From 4f7ac0e7d7f183e1198c844c9aab573040995493 Mon Sep 17 00:00:00 2001 From: Jet Date: Mon, 23 Mar 2026 22:45:49 -0700 Subject: [PATCH] feat: add home assistant capability with pi-relay --- Cargo.lock | 13 +++ Cargo.toml | 1 + flake.nix | 54 ++++++++++ pi/README.md | 49 +++++++-- pi/pi-relay/Cargo.toml | 16 +++ pi/pi-relay/src/main.rs | 148 +++++++++++++++++++++++++++ remote/README.md | 1 + remote/hosted-module.nix | 66 +++++++----- scripts/deploy-pios-pi.sh | 51 ++++++++- scripts/nhs | 12 +++ secrets/homeassistant-webhook-id.age | 13 +++ secrets/relay-webhook-secret.age | 15 +++ secrets/secrets.nix | 11 ++ 13 files changed, 415 insertions(+), 35 deletions(-) create mode 100644 pi/pi-relay/Cargo.toml create mode 100644 pi/pi-relay/src/main.rs create mode 100755 scripts/nhs create mode 100644 secrets/homeassistant-webhook-id.age create mode 100644 secrets/relay-webhook-secret.age diff --git a/Cargo.lock b/Cargo.lock index 9fa68da..618d4dd 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -906,6 +906,19 @@ dependencies = [ "tracing-subscriber", ] +[[package]] +name = "noisebell-relay" +version = "0.1.0" +dependencies = [ + "anyhow", + "axum", + "noisebell-common", + "reqwest", + "tokio", + "tracing", + "tracing-subscriber", +] + [[package]] name = "noisebell-rss" version = "0.1.0" diff --git a/Cargo.toml b/Cargo.toml index b7ad6d7..48c0d7c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,7 @@ [workspace] members = [ "pi/pi-service", + "pi/pi-relay", "remote/noisebell-common", "remote/cache-service", "remote/rss-service", diff --git a/flake.nix b/flake.nix index eb3404f..3cf74f2 100644 --- a/flake.nix +++ b/flake.nix @@ -108,6 +108,23 @@ cargoExtraArgs = "-p noisebell"; }; + piRelayArgs = { + inherit src; + pname = "noisebell-pi-relay"; + version = "0.1.0"; + strictDeps = true; + doCheck = false; + + CARGO_BUILD_TARGET = "aarch64-unknown-linux-gnu"; + CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER = "${crossPkgs.stdenv.cc.targetPrefix}cc"; + TARGET_CC = "${crossPkgs.stdenv.cc.targetPrefix}cc"; + CC_aarch64_unknown_linux_gnu = "${crossPkgs.stdenv.cc.targetPrefix}cc"; + HOST_CC = "${pkgs.stdenv.cc.nativePrefix}cc"; + + depsBuildBuild = [ crossPkgs.stdenv.cc ]; + cargoExtraArgs = "-p noisebell-relay"; + }; + piArtifacts = piCraneLib.buildDepsOnly piArgs; noisebell-pi = piCraneLib.buildPackage ( @@ -117,6 +134,15 @@ } ); + piRelayArtifacts = piCraneLib.buildDepsOnly piRelayArgs; + + noisebell-pi-relay = piCraneLib.buildPackage ( + piRelayArgs + // { + cargoArtifacts = piRelayArtifacts; + } + ); + piStaticArgs = { inherit src; pname = "noisebell-pi-static"; @@ -134,6 +160,23 @@ cargoExtraArgs = "-p noisebell"; }; + piRelayStaticArgs = { + inherit src; + pname = "noisebell-pi-relay-static"; + version = "0.1.0"; + strictDeps = true; + doCheck = false; + + CARGO_BUILD_TARGET = "aarch64-unknown-linux-musl"; + CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER = "${muslPkgs.stdenv.cc.targetPrefix}cc"; + TARGET_CC = "${muslPkgs.stdenv.cc.targetPrefix}cc"; + CC_aarch64_unknown_linux_musl = "${muslPkgs.stdenv.cc.targetPrefix}cc"; + HOST_CC = "${pkgs.stdenv.cc.nativePrefix}cc"; + + depsBuildBuild = [ muslPkgs.stdenv.cc ]; + cargoExtraArgs = "-p noisebell-relay"; + }; + piStaticArtifacts = piCraneLib.buildDepsOnly piStaticArgs; noisebell-pi-static = piCraneLib.buildPackage ( @@ -143,6 +186,15 @@ } ); + piRelayStaticArtifacts = piCraneLib.buildDepsOnly piRelayStaticArgs; + + noisebell-pi-relay-static = piCraneLib.buildPackage ( + piRelayStaticArgs + // { + cargoArtifacts = piRelayStaticArtifacts; + } + ); + piImageBaseModule = { lib, @@ -359,7 +411,9 @@ packages.aarch64-linux = { noisebell = noisebell-pi; + noisebell-relay = noisebell-pi-relay; noisebell-static = noisebell-pi-static; + noisebell-relay-static = noisebell-pi-relay-static; default = noisebell-pi; }; diff --git a/pi/README.md b/pi/README.md index fe555c7..8271391 100644 --- a/pi/README.md +++ b/pi/README.md @@ -111,25 +111,32 @@ scripts/deploy-pios-pi.sh pi@10.21.x.x That script: 1. builds `.#packages.aarch64-linux.noisebell-static` locally -2. decrypts the Pi-facing secrets locally with `agenix` -3. uploads the binary and secrets to the Pi -4. installs Tailscale and Avahi if needed -5. writes `/etc/noisebell/noisebell.env` -6. installs `noisebell.service` -7. enables and starts the service -8. runs `tailscale up` with the decrypted auth key +2. builds `.#packages.aarch64-linux.noisebell-relay-static` locally +3. decrypts the Pi-facing secrets locally with `agenix` +4. uploads the binaries and secrets to the Pi +5. installs Tailscale and Avahi if needed +6. writes `/etc/noisebell/noisebell.env` +7. writes `/etc/noisebell/noisebell-relay.env` +8. installs `noisebell.service` and `noisebell-relay.service` +9. enables and starts both services +10. runs `tailscale up` with the decrypted auth key ## Files written on the Pi The deploy script creates: - `/opt/noisebell/releases//noisebell` +- `/opt/noisebell/releases//noisebell-relay` - `/opt/noisebell/current` -> current release symlink - `/etc/noisebell/pi-to-cache-key` - `/etc/noisebell/cache-to-pi-key` +- `/etc/noisebell/relay-webhook-secret` +- `/etc/noisebell/homeassistant-webhook-id` - `/etc/noisebell/tailscale-auth-key` - `/etc/noisebell/noisebell.env` +- `/etc/noisebell/noisebell-relay.env` - `/etc/systemd/system/noisebell.service` +- `/etc/systemd/system/noisebell-relay.service` All secret files are root-only. @@ -171,6 +178,34 @@ The deployed service uses these environment variables: | `NOISEBELL_BIND_ADDRESS` | `0.0.0.0` | HTTP bind address | | `NOISEBELL_ACTIVE_LOW` | `true` | Low GPIO = door open | +## Relay service configuration + +The optional relay service accepts authenticated webhooks from cache-service and forwards them to Home Assistant on the local network. + +| Variable | Default | Description | +|---|---|---| +| `NOISEBELL_RELAY_PORT` | `8090` | HTTP port for the relay webhook endpoint | +| `NOISEBELL_RELAY_BIND_ADDRESS` | `0.0.0.0` | HTTP bind address | +| `NOISEBELL_RELAY_TARGET_BASE_URL` | `http://homeassistant.local:8123` | Base URL for Home Assistant | +| `NOISEBELL_RELAY_TARGET_WEBHOOK_ID` | required | Home Assistant webhook ID | +| `NOISEBELL_RELAY_INBOUND_API_KEY` | required | Bearer token expected from cache-service | +| `NOISEBELL_RELAY_RETRY_ATTEMPTS` | `3` | Forward retry count | +| `NOISEBELL_RELAY_RETRY_BASE_DELAY_SECS` | `1` | Exponential backoff base delay | +| `NOISEBELL_RELAY_HTTP_TIMEOUT_SECS` | `10` | Outbound request timeout | + +Example cache target for the relay: + +```nix +{ + services.noisebell-cache.outboundWebhooks = [ + { + url = "http://noisebell-pi.local:8090/webhook"; + secretFile = /run/agenix/noisebell-relay-webhook-secret; + } + ]; +} +``` + ## API All endpoints require `Authorization: Bearer `. diff --git a/pi/pi-relay/Cargo.toml b/pi/pi-relay/Cargo.toml new file mode 100644 index 0000000..4d8c4cb --- /dev/null +++ b/pi/pi-relay/Cargo.toml @@ -0,0 +1,16 @@ +[package] +name = "noisebell-relay" +version = "0.1.0" +edition = "2021" + +[lints] +workspace = true + +[dependencies] +anyhow = "1.0" +axum = "0.8" +noisebell-common = { path = "../../remote/noisebell-common" } +reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] } +tokio = { version = "1", features = ["rt-multi-thread", "macros", "net", "signal", "time"] } +tracing = "0.1" +tracing-subscriber = { version = "0.3", features = ["env-filter"] } diff --git a/pi/pi-relay/src/main.rs b/pi/pi-relay/src/main.rs new file mode 100644 index 0000000..9da54eb --- /dev/null +++ b/pi/pi-relay/src/main.rs @@ -0,0 +1,148 @@ +use std::sync::Arc; +use std::time::Duration; + +use anyhow::{Context, Result}; +use axum::extract::State; +use axum::http::{HeaderMap, StatusCode}; +use axum::routing::{get, post}; +use axum::{Json, Router}; +use noisebell_common::{validate_bearer, WebhookPayload}; +use tracing::{error, info, warn}; + +#[derive(Clone)] +struct AppState { + client: reqwest::Client, + inbound_api_key: String, + target_url: String, + target_secret: Option, + retry_attempts: u32, + retry_base_delay_secs: u64, +} + +async fn post_webhook( + State(state): State>, + headers: HeaderMap, + Json(payload): Json, +) -> StatusCode { + if !validate_bearer(&headers, &state.inbound_api_key) { + return StatusCode::UNAUTHORIZED; + } + + info!(status = %payload.status, timestamp = payload.timestamp, "relay received webhook"); + + for attempt in 0..=state.retry_attempts { + let mut req = state.client.post(&state.target_url).json(&payload); + if let Some(secret) = &state.target_secret { + req = req.bearer_auth(secret); + } + + match req.send().await { + Ok(resp) if resp.status().is_success() => { + info!(status = %payload.status, "relay forwarded webhook"); + return StatusCode::OK; + } + result => { + let err_msg = match &result { + Ok(resp) => format!("HTTP {}", resp.status()), + Err(err) => err.to_string(), + }; + if attempt == state.retry_attempts { + error!(error = %err_msg, "relay failed to forward webhook after {} attempts", state.retry_attempts + 1); + return StatusCode::BAD_GATEWAY; + } + + let delay = Duration::from_secs(state.retry_base_delay_secs * 2u64.pow(attempt)); + warn!(error = %err_msg, attempt = attempt + 1, "relay forward failed, retrying in {:?