diff --git a/homeassistant.yml b/homeassistant.yml index 1d46ed0..40d5f5f 100644 --- a/homeassistant.yml +++ b/homeassistant.yml @@ -11,12 +11,3 @@ service: name: httpd state: started - -- hosts: home-assistant - roles: - - hass-dhcp - tasks: - - name: ensure dnsmasq is running - service: - name: dnsmasq - state: started diff --git a/hosts b/hosts index e86ffbf..8c88246 100644 --- a/hosts +++ b/hosts @@ -41,6 +41,7 @@ file0.pyrocufflink.blue git0.pyrocufflink.blue [home-assistant] +hass1.pyrocufflink.blue [jenkins-slave] build0-amd64.pyrocufflink.blue @@ -75,6 +76,8 @@ web0.pyrocufflink.blue [pyrocufflink] build0-amd64.pyrocufflink.blue +build1-aarch64.pyrocufflink.blue +build2-armv7hl.pyrocufflink.blue burp0.pyrocufflink.blue burp1.pyrocufflink.blue bw0.pyrocufflink.blue @@ -83,6 +86,7 @@ dc0.pyrocufflink.blue dns0.pyrocufflink.blue file0.pyrocufflink.blue git0.pyrocufflink.blue +hass1.pyrocufflink.blue jenkins0.pyrocufflink.blue koji0.pyrocufflink.blue smtp1.pyrocufflink.blue diff --git a/roles/homeassistant/files/hass.sh b/roles/homeassistant/files/hass.sh index c579028..7969908 100644 --- a/roles/homeassistant/files/hass.sh +++ b/roles/homeassistant/files/hass.sh @@ -1,3 +1,3 @@ #!/bin/sh -exec /var/lib/homeassistant/.local/bin/hass +exec /usr/local/homeassistant/bin/hass diff --git a/roles/homeassistant/files/homeassistant.service b/roles/homeassistant/files/homeassistant.service index ca3bced..3248908 100644 --- a/roles/homeassistant/files/homeassistant.service +++ b/roles/homeassistant/files/homeassistant.service @@ -4,6 +4,7 @@ Description=Home Assistant [Service] Type=simple +Environment=TMPDIR=/var/lib/homeassistant/tmp ExecStart=/usr/local/bin/hass User=homeassistant UMask=0077 diff --git a/roles/homeassistant/handlers/main.yml b/roles/homeassistant/handlers/main.yml index 7bb1fd3..fec0129 100644 --- a/roles/homeassistant/handlers/main.yml +++ b/roles/homeassistant/handlers/main.yml 
@@ -1,3 +1,5 @@ +- name: relabel home assistant dir + command: restorecon -RF /usr/local/homeassistant - name: reload systemd command: systemctl daemon-reload - name: restart homeassistant diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index 431e7f8..522775c 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -1,7 +1,13 @@ +- name: load architecture-specific values + include_vars: '{{ item }}' + with_first_found: + - '{{ ansible_architecture }}.yml' + - defaults.yml + - name: ensure system dependencies are installed package: - name: - - python3-pip + name: >- + {{ homeassistant_common_system_deps + homeassistant_arch_system_deps }} state: present tags: - install @@ -12,18 +18,46 @@ system: true home: /var/lib/homeassistant +- name: ensure homeassistant tmp dir exists + file: + path: /var/lib/homeassistant/tmp + mode: '0700' + owner: homeassistant + group: homeassistant + state: directory + +- name: ensure homeassistant install dir exists + file: + path: /usr/local/homeassistant + mode: '0755' + owner: homeassistant + group: homeassistant + state: directory - name: ensure homeassistant is installed + environment: + TMPDIR: /var/lib/homeassistant/tmp become: true become_user: homeassistant pip: name: homeassistant extra_args: >- - --user + --prefer-binary + virtualenv: /usr/local/homeassistant + virtualenv_command: '/usr/bin/python3 -m venv' + +- name: ensure selinux file context map is correct for home assistant dir + sefcontext: + ftype: a + setype: bin_t + target: /usr/local/homeassistant/bin(/.*)? + state: present + notify: relabel home assistant dir - name: ensure homeassistant entry point is installed copy: src: hass.sh dest: /usr/local/bin/hass + setype: bin_t mode: '0755' notify: - restart homeassistant diff --git a/roles/homeassistant/templates/homeassistant.httpd.conf.j2 b/roles/homeassistant/templates/homeassistant.httpd.conf.j2 index 03fc35e..a0166f4 100644 
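Review bot: The `pip` task in the second hunk of roles/homeassistant/tasks/main.yml installs `homeassistant` with no version, so every new host gets whatever PyPI serves at run time and the transitive dependencies float with it. Pinning through the module's `version` parameter, for example `version: '{{ homeassistant_version }}'` (a new role variable; the name is only a suggestion), makes the install reproducible and reviewable. Separately, `/usr/local/homeassistant` is created owned by `homeassistant` and its `bin` subtree is labelled `bin_t`, so the service account can rewrite the code that the root-owned `/usr/local/bin/hass` wrapper executes. If Home Assistant does not need to write to its virtualenv at run time (not visible from this hunk), a root-owned tree would close that path. The pip task also carries no `notify: restart homeassistant`, unlike the `copy` task below it.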
--- a/roles/homeassistant/templates/homeassistant.httpd.conf.j2 +++ b/roles/homeassistant/templates/homeassistant.httpd.conf.j2 @@ -7,7 +7,13 @@ ProxyPass / http://localhost:8123/ ProxyPassReverse / http://localhost:8123/ RewriteEngine on +RewriteCond %{HTTPS} !on +RewriteRule /.* https://%{SERVER_NAME}$0 [R=301,L] + RewriteCond %{HTTP:Upgrade} =websocket [NC] RewriteRule /(.*) ws://localhost:8123/$1 [P,L] RewriteCond %{HTTP:Upgrade} !=websocket [NC] RewriteRule /(.*) http://localhost:8123/$1 [P,L] + +Header always set \ + Strict-Transport-Security "max-age=63072000; includeSubDomains" diff --git a/roles/homeassistant/vars/armv7l.yml b/roles/homeassistant/vars/armv7l.yml new file mode 100644 index 0000000..c8b9726 --- /dev/null +++ b/roles/homeassistant/vars/armv7l.yml @@ -0,0 +1,12 @@ +# These are required to build Python packages that do not have wheels +# on pypi.org for armv7hl +homeassistant_arch_system_deps: +- gcc +- gcc-c++ +- libffi-devel +- libopenzwave-devel +- libudev-devel +- make +- openssl-devel +- python3-devel +- which diff --git a/roles/homeassistant/vars/defaults.yml b/roles/homeassistant/vars/defaults.yml new file mode 100644 index 0000000..222f814 --- /dev/null +++ b/roles/homeassistant/vars/defaults.yml @@ -0,0 +1 @@ +homeassistant_arch_system_deps: [] diff --git a/roles/homeassistant/vars/main.yml b/roles/homeassistant/vars/main.yml new file mode 100644 index 0000000..447fcd7 --- /dev/null +++ b/roles/homeassistant/vars/main.yml @@ -0,0 +1,2 @@ +homeassistant_common_system_deps: +- python3-pip
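Review bot: `Header always set Strict-Transport-Security` at the end of the homeassistant.httpd.conf.j2 hunk is unconditional, so it is also attached to the cleartext 301 produced by the new `RewriteCond %{HTTPS} !on` rule. Browsers ignore HSTS received over plain HTTP, and RFC 6797 says not to send it there. Scoping it as `Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" "expr=%{HTTPS} == 'on'"` keeps the policy on TLS responses only. `includeSubDomains` with a two-year max-age also commits every name beneath this host to HTTPS for that period, which deserves a comment in the template. The enclosing virtual host starts outside the hunk, so whether this block serves both ports is inferred from the redirect rule.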
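Review bot: The header comment in roles/homeassistant/vars/armv7l.yml says armv7hl, while the file is selected through `{{ ansible_architecture }}.yml`, which is presumably `armv7l` on these hosts. A line such as `# File name follows ansible_architecture (armv7l); the distribution calls this arch armv7hl` would explain the mismatch. The list also leaves gcc, make and the -devel headers permanently installed on the service host, and pip will run package build scripts there as `homeassistant` whenever no wheel exists. If that is an accepted trade-off, say so in the comment. Otherwise, building wheels on a build host and installing them with `--no-index --find-links` would keep the toolchain off the target.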