50,6 @@
 
 # hass + zwave
 
-- name: install certs
-  copy:
-    src: "/usr/local/etc/letsencrypt/live/{{ item }}"
-    dest: "/usr/local/etc/certs/"
-    owner: root
-    group: root
-    mode: 0755
-  tags:
-    - letsencrypt-certs
-  notify: reload nginx
-  vars:
-    prediff_cmd: echo
-  with_items:
-    - "{{ hass_url }}"
-
 - name: create dir structure
   file:
     path: "{{ systemuserlist.hass.home }}/{{ item }}"
@@ -89,6 +74,8 @@
     group: "{{ systemuserlist.hass.gid }}"
     mode: 0644
   notify: restart hass container
+  tags:
+    - hass-config
 
 - name: home assistant secrets file
   template:
@@ -97,8 +84,9 @@
     owner: "{{ systemuserlist.hass.uid }}"
     group: "{{ systemuserlist.hass.gid }}"
     mode: 0644
-  no_log: true
   notify: restart hass container
+  tags:
+    - hass-config
 
 # docker run --run -it -p 8091:8091 -p 3000:3000 --network
 #bridgewithdns --device /dev/ttyACM0:/dev/zwave -v
@@ -131,6 +119,10 @@
       # ip/dns changed or the container moved networks. it is not configured in a
       # config file either. so using localhost is the least fragile strategy.
       - "127.0.0.1:3000:3000"
+    env:
+      #BASE_URL: "/zwavejs/"
+      SESSION_SECRET: "{{ zwavejs_session_secret }}"
+      ZWAVEJS_EXTERNAL_CONFIG: /usr/src/app/store/.config-db
     mounts:
       - type: bind
         source: "{{ systemuserlist.hass.home }}/zwavejs/app/store"
@@ -168,6 +160,11 @@
       - type: bind
         source: "{{ systemuserlist.hass.home }}/home-assistant/media"
         target: /usr/var/media
+        # from role: common
+        # only depends on requests, which hass image has
+      - type: bind
+        source: /usr/local/bin/authelia-auth.py
+        target: /usr/local/bin/authelia-auth.py
   tags:
     - home-assistant
     - home-assistant-container
@@ -175,6 +172,21 @@
     - docker-containers
   register: hass_container
 
+- name: install certs
+  copy:
+    src: "/usr/local/etc/letsencrypt/live/{{ item }}"
+    dest: "/usr/local/etc/certs/"
+    owner: root
+    group: root
+    mode: 0755
+  tags:
+    - letsencrypt-certs
+  notify: reload nginx
+  vars:
+    prediff_cmd: echo
+  with_items:
+    - "{{ hass_url }}"
+
 - name: template nginx vhost for hass
   template:
     src: 01-hass.j2

roles/hass/templates/01-hass.j2

@@ -1,6 +1,7 @@
 map $http_upgrade $connection_upgrade {
     default upgrade;
-    ''      upgrade;
+    #default $http_connection;
+    ''      close;
 }
 
 server {
@@ -10,7 +11,6 @@ server {
     {% endif -%}
 
     include /etc/nginx/authelia_internal.conf;
-
     include listen-proxy-protocol.conf;
     include /etc/nginx/sudo-known.conf;
 
@@ -19,7 +19,7 @@ server {
     location / {
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
+        proxy_set_header Connection $connection_upgrade;
 
         proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -35,20 +35,29 @@ server {
         return 302 https://{{ hass_url }}{{ nginx_zwavejs_path }}/;
     }
 
-    location {{ nginx_zwavejs_path }}/ {
+    location {{ nginx_zwavejs_path }} {
-        include /etc/nginx/require_auth.conf;
+        #add_header Access-Control-Allow-Origin "*" always;
+        # kill cache
+        add_header Last-Modified $date_gmt always;
+        add_header Cache-Control 'no-store' always;
+        if_modified_since off;
+        expires off;
+        etag off;
 
-        proxy_set_header X-External-Path {{ nginx_zwavejs_path }};
+        include /etc/nginx/require_auth.conf;
 
         rewrite ^ $request_uri;
         rewrite '^{{ nginx_zwavejs_path }}(/.*)$' $1 break;
 
+        proxy_set_header X-External-Path {{ nginx_zwavejs_path }};
+
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $connection_upgrade;
+        #proxy_socket_keepalive          on;
 
         proxy_pass http://{{ bridgewithdns.zwavejs }}:8091$uri;
-
+        #proxy_pass http://{{ bridgewithdns.zwavejs }}:8091;
         # for the special dashboard
         # https://zwave-js.github.io/zwave-js-ui/#/usage/reverse-proxy?id=using-an-http-header
         # proxy_set_header X-External-Path $http_x_ingress_path;

roles/hass/templates/configuration.yaml.j2

@@ -66,9 +66,11 @@ scene: !include scenes.yaml
 
 calendar:
   - platform: caldav
+    days: 30
     username: !secret caldav_user
     password: !secret caldav_passwd
-    url: !secret caldav_url
+    # {{ hass_caldav.urls[0].name }}
+    url: {{ hass_caldav.urls[0].url }}
 
 http:
   # container runs with network_mode=host, so no network isolation. the docs say to not
@@ -78,11 +80,14 @@ http:
   #server_host: 127.0.0.1
   trusted_proxies:
     - 127.0.0.1
-    - {{ bridgewithdns.host }}
-    - {{ bridgewithdns_cidr }}
   use_x_forwarded_for: true
 
 homeassistant:
+  auth_providers:
+    - type: command_line
+      command: /usr/local/bin/authelia-auth.py
+      args:
+        - {{ hass_url }}
   name: Home
   currency: EUR
   unit_system: metric
@@ -121,3 +126,8 @@ sensor:
   - platform: dwd_weather_warnings
     # Stadt Berlin
     region_name: 811000000
+
+tts:
+  - platform: voicerss
+    api_key: !secret voicerss_api_key
+  - platform: google_translate

roles/hass/templates/secrets.yaml.j2

@@ -1,8 +1,7 @@
 
-# Use this file to store secrets like usernames and passwords.
+# kind of dont need this file
-# Learn more at https://www.home-assistant.io/docs/configuration/secrets/
-some_password: welcome
 
 caldav_user: "{{ hass_caldav.user }}"
 caldav_passwd: "{{ hass_caldav.passwd }}"
-caldav_url: https://{{ nextcloud_url }}/remote.php/dav/principals/users/{{ hass_caldav.user }}/
+
+voicerss_api_key: {{ voicerss_api_key }}