}", delay); + tokio::time::sleep(delay).await; + } + } + } + + StatusCode::BAD_GATEWAY +} + +async fn health() -> StatusCode { + StatusCode::OK +} + +#[tokio::main] +async fn main() -> Result<()> { + tracing_subscriber::fmt() + .with_env_filter(tracing_subscriber::EnvFilter::from_default_env()) + .init(); + + let port: u16 = std::env::var("NOISEBELL_RELAY_PORT") + .unwrap_or_else(|_| "8090".into()) + .parse() + .context("NOISEBELL_RELAY_PORT must be a valid u16")?; + + let bind_address = + std::env::var("NOISEBELL_RELAY_BIND_ADDRESS").unwrap_or_else(|_| "0.0.0.0".into()); + + let inbound_api_key = std::env::var("NOISEBELL_RELAY_INBOUND_API_KEY") + .context("NOISEBELL_RELAY_INBOUND_API_KEY is required")?; + + let target_base_url = std::env::var("NOISEBELL_RELAY_TARGET_BASE_URL") + .unwrap_or_else(|_| "http://homeassistant.local:8123".into()) + .trim_end_matches('/') + .to_string(); + + let target_webhook_id = std::env::var("NOISEBELL_RELAY_TARGET_WEBHOOK_ID") + .context("NOISEBELL_RELAY_TARGET_WEBHOOK_ID is required")?; + + let target_secret = + std::env::var("NOISEBELL_RELAY_TARGET_SECRET").ok().filter(|value| !value.is_empty()); + + let retry_attempts: u32 = std::env::var("NOISEBELL_RELAY_RETRY_ATTEMPTS") + .unwrap_or_else(|_| "3".into()) + .parse() + .context("NOISEBELL_RELAY_RETRY_ATTEMPTS must be a valid u32")?; + + let retry_base_delay_secs: u64 = std::env::var("NOISEBELL_RELAY_RETRY_BASE_DELAY_SECS") + .unwrap_or_else(|_| "1".into()) + .parse() + .context("NOISEBELL_RELAY_RETRY_BASE_DELAY_SECS must be a valid u64")?; + + let http_timeout_secs: u64 = std::env::var("NOISEBELL_RELAY_HTTP_TIMEOUT_SECS") + .unwrap_or_else(|_| "10".into()) + .parse() + .context("NOISEBELL_RELAY_HTTP_TIMEOUT_SECS must be a valid u64")?; + + let target_url = format!("{target_base_url}/api/webhook/{target_webhook_id}"); + + let client = reqwest::Client::builder() + .timeout(Duration::from_secs(http_timeout_secs)) + .build() + .context("failed to build HTTP client")?; + + let state = Arc::new(AppState { + client, + inbound_api_key, + target_url, + target_secret, + retry_attempts, + retry_base_delay_secs, + }); + + let app = Router::new() + .route("/health", get(health)) + .route("/webhook", post(post_webhook)) + .with_state(state); + + let listener = tokio::net::TcpListener::bind((&*bind_address, port)) + .await + .context(format!("failed to bind to {bind_address}:{port}"))?; + + info!(port, "relay listening"); + + let mut sigterm = tokio::signal::unix::signal(tokio::signal::unix::SignalKind::terminate()) + .context("failed to register SIGTERM handler")?; + axum::serve(listener, app) + .with_graceful_shutdown(async move { + sigterm.recv().await; + }) + .await + .context("relay server error")?; + + Ok(()) +} diff --git a/remote/README.md b/remote/README.md index 6304fa5..30b14d4 100644 --- a/remote/README.md +++ b/remote/README.md @@ -69,6 +69,7 @@ The flake exports a NixOS module for the hosted remote machine. It imports `agen | `secrets/pi-to-cache-key.age` | Pi + remote | Pi authenticates to cache `/webhook` | | `secrets/cache-to-pi-key.age` | Pi + remote | cache authenticates to Pi GET endpoints | | `secrets/discord-webhook-secret.age` | remote | cache authenticates to Discord bot `/webhook` | +| `secrets/relay-webhook-secret.age` | Pi + remote | cache authenticates to the Pi relay `/webhook` | | `secrets/zulip-webhook-secret.age` | remote | cache authenticates to Zulip bridge `/webhook` | | `secrets/discord-token.age` | remote | Discord bot login | | `secrets/zulip-api-key.age` | remote | Zulip bot API authentication | diff --git a/remote/hosted-module.nix b/remote/hosted-module.nix index 9b80661..610fc4f 100644 --- a/remote/hosted-module.nix +++ b/remote/hosted-module.nix @@ -12,10 +12,20 @@ in users.groups.noisebell = { }; - users.users.noisebell-cache.extraGroups = lib.mkIf cfgCache.enable [ "noisebell" ]; - users.users.noisebell-rss.extraGroups = lib.mkIf cfgRss.enable [ "noisebell" ]; - users.users.noisebell-discord.extraGroups = lib.mkIf cfgDiscord.enable [ "noisebell" ]; - users.users.noisebell-zulip.extraGroups = lib.mkIf cfgZulip.enable [ "noisebell" ]; + users.users = lib.mkMerge [ + (lib.mkIf cfgCache.enable { + noisebell-cache.extraGroups = [ "noisebell" ]; + }) + (lib.mkIf cfgRss.enable { + noisebell-rss.extraGroups = [ "noisebell" ]; + }) + (lib.mkIf cfgDiscord.enable { + noisebell-discord.extraGroups = [ "noisebell" ]; + }) + (lib.mkIf cfgZulip.enable { + noisebell-zulip.extraGroups = [ "noisebell" ]; + }) + ]; age.secrets.noisebell-pi-to-cache-key = { file = "${self}/secrets/pi-to-cache-key.age"; @@ -47,6 +57,12 @@ in mode = "0440"; }; + age.secrets.noisebell-relay-webhook-secret = { + file = "${self}/secrets/relay-webhook-secret.age"; + group = "noisebell"; + mode = "0440"; + }; + age.secrets.noisebell-zulip-webhook-secret = { file = "${self}/secrets/zulip-webhook-secret.age"; group = "noisebell"; @@ -68,30 +84,30 @@ in ); }; - services.noisebell-rss = lib.mkIf cfgRss.enable ( - lib.optionalAttrs cfgCache.enable { - cacheUrl = lib.mkDefault "http://127.0.0.1:${toString cfgCache.port}"; - } + services.noisebell-rss.cacheUrl = lib.mkIf (cfgRss.enable && cfgCache.enable) ( + lib.mkDefault "http://127.0.0.1:${toString cfgCache.port}" ); - services.noisebell-discord = lib.mkIf cfgDiscord.enable ( - { - discordTokenFile = lib.mkDefault config.age.secrets.noisebell-discord-token.path; - webhookSecretFile = lib.mkDefault config.age.secrets.noisebell-discord-webhook-secret.path; - } - // lib.optionalAttrs cfgCache.enable { - cacheUrl = lib.mkDefault "http://127.0.0.1:${toString cfgCache.port}"; - imageBaseUrl = lib.mkDefault "https://${cfgCache.domain}/image"; - } + services.noisebell-discord.discordTokenFile = lib.mkIf cfgDiscord.enable ( + lib.mkDefault config.age.secrets.noisebell-discord-token.path + ); + services.noisebell-discord.webhookSecretFile = lib.mkIf cfgDiscord.enable ( + lib.mkDefault config.age.secrets.noisebell-discord-webhook-secret.path + ); + services.noisebell-discord.cacheUrl = lib.mkIf (cfgDiscord.enable && cfgCache.enable) ( + lib.mkDefault "http://127.0.0.1:${toString