feat: add home assistant capability with pi-relay

Cargo.lock

@@ -906,6 +906,19 @@ dependencies = [
  "tracing-subscriber",
 ]
 
+[[package]]
+name = "noisebell-relay"
+version = "0.1.0"
+dependencies = [
+ "anyhow",
+ "axum",
+ "noisebell-common",
+ "reqwest",
+ "tokio",
+ "tracing",
+ "tracing-subscriber",
+]
+
 [[package]]
 name = "noisebell-rss"
 version = "0.1.0"

Cargo.toml

@@ -1,6 +1,7 @@
 [workspace]
 members = [
     "pi/pi-service",
+    "pi/pi-relay",
     "remote/noisebell-common",
     "remote/cache-service",
     "remote/rss-service",

flake.nix

@@ -108,6 +108,23 @@
         cargoExtraArgs = "-p noisebell";
       };
 
+      piRelayArgs = {
+        inherit src;
+        pname = "noisebell-pi-relay";
+        version = "0.1.0";
+        strictDeps = true;
+        doCheck = false;
+
+        CARGO_BUILD_TARGET = "aarch64-unknown-linux-gnu";
+        CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER = "${crossPkgs.stdenv.cc.targetPrefix}cc";
+        TARGET_CC = "${crossPkgs.stdenv.cc.targetPrefix}cc";
+        CC_aarch64_unknown_linux_gnu = "${crossPkgs.stdenv.cc.targetPrefix}cc";
+        HOST_CC = "${pkgs.stdenv.cc.nativePrefix}cc";
+
+        depsBuildBuild = [ crossPkgs.stdenv.cc ];
+        cargoExtraArgs = "-p noisebell-relay";
+      };
+
       piArtifacts = piCraneLib.buildDepsOnly piArgs;
 
       noisebell-pi = piCraneLib.buildPackage (
@@ -117,6 +134,15 @@
         }
       );
 
+      piRelayArtifacts = piCraneLib.buildDepsOnly piRelayArgs;
+
+      noisebell-pi-relay = piCraneLib.buildPackage (
+        piRelayArgs
+        // {
+          cargoArtifacts = piRelayArtifacts;
+        }
+      );
+
       piStaticArgs = {
         inherit src;
         pname = "noisebell-pi-static";
@@ -134,6 +160,23 @@
         cargoExtraArgs = "-p noisebell";
       };
 
+      piRelayStaticArgs = {
+        inherit src;
+        pname = "noisebell-pi-relay-static";
+        version = "0.1.0";
+        strictDeps = true;
+        doCheck = false;
+
+        CARGO_BUILD_TARGET = "aarch64-unknown-linux-musl";
+        CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER = "${muslPkgs.stdenv.cc.targetPrefix}cc";
+        TARGET_CC = "${muslPkgs.stdenv.cc.targetPrefix}cc";
+        CC_aarch64_unknown_linux_musl = "${muslPkgs.stdenv.cc.targetPrefix}cc";
+        HOST_CC = "${pkgs.stdenv.cc.nativePrefix}cc";
+
+        depsBuildBuild = [ muslPkgs.stdenv.cc ];
+        cargoExtraArgs = "-p noisebell-relay";
+      };
+
       piStaticArtifacts = piCraneLib.buildDepsOnly piStaticArgs;
 
       noisebell-pi-static = piCraneLib.buildPackage (
@@ -143,6 +186,15 @@
         }
       );
 
+      piRelayStaticArtifacts = piCraneLib.buildDepsOnly piRelayStaticArgs;
+
+      noisebell-pi-relay-static = piCraneLib.buildPackage (
+        piRelayStaticArgs
+        // {
+          cargoArtifacts = piRelayStaticArtifacts;
+        }
+      );
+
       piImageBaseModule =
         {
           lib,
@@ -359,7 +411,9 @@
 
       packages.aarch64-linux = {
         noisebell = noisebell-pi;
+        noisebell-relay = noisebell-pi-relay;
         noisebell-static = noisebell-pi-static;
+        noisebell-relay-static = noisebell-pi-relay-static;
         default = noisebell-pi;
       };
 

pi/README.md

@@ -111,25 +111,32 @@ scripts/deploy-pios-pi.sh pi@10.21.x.x
 That script:
 
