From d1a8c1db842615b42d4c1d071159ef3bdf031290 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 9 Mar 2020 20:12:54 -0500
Subject: [PATCH 1/6] hosts: Add build1-aarch64.p.b

*build1-aarch64* is a Raspberry Pi 3 B+ running Fedora aarch64. It is intended to be used to build software and operating system images for other aarch64 machines.
---
 hosts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hosts b/hosts
index ca2714f..8380705 100644
--- a/hosts
+++ b/hosts
@@ -76,6 +76,7 @@ web0.pyrocufflink.blue
 
 [pyrocufflink]
 build0-amd64.pyrocufflink.blue
+build1-aarch64.pyrocufflink.blue
 burp0.pyrocufflink.blue
 burp1.pyrocufflink.blue
 bw0.pyrocufflink.blue
From 1d0786f46b92526aacaaaed82ca783211c4eae79 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 9 Mar 2020 20:11:31 -0500
Subject: [PATCH 2/6] hosts: Add build2-armv7hl.p.b

*build2-armv7hl.pyrocufflink.blue* is a Raspberry Pi 3 running Fedora ARM. It will be used to build software and OS images for other ARM machines.
---
 hosts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hosts b/hosts
index 8380705..dcae412 100644
--- a/hosts
+++ b/hosts
@@ -77,6 +77,7 @@ web0.pyrocufflink.blue
 [pyrocufflink]
 build0-amd64.pyrocufflink.blue
 build1-aarch64.pyrocufflink.blue
+build2-armv7hl.pyrocufflink.blue
 burp0.pyrocufflink.blue
 burp1.pyrocufflink.blue
 bw0.pyrocufflink.blue
From 0a3ff65a8c260d2739c9d71086f4f69d92b99ddd Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 9 Mar 2020 20:11:21 -0500
Subject: [PATCH 3/6] hosts: Add hass1.p.b

*hass1.pyrocufflink.blue* is the new host for Home Assistant. I migrated from using a virtual machine to using a Raspberry Pi to avoid having to deal with USB passthrough for the Z-Wave USB stick.
---
 hosts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hosts b/hosts
index dcae412..abdbc8e 100644
--- a/hosts
+++ b/hosts
@@ -42,6 +42,7 @@ git0.pyrocufflink.blue
 
 [home-assistant]
 hass0.pyrocufflink.blue
+hass1.pyrocufflink.blue
 
 [jenkins-slave]
 build0-amd64.pyrocufflink.blue
@@ -87,6 +88,7 @@ dns0.pyrocufflink.blue
 file0.pyrocufflink.blue
 git0.pyrocufflink.blue
 hass0.pyrocufflink.blue
+hass1.pyrocufflink.blue
 jenkins0.pyrocufflink.blue
 koji0.pyrocufflink.blue
 proxy0.pyrocufflink.blue
From b99c7aa27db46e77a92ca2d819bb32e10cda6c8a Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 4 Jul 2020 13:53:55 -0500
Subject: [PATCH 4/6] roles/homeassistant: Install in a virtualenv

Because the Home Assistant user's home directory is on `/var`, Python packages installed in the "user site" do not get the correct SELinux labels and thus run in the wrong domain. This causes a lot of AVC denials and other issues that prevent Home Assistant from working correctly. To resolve this issue, Home Assistant is now installed in a virtual environment at `/usr/local/homeassistant`. This directory is still owned by the Home Assistant user, allowing Home Assistant to manage packages installed there. Since it is rooted under `/usr`, files are labelled correctly and processes launched from executables there will run in the correct domain.
---
 roles/homeassistant/files/hass.sh | 2 +-
 .../homeassistant/files/homeassistant.service | 1 +
 roles/homeassistant/handlers/main.yml | 2 +
 roles/homeassistant/tasks/main.yml | 40 +++++++++++++++++--
 roles/homeassistant/vars/armv7l.yml | 12 ++++++
 roles/homeassistant/vars/defaults.yml | 1 +
 roles/homeassistant/vars/main.yml | 2 +
 7 files changed, 56 insertions(+), 4 deletions(-)
 create mode 100644 roles/homeassistant/vars/armv7l.yml
 create mode 100644 roles/homeassistant/vars/defaults.yml
 create mode 100644 roles/homeassistant/vars/main.yml

diff --git a/roles/homeassistant/files/hass.sh b/roles/homeassistant/files/hass.sh
index c579028..7969908 100644
--- a/roles/homeassistant/files/hass.sh
+++ b/roles/homeassistant/files/hass.sh
@@ -1,3 +1,3 @@
 #!/bin/sh
 
-exec /var/lib/homeassistant/.local/bin/hass
+exec /usr/local/homeassistant/bin/hass
diff --git a/roles/homeassistant/files/homeassistant.service b/roles/homeassistant/files/homeassistant.service
index ca3bced..3248908 100644
--- a/roles/homeassistant/files/homeassistant.service
+++ b/roles/homeassistant/files/homeassistant.service
@@ -4,6 +4,7 @@ Description=Home Assistant
 
 [Service]
 Type=simple
+Environment=TMPDIR=/var/lib/homeassistant/tmp
 ExecStart=/usr/local/bin/hass
 User=homeassistant
 UMask=0077
diff --git a/roles/homeassistant/handlers/main.yml b/roles/homeassistant/handlers/main.yml
index 7bb1fd3..fec0129 100644
--- a/roles/homeassistant/handlers/main.yml
+++ b/roles/homeassistant/handlers/main.yml
@@ -1,3 +1,5 @@
+- name: relabel home assistant dir
+  command: restorecon -RF /usr/local/homeassistant
 - name: reload systemd
   command: systemctl daemon-reload
 - name: restart homeassistant
diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml
index 431e7f8..522775c 100644
--- a/roles/homeassistant/tasks/main.yml
+++ b/roles/homeassistant/tasks/main.yml
@@ -1,7 +1,13 @@
+- name: load architecture-specific values
+  include_vars: '{{ item }}'
+  with_first_found:
+  - '{{ ansible_architecture }}.yml'
+  - defaults.yml
+
 - name: ensure system dependencies are installed
   package:
-    name:
-    - python3-pip
+    name: >-
+      {{ homeassistant_common_system_deps + homeassistant_arch_system_deps }}
     state: present
   tags:
   - install
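Review bot: `Environment=TMPDIR=/var/lib/homeassistant/tmp` only has its intended effect if that directory already exists with the 0700 mode the role's tasks give it; the unit itself does not create it, and Python's tempfile module (which pip uses) falls back silently to /tmp when TMPDIR is missing or unwritable, so a host where the directory was removed would not fail, it would just stop using the private dir. If the unit should own that guarantee, `StateDirectory=homeassistant/tmp` lets systemd create it under /var/lib as the service user (mode via `StateDirectoryMode=`), independent of whether the playbook has run. Either way a comment above the line recording why a dedicated TMPDIR is needed would help, since the commit message does not say; for example `# pip/HA temp files go to a private 0700 dir created by roles/homeassistant/tasks/main.yml`.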
@@ -12,18 +18,46 @@
     system: true
     home: /var/lib/homeassistant
 
+- name: ensure homeassistant tmp dir exists
+  file:
+    path: /var/lib/homeassistant/tmp
+    mode: '0700'
+    owner: homeassistant
+    group: homeassistant
+    state: directory
+
+- name: ensure homeassistant install dir exists
+  file:
+    path: /usr/local/homeassistant
+    mode: '0755'
+    owner: homeassistant
+    group: homeassistant
+    state: directory
 - name: ensure homeassistant is installed
+  environment:
+    TMPDIR: /var/lib/homeassistant/tmp
   become: true
   become_user: homeassistant
   pip:
     name: homeassistant
     extra_args: >-
-      --user
+      --prefer-binary
+    virtualenv: /usr/local/homeassistant
+    virtualenv_command: '/usr/bin/python3 -m venv'
+
+- name: ensure selinux file context map is correct for home assistant dir
+  sefcontext:
+    ftype: a
+    setype: bin_t
+    target: /usr/local/homeassistant/bin(/.*)?
+    state: present
+  notify: relabel home assistant dir
 
 - name: ensure homeassistant entry point is installed
   copy:
     src: hass.sh
     dest: /usr/local/bin/hass
+    setype: bin_t
     mode: '0755'
   notify:
   - restart homeassistant
diff --git a/roles/homeassistant/vars/armv7l.yml b/roles/homeassistant/vars/armv7l.yml
new file mode 100644
index 0000000..c8b9726
--- /dev/null
+++ b/roles/homeassistant/vars/armv7l.yml
@@ -0,0 +1,12 @@
+# These are required to build Python packages that do not have wheels
+# on pypi.org for armv7hl
+homeassistant_arch_system_deps:
+- gcc
+- gcc-c++
+- libffi-devel
+- libopenzwave-devel
+- libudev-devel
+- make
+- openssl-devel
+- python3-devel
+- which
diff --git a/roles/homeassistant/vars/defaults.yml b/roles/homeassistant/vars/defaults.yml
new file mode 100644
index 0000000..222f814
--- /dev/null
+++ b/roles/homeassistant/vars/defaults.yml
@@ -0,0 +1 @@
+homeassistant_arch_system_deps: []
diff --git a/roles/homeassistant/vars/main.yml b/roles/homeassistant/vars/main.yml
new file mode 100644
index 0000000..447fcd7
--- /dev/null
+++ b/roles/homeassistant/vars/main.yml
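Review bot: The install tree at /usr/local/homeassistant is owned by the same account the service runs as (`owner: homeassistant` on the install-dir task, `User=homeassistant` in the unit), so the running process can rewrite its own libraries and the `bin/` entry points; `setype: bin_t` governs which domain those executables run in, not who may modify them. The commit message says this is deliberate so Home Assistant can manage its own packages, but nothing in the tasks records that trade-off, so a later reader may "fix" the ownership or assume the labelling protects the code. Suggest a comment above the install-dir task: `# owned by homeassistant on purpose: HA installs its own deps into this venv, so the service can modify its own code`. Separately, /var/lib/homeassistant/tmp now appears as a literal in two tasks here and again in files/homeassistant.service; a single role variable would keep the three in step.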
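Review bot: The header comment in vars/armv7l.yml says the packages are needed for "armv7hl", but the file is selected by `{{ ansible_architecture }}.yml`, which on 32-bit ARM Fedora reports the kernel machine name `armv7l` (hence the file name), while `armv7hl` is the RPM arch name; a reader checking the host's arch against the file name will stumble on the mismatch. Suggest `# Loaded when ansible_architecture == armv7l (Fedora's armv7hl). Needed to build Python packages that have no armv7l wheels on pypi.org`. It is also worth a line noting that this puts a full compiler toolchain (gcc, gcc-c++, make, the -devel packages) on the Home Assistant host, which widens what anyone who gains a foothold there can do; if the build hosts added earlier in this series eventually produce wheels, this list could shrink.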
@@ -0,0 +1,2 @@
+homeassistant_common_system_deps:
+- python3-pip
From f430032d49d212802e73fd96a063fec5f89c8588 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 4 Jul 2020 13:57:05 -0500
Subject: [PATCH 5/6] homeassistant: Do not apply hass-dhcp

The UniFi Security Gateway now provides DHCP for the Home Assistant network. This simplifies management a bit, so I do not have to manage three DHCP servers. The USG has firewall rules to prevent Internet traffic.
---
 homeassistant.yml | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/homeassistant.yml b/homeassistant.yml
index 1d46ed0..40d5f5f 100644
--- a/homeassistant.yml
+++ b/homeassistant.yml
@@ -11,12 +11,3 @@
     service:
       name: httpd
       state: started
-
-- hosts: home-assistant
-  roles:
-  - hass-dhcp
-  tasks:
-  - name: ensure dnsmasq is running
-    service:
-      name: dnsmasq
-      state: started
From b4db8eb74d7536086da9bcb11d7a74d45d9432cb Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 4 Jul 2020 14:23:29 -0500
Subject: [PATCH 6/6] roles/homeassistant: Add HTTPS redirect

Enforce HTTPS access to Home Assistant web UI using a redirect and HSTS.
---
 roles/homeassistant/templates/homeassistant.httpd.conf.j2 | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/roles/homeassistant/templates/homeassistant.httpd.conf.j2 b/roles/homeassistant/templates/homeassistant.httpd.conf.j2
index 03fc35e..a0166f4 100644
--- a/roles/homeassistant/templates/homeassistant.httpd.conf.j2
+++ b/roles/homeassistant/templates/homeassistant.httpd.conf.j2
@@ -7,7 +7,13 @@ ProxyPass / http://localhost:8123/
 ProxyPassReverse / http://localhost:8123/
 
 RewriteEngine on
+RewriteCond %{HTTPS} !on
+RewriteRule /.* https://%{SERVER_NAME}$0 [R=301,L]
+
 RewriteCond %{HTTP:Upgrade} =websocket [NC]
 RewriteRule /(.*) ws://localhost:8123/$1 [P,L]
 RewriteCond %{HTTP:Upgrade} !=websocket [NC]
 RewriteRule /(.*) http://localhost:8123/$1 [P,L]
+
+Header always set \
+    Strict-Transport-Security "max-age=63072000; includeSubDomains"
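Review bot: The `Header always set Strict-Transport-Security` directive at the end of the hunk is unconditional, so it is also emitted on the plain-HTTP 301 responses produced by the new RewriteRule in the same file; browsers must ignore an STS header received over HTTP (RFC 6797 §8.1), so it is harmless but misleading, and the usual form is `Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" env=HTTPS` so it is only sent on TLS responses. The redirect target uses `%{SERVER_NAME}`, which with the default `UseCanonicalName Off` is derived from the client-supplied Host header; setting `UseCanonicalName On` next to the vhost's `ServerName` (or templating the configured name directly into the RewriteRule) makes the target independent of request input. The `ServerName`/`UseCanonicalName` settings and the enclosing VirtualHost are outside this hunk, so that the file is shared by the :80 and :443 vhosts is inferred from the redirect living here rather than seen.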