{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.home-assistant;
format = pkgs.formats.yaml {};
# Render config attribute sets to YAML
# Values that are null will be filtered from the output, so this is one way to have optional
# options shown in settings.
# We post-process the result to add support for YAML functions, like secrets or includes, see e.g.
# https://www.home-assistant.io/docs/configuration/secrets/
filteredConfig = lib.converge (lib.filterAttrsRecursive (_: v: ! elem v [ null ])) cfg.config or {};
configFile = pkgs.runCommand "configuration.yaml" { preferLocalBuild = true; } ''
cp ${format.generate "configuration.yaml" filteredConfig} $out
sed -i -e "s/'\!\([a-z_]\+\) \(.*\)'/\!\1 \2/;s/^\!\!/\!/;" $out
'';
lovelaceConfig = cfg.lovelaceConfig or {};
lovelaceConfigFile = format.generate "ui-lovelace.yaml" lovelaceConfig;
# Components advertised by the home-assistant package
availableComponents = cfg.package.availableComponents;
# Components that were added by overriding the package
explicitComponents = cfg.package.extraComponents;
useExplicitComponent = component: elem component explicitComponents;
# Given a component "platform", looks up whether it is used in the config
# as `platform = "platform";`.
#
# For example, the component mqtt.sensor is used as follows:
# config.sensor = [ {
# platform = "mqtt";
# ...
# } ];
usedPlatforms = config:
if isAttrs config then
optional (config ? platform) config.platform
++ concatMap usedPlatforms (attrValues config)
else if isList config then
concatMap usedPlatforms config
else [ ];
useComponentPlatform = component: elem component (usedPlatforms cfg.config);
# Returns whether component is used in config, explicitly passed into package or
# configured in the module.
useComponent = component:
hasAttrByPath (splitString "." component) cfg.config
|| useComponentPlatform component
|| useExplicitComponent component
|| builtins.elem component cfg.extraComponents;
# Final list of components passed into the package to include required dependencies
extraComponents = filter useComponent availableComponents;
package = (cfg.package.override (oldArgs: {
# Respect overrides that already exist in the passed package and
# concat it with values passed via the module.
extraComponents = oldArgs.extraComponents or [] ++ extraComponents;
extraPackages = ps: (oldArgs.extraPackages or (_: []) ps) ++ (cfg.extraPackages ps);
}));
in {
imports = [
# Migrations in NixOS 22.05
(mkRemovedOptionModule [ "services" "home-assistant" "applyDefaultConfig" ] "The default config was migrated into services.home-assistant.config")
(mkRemovedOptionModule [ "services" "home-assistant" "autoExtraComponents" ] "Components are now parsed from services.home-assistant.config unconditionally")
(mkRenamedOptionModule [ "services" "home-assistant" "port" ] [ "services" "home-assistant" "config" "http" "server_port" ])
];
meta = {
buildDocsInSandbox = false;
maintainers = teams.home-assistant.members;
};
options.services.home-assistant = {
# Running home-assistant on NixOS is considered an installation method that is unsupported by the upstream project.
# https://github.com/home-assistant/architecture/blob/master/adr/0012-define-supported-installation-method.md#decision
enable = mkEnableOption "Home Assistant. Please note that this installation method is unsupported upstream";
configDir = mkOption {
default = "/var/lib/hass";
type = types.path;
description = "The config directory, where your configuration.yaml is located.";
};
extraComponents = mkOption {
type = types.listOf (types.enum availableComponents);
default = [
# List of components required to complete the onboarding
"default_config"
"met"
"esphome"
] ++ optionals (pkgs.stdenv.hostPlatform.isAarch32 || pkgs.stdenv.hostPlatform.isAarch64) [
# Use the platform as an indicator that we might be running on a RaspberryPi and include
# relevant components
"rpi_power"
];
example = literalExpression ''
[
"analytics"
"default_config"
"esphome"
"my"
"shopping_list"
"wled"
]
'';
description = ''
List of components that have their dependencies included in the package.
The component name can be found in the URL, for example https://www.home-assistant.io/integrations/ffmpeg/ would map to ffmpeg.
'';
};
extraPackages = mkOption {
type = types.functionTo (types.listOf types.package);
default = _: [];
defaultText = literalExpression ''
python3Packages: with python3Packages; [];
'';
example = literalExpression ''
python3Packages: with python3Packages; [
# postgresql support
psycopg2
];
'';
description = ''
List of packages to add to propagatedBuildInputs.
A popular example is python3Packages.psycopg2
for PostgreSQL support in the recorder component.
'';
};
config = mkOption {
type = types.nullOr (types.submodule {
freeformType = format.type;
options = {
# This is a partial selection of the most common options, so new users can quickly
# pick up how to match home-assistants config structure to ours. It also lets us preset
# config values intelligently.
homeassistant = {
# https://www.home-assistant.io/docs/configuration/basic/
name = mkOption {
type = types.nullOr types.str;
default = null;
example = "Home";
description = ''
Name of the location where Home Assistant is running.