 1. builds `.#packages.aarch64-linux.noisebell-static` locally
-2. decrypts the Pi-facing secrets locally with `agenix`
-3. uploads the binary and secrets to the Pi
-4. installs Tailscale and Avahi if needed
-5. writes `/etc/noisebell/noisebell.env`
-6. installs `noisebell.service`
-7. enables and starts the service
-8. runs `tailscale up` with the decrypted auth key
+2. builds `.#packages.aarch64-linux.noisebell-relay-static` locally
+3. decrypts the Pi-facing secrets locally with `agenix`
+4. uploads the binaries and secrets to the Pi
+5. installs Tailscale and Avahi if needed
+6. writes `/etc/noisebell/noisebell.env`
+7. writes `/etc/noisebell/noisebell-relay.env`
+8. installs `noisebell.service` and `noisebell-relay.service`
+9. enables and starts both services
+10. runs `tailscale up` with the decrypted auth key
 
 ## Files written on the Pi
 
 The deploy script creates:
 
 - `/opt/noisebell/releases/<timestamp>/noisebell`
+- `/opt/noisebell/releases/<timestamp>/noisebell-relay`
 - `/opt/noisebell/current` -> current release symlink
 - `/etc/noisebell/pi-to-cache-key`
 - `/etc/noisebell/cache-to-pi-key`
+- `/etc/noisebell/relay-webhook-secret`
+- `/etc/noisebell/homeassistant-webhook-id`
 - `/etc/noisebell/tailscale-auth-key`
 - `/etc/noisebell/noisebell.env`
+- `/etc/noisebell/noisebell-relay.env`
 - `/etc/systemd/system/noisebell.service`
+- `/etc/systemd/system/noisebell-relay.service`
 
 All secret files are root-only.
 
@@ -171,6 +178,34 @@ The deployed service uses these environment variables:
 | `NOISEBELL_BIND_ADDRESS` | `0.0.0.0` | HTTP bind address |
 | `NOISEBELL_ACTIVE_LOW` | `true` | Low GPIO = door open |
 
+## Relay service configuration
+
+The optional relay service accepts authenticated webhooks from cache-service and forwards them to Home Assistant on the local network.
+
+| Variable | Default | Description |
+|---|---|---|
+| `NOISEBELL_RELAY_PORT` | `8090` | HTTP port for the relay webhook endpoint |
+| `NOISEBELL_RELAY_BIND_ADDRESS` | `0.0.0.0` | HTTP bind address |
+| `NOISEBELL_RELAY_TARGET_BASE_URL` | `http://homeassistant.local:8123` | Base URL for Home Assistant |
+| `NOISEBELL_RELAY_TARGET_WEBHOOK_ID` | required | Home Assistant webhook ID |
+| `NOISEBELL_RELAY_INBOUND_API_KEY` | required | Bearer token expected from cache-service |
+| `NOISEBELL_RELAY_RETRY_ATTEMPTS` | `3` | Forward retry count |
+| `NOISEBELL_RELAY_RETRY_BASE_DELAY_SECS` | `1` | Exponential backoff base delay |
+| `NOISEBELL_RELAY_HTTP_TIMEOUT_SECS` | `10` | Outbound request timeout |
+
+Example cache target for the relay:
+
+```nix
+{
+  services.noisebell-cache.outboundWebhooks = [
+    {
+      url = "http://noisebell-pi.local:8090/webhook";
+      secretFile = /run/agenix/noisebell-relay-webhook-secret;
+    }
+  ];
+}
+```
+
 ## API
 
 All endpoints require `Authorization: Bearer <token>`.