cfgCache.port}" + ); + services.noisebell-discord.imageBaseUrl = lib.mkIf (cfgDiscord.enable && cfgCache.enable) ( + lib.mkDefault "https://${cfgCache.domain}/image" ); - services.noisebell-zulip = lib.mkIf cfgZulip.enable ( - { - apiKeyFile = lib.mkDefault config.age.secrets.noisebell-zulip-api-key.path; - webhookSecretFile = lib.mkDefault config.age.secrets.noisebell-zulip-webhook-secret.path; - } - // lib.optionalAttrs cfgCache.enable { - imageBaseUrl = lib.mkDefault "https://${cfgCache.domain}/image"; - } + services.noisebell-zulip.apiKeyFile = lib.mkIf cfgZulip.enable ( + lib.mkDefault config.age.secrets.noisebell-zulip-api-key.path + ); + services.noisebell-zulip.webhookSecretFile = lib.mkIf cfgZulip.enable ( + lib.mkDefault config.age.secrets.noisebell-zulip-webhook-secret.path + ); + services.noisebell-zulip.imageBaseUrl = lib.mkIf (cfgZulip.enable && cfgCache.enable) ( + lib.mkDefault "https://${cfgCache.domain}/image" ); } diff --git a/scripts/deploy-pios-pi.sh b/scripts/deploy-pios-pi.sh index 11242a1..21e2eb2 100755 --- a/scripts/deploy-pios-pi.sh +++ b/scripts/deploy-pios-pi.sh @@ -23,12 +23,19 @@ SSH_OPTS=( echo "Building static aarch64 Noisebell binary locally..." PACKAGE_PATH=$(nix build .#packages.aarch64-linux.noisebell-static --print-out-paths --no-link) BIN_PATH="$PACKAGE_PATH/bin/noisebell" +RELAY_PACKAGE_PATH=$(nix build .#packages.aarch64-linux.noisebell-relay-static --print-out-paths --no-link) +RELAY_BIN_PATH="$RELAY_PACKAGE_PATH/bin/noisebell-relay" if [[ ! -x "$BIN_PATH" ]]; then echo "built binary not found: $BIN_PATH" >&2 exit 1 fi +if [[ ! -x "$RELAY_BIN_PATH" ]]; then + echo "built relay binary not found: $RELAY_BIN_PATH" >&2 + exit 1 +fi + if ! command -v agenix >/dev/null 2>&1; then echo "agenix is required in your shell to decrypt secrets locally" >&2 exit 1 @@ -39,17 +46,22 @@ echo "Decrypting Pi secrets locally..." cd "$REPO_ROOT/secrets" RULES="$REPO_ROOT/secrets/secrets.nix" agenix -d pi-to-cache-key.age > "$TMP_DIR/pi-to-cache-key" RULES="$REPO_ROOT/secrets/secrets.nix" agenix -d cache-to-pi-key.age > "$TMP_DIR/cache-to-pi-key" + RULES="$REPO_ROOT/secrets/secrets.nix" agenix -d relay-webhook-secret.age > "$TMP_DIR/relay-webhook-secret" + RULES="$REPO_ROOT/secrets/secrets.nix" agenix -d homeassistant-webhook-id.age > "$TMP_DIR/homeassistant-webhook-id" RULES="$REPO_ROOT/secrets/secrets.nix" agenix -d tailscale-auth-key.age > "$TMP_DIR/tailscale-auth-key" ) chmod 600 "$TMP_DIR"/* echo "Preparing remote directories on $TARGET_HOST..." -ssh "${SSH_OPTS[@]}" "$TARGET_HOST" "mkdir -p '$REMOTE_TMP_DIR' && rm -f '$REMOTE_TMP_DIR/noisebell' '$REMOTE_TMP_DIR/pi-to-cache-key' '$REMOTE_TMP_DIR/cache-to-pi-key' '$REMOTE_TMP_DIR/tailscale-auth-key' && sudo mkdir -p '$REMOTE_RELEASE_DIR' /etc/noisebell /opt/noisebell/releases /var/lib/noisebell" +ssh "${SSH_OPTS[@]}" "$TARGET_HOST" "mkdir -p '$REMOTE_TMP_DIR' && rm -f '$REMOTE_TMP_DIR/noisebell' '$REMOTE_TMP_DIR/noisebell-relay' '$REMOTE_TMP_DIR/pi-to-cache-key' '$REMOTE_TMP_DIR/cache-to-pi-key' '$REMOTE_TMP_DIR/relay-webhook-secret' '$REMOTE_TMP_DIR/homeassistant-webhook-id' '$REMOTE_TMP_DIR/tailscale-auth-key' && sudo