diff --git a/group_vars/home-assistant.yml b/group_vars/home-assistant.yml index a8aee10..2555cfb 100644 --- a/group_vars/home-assistant.yml +++ b/group_vars/home-assistant.yml @@ -8,3 +8,5 @@ mosquitto_listeners: - port: 1883 address: ::1 mosquitto_password_file: /etc/mosquitto/passwd +apache_default_ssl_vhost: false +homeassistant_server_name: homeassistant.pyrocufflink.blue diff --git a/homeassistant.yml b/homeassistant.yml index eea2c08..712b278 100644 --- a/homeassistant.yml +++ b/homeassistant.yml @@ -1,6 +1,9 @@ - hosts: home-assistant roles: - - apache + - role: apache + vars: + default_apache_ssl_vhost: false + tags: apache - role: homeassistant tags: homeassistant - role: mosquitto diff --git a/roles/homeassistant/defaults/main.yml b/roles/homeassistant/defaults/main.yml index 901d523..f342d82 100644 --- a/roles/homeassistant/defaults/main.yml +++ b/roles/homeassistant/defaults/main.yml @@ -1 +1,6 @@ homeassistant_image_name: '{{ homeassistant_default_image_name }}' +homeassistant_ssl_certificate: >- + {{ apache_ssl_certificate }} +homeassistant_ssl_certificate_key: >- + {{ apache_ssl_certificate_key }} +homeassistant_proxy_zwavejs2mqtt: true diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml index 18c50eb..27b565c 100644 --- a/roles/homeassistant/tasks/main.yml +++ b/roles/homeassistant/tasks/main.yml @@ -92,9 +92,9 @@ dest: /etc/httpd/conf.d/homeassistant.conf mode: '0644' notify: - - restart httpd + - reload httpd tags: - - apache + - proxy-config - name: ensure selinux allows apache to proxy seboolean: name: httpd_can_network_connect diff --git a/roles/homeassistant/templates/homeassistant.httpd.conf.j2 b/roles/homeassistant/templates/homeassistant.httpd.conf.j2 index a0166f4..a849ef6 100644 --- a/roles/homeassistant/templates/homeassistant.httpd.conf.j2 +++ b/roles/homeassistant/templates/homeassistant.httpd.conf.j2 
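Review bot: The switch that disables the apache role's default SSL vhost is spelled two different ways in this commit: the group_vars/home-assistant.yml hunk sets `apache_default_ssl_vhost: false`, while the homeassistant.yml hunk passes `default_apache_ssl_vhost: false` as a role var. The apache role is not part of this diff, so I cannot tell which name it reads, but at most one of the two has any effect and the other is silently ignored. If the name that takes effect is not the one the role defines, the default SSL vhost stays enabled next to the one added in homeassistant.httpd.conf.j2, and which certificate and proxy rules a client is served then depends on vhost ordering. Confirm the name against the role's defaults and set it in one place only, for example keep `apache_default_ssl_vhost: false` in group_vars and drop the `vars:` block from the play.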
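Review bot: `homeassistant_proxy_zwavejs2mqtt: true` in roles/homeassistant/defaults/main.yml makes the /zwave proxy opt-out, so every host that applies this role publishes the service on localhost:8091 through the HTTPS vhost unless it overrides the default. The template hunk adds no access control around that path, and whether the backend enforces its own authentication is not visible in this commit. I would ship the default as `homeassistant_proxy_zwavejs2mqtt: false` and enable it in group_vars for the hosts that need it, with a comment above it such as `# expose the ZwaveJS2Mqtt UI under /zwave on the Home Assistant vhost`.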
@@ -1,19 +1,37 @@ -ProxyPreserveHost On -ProxyRequests Off - -ProxyPass /api/websocket ws://localhost:8123/api/websocket -ProxyPassReverse /api/websocket ws://localhost:8123/api/websocket -ProxyPass / http://localhost:8123/ -ProxyPassReverse / http://localhost:8123/ - RewriteEngine on RewriteCond %{HTTPS} !on RewriteRule /.* https://%{SERVER_NAME}$0 [R=301,L] -RewriteCond %{HTTP:Upgrade} =websocket [NC] -RewriteRule /(.*) ws://localhost:8123/$1 [P,L] -RewriteCond %{HTTP:Upgrade} !=websocket [NC] -RewriteRule /(.*) http://localhost:8123/$1 [P,L] + + ServerName {{ homeassistant_server_name }} -Header always set \ - Strict-Transport-Security "max-age=63072000; includeSubDomains" + SSLCertificateFile {{ homeassistant_ssl_certificate }} + SSLCertificateKeyFile {{ homeassistant_ssl_certificate_key }} + SSLCertificateChainFile {{ homeassistant_ssl_certificate }} + + ProxyPreserveHost On + ProxyRequests Off + + RewriteEngine on +{% if homeassistant_proxy_zwavejs2mqtt %} + + RewriteRule ^/zwave$ /zwave/ [R=301,L] + RewriteCond %{HTTP:Upgrade} =websocket [NC] + RewriteRule /zwave/(.*) ws://localhost:8091/$1 [P,L] + RewriteRule /zwave/(.*) http://localhost:8091/$1 [P,L] + # ZwaveJS2Mqtt doesn't respect X-External-Path for the logo URL + RewriteRule ^/static/logo\.png$ http://localhost:8091$0 [P,L] + + RequestHeader set X-External-Path /zwave + + ProxyPassReverse /zwave/ http://localhost:8091/ +{% endif %} + + RewriteCond %{HTTP:Upgrade} =websocket [NC] + RewriteRule /(.*) ws://localhost:8123/$1 [P,L] + RewriteRule /(.*) http://localhost:8123/$1 [P,L] + ProxyPassReverse / http://localhost:8123/ + + Header always set \ + Strict-Transport-Security "max-age=63072000; includeSubDomains" +
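Review bot: The new `/zwave/` rules are not anchored, so `RewriteRule /zwave/(.*) …` matches that substring anywhere in the request path, and a Home Assistant URL that happens to contain `/zwave/` is proxied to port 8091 instead of 8123. Anchor both patterns the way the `^/zwave$` redirect above them already is: `RewriteRule ^/zwave/(.*) ws://localhost:8091/$1 [P,L]` and `RewriteRule ^/zwave/(.*) http://localhost:8091/$1 [P,L]`; the catch-all rules for port 8123 would also read more clearly as `^/(.*)`. Separately, the plain-HTTP redirect kept at the top still builds its target from `%{SERVER_NAME}`, which can follow the client's Host header depending on `UseCanonicalName`; now that `homeassistant_server_name` exists it could be `RewriteRule /.* https://{{ homeassistant_server_name }}$0 [R=301,L]`. The container tags around the vhost body appear to have been lost in this rendering of the hunk, so the scope of these directives is inferred.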