pi/pi-relay/Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "noisebell-relay"
+version = "0.1.0"
+edition = "2021"
+
+[lints]
+workspace = true
+
+[dependencies]
+anyhow = "1.0"
+axum = "0.8"
+noisebell-common = { path = "../../remote/noisebell-common" }
+reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
+tokio = { version = "1", features = ["rt-multi-thread", "macros", "net", "signal", "time"] }
+tracing = "0.1"
+tracing-subscriber = { version = "0.3", features = ["env-filter"] }

pi/pi-relay/src/main.rs

@@ -0,0 +1,148 @@
+use std::sync::Arc;
+use std::time::Duration;
+
+use anyhow::{Context, Result};
+use axum::extract::State;
+use axum::http::{HeaderMap, StatusCode};
+use axum::routing::{get, post};
+use axum::{Json, Router};
+use noisebell_common::{validate_bearer, WebhookPayload};
+use tracing::{error, info, warn};
+
+#[derive(Clone)]
+struct AppState {
+    client: reqwest::Client,
+    inbound_api_key: String,
+    target_url: String,
+    target_secret: Option<String>,
+    retry_attempts: u32,
+    retry_base_delay_secs: u64,
+}
+
+async fn post_webhook(
+    State(state): State<Arc<AppState>>,
+    headers: HeaderMap,
+    Json(payload): Json<WebhookPayload>,
+) -> StatusCode {
+    if !validate_bearer(&headers, &state.inbound_api_key) {
+        return StatusCode::UNAUTHORIZED;
+    }
+
+    info!(status = %payload.status, timestamp = payload.timestamp, "relay received webhook");
+
+    for attempt in 0..=state.retry_attempts {
+        let mut req = state.client.post(&state.target_url).json(&payload);
+        if let Some(secret) = &state.target_secret {
+            req = req.bearer_auth(secret);
+        }
+
+        match req.send().await {
+            Ok(resp) if resp.status().is_success() => {
+                info!(status = %payload.status, "relay forwarded webhook");
+                return StatusCode::OK;
+            }
+            result => {
+                let err_msg = match &result {
+                    Ok(resp) => format!("HTTP {}", resp.status()),
+                    Err(err) => err.to_string(),
+                };
+                if attempt == state.retry_attempts {
+                    error!(error = %err_msg, "relay failed to forward webhook after {} attempts", state.retry_attempts + 1);
+                    return StatusCode::BAD_GATEWAY;
+                }
+
+                let delay = Duration::from_secs(state.retry_base_delay_secs * 2u64.pow(attempt));
+                warn!(error = %err_msg, attempt = attempt + 1, "relay forward failed, retrying in {:?}", delay);
+                tokio::time::sleep(delay).await;
+            }
+        }
+    }
+
+    StatusCode::BAD_GATEWAY
+}
+
+async fn health() -> StatusCode {
+    StatusCode::OK
+}
+
+#[tokio::main]
+async fn main() -> Result<()> {
+    tracing_subscriber::fmt()
+        .with_env_filter(tracing_subscriber::EnvFilter::from_default_env())
+        .init();
+
+    let port: u16 = std::env::var("NOISEBELL_RELAY_PORT")
+        .unwrap_or_else(|_| "8090".into())
+        .parse()
+        .context("NOISEBELL_RELAY_PORT must be a valid u16")?;
+
+    let bind_address =
+        std::env::var("NOISEBELL_RELAY_BIND_ADDRESS").unwrap_or_else(|_| "0.0.0.0".into());
+
+    let inbound_api_key = std::env::var("NOISEBELL_RELAY_INBOUND_API_KEY")
+        .context("NOISEBELL_RELAY_INBOUND_API_KEY is required")?;
+
+    let target_base_url = std::env::var("NOISEBELL_RELAY_TARGET_BASE_URL")
+        .unwrap_or_else(|_| "http://homeassistant.local:8123".into())
+        .trim_end_matches('/')
+        .to_string();
+
+    let target_webhook_id = std::env::var("NOISEBELL_RELAY_TARGET_WEBHOOK_ID")
+        .context("NOISEBELL_RELAY_TARGET_WEBHOOK_ID is required")?;
+
+    let target_secret =
+        std::env::var("NOISEBELL_RELAY_TARGET_SECRET").ok().filter(|value| !value.is_empty());
+
+    let retry_attempts: u32 = std::env::var("NOISEBELL_RELAY_RETRY_ATTEMPTS")
+        .unwrap_or_else(|_| "3".into())
+        .parse()
+        .context("NOISEBELL_RELAY_RETRY_ATTEMPTS must be a valid u32")?;
+
+    let retry_base_delay_secs: u64 = std::env::var("NOISEBELL_RELAY_RETRY_BASE_DELAY_SECS")
+        .unwrap_or_else(|_| "1".into())
+        .parse()
+        .context("NOISEBELL_RELAY_RETRY_BASE_DELAY_SECS must be a valid u64")?;
+
+    let http_timeout_secs: u64 = std::env::var("NOISEBELL_RELAY_HTTP_TIMEOUT_SECS")
+        .unwrap_or_else(|_| "10".into())
+        .parse()
+        .context("NOISEBELL_RELAY_HTTP_TIMEOUT_SECS must be a valid u64")?;
+
+    let target_url = format!("{target_base_url}/api/webhook/{target_webhook_id}");
+
+    let client = reqwest::Client::builder()
+        .timeout(Duration::from_secs(http_timeout_secs))
+        .build()
+        .context("failed to build HTTP client")?;
+
+    let state = Arc::new(AppState {
+        client,
+        inbound_api_key,
+        target_url,
+        target_secret,
+        retry_attempts,
+        retry_base_delay_secs,
+    });
+
+    let app = Router::new()
+        .route("/health", get(health))
+        .route("/webhook", post(post_webhook))
+        .with_state(state);
+
+    let listener = tokio::net::TcpListener::bind((&*bind_address, port))
+        .await
+        .context(format!("failed to bind to {bind_address}:{port}"))?;
+
+    info!(port, "relay listening");
+
+    let mut sigterm = tokio::signal::unix::signal(tokio::signal::unix::SignalKind::terminate())
+        .context("failed to register SIGTERM handler")?;
+    axum::serve(listener, app)
+        .with_graceful_shutdown(async move {
+            sigterm.recv().await;
+        })
+        .await
+        .context("relay server error")?;
+
+    Ok(())
+}