mkdir -p '$REMOTE_RELEASE_DIR' /etc/noisebell /opt/noisebell/releases /var/lib/noisebell" echo "Uploading binary and secret files..." scp "${SSH_OPTS[@]}" "$BIN_PATH" "$TARGET_HOST:$REMOTE_TMP_DIR/noisebell" +scp "${SSH_OPTS[@]}" "$RELAY_BIN_PATH" "$TARGET_HOST:$REMOTE_TMP_DIR/noisebell-relay" scp "${SSH_OPTS[@]}" "$TMP_DIR/pi-to-cache-key" "$TARGET_HOST:$REMOTE_TMP_DIR/pi-to-cache-key" scp "${SSH_OPTS[@]}" "$TMP_DIR/cache-to-pi-key" "$TARGET_HOST:$REMOTE_TMP_DIR/cache-to-pi-key" +scp "${SSH_OPTS[@]}" "$TMP_DIR/relay-webhook-secret" "$TARGET_HOST:$REMOTE_TMP_DIR/relay-webhook-secret" +scp "${SSH_OPTS[@]}" "$TMP_DIR/homeassistant-webhook-id" "$TARGET_HOST:$REMOTE_TMP_DIR/homeassistant-webhook-id" scp "${SSH_OPTS[@]}" "$TMP_DIR/tailscale-auth-key" "$TARGET_HOST:$REMOTE_TMP_DIR/tailscale-auth-key" echo "Installing service and Tailscale on $TARGET_HOST..." @@ -76,11 +88,14 @@ fi sudo systemctl enable --now ssh avahi-daemon tailscaled sudo install -m 755 "$REMOTE_TMP_DIR/noisebell" "$REMOTE_RELEASE_DIR/noisebell" +sudo install -m 755 "$REMOTE_TMP_DIR/noisebell-relay" "$REMOTE_RELEASE_DIR/noisebell-relay" sudo mv "$REMOTE_TMP_DIR/pi-to-cache-key" /etc/noisebell/pi-to-cache-key sudo mv "$REMOTE_TMP_DIR/cache-to-pi-key" /etc/noisebell/cache-to-pi-key +sudo mv "$REMOTE_TMP_DIR/relay-webhook-secret" /etc/noisebell/relay-webhook-secret +sudo mv "$REMOTE_TMP_DIR/homeassistant-webhook-id" /etc/noisebell/homeassistant-webhook-id sudo mv "$REMOTE_TMP_DIR/tailscale-auth-key" /etc/noisebell/tailscale-auth-key -sudo chown root:root /etc/noisebell/pi-to-cache-key /etc/noisebell/cache-to-pi-key /etc/noisebell/tailscale-auth-key -sudo chmod 600 /etc/noisebell/pi-to-cache-key /etc/noisebell/cache-to-pi-key /etc/noisebell/tailscale-auth-key +sudo chown root:root /etc/noisebell/pi-to-cache-key /etc/noisebell/cache-to-pi-key /etc/noisebell/relay-webhook-secret /etc/noisebell/homeassistant-webhook-id /etc/noisebell/tailscale-auth-key +sudo chmod 600 /etc/noisebell/pi-to-cache-key /etc/noisebell/cache-to-pi-key /etc/noisebell/relay-webhook-secret /etc/noisebell/homeassistant-webhook-id /etc/noisebell/tailscale-auth-key sudo tee /etc/noisebell/noisebell.env >/dev/null <<'ENVEOF' NOISEBELL_GPIO_PIN=17 @@ -96,6 +111,17 @@ RUST_LOG=info ENVEOF sudo chmod 600 /etc/noisebell/noisebell.env +sudo tee /etc/noisebell/noisebell-relay.env >/dev/null <<'ENVEOF' +NOISEBELL_RELAY_PORT=8090 +NOISEBELL_RELAY_BIND_ADDRESS=0.0.0.0 +NOISEBELL_RELAY_TARGET_BASE_URL=http://homeassistant.local:8123 +NOISEBELL_RELAY_RETRY_ATTEMPTS=3 +NOISEBELL_RELAY_RETRY_BASE_DELAY_SECS=1 +NOISEBELL_RELAY_HTTP_TIMEOUT_SECS=10 +RUST_LOG=info +ENVEOF +sudo chmod 600 /etc/noisebell/noisebell-relay.env + sudo tee /etc/systemd/system/noisebell.service >/dev/null <<'UNITEOF' [Unit] Description=Noisebell GPIO door monitor @@ -115,10 +141,29 @@ WatchdogSec=30 WantedBy=multi-user.target UNITEOF +sudo tee /etc/systemd/system/noisebell-relay.service >/dev/null <<'UNITEOF' +[Unit] +Description=Noisebell relay webhook