'';
};
latitude = mkOption {
type = types.nullOr (types.either types.float types.str);
default = null;
example = 52.3;
description = ''
Latitude of your location required to calculate the time the sun rises and sets.
'';
};
longitude = mkOption {
type = types.nullOr (types.either types.float types.str);
default = null;
example = 4.9;
description = ''
Longitude of your location required to calculate the time the sun rises and sets.
'';
};
unit_system = mkOption {
type = types.nullOr (types.enum [ "metric" "imperial" ]);
default = null;
example = "metric";
description = ''
The unit system to use. This also sets temperature_unit, Celsius for Metric and Fahrenheit for Imperial.
'';
};
temperature_unit = mkOption {
type = types.nullOr (types.enum [ "C" "F" ]);
default = null;
example = "C";
description = ''
Override temperature unit set by unit_system. C for Celsius, F for Fahrenheit.
'';
};
time_zone = mkOption {
type = types.nullOr types.str;
default = config.time.timeZone or null;
defaultText = literalExpression ''
config.time.timeZone or null
'';
example = "Europe/Amsterdam";
description = ''
Pick your time zone from the column TZ of Wikipedia’s list of tz database time zones.
'';
};
};
http = {
# https://www.home-assistant.io/integrations/http/
server_host = mkOption {
type = types.either types.str (types.listOf types.str);
default = [
"0.0.0.0"
"::"
];
example = "::1";
description = ''
Only listen to incoming requests on specific IP/host. The default listed assumes support for IPv4 and IPv6.
'';
};
server_port = mkOption {
default = 8123;
type = types.port;
description = ''
The port on which to listen.
'';
};
};
lovelace = {
# https://www.home-assistant.io/lovelace/dashboards/
mode = mkOption {
type = types.enum [ "yaml" "storage" ];
default = if cfg.lovelaceConfig != null
then "yaml"
else "storage";
defaultText = literalExpression ''
if cfg.lovelaceConfig != null
then "yaml"
else "storage";
'';
example = "yaml";
description = ''
In what mode should the main Lovelace panel be, yaml or storage (UI managed).
'';
};
};
};
});
example = literalExpression ''
{
homeassistant = {
name = "Home";
latitude = "!secret latitude";
longitude = "!secret longitude";
elevation = "!secret elevation";
unit_system = "metric";
time_zone = "UTC";
};
frontend = {
themes = "!include_dir_merge_named themes";
};
http = {};
feedreader.urls = [ "https://nixos.org/blogs.xml" ];
}
'';
description = ''
Your configuration.yaml as a Nix attribute set.
YAML functions like secrets
can be passed as a string and will be unquoted automatically.
Unless this option is explicitly set to null
we assume your configuration.yaml is
managed through this module and thereby overwritten on startup.
'';
};
configWritable = mkOption {
default = false;
type = types.bool;
description = ''
Whether to make configuration.yaml writable.
This will allow you to edit it from Home Assistant's web interface.
This only has an effect if is set.
However, bear in mind that it will be overwritten at every start of the service.
'';
};
lovelaceConfig = mkOption {
default = null;
type = types.nullOr format.type;
# from https://www.home-assistant.io/lovelace/dashboards/
example = literalExpression ''
{
title = "My Awesome Home";
views = [ {
title = "Example";
cards = [ {
type = "markdown";
title = "Lovelace";
content = "Welcome to your **Lovelace UI**.";
} ];
} ];
}
'';
description = ''
Your ui-lovelace.yaml as a Nix attribute set.
Setting this option will automatically set lovelace.mode to yaml.
Beware that setting this option will delete your previous ui-lovelace.yaml
'';
};
lovelaceConfigWritable = mkOption {
default = false;
type = types.bool;
description = ''
Whether to make ui-lovelace.yaml writable.
This will allow you to edit it from Home Assistant's web interface.
This only has an effect if is set.
However, bear in mind that it will be overwritten at every start of the service.
'';
};
package = mkOption {
default = pkgs.home-assistant.overrideAttrs (oldAttrs: {
doInstallCheck = false;
});
defaultText = literalExpression ''
pkgs.home-assistant.overrideAttrs (oldAttrs: {
doInstallCheck = false;
})
'';
type = types.package;
example = literalExpression ''
pkgs.home-assistant.override {
extraPackages = python3Packages: with python3Packages; [
psycopg2
];
extraComponents = [
"default_config"
"esphome"
"met"
];
}
'';
description = ''
The Home Assistant package to use.