remote/README.md

@@ -69,6 +69,7 @@ The flake exports a NixOS module for the hosted remote machine. It imports `agen
 | `secrets/pi-to-cache-key.age` | Pi + remote | Pi authenticates to cache `/webhook` |
 | `secrets/cache-to-pi-key.age` | Pi + remote | cache authenticates to Pi GET endpoints |
 | `secrets/discord-webhook-secret.age` | remote | cache authenticates to Discord bot `/webhook` |
+| `secrets/relay-webhook-secret.age` | Pi + remote | cache authenticates to the Pi relay `/webhook` |
 | `secrets/zulip-webhook-secret.age` | remote | cache authenticates to Zulip bridge `/webhook` |
 | `secrets/discord-token.age` | remote | Discord bot login |
 | `secrets/zulip-api-key.age` | remote | Zulip bot API authentication |

remote/hosted-module.nix

@@ -12,10 +12,20 @@ in
 
   users.groups.noisebell = { };
 
-  users.users.noisebell-cache.extraGroups = lib.mkIf cfgCache.enable [ "noisebell" ];
-  users.users.noisebell-rss.extraGroups = lib.mkIf cfgRss.enable [ "noisebell" ];
-  users.users.noisebell-discord.extraGroups = lib.mkIf cfgDiscord.enable [ "noisebell" ];
-  users.users.noisebell-zulip.extraGroups = lib.mkIf cfgZulip.enable [ "noisebell" ];
+  users.users = lib.mkMerge [
+    (lib.mkIf cfgCache.enable {
+      noisebell-cache.extraGroups = [ "noisebell" ];
+    })
+    (lib.mkIf cfgRss.enable {
+      noisebell-rss.extraGroups = [ "noisebell" ];
+    })
+    (lib.mkIf cfgDiscord.enable {
+      noisebell-discord.extraGroups = [ "noisebell" ];
+    })
+    (lib.mkIf cfgZulip.enable {
+      noisebell-zulip.extraGroups = [ "noisebell" ];
+    })
+  ];
 
   age.secrets.noisebell-pi-to-cache-key = {
     file = "${self}/secrets/pi-to-cache-key.age";
@@ -47,6 +57,12 @@ in
     mode = "0440";
   };
 
