---
- name: allow ssh
  tags:
    - ufw
  ufw:
    # inbound 22 from any source (no from_ip restriction is given here);
    # the port is quoted so YAML keeps it a string rather than an int
    state: enabled
    direction: in
    rule: allow
    to_port: '22'

- name: allow loopback
  tags:
    - ufw
  ufw:
    # allow everything inbound on lo; the "(loopback only)" reject task below
    # presumably depends on this rule being present so 8091/8123 stay
    # reachable from localhost
    state: enabled
    direction: in
    interface: lo
    rule: allow

- name: default policy
  tags:
    - ufw
  ufw:
    # default policy allow (no direction given); the deny/reject tasks below
    # then carve out individual ports.
    # NOTE(review): this is a default-allow firewall — confirm that is intended
    # rather than a default deny with explicit allows
    state: enabled
    policy: allow

- name: deny hass cloud port stuff
  tags:
    - ufw
  ufw:
    # deny = packets are silently dropped (compare the reject rule below,
    # which answers with connection refused)
    state: enabled
    direction: in
    rule: deny
    to_port: "42161"

- name: reject zwavejs ws and hass ports (loopback only)
  tags:
    - ufw
  ufw:
    # reject = the sender gets connection refused instead of a silent drop;
    # the earlier "allow loopback" rule keeps these ports usable on lo
    state: enabled
    direction: in
    rule: reject
    to_port: '{{ item }}'
  with_items:
    - '8091'
    - '8123'

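- name: copy ssh keys for {{ hass_config_repo_name }}
  template:
    src: "private/sshkeys/{{ item }}"
    # assumes {{ home }}/.ssh already exists — it is not in the
    # "create dir structure" task below; confirm it is created elsewhere
    dest: "{{ systemuserlist.hass.home }}/.ssh/{{ item }}"
    owner: "{{ systemuserlist.hass.uid }}"
    group: "{{ systemuserlist.hass.gid }}"
    # quoted: an unquoted 0600 is octal 384 under YAML 1.1 but decimal 600
    # under YAML 1.2 parsers/linters, which yields the wrong permission bits
    mode: "0600"
  # the private key passes through this task; keep diff/log output suppressed
  no_log: true
  with_items:
    - "{{ hass_config_repo_name }}"
    - "{{ hass_config_repo_name }}.pub"
  tags:
    - hass-git
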
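# hass + zwave

- name: create dir structure
  file:
    path: "{{ systemuserlist.hass.home }}/{{ item }}"
    state: directory
    # quoted so the octal mode is not re-typed as an int by the YAML parser
    mode: "0755"
    owner: hass
    group: hass
  tags:
    - hass-dirs
  # parent directories are listed before their children so each exists first
  with_items:
    - home-assistant
    - home-assistant/config
    - home-assistant/.config
    - home-assistant/media
    - zwavejs
    - zwavejs/app
    - zwavejs/app/store
    - git
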
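- name: template gitconfig
  template:
    src: gitconfig.j2
    dest: "{{ systemuserlist.hass.home }}/.gitconfig"
    owner: "{{ systemuserlist.hass.uid }}"
    group: "{{ systemuserlist.hass.gid }}"
    # quoted so the octal mode is not re-typed as an int by the YAML parser
    mode: "0644"
  tags:
    - hass-git
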
- name: set up the {{ hass_config_repo_name }} repo
  # NOTE(review): become_user only takes effect when become is enabled
  # (e.g. at play level) — confirm that is the case for this file
  become_user: "{{ systemuserlist.hass.username }}"
  git:
    repo: "{{ hass_config_repo }}"
    dest: "{{ systemuserlist.hass.home }}/git/{{ hass_config_repo_name }}"
    version: main
    # deploy key installed by the "copy ssh keys" task above
    key_file: "{{ systemuserlist.hass.home }}/.ssh/{{ hass_config_repo_name }}"
    # initial clone only: an existing checkout is neither updated nor reset
    clone: true
    update: false
    force: false
    # trust-on-first-use for the git host key; NOTE(review): no known_hosts
    # entry is pinned here, so the first clone accepts whatever key it sees
    accept_newhostkey: true
  tags:
    - hass-git
    - hass-git-clone

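- name: home assistant main configuration.yaml
  template:
    src: configuration.yaml.j2
    dest: "{{ systemuserlist.hass.home }}/home-assistant/config/configuration.yaml"
    owner: "{{ systemuserlist.hass.uid }}"
    group: "{{ systemuserlist.hass.gid }}"
    # quoted so the octal mode is not re-typed as an int by the YAML parser
    mode: "0644"
  notify: restart hass container
  tags:
    - hass-config
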
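- name: home assistant secrets file
  template:
    src: secrets.yaml.j2
    dest: "{{ systemuserlist.hass.home }}/home-assistant/config/secrets.yaml"
    owner: "{{ systemuserlist.hass.uid }}"
    group: "{{ systemuserlist.hass.gid }}"
    # no world-read bit: this file holds secrets. The hass container runs as
    # the same uid:gid as owner/group here, so 0640 is enough for it to read.
    # Quoted so the octal mode is not re-typed as an int by the YAML parser.
    mode: "0640"
  notify: restart hass container
  tags:
    - hass-config
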
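- name: copy home assistant templates file
  copy:
    src: templates.yaml
    dest: "{{ systemuserlist.hass.home }}/home-assistant/config/templates.yaml"
    owner: "{{ systemuserlist.hass.uid }}"
    group: "{{ systemuserlist.hass.gid }}"
    # quoted so the octal mode is not re-typed as an int by the YAML parser
    mode: "0644"
  notify: restart hass container
  tags:
    - hass-config
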
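- name: install git sync script
  template:
    src: git-hass-config.sh.j2
    dest: /usr/local/bin/git-hass-config.sh
    # 0755 instead of 0775: a group-writable executable in /usr/local/bin is
    # editable by every member of the hass group; the hass owner can still
    # write it. Quoted so the octal mode survives YAML 1.2 parsers/linters.
    mode: "0755"
    owner: hass
    group: hass
  tags:
    - hass-git
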
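- name: cron file
  template:
    src: hass-cron.j2
    dest: /etc/cron.d/hass
    owner: root
    group: root
    # quoted so the octal mode is not re-typed as an int by the YAML parser
    mode: "0640"
  tags:
    - cron
    - hass-cron
    - hass-git
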
# the host needs to have bluez installed for the container to use bluetooth
- name: install bluetooth packages
  tags:
    - packages
  apt:
    # latest: upgrades these packages on every run, not only on first install;
    # use present if repeatable runs matter more than staying current
    state: latest
    name:
      - bluez
      - bluetooth

# docker run --run -it -p 8091:8091 -p 3000:3000 --network
# bridgewithdns --device /dev/ttyACM0:/dev/zwave -v
# /home/ben/zwavejs:/usr/src/app/store zwavejs/zwavejs2mqtt:latest

# the name has changed to zwave-js-ui:
# https://github.com/zwave-js/zwave-js-ui/pull/2650
- name: start zwavejs container
  tags:
    - zwavejs
    - zwavejs-container
    - hass-container
    - docker-containers
  docker_container:
    name: zwavejs
    # mutable tag re-pulled on every run (pull: true); not pinned to a digest
    image: zwavejs/zwave-js-ui:latest
    pull: true
    detach: true
    restart_policy: unless-stopped
    state: "{{ container_state | default('started') }}"
    container_default_behavior: compatibility
    # hass uid plus the dialout group, presumably for the serial device below
    user: "{{ systemuserlist.hass.uid }}:dialout"
    networks_cli_compatible: false
    network_mode: bridgewithdns
    networks:
      - name: bridgewithdns
        ipv4_address: "{{ bridgewithdns.zwavejs }}"
    devices:
      # stable by-id path of the usb z-wave controller, exposed as /dev/zwave
      - "/dev/serial/by-id/usb-0658_0200-if00:/dev/zwave:rwm"
    ports:
      # ws for hass<->zwavejs, published on loopback only.
      # hass is configured to use localhost:3000 to talk to zwavejs, but can
      # also use {{ bridgewithdns.zwavejs }}; hass is very fragile and you
      # have to manually work around it if it can't reach zwavejs because the
      # ip/dns changed or the container moved networks. it is not configured
      # in a config file either, so using localhost is the least fragile
      # strategy.
      - "127.0.0.1:3000:3000"
    env:
      # BASE_URL: "/zwavejs/"
      SESSION_SECRET: "{{ zwavejs_session_secret }}"
      ZWAVEJS_EXTERNAL_CONFIG: /usr/src/app/store/.config-db
    mounts:
      - type: bind
        source: "{{ systemuserlist.hass.home }}/zwavejs/app/store"
        target: /usr/src/app/store

# docker run --rm it --name hass -p 8123:8123 -e TZ=Etc/UTC -v
# /home/ben/hass:/config --network-bridgewithdns
# ghcr.io/home-assistant/home-assistant:stable

- name: start home-assistant container
  register: hass_container
  tags:
    - home-assistant
    - home-assistant-container
    - hass-container
    - docker-containers
  docker_container:
    name: hass
    # mutable "stable" tag re-pulled on every run; not pinned to a digest
    image: ghcr.io/home-assistant/home-assistant:stable
    pull: true
    detach: true
    restart_policy: unless-stopped
    state: "{{ container_state | default('started') }}"
    container_default_behavior: compatibility
    # no root inside the container: run as the hass uid:gid
    user: "{{ systemuserlist.hass.uid }}:{{ systemuserlist.hass.gid }}"
    # host networking: no port mapping, the container shares the host stack.
    # inbound 8123 is covered by the ufw reject task above; the nginx vhost
    # templated below presumably fronts it
    network_mode: host
    env:
      TZ: "Etc/UTC"
    mounts:
      - type: bind
        source: "{{ systemuserlist.hass.home }}/home-assistant/config"
        target: /config
      - type: bind
        source: "{{ systemuserlist.hass.home }}/home-assistant/.config"
        target: /.config
      - type: bind
        source: "{{ systemuserlist.hass.home }}/home-assistant/media"
        target: /usr/var/media
      # for bluetooth, container needs access to the dbus socket
      # https://www.home-assistant.io/integrations/bluetooth/
      - type: bind
        source: /run/dbus/
        target: /run/dbus/
        read_only: true
      - type: bind
        source: /etc/bluetooth/main.conf
        target: /etc/bluetooth/main.conf
        read_only: true
      # scripts from role: common
      # only depends on requests, which hass image has
      # (no read_only set on these two, unlike the dbus mounts above)
      - type: bind
        source: /usr/local/bin/authelia-auth.py
        target: /usr/local/bin/authelia-auth.py
      - type: bind
        source: /usr/local/bin/matrixmsg.py
        target: /usr/local/bin/matrixmsg.py

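- name: install certs
  copy:
    src: "/usr/local/etc/letsencrypt/live/{{ item }}"
    dest: "/usr/local/etc/certs/"
    owner: root
    group: root
    # quoted so the octal mode survives YAML 1.2 parsers and ansible-lint.
    # NOTE(review): a letsencrypt "live" directory normally also holds the
    # private key; 0755 applied to the copied tree leaves it world-readable.
    # confirm whether a tighter mode works for every consumer of
    # /usr/local/etc/certs before changing it
    mode: "0755"
  vars:
    prediff_cmd: echo
  with_items:
    - "{{ hass_url }}"
  notify: reload nginx
  tags:
    - letsencrypt-certs
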
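- name: template nginx vhost for hass
  template:
    src: 01-hass.j2
    dest: /etc/nginx/sites-enabled/01-hass
    owner: root
    group: root
    # quoted so the octal mode is not re-typed as an int by the YAML parser
    mode: "0644"
  tags:
    - nginx
    - hass-nginx
    - zwave-nginx
  # restart (not reload) on purpose — see the comment on the grafana task below
  notify: restart nginx
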
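# different task because it's better for the hass config to restart nginx
- name: template nginx vhost for grafana-proxy
  template:
    src: 01-grafana-proxy.j2
    dest: /etc/nginx/sites-enabled/01-grafana
    owner: root
    group: root
    # quoted so the octal mode is not re-typed as an int by the YAML parser
    mode: "0644"
  tags:
    - nginx
    - grafana-proxy-nginx
  notify: reload nginx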