bridge +After=network-online.target +Wants=network-online.target + +[Service] +Type=simple +EnvironmentFile=/etc/noisebell/noisebell-relay.env +ExecStart=/bin/bash -lc 'export NOISEBELL_RELAY_INBOUND_API_KEY="$$(cat /etc/noisebell/relay-webhook-secret)"; export NOISEBELL_RELAY_TARGET_WEBHOOK_ID="$$(cat /etc/noisebell/homeassistant-webhook-id)"; exec /opt/noisebell/current/noisebell-relay' +Restart=on-failure +RestartSec=5 + +[Install] +WantedBy=multi-user.target +UNITEOF + sudo ln -sfn "$REMOTE_RELEASE_DIR" "$REMOTE_CURRENT_LINK" sudo systemctl daemon-reload sudo systemctl enable noisebell.service +sudo systemctl enable noisebell-relay.service sudo systemctl restart noisebell.service +sudo systemctl restart noisebell-relay.service sudo systemctl restart avahi-daemon sudo tailscale up --auth-key="$(sudo cat /etc/noisebell/tailscale-auth-key)" --hostname=noisebell-pi || true diff --git a/scripts/nhs b/scripts/nhs new file mode 100755 index 0000000..82b5637 --- /dev/null +++ b/scripts/nhs @@ -0,0 +1,12 @@ +#!/usr/bin/env bash +set -euo pipefail + +SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd) +REPO_ROOT=$(cd -- "$SCRIPT_DIR/.." && pwd) + +exec nixos-rebuild switch \ + --flake /home/jet/Documents/extremist-software#extremist-software \ + --target-host jet@extremist-software \ + --sudo \ + --override-input noisebell "$REPO_ROOT" \ + "$@" diff --git a/secrets/homeassistant-webhook-id.age b/secrets/homeassistant-webhook-id.age new file mode 100644 index 0000000..78b774f --- /dev/null +++ b/secrets/homeassistant-webhook-id.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 Ziw7aw v3z9Oh1DYMesxOG184H6mSS7NYqhdvjo8iYlJ5kQYzM +O+OWaXU7uwy8krNNjUdyUWjvEdb62cVt1+tSaEwfHkc +-> ssh-ed25519 NFB4qA k6ZSOTL5p6Ek3Dkw5sWnjdwwKWwMJEbXXq8vWosz1QI +vooc7eaB5s4ib9gzKdK9u/Cqyeud2h7BhMaxCZGbFWI +-> X25519 RmqIi6m7+iE8ACgfTRl7oiOdfCEMv7u2o0m/5wr87jY +8gUgzgjbVKhW6NagnFqUv849nD6UaUxZoRsEaPmS+SQ +-> 0\[*-grease ]^ Q< Ejv ndNP1G` +MVT8TeupnrxLy09AluP8AflxxORyLJSXclKVaqFjLKik20VE9Q0NvwhDPgcv24aS +zQTuJpmKDsTJV0I/WofypfV0hZFIbDBTuVTxCWqwtzU4IsfEIXHXUVdoyseL4FS6 + +--- eMEg3OcfDfdlEKSy688XEXQAXJ8xydvzWrkQwdrvIPg +nɹ,26o#cϬV-s[$>7-,D,ZZ% mgO \ No newline at end of file diff --git a/secrets/relay-webhook-secret.age b/secrets/relay-webhook-secret.age new file mode 100644 index 0000000..79c8d54 --- /dev/null +++ b/secrets/relay-webhook-secret.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 Ziw7aw LgNC5vZwo/fdnY9FzszAmVBb6E6BkDsy302kU6psElE +AWMlR/lsYKT3d2i8af7bD98tBYLM9HIbMugcrzaKuPM +-> ssh-ed25519 NFB4qA 7SDpxJZHHr52Mv3MVxJj1hVc/ZiMSSo4tzmsh62/jHg +4qne6NwF53k/Ib03T/qlRvzrLdn0RSMxmzoD2c7b4po +-> X25519 Ps/z3IuGnygYRf6YAYa/TFpvHrNjx2BdplT9zswz/hY +Bjgas+BRm/1fi/S7i3NOEB703sYg5DFrEwWixYqGaeo +-> ssh-ed25519 uKftJg AMV3loJMEW6B+nW/IPxcJc2xqJubOlGXGJkWlMWoLEU +54zihHrr1sgdderBh/fyj3sifPQc+A/M8ca6vlq1/XE +-> 9.gStO-grease ]H[$m[ax Elz_qFV )#FNFqG b~mv$n8 +JKxci4Ph7xZCVBr4dX5Gh7Q1GMRxFM2lPcJfGL0iFhwvSGxec+QD0VkZ9+zLVCMD +bZvSQ0LJCh5XucekWtR66ZlVSrURWjxdJQh3YhBTUMEezLdZIbe/Rg +--- w6fTJ89HtOUIGgw1jUdITJwcahPHxxHKqR0KPi0Zphs + 3ൺO`=^WNx