+  age.secrets.noisebell-relay-webhook-secret = {
+    file = "${self}/secrets/relay-webhook-secret.age";
+    group = "noisebell";
+    mode = "0440";
+  };
+
   age.secrets.noisebell-zulip-webhook-secret = {
     file = "${self}/secrets/zulip-webhook-secret.age";
     group = "noisebell";
@@ -68,30 +84,30 @@ in
     );
   };
 
-  services.noisebell-rss = lib.mkIf cfgRss.enable (
-    lib.optionalAttrs cfgCache.enable {
-      cacheUrl = lib.mkDefault "http://127.0.0.1:${toString cfgCache.port}";
-    }
+  services.noisebell-rss.cacheUrl = lib.mkIf (cfgRss.enable && cfgCache.enable) (
+    lib.mkDefault "http://127.0.0.1:${toString cfgCache.port}"
   );
 
-  services.noisebell-discord = lib.mkIf cfgDiscord.enable (
-    {
-      discordTokenFile = lib.mkDefault config.age.secrets.noisebell-discord-token.path;
-      webhookSecretFile = lib.mkDefault config.age.secrets.noisebell-discord-webhook-secret.path;
-    }
-    // lib.optionalAttrs cfgCache.enable {
-      cacheUrl = lib.mkDefault "http://127.0.0.1:${toString cfgCache.port}";
-      imageBaseUrl = lib.mkDefault "https://${cfgCache.domain}/image";
-    }
+  services.noisebell-discord.discordTokenFile = lib.mkIf cfgDiscord.enable (
+    lib.mkDefault config.age.secrets.noisebell-discord-token.path
+  );
+  services.noisebell-discord.webhookSecretFile = lib.mkIf cfgDiscord.enable (
+    lib.mkDefault config.age.secrets.noisebell-discord-webhook-secret.path
+  );
+  services.noisebell-discord.cacheUrl = lib.mkIf (cfgDiscord.enable && cfgCache.enable) (
+    lib.mkDefault "http://127.0.0.1:${toString cfgCache.port}"
+  );
+  services.noisebell-discord.imageBaseUrl = lib.mkIf (cfgDiscord.enable && cfgCache.enable) (
+    lib.mkDefault "https://${cfgCache.domain}/image"
   );
 
-  services.noisebell-zulip = lib.mkIf cfgZulip.enable (
-    {
-      apiKeyFile = lib.mkDefault config.age.secrets.noisebell-zulip-api-key.path;
-      webhookSecretFile = lib.mkDefault config.age.secrets.noisebell-zulip-webhook-secret.path;
-    }
-    // lib.optionalAttrs cfgCache.enable {
-      imageBaseUrl = lib.mkDefault "https://${cfgCache.domain}/image";
-    }
+  services.noisebell-zulip.apiKeyFile = lib.mkIf cfgZulip.enable (
+    lib.mkDefault config.age.secrets.noisebell-zulip-api-key.path
+  );
+  services.noisebell-zulip.webhookSecretFile = lib.mkIf cfgZulip.enable (
+    lib.mkDefault config.age.secrets.noisebell-zulip-webhook-secret.path
+  );
+  services.noisebell-zulip.imageBaseUrl = lib.mkIf (cfgZulip.enable && cfgCache.enable) (
+    lib.mkDefault "https://${cfgCache.domain}/image"
   );
 }

scripts/deploy-pios-pi.sh

@@ -23,12 +23,19 @@ SSH_OPTS=(
 echo "Building static aarch64 Noisebell binary locally..."
 PACKAGE_PATH=$(nix build .#packages.aarch64-linux.noisebell-static --print-out-paths --no-link)
 BIN_PATH="$PACKAGE_PATH/bin/noisebell"
+RELAY_PACKAGE_PATH=$(nix build .#packages.aarch64-linux.noisebell-relay-static --print-out-paths --no-link)
+RELAY_BIN_PATH="$RELAY_PACKAGE_PATH/bin/noisebell-relay"
 
 if [[ ! -x "$BIN_PATH" ]]; then
   echo "built binary not found: $BIN_PATH" >&2
   exit 1
 fi
 