'';
};
openFirewall = mkOption {
default = false;
type = types.bool;
description = "Whether to open the firewall for the specified port.";
};
};
config = mkIf cfg.enable {
assertions = [
{
assertion = cfg.openFirewall -> !isNull cfg.config;
message = "openFirewall can only be used with a declarative config";
}
];
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.config.http.server_port ];
systemd.services.home-assistant = {
description = "Home Assistant";
after = [
"network-online.target"
# prevent races with database creation
"mysql.service"
"postgresql.service"
];
preStart = let
copyConfig = if cfg.configWritable then ''
cp --no-preserve=mode ${configFile} "${cfg.configDir}/configuration.yaml"
'' else ''
rm -f "${cfg.configDir}/configuration.yaml"
ln -s ${configFile} "${cfg.configDir}/configuration.yaml"
'';
copyLovelaceConfig = if cfg.lovelaceConfigWritable then ''
cp --no-preserve=mode ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml"
'' else ''
rm -f "${cfg.configDir}/ui-lovelace.yaml"
ln -s ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml"
'';
in
(optionalString (cfg.config != null) copyConfig) +
(optionalString (cfg.lovelaceConfig != null) copyLovelaceConfig)
;
serviceConfig = let
# List of capabilities to equip home-assistant with, depending on configured components
capabilities = [
# Empty string first, so we will never accidentally have an empty capability bounding set
# https://github.com/NixOS/nixpkgs/issues/120617#issuecomment-830685115
""
] ++ (unique (optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [
# Required for interaction with hci devices and bluetooth sockets
# https://www.home-assistant.io/integrations/bluetooth_le_tracker/#rootless-setup-on-core-installs
"CAP_NET_ADMIN"
"CAP_NET_RAW"
] ++ lib.optionals (useComponent "emulated_hue") [
# Alexa looks for the service on port 80
# https://www.home-assistant.io/integrations/emulated_hue
"CAP_NET_BIND_SERVICE"
] ++ lib.optionals (useComponent "nmap_tracker") [
# https://www.home-assistant.io/integrations/nmap_tracker#linux-capabilities
"CAP_NET_ADMIN"
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
]));
componentsUsingBluetooth = [
# Components that require the AF_BLUETOOTH address family
"bluetooth_tracker"
"bluetooth_le_tracker"
];
componentsUsingPing = [
# Components that require the capset syscall for the ping wrapper
"ping"
"wake_on_lan"
];
componentsUsingSerialDevices = [
# Components that require access to serial devices (/dev/tty*)
# List generated from home-assistant documentation:
# git clone https://github.com/home-assistant/home-assistant.io/
# cd source/_integrations
# rg "/dev/tty" -l | cut -d'/' -f3 | cut -d'.' -f1 | sort
# And then extended by references found in the source code, these
# mostly the ones using config flows already.
"acer_projector"
"alarmdecoder"
"arduino"
"blackbird"
"deconz"
"dsmr"
"edl21"
"elkm1"
"elv"
"enocean"
"firmata"
"flexit"
"gpsd"
"insteon"
"kwb"
"lacrosse"
"mhz19"
"modbus"
"modem_callerid"
"mysensors"
"nad"
"numato"
"rflink"
"rfxtrx"
"scsgate"
"serial"
"serial_pm"
"sms"
"upb"
"usb"
"velbus"
"w800rf32"
"xbee"
"zha"
"zwave"
"zwave_js"
];
in {
ExecStart = "${package}/bin/hass --config '${cfg.configDir}'";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
User = "hass";
Group = "hass";
Restart = "on-failure";
RestartForceExitStatus = "100";
SuccessExitStatus = "100";
KillSignal = "SIGINT";
# Hardening
AmbientCapabilities = capabilities;
CapabilityBoundingSet = capabilities;
DeviceAllow = (optionals (any useComponent componentsUsingSerialDevices) [
"char-ttyACM rw"
"char-ttyAMA rw"
"char-ttyUSB rw"
]);
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateTmp = true;
PrivateUsers = false; # prevents gaining capabilities in the host namespace
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "all";
ProtectSystem = "strict";
RemoveIPC = true;
ReadWritePaths = let
# Allow rw access to explicitly configured paths
cfgPath = [ "config" "homeassistant" "allowlist_external_dirs" ];
value = attrByPath cfgPath [] cfg;
allowPaths = if isList value then value else singleton value;
in [ "${cfg.configDir}" ] ++ allowPaths;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
"AF_UNIX"
] ++ optionals (any useComponent componentsUsingBluetooth) [
"AF_BLUETOOTH"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SupplementaryGroups = optionals (any useComponent componentsUsingSerialDevices) [
"dialout"
];
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
] ++ optionals (any useComponent componentsUsingPing) [
"capset"
];
UMask = "0077";
};
path = [
"/run/wrappers" # needed for ping
];
};
systemd.targets.home-assistant = rec {
description = "Home Assistant";
wantedBy = [ "multi-user.target" ];
wants = [ "home-assistant.service" ];
after = wants;
};
users.users.hass = {
home = cfg.configDir;
createHome = true;
group = "hass";
uid = config.ids.uids.hass;
};
users.groups.hass.gid = config.ids.gids.hass;
};
}