From c407a4520af8f5d1ba9f885ea25a2d01b55c218b Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Thu, 22 Dec 2022 17:36:26 +0100
Subject: [PATCH 1/6] blind dev result of homeassistant
---
 .../homeassistant/files/homeassistant.service | 13 ++++
 bundles/homeassistant/items.py | 66 +++++++++++++++++++
 bundles/homeassistant/metadata.py | 23 +++++++
 3 files changed, 102 insertions(+)
 create mode 100644 bundles/homeassistant/files/homeassistant.service
 create mode 100644 bundles/homeassistant/items.py
 create mode 100644 bundles/homeassistant/metadata.py
diff --git a/bundles/homeassistant/files/homeassistant.service b/bundles/homeassistant/files/homeassistant.service
new file mode 100644
index 0000000..ece9e21
--- /dev/null
+++ b/bundles/homeassistant/files/homeassistant.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Home Assistant
+After=network-online.target
+
+[Service]
+Type=simple
+User=homeassistant
+WorkingDirectory=/var/opt/homeassistant
+ExecStart=/opt/homeassistant/bin/hass -c "/var/opt/homeassistant"
+RestartForceExitStatus=100
+
+[Install]
+WantedBy=multi-user.target
diff --git a/bundles/homeassistant/items.py b/bundles/homeassistant/items.py
new file mode 100644
index 0000000..d562859
--- /dev/null
+++ b/bundles/homeassistant/items.py
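Review bot: The `[Service]` section of the new unit starts hass with no sandboxing directives, so the process runs with everything the homeassistant account can reach on a host that is also published through a web front end. Consider adding hardening such as `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full`, after checking which device and filesystem access the Bluetooth-related integrations need. `After=network-online.target` is also declared without `Wants=network-online.target`, so the ordering only has an effect if something else pulls that target in.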
@@ -0,0 +1,66 @@
+users = {
+ 'homeassistant': {
+ 'home': '/var/opt/homeassistant',
+ },
+}
+
+directories = {
+ '/opt/homeassistant': {},
+ '/var/opt/homeassistant': {
+ 'owner': 'homeassistant',
+ },
+}
+
+files = {
+ '/etc/systemd/system/homeassistant.service': {
+ 'triggers': {
+ 'action:systemd-reload',
+ 'svc_systemd:homeassistant:restart',
+ },
+ },
+}
+
+actions = {
+ 'homeassistant_create_virtualenv': {
+ 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/homeassistant/venv',
+ 'unless': 'test -d /opt/homeassistant/venv/',
+ 'needed_by': {
+ 'action:homeassistant_install',
+ },
+ },
+ 'homeassistant_install': {
+ 'triggered': True,
+ 'command': ' && '.join([
+ 'cd /opt/homeassistant/src',
+ f"/opt/homeassistant/venv/bin/pip install --upgrade homeassistant=={node.metadata.get('homeassistant/version')}",
+ ]) ,
+ 'needs': {
+ 'pkg_apt:bluez',
+ 'pkg_apt:libffi-dev',
+ 'pkg_apt:libssl-dev',
+ 'pkg_apt:libjpeg-dev',
+ 'pkg_apt:zlib1g-dev',
+ 'pkg_apt:autoconf',
+ 'pkg_apt:build-essential',
+ 'pkg_apt:libopenjp2-7',
+ 'pkg_apt:libtiff5',
+ 'pkg_apt:libturbojpeg0-dev',
+ 'pkg_apt:tzdata',
+ },
+ 'triggers': {
+ 'svc_systemd:homeassistant:restart',
+ },
+ 'unless': {
+ "[[ $(/opt/homeassistant/venv/bin/pip freeze | grep homeassistant=={node.metadata.get('homeassistant/version')}) ]]",
+ },
+ },
+}
+
+svc_systemd = {
+ 'homeassistant': {
+ 'needs': {
+ 'action:homeassistant_install',
+ 'file:/etc/systemd/system/homeassistant.service',
+ },
+ },
+}
diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py
new file mode 100644
index 0000000..3f66d4d
--- /dev/null
+++ b/bundles/homeassistant/metadata.py
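Review bot: The `unless` of `homeassistant_install` is a set holding a plain string rather than an f-string, so `{node.metadata.get('homeassistant/version')}` reaches the shell literally and the guard can never match the pinned release; as far as I know bundlewrap expects a single command string there. Something like `'unless': f"/opt/homeassistant/venv/bin/pip freeze | grep -Fqx homeassistant=={node.metadata.get('homeassistant/version')}",` would express the intent. The command also starts with `cd /opt/homeassistant/src`, a directory no item in this file creates, so the `&&` chain would stop before pip runs. The action is marked `'triggered': True`, yet nothing in this file triggers it (`needed_by` only orders), so it may never execute.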
@@ -0,0 +1,23 @@
+defaults = {
+ 'apt': {
+ 'packages': {
+ 'bluez': {},
+ 'libffi-dev': {},
+ 'libssl-dev': {},
+ 'libjpeg-dev': {},
+ 'zlib1g-dev': {},
+ 'autoconf': {},
+ 'build-essential': {},
+ 'libopenjp2-7': {},
+ 'libtiff5': {},
+ 'libturbojpeg0-dev': {},
+ 'tzdata': {},
+ },
+ },
+ 'backups': {
+ 'paths': {
+ '/opt/homeassistant',
+ '/var/opt/homeassistant',
+ },
+ },
+}
From 107fd6872be8cf6b48a9f746163e82f866d536e7 Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Thu, 22 Dec 2022 17:53:10 +0100
Subject: [PATCH 2/6] home.hass add metadata
---
 bundles/homeassistant/metadata.py | 41 +++++++++++++++++++++++++++++++
 nodes/home.hass.toml | 18 +++++++++++++-
 2 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py
index 3f66d4d..6c71656 100644
--- a/bundles/homeassistant/metadata.py
+++ b/bundles/homeassistant/metadata.py
@@ -21,3 +21,44 @@ defaults = {
 },
 },
 }
+@metadata_reactor.provides(
+ 'icinga2_api/homeassistant/services/HOMESSISTANT UPDATE',
+)
+def icinga_check_for_new_release(metadata):
+ return {
+ 'icinga2_api': {
+ 'homeassistant': {
+ 'services': {
+ 'HOMEASSISTANT UPDATE': {
+ 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_github_for_new_release homeassistant/core {}'.format(metadata.get('homeassistant/version')),
+ 'vars.notification.mail': True,
+ 'check_interval': '60m',
+ },
+ },
+ },
+ },
+ }
+
+@metadata_reactor.provides(
+ 'nginx/vhosts/homeassistant',
+)
+def nginx(metadata):
+ if not node.has_bundle('nginx'):
+ raise DoNotRunAgain
+
+ return {
+ 'nginx': {
+ 'vhosts': {
+ 'homeassistant': {
+ 'domain': metadata.get('homeassistant/domain'),
+ 'website_check_path': '/',
+ 'website_check_string': 'Homeassistant',
+ 'locations': {
+ '/': {
+ 'target': 'http://127.0.0.1:8123',
+ },
+ },
+ },
+ },
+ },
+ }
diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml
index 34cf68d..a053f8c 100644
--- a/nodes/home.hass.toml
+++ b/nodes/home.hass.toml
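Review bot: The path announced in the first `@metadata_reactor.provides(...)` is spelled `HOMESSISTANT UPDATE` while `icinga_check_for_new_release` returns the key `HOMEASSISTANT UPDATE`, so the declared and the produced metadata paths differ; the decorator argument should read `'icinga2_api/homeassistant/services/HOMEASSISTANT UPDATE',`. In the `nginx` reactor, `metadata.get('homeassistant/domain')` is called without a default, so a node that enables the bundle without a domain fails during metadata processing; if the key is meant to be mandatory, a one-line comment above the call saying so would help the next reader.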
@@ -1,5 +1,8 @@
 hostname = "172.19.138.25"
-bundles = []
+bundles = [
+ 'homeassistant',
+ 'nginx'
+]
 groups = ["debian-bullseye"]
 [metadata.backups]
@@ -13,3 +16,16 @@ ipv6_accept_ra = true
 [metadata.vm]
 cpu = 2
 ram = 2
+
+[metadata.homeassistant]
+domain = 'hass.home.kunbox.net'
+version = '2022.12.8'
+
+[metadata.nginx]
+restrict-to = [
+ '172.19.136.0/25',
+ '172.19.138.0/24',
+]
+
+[metadata.nginx.vhosts.homeassistant]
+ssl = '_.home.kunbox.net'
From edeffee5c2f69215e9500dbf90294b0d693263c6 Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Thu, 22 Dec 2022 18:59:27 +0100
Subject: [PATCH 3/6] first running hass stuff
---
 .../homeassistant/files/homeassistant.service | 2 +-
 bundles/homeassistant/items.py | 28 +++++++++----------
 bundles/homeassistant/metadata.py | 14 ++++++++++
 3 files changed, 28 insertions(+), 16 deletions(-)
diff --git a/bundles/homeassistant/files/homeassistant.service b/bundles/homeassistant/files/homeassistant.service
index ece9e21..d97cec7 100644
--- a/bundles/homeassistant/files/homeassistant.service
+++ b/bundles/homeassistant/files/homeassistant.service
@@ -6,7 +6,7 @@ After=network-online.target
 Type=simple
 User=homeassistant
 WorkingDirectory=/var/opt/homeassistant
-ExecStart=/opt/homeassistant/bin/hass -c "/var/opt/homeassistant"
+ExecStart=/opt/homeassistant/venv/bin/hass -c "/var/opt/homeassistant"
 RestartForceExitStatus=100
 [Install]
diff --git a/bundles/homeassistant/items.py b/bundles/homeassistant/items.py
index d562859..f5f7a08 100644
--- a/bundles/homeassistant/items.py
+++ b/bundles/homeassistant/items.py
@@ -5,7 +5,9 @@ users = {
 }
 directories = {
- '/opt/homeassistant': {},
+ '/opt/homeassistant': {
+ 'owner': 'homeassistant',
+ },
 '/var/opt/homeassistant': {
 'owner': 'homeassistant',
 },
@@ -22,19 +24,11 @@ files = {
 actions = {
 'homeassistant_create_virtualenv': {
- 'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/homeassistant/venv',
+ 'command': 'sudo -u homeassistant /usr/bin/python3 -m virtualenv -p python3 /opt/homeassistant/venv/',
 'unless': 'test -d /opt/homeassistant/venv/',
- 'needed_by': {
- 'action:homeassistant_install',
- },
- },
- 'homeassistant_install': {
- 'triggered': True,
- 'command': ' && '.join([
- 'cd /opt/homeassistant/src',
- f"/opt/homeassistant/venv/bin/pip install --upgrade homeassistant=={node.metadata.get('homeassistant/version')}",
- ]) ,
 'needs': {
+ 'directory:/opt/homeassistant',
+ 'user:homeassistant',
 'pkg_apt:bluez',
 'pkg_apt:libffi-dev',
 'pkg_apt:libssl-dev',
@@ -47,12 +41,16 @@ actions = {
 'pkg_apt:libturbojpeg0-dev',
 'pkg_apt:tzdata',
 },
+ },
+ 'homeassistant_install': {
+ 'command': 'sudo -u homeassistant /opt/homeassistant/venv/bin/pip install homeassistant',
+ 'unless': 'test -f /opt/homeassistant/venv/bin/hass',
+ 'needs': {
+ 'action:homeassistant_create_virtualenv',
+ },
 'triggers': {
 'svc_systemd:homeassistant:restart',
 },
- 'unless': {
- "[[ $(/opt/homeassistant/venv/bin/pip freeze | grep homeassistant=={node.metadata.get('homeassistant/version')}) ]]",
- },
 },
 }
diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py
index 6c71656..508c274 100644
--- a/bundles/homeassistant/metadata.py
+++ b/bundles/homeassistant/metadata.py
@@ -1,3 +1,5 @@
+from bundlewrap.metadata import atomic
+
 defaults = {
 'apt': {
 'packages': {
@@ -62,3 +64,15 @@ def nginx(metadata):
 },
 },
 }
+
+@metadata_reactor.provides(
+ 'firewall/port_rules/8123',
+)
+def firewall(metadata):
+ return {
+ 'firewall': {
+ 'port_rules': {
+ '8123': atomic(metadata.get('nginx/restrict-to', {'*'})),
+ },
+ },
+ }
From df303b3487cdc53f34050a909b8f2bcfafc663d1 Mon Sep 17 00:00:00 2001
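Review bot: The rewritten `homeassistant_install` action in the second items.py hunk runs `pip install homeassistant` with no version, so the node installs whatever release the index serves at apply time and the `homeassistant/version` value set in the node file is no longer used. Combined with `'unless': 'test -f /opt/homeassistant/venv/bin/hass'`, the action never runs again once hass exists, so later upgrades cannot be rolled out through this bundle. Pinning again, e.g. `'command': f"sudo -u homeassistant /opt/homeassistant/venv/bin/pip install homeassistant=={node.metadata.get('homeassistant/version')}",`, with an `unless` that compares the installed version, would keep installs reproducible and reviewable. The `actions` dict starts and ends outside both hunks.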
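Review bot: The new `firewall` reactor opens port 8123 to `{'*'}` whenever `nginx/restrict-to` is unset, which exposes the plain-HTTP Home Assistant listener directly and bypasses the TLS vhost in front of it. Since the vhost in this file proxies to `http://127.0.0.1:8123`, no inbound rule for 8123 looks necessary, and dropping the reactor would be the simplest fix. If direct access is wanted, the fallback should be a closed default rather than `'*'`, with a comment stating why the backend port is reachable. Whether Home Assistant binds only to loopback is not visible in this patch.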
From: Franziska Kunsmann
Date: Thu, 22 Dec 2022 20:01:35 +0100
Subject: [PATCH 4/6] bundles/homeassistant: set websockets=True in nginx config
---
 bundles/homeassistant/metadata.py | 1 +
 nodes/home.hass.toml | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py
index 508c274..e000af9 100644
--- a/bundles/homeassistant/metadata.py
+++ b/bundles/homeassistant/metadata.py
@@ -58,6 +58,7 @@ def nginx(metadata):
 'locations': {
 '/': {
 'target': 'http://127.0.0.1:8123',
+ 'websockets': True,
 },
 },
 },
diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml
index a053f8c..00fd3c6 100644
--- a/nodes/home.hass.toml
+++ b/nodes/home.hass.toml
@@ -1,7 +1,7 @@
 hostname = "172.19.138.25"
 bundles = [
- 'homeassistant',
- 'nginx'
+ 'homeassistant',
+ 'nginx'
 ]
 groups = ["debian-bullseye"]
@@ -23,8 +23,8 @@ version = '2022.12.8'
 [metadata.nginx]
 restrict-to = [
- '172.19.136.0/25',
- '172.19.138.0/24',
+ '172.19.136.0/25',
+ '172.19.138.0/24',
 ]
 [metadata.nginx.vhosts.homeassistant]
From 52983a51a97e159eb40719e5bb91c37b01b2194d Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Sat, 24 Dec 2022 17:51:42 +0100
Subject: [PATCH 5/6] homeassistant: rework update check
---
 .../files/check_homeassistant_update | 49 +++++++++++++++++++
 bundles/homeassistant/items.py | 8 +++
 bundles/homeassistant/metadata.py | 25 +++-------
 3 files changed, 64 insertions(+), 18 deletions(-)
 create mode 100644 bundles/homeassistant/files/check_homeassistant_update
diff --git a/bundles/homeassistant/files/check_homeassistant_update b/bundles/homeassistant/files/check_homeassistant_update
new file mode 100644
index 0000000..d01d830
--- /dev/null
+++ b/bundles/homeassistant/files/check_homeassistant_update
@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+
+from sys import exit
+
+import requests
+from packaging import version
+
+bearer = "${bearer}"
+domain = "${domain}"
+OK = 0
+WARN = 1
+CRITICAL = 2
+UNKNOWN = 3
+
+status = 3
+message = "Unknown Update Status"
+
+
+domain = "hass.home.kunbox.net"
+
+s = requests.Session()
+s.headers.update({"Content-Type": "application/json"})
+
+try:
+ stable_version = version.parse(
+ s.get("https://version.home-assistant.io/stable.json").json()["homeassistant"][
+ "generic-x86-64"
+ ]
+ )
+ s.headers.update(
+ {"Authorization": f"Bearer {bearer}", "Content-Type": "application/json"}
+ )
+ running_version = version.parse(
+ s.get(f"https://{domain}/api/config").json()["version"]
+ )
+ if running_version == stable_version:
+ status = 0
+ message = f"OK - running version {running_version} equals stable version {stable_version}"
+ elif running_version > stable_version:
+ status = 1
+ message = f"WARNING - stable version {stable_version} is lower than running version {running_version}, check if downgrade is necessary."
+ else:
+ status = 2
+ message = f"CRITICAL - update necessary, running verison {running_version} is lower than stable version {stable_version}"
+except Exception as e:
+ message = f"{message}: {repr(e)}"
+
+print(message)
+exit(status)
diff --git a/bundles/homeassistant/items.py b/bundles/homeassistant/items.py
index f5f7a08..6ceeec4 100644
--- a/bundles/homeassistant/items.py
+++ b/bundles/homeassistant/items.py
@@ -20,6 +20,14 @@ files = {
 'svc_systemd:homeassistant:restart',
 },
 },
+ '/usr/local/share/icinga/plugins/check_homeassistant_update': {
+ 'content_type': 'mako',
+ 'context': {
+ 'bearer': repo.vault.decrypt(node.metadata.get('homeassistant/api_secret')),
+ 'domain': node.metadata.get('homeassistant/domain'),
+ },
+ 'mode': '0755',
+ },
 }
 actions = {
diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py
index e000af9..87855f8 100644
--- a/bundles/homeassistant/metadata.py
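Review bot: The new check script reassigns `domain = "hass.home.kunbox.net"` a few lines after the templated `domain = "${domain}"`, so the Mako context value is ignored and the bearer token is always sent to that fixed host; the hard-coded assignment should be removed. Both `s.get(...)` calls run without a timeout, so a stalled connection can hang the check; pass one explicitly, e.g. `s.get(f"https://{domain}/api/config", timeout=10)`. The `OK`/`WARN`/`CRITICAL`/`UNKNOWN` constants are defined but the branches assign the literals 0 to 3 instead, and the CRITICAL message spells "verison".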
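Review bot: The rendered plugin embeds the decrypted Home Assistant bearer token (`'bearer': repo.vault.decrypt(...)`) but the file item sets `'mode': '0755'`, so every local account on the node can read the token. Restrict the file to the account that executes the checks, for example `'mode': '0750',` together with explicit `'owner'` and `'group'` attributes for that account (its name is not visible in this patch). A comment next to the `context` entry noting that the file holds a secret would also help. The `files` dict starts and ends outside the hunk.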
+++ b/bundles/homeassistant/metadata.py
@@ -3,17 +3,18 @@ from bundlewrap.metadata import atomic
 defaults = {
 'apt': {
 'packages': {
- 'bluez': {},
- 'libffi-dev': {},
- 'libssl-dev': {},
- 'libjpeg-dev': {},
- 'zlib1g-dev': {},
 'autoconf': {},
+ 'bluez': {},
 'build-essential': {},
+ 'libffi-dev': {},
+ 'libjpeg-dev': {},
 'libopenjp2-7': {},
+ 'libssl-dev': {},
 'libtiff5': {},
 'libturbojpeg0-dev': {},
+ 'python3-packaging': {},
 'tzdata': {},
+ 'zlib1g-dev': {},
 },
 },
 'backups': {
@@ -32,7 +33,7 @@ def icinga_check_for_new_release(metadata):
 'homeassistant': {
 'services': {
 'HOMEASSISTANT UPDATE': {
- 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_github_for_new_release homeassistant/core {}'.format(metadata.get('homeassistant/version')),
+ 'command_on_monitored_host': '/usr/local/share/icinga/plugins/check_homeassistant_update',
 'vars.notification.mail': True,
 'check_interval': '60m',
 },
@@ -65,15 +66,3 @@ def nginx(metadata):
 },
 },
 }
-
-@metadata_reactor.provides(
- 'firewall/port_rules/8123',
-)
-def firewall(metadata):
- return {
- 'firewall': {
- 'port_rules': {
- '8123': atomic(metadata.get('nginx/restrict-to', {'*'})),
- },
- },
- }
From 3019ee43553dbacbda6f33774a56c2e1bc9d2f8d Mon Sep 17 00:00:00 2001
From: Sophie Schiller
Date: Sat, 24 Dec 2022 17:52:04 +0100
Subject: [PATCH 6/6] home.hass: add api secret for update check
---
 nodes/home.hass.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/home.hass.toml b/nodes/home.hass.toml
index 00fd3c6..b451d32 100644
--- a/nodes/home.hass.toml
+++ b/nodes/home.hass.toml
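Review bot: The package list in the first hunk gains `python3-packaging`, but the check script added by the same commit also imports `requests`, and nothing here ensures `python3-requests` is installed. Unless another bundle provides it, the script fails at import time, before its `try` block, and exits with the interpreter's generic status instead of the UNKNOWN it intends. Adding `'python3-requests': {},` to the set would make the dependency explicit. With the `firewall` reactor removed in the last hunk, `from bundlewrap.metadata import atomic` appears to be unused, though the full file is not shown.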
@@ -19,7 +19,7 @@ ram = 2
 [metadata.homeassistant]
 domain = 'hass.home.kunbox.net'
-version = '2022.12.8'
+api_secret = 'encrypt$gAAAAABjpyuqXLoilokQW5c0zV8shHcOzN1zkEbS-I6WAAX-xDO_OF33YbjbkpELU2HGBzqiWX40J0hsaEbYJOnCHFk8gJ-Xt0vdqqbQ5vca_TGPNQHZPAS4qZoPTcUhmX_I-0EdT6ukhxejXFYBiYRZikTLjH3lcNM5qnckCm-H9NbRdjLb9hbCDIjbEglHmBl_g08S1_ukvX3dDSCIHIxgXXGsdK_Go1KxPJd8G22FL_MMhCfsTW-6ioIqoHSeSA1NGk3MZHEIM2errckiopKBxoBaROsacO9Uqk1zrrgXOs2NsgiTRtrbV1TNlFVaIX9mZdsUnMGZ'
 [metadata.nginx]
 restrict-to = [