+if [[ ! -x "$RELAY_BIN_PATH" ]]; then
+  echo "built relay binary not found: $RELAY_BIN_PATH" >&2
+  exit 1
+fi
+
 if ! command -v agenix >/dev/null 2>&1; then
   echo "agenix is required in your shell to decrypt secrets locally" >&2
   exit 1
@@ -39,17 +46,22 @@ echo "Decrypting Pi secrets locally..."
   cd "$REPO_ROOT/secrets"
   RULES="$REPO_ROOT/secrets/secrets.nix" agenix -d pi-to-cache-key.age > "$TMP_DIR/pi-to-cache-key"
   RULES="$REPO_ROOT/secrets/secrets.nix" agenix -d cache-to-pi-key.age > "$TMP_DIR/cache-to-pi-key"
+  RULES="$REPO_ROOT/secrets/secrets.nix" agenix -d relay-webhook-secret.age > "$TMP_DIR/relay-webhook-secret"
+  RULES="$REPO_ROOT/secrets/secrets.nix" agenix -d homeassistant-webhook-id.age > "$TMP_DIR/homeassistant-webhook-id"
   RULES="$REPO_ROOT/secrets/secrets.nix" agenix -d tailscale-auth-key.age > "$TMP_DIR/tailscale-auth-key"
 )
 chmod 600 "$TMP_DIR"/*
 
 echo "Preparing remote directories on $TARGET_HOST..."
-ssh "${SSH_OPTS[@]}" "$TARGET_HOST" "mkdir -p '$REMOTE_TMP_DIR' && rm -f '$REMOTE_TMP_DIR/noisebell' '$REMOTE_TMP_DIR/pi-to-cache-key' '$REMOTE_TMP_DIR/cache-to-pi-key' '$REMOTE_TMP_DIR/tailscale-auth-key' && sudo mkdir -p '$REMOTE_RELEASE_DIR' /etc/noisebell /opt/noisebell/releases /var/lib/noisebell"
+ssh "${SSH_OPTS[@]}" "$TARGET_HOST" "mkdir -p '$REMOTE_TMP_DIR' && rm -f '$REMOTE_TMP_DIR/noisebell' '$REMOTE_TMP_DIR/noisebell-relay' '$REMOTE_TMP_DIR/pi-to-cache-key' '$REMOTE_TMP_DIR/cache-to-pi-key' '$REMOTE_TMP_DIR/relay-webhook-secret' '$REMOTE_TMP_DIR/homeassistant-webhook-id' '$REMOTE_TMP_DIR/tailscale-auth-key' && sudo mkdir -p '$REMOTE_RELEASE_DIR' /etc/noisebell /opt/noisebell/releases /var/lib/noisebell"
 
 echo "Uploading binary and secret files..."
 scp "${SSH_OPTS[@]}" "$BIN_PATH" "$TARGET_HOST:$REMOTE_TMP_DIR/noisebell"
+scp "${SSH_OPTS[@]}" "$RELAY_BIN_PATH" "$TARGET_HOST:$REMOTE_TMP_DIR/noisebell-relay"
 scp "${SSH_OPTS[@]}" "$TMP_DIR/pi-to-cache-key" "$TARGET_HOST:$REMOTE_TMP_DIR/pi-to-cache-key"
 scp "${SSH_OPTS[@]}" "$TMP_DIR/cache-to-pi-key" "$TARGET_HOST:$REMOTE_TMP_DIR/cache-to-pi-key"
+scp "${SSH_OPTS[@]}" "$TMP_DIR/relay-webhook-secret" "$TARGET_HOST:$REMOTE_TMP_DIR/relay-webhook-secret"
+scp "${SSH_OPTS[@]}" "$TMP_DIR/homeassistant-webhook-id" "$TARGET_HOST:$REMOTE_TMP_DIR/homeassistant-webhook-id"
 scp "${SSH_OPTS[@]}" "$TMP_DIR/tailscale-auth-key" "$TARGET_HOST:$REMOTE_TMP_DIR/tailscale-auth-key"
 
