From b99c7aa27db46e77a92ca2d819bb32e10cda6c8a Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 4 Jul 2020 13:53:55 -0500
Subject: [PATCH] roles/homeassistant: Install in a virtualenv

Because the Home Assistant user's home directory is on `/var`, Python packages installed in the "user site" do not get the correct SELinux labels and thus run in the wrong domain. This causes a lot of AVC denials and other issues that prevent Home Assistant from working correctly.

To resolve this issue, Home Assistant is now installed in a virtual environment at `/usr/local/homeassistant`. This directory is still owned by the Home Assistant user, allowing Home Assistant to manage packages installed there. Since it is rooted under `/usr`, files are labelled correctly and processes launched from executables there will run in the correct domain.
---
 roles/homeassistant/files/hass.sh | 2 +-
 .../homeassistant/files/homeassistant.service | 1 +
 roles/homeassistant/handlers/main.yml | 2 +
 roles/homeassistant/tasks/main.yml | 40 +++++++++++++++++--
 roles/homeassistant/vars/armv7l.yml | 12 ++++++
 roles/homeassistant/vars/defaults.yml | 1 +
 roles/homeassistant/vars/main.yml | 2 +
 7 files changed, 56 insertions(+), 4 deletions(-)
 create mode 100644 roles/homeassistant/vars/armv7l.yml
 create mode 100644 roles/homeassistant/vars/defaults.yml
 create mode 100644 roles/homeassistant/vars/main.yml

diff --git a/roles/homeassistant/files/hass.sh b/roles/homeassistant/files/hass.sh
index c579028..7969908 100644
--- a/roles/homeassistant/files/hass.sh
+++ b/roles/homeassistant/files/hass.sh
@@ -1,3 +1,3 @@
 #!/bin/sh
-exec /var/lib/homeassistant/.local/bin/hass
+exec /usr/local/homeassistant/bin/hass
diff --git a/roles/homeassistant/files/homeassistant.service b/roles/homeassistant/files/homeassistant.service
index ca3bced..3248908 100644
--- a/roles/homeassistant/files/homeassistant.service
+++ b/roles/homeassistant/files/homeassistant.service
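Review bot: The rewritten exec line still swallows the caller's arguments, so `hass -c /some/config` or `hass --script check_config` invoked through `/usr/local/bin/hass` runs the bare entry point instead; it should read `exec /usr/local/homeassistant/bin/hass "$@"`. Since the wrapper's only job is now to launch a binary from a venv that the tasks file hands to the service user, a one-line header would help the next reader: `# thin launcher for the venv under /usr/local (kept there for SELinux labelling); the venv is owned by the homeassistant user, so run this only as that user`.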
@@ -4,6 +4,7 @@ Description=Home Assistant
 [Service]
 Type=simple
+Environment=TMPDIR=/var/lib/homeassistant/tmp
 ExecStart=/usr/local/bin/hass
 User=homeassistant
 UMask=0077
diff --git a/roles/homeassistant/handlers/main.yml b/roles/homeassistant/handlers/main.yml
index 7bb1fd3..fec0129 100644
--- a/roles/homeassistant/handlers/main.yml
+++ b/roles/homeassistant/handlers/main.yml
@@ -1,3 +1,5 @@
+- name: relabel home assistant dir
+ command: restorecon -RF /usr/local/homeassistant
 - name: reload systemd
 command: systemctl daemon-reload
 - name: restart homeassistant
diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml
index 431e7f8..522775c 100644
--- a/roles/homeassistant/tasks/main.yml
+++ b/roles/homeassistant/tasks/main.yml
@@ -1,7 +1,13 @@
+- name: load architecture-specific values
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_architecture }}.yml'
+ - defaults.yml
+
 - name: ensure system dependencies are installed
 package:
- name:
- - python3-pip
+ name: >-
+ {{ homeassistant_common_system_deps + homeassistant_arch_system_deps }}
 state: present
 tags:
 - install
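Review bot: The new `Environment=TMPDIR=` line points at a fixed directory that only the Ansible task creates, and if it is absent or unwritable at start-up (fresh host, restore from backup) Python's `tempfile` silently falls back to `/tmp`, so the service runs with exactly the labelling the commit is trying to escape and nothing reports it. systemd can guarantee the directory instead: add `StateDirectory=homeassistant/tmp` and `StateDirectoryMode=0700` next to the `Environment=` line, which also records who owns it. The reason for relocating `TMPDIR` appears neither in the unit nor in the commit message; a comment such as `# keep scratch files out of tmp_t /tmp so anything pip/HA unpacks and executes keeps a usable label` (or whatever the real motivation was) would save the next reader an AVC hunt.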
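Review bot: The relabel handler is only ever notified by the `sefcontext` task, i.e. when the file-context mapping changes, never when the venv itself changes. If `/usr/local/homeassistant` is rebuilt on a host where the mapping already exists (venv removed, pip task re-run), the freshly created `bin/` takes its label from the parent directory rather than from the fcontext database — as I understand SELinux default labelling — and Home Assistant is back in the wrong domain with nothing in the role to correct it. The pip task in tasks/main.yml should also carry `notify: relabel home assistant dir`, so a change to the venv triggers the same `restorecon -RF`.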
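Review bot: Passing the combined list through a `>-` folded scalar is an unusual spelling for a single Jinja expression; the conventional form is `name: "{{ homeassistant_common_system_deps + homeassistant_arch_system_deps }}"`, which reads as the list it is and spares the reader wondering whether the block scalar turns it into a string (Ansible should still hand the module a list either way, but the plain form makes that obvious). The fallback file is called `vars/defaults.yml`, which is easy to confuse with a role's `defaults/main.yml` (a different precedence level); a name like `vars/arch-default.yml` would say what it actually is. The task list continues past the end of this hunk.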
@@ -12,18 +18,46 @@
 system: true
 home: /var/lib/homeassistant
+- name: ensure homeassistant tmp dir exists
+ file:
+ path: /var/lib/homeassistant/tmp
+ mode: '0700'
+ owner: homeassistant
+ group: homeassistant
+ state: directory
+
+- name: ensure homeassistant install dir exists
+ file:
+ path: /usr/local/homeassistant
+ mode: '0755'
+ owner: homeassistant
+ group: homeassistant
+ state: directory
 - name: ensure homeassistant is installed
+ environment:
+ TMPDIR: /var/lib/homeassistant/tmp
 become: true
 become_user: homeassistant
 pip:
 name: homeassistant
 extra_args: >-
- --user
+ --prefer-binary
+ virtualenv: /usr/local/homeassistant
+ virtualenv_command: '/usr/bin/python3 -m venv'
+
+- name: ensure selinux file context map is correct for home assistant dir
+ sefcontext:
+ ftype: a
+ setype: bin_t
+ target: /usr/local/homeassistant/bin(/.*)?
+ state: present
+ notify: relabel home assistant dir
 - name: ensure homeassistant entry point is installed
 copy:
 src: hass.sh
 dest: /usr/local/bin/hass
+ setype: bin_t
 mode: '0755'
 notify:
 - restart homeassistant
diff --git a/roles/homeassistant/vars/armv7l.yml b/roles/homeassistant/vars/armv7l.yml
new file mode 100644
index 0000000..c8b9726
--- /dev/null
+++ b/roles/homeassistant/vars/armv7l.yml
@@ -0,0 +1,12 @@
+# These are required to build Python packages that do not have wheels
+# on pypi.org for armv7hl
+homeassistant_arch_system_deps:
+- gcc
+- gcc-c++
+- libffi-devel
+- libopenzwave-devel
+- libudev-devel
+- make
+- openssl-devel
+- python3-devel
+- which
diff --git a/roles/homeassistant/vars/defaults.yml b/roles/homeassistant/vars/defaults.yml
new file mode 100644
index 0000000..222f814
--- /dev/null
+++ b/roles/homeassistant/vars/defaults.yml
@@ -0,0 +1 @@
+homeassistant_arch_system_deps: []
diff --git a/roles/homeassistant/vars/main.yml b/roles/homeassistant/vars/main.yml
new file mode 100644
index 0000000..447fcd7
--- /dev/null
+++ b/roles/homeassistant/vars/main.yml
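Review bot: The install-dir task makes `/usr/local/homeassistant` owned and writable by the `homeassistant` user while the root-owned, `bin_t`-labelled `/usr/local/bin/hass` execs straight into it, so any administrator who runs `hass` as root — for a config check, say — executes whatever the service account last wrote there; that is a clean path from the daemon's unprivileged user to root and deserves a note where the directory is created, e.g. `# venv is service-user-writable (HA installs integration deps into it at runtime) — never invoke /usr/local/bin/hass as root`. On a targeted policy an `init_t` service whose entry point is `bin_t` normally lands in `unconfined_service_t`; if that is the "correct domain" the commit message means, the role should say plainly that SELinux no longer confines Home Assistant and that `User=`/`UMask=` in the unit are the remaining boundary — worth confirming with `ps -eZ` on a converted host. The pip task installs `homeassistant` with no `version:`, so what ends up in the venv depends on the day the play runs; pinning it (`version: '{{ homeassistant_version }}'`) keeps the supply chain reviewable and the `--prefer-binary` result reproducible.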
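Review bot: The armv7l list leaves a permanent C/C++ toolchain and headers (`gcc`, `gcc-c++`, `make`, the `*-devel` packages) on the running host, and because both the venv and `TMPDIR` are writable by the service account that toolchain is available to anything executing as `homeassistant`; the header comment should own that trade-off, e.g. `# NOTE: this leaves a build toolchain on the host; accepted only because armv7hl wheels are not published upstream`. If these hosts are dedicated SBCs that may be acceptable, but building the wheels once in a throw-away environment and serving them from a local index would let the runtime image stay toolchain-free.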
@@ -0,0 +1,2 @@
+homeassistant_common_system_deps:
+- python3-pip