 echo "Installing service and Tailscale on $TARGET_HOST..."
@@ -76,11 +88,14 @@ fi
 sudo systemctl enable --now ssh avahi-daemon tailscaled
 
 sudo install -m 755 "$REMOTE_TMP_DIR/noisebell" "$REMOTE_RELEASE_DIR/noisebell"
+sudo install -m 755 "$REMOTE_TMP_DIR/noisebell-relay" "$REMOTE_RELEASE_DIR/noisebell-relay"
 sudo mv "$REMOTE_TMP_DIR/pi-to-cache-key" /etc/noisebell/pi-to-cache-key
 sudo mv "$REMOTE_TMP_DIR/cache-to-pi-key" /etc/noisebell/cache-to-pi-key
+sudo mv "$REMOTE_TMP_DIR/relay-webhook-secret" /etc/noisebell/relay-webhook-secret
+sudo mv "$REMOTE_TMP_DIR/homeassistant-webhook-id" /etc/noisebell/homeassistant-webhook-id
 sudo mv "$REMOTE_TMP_DIR/tailscale-auth-key" /etc/noisebell/tailscale-auth-key
-sudo chown root:root /etc/noisebell/pi-to-cache-key /etc/noisebell/cache-to-pi-key /etc/noisebell/tailscale-auth-key
-sudo chmod 600 /etc/noisebell/pi-to-cache-key /etc/noisebell/cache-to-pi-key /etc/noisebell/tailscale-auth-key
+sudo chown root:root /etc/noisebell/pi-to-cache-key /etc/noisebell/cache-to-pi-key /etc/noisebell/relay-webhook-secret /etc/noisebell/homeassistant-webhook-id /etc/noisebell/tailscale-auth-key
+sudo chmod 600 /etc/noisebell/pi-to-cache-key /etc/noisebell/cache-to-pi-key /etc/noisebell/relay-webhook-secret /etc/noisebell/homeassistant-webhook-id /etc/noisebell/tailscale-auth-key
 
 sudo tee /etc/noisebell/noisebell.env >/dev/null <<'ENVEOF'
 NOISEBELL_GPIO_PIN=17
@@ -96,6 +111,17 @@ RUST_LOG=info
 ENVEOF
 sudo chmod 600 /etc/noisebell/noisebell.env
 
+sudo tee /etc/noisebell/noisebell-relay.env >/dev/null <<'ENVEOF'
+NOISEBELL_RELAY_PORT=8090
+NOISEBELL_RELAY_BIND_ADDRESS=0.0.0.0
+NOISEBELL_RELAY_TARGET_BASE_URL=http://homeassistant.local:8123
+NOISEBELL_RELAY_RETRY_ATTEMPTS=3
+NOISEBELL_RELAY_RETRY_BASE_DELAY_SECS=1
+NOISEBELL_RELAY_HTTP_TIMEOUT_SECS=10
+RUST_LOG=info
+ENVEOF
+sudo chmod 600 /etc/noisebell/noisebell-relay.env
+
 sudo tee /etc/systemd/system/noisebell.service >/dev/null <<'UNITEOF'
 [Unit]
 Description=Noisebell GPIO door monitor
@@ -115,10 +141,29 @@ WatchdogSec=30
 WantedBy=multi-user.target
 UNITEOF
 
+sudo tee /etc/systemd/system/noisebell-relay.service >/dev/null <<'UNITEOF'
+[Unit]
+Description=Noisebell relay webhook bridge
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+EnvironmentFile=/etc/noisebell/noisebell-relay.env
+ExecStart=/bin/bash -lc 'export NOISEBELL_RELAY_INBOUND_API_KEY="$$(cat /etc/noisebell/relay-webhook-secret)"; export NOISEBELL_RELAY_TARGET_WEBHOOK_ID="$$(cat /etc/noisebell/homeassistant-webhook-id)"; exec /opt/noisebell/current/noisebell-relay'
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+UNITEOF
+
 sudo ln -sfn "$REMOTE_RELEASE_DIR" "$REMOTE_CURRENT_LINK"
 sudo systemctl daemon-reload
 sudo systemctl enable noisebell.service
+sudo systemctl enable noisebell-relay.service
 sudo systemctl restart noisebell.service
+sudo systemctl restart noisebell-relay.service
 sudo systemctl restart avahi-daemon
 
 sudo tailscale up --auth-key="$(sudo cat /etc/noisebell/tailscale-auth-key)" --hostname=noisebell-pi || true

scripts/nhs

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
+REPO_ROOT=$(cd -- "$SCRIPT_DIR/.." && pwd)
+
+exec nixos-rebuild switch \
+  --flake /home/jet/Documents/extremist-software#extremist-software \
+  --target-host jet@extremist-software \
+  --sudo \
+  --override-input noisebell "$REPO_ROOT" \
+  "$@"

secrets/homeassistant-webhook-id.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 Ziw7aw o2OepqUVulb7kJMNRMs3MK4HjD9ufgXgPahtYydBbXk
+gFdMCu/Wk4q9g7xByhXyRIbdx7V45cwmxVn580WuFwM
+-> ssh-ed25519 NFB4qA fQRwLbNWTx/FWZBPjpbt4P0a2sZY3QR2szdRe1cfTE4
+DR0fSdupUNJfpnbB3Ogkp27me4J0IcQ6VVQmBKXlNoI
+-> X25519 fZhP22fLYaVseoaWRa+VPKqZ4aZFNibHgMp//vOp7AE
+JtwFvGYJEOD26cBhmSWrCNmFkigb/ku56xNXkYn4xMM
+--- pPugQ6fRUfnW6dG+GcIHDhAbn6/Za5g1vZmWZGXk3Wk
+Càü§<EFBFBD>
ìÖW™åQ]Ý1¼<31>`7ü"?‰ú]Uà9z²

secrets/relay-webhook-secret.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 Ziw7aw s7p6bAEzWqyyF4yGBGyYi4IAVMofpY+vofEdnAUASAo
+3iFJpniAgjy9r5oSDO0w288S80iKWniV36RUfMRRubc
+-> ssh-ed25519 NFB4qA eP/M902eua/ytCKABTrgcCV3vKDfuMlvg31b9jIc7E4
+OI/iXdRD/Km1qMRpx9h2Kabn6HWtwnHstushKZfyi+E
+-> X25519 dNnIn/Tq/llh8NBvrAMcVeKVMl8C1nq6gCvI+TpxOQI
+vOLTD/uROCiPnG42MioEqA1A8Ei/acmI75Eg7CIJuL4
+-> ssh-ed25519 uKftJg K2ZIMhMIEzvaowRkHk90FK9Xkq01qvBh+xZ1tZ5H8Cc
+QE/BLIS+2W+kdKEaJdgJHoGWMJ3TsVmx3DZ2+B3spDw
+--- qY2aDrsCm4Xs2AchoDxhQzfhWrGWLJ6Z5t8/4Gc5lF4
+4!£2ýF³ì[(C}
+ål<EFBFBD>m‰"×#kæNæL·è1

secrets/secrets.nix

@@ -35,6 +35,17 @@ in
     jet
     server
   ];
+  "homeassistant-webhook-id.age".publicKeys = [
+    jet
+    pi
+    piBootstrap
+  ];
+  "relay-webhook-secret.age".publicKeys = [
+    jet
+    pi
+    piBootstrap
+    server
+  ];
   "zulip-webhook-secret.age".publicKeys = [
     jet
     server