diff --git a/.gitignore b/.gitignore
index 83cf9dd..3392089 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
site.retry
ansible.log
*.swp
+*.pyc
diff --git a/host_vars/lasagne.binary.kitchen b/host_vars/lasagne.binary.kitchen
index b480848..d4bbc05 100644
--- a/host_vars/lasagne.binary.kitchen
+++ b/host_vars/lasagne.binary.kitchen
@@ -9,3 +9,40 @@ root_keys_host:
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062"
uau_reboot: "false"
+
+mosquitto_listeners:
+ # Listeners for Mosquitto MQTT Broker
+ - name: "default"
+ listener: "1883"
+ protocol: "mqtt"
+ use_username_as_clientid: "false"
+ allow_zero_length_clientid: "true"
+ allow_anonymous: "false"
+ users:
+ - username: admin
+ password: "{{ vault_mosquitto_arwen_admin_passwd }}"
+ acl:
+ - permissions: readwrite
+ topic: "#"
+
+ - username: homeassistant
+ password: "{{ vault_mosquitto_arwen_homeassistant_passwd }}"
+ acl:
+ - permissions: readwrite
+ topic: "#"
+
+mosquitto_bridges:
+ - connection: pizza
+ address: 172.23.4.6:1883
+ topics:
+ - topic: "# out 0"
+ - topic: "# in 0"
+
+ha_pg_db_pass: "{{ vault_ha_pg_db_pass }}"
+pgadmin4_db_password: "{{ vault_pgadmin4_db_password }}"
+pgadmin4_initial_user_email: noby@binary-kitchen.de
+pgadmin4_initial_user_password: "{{ vault_pgadmin4_initial_user_password }}"
+ha_pg_grafana_db_pass: "{{ vault_ha_pg_grafana_db_pass }}"
+
+ha_domains:
+ - lasagne.binary.kitchen
diff --git a/roles/homeassistant/defaults/main.yml b/roles/homeassistant/defaults/main.yml
new file mode 100644
index 0000000..099a1c2
--- /dev/null
+++ b/roles/homeassistant/defaults/main.yml
@@ -0,0 +1,22 @@
+---
+
+# Python version required for home assistant
+ha_python_version: '3.12'
+
+# The location of the config directory
+ha_conf_dir: /etc/homeassistant
+
+# The location of the installatin directory
+ha_venv_dir: "/opt/homeassistant"
+
+# The default user
+ha_user: homeassistant
+
+ha_pg_db_version: 15
+ha_pg_db_name: homeassistant
+ha_pg_db_user: homeassistant
+ha_pg_db_pass: xxxxx
+
+ha_pg_grafana_db_name: grafana
+ha_pg_grafana_db_user: grafana
+ha_pg_grafana_db_pass: xxxxx
diff --git a/roles/homeassistant/handlers/main.yml b/roles/homeassistant/handlers/main.yml
new file mode 100644
index 0000000..b3e8144
--- /dev/null
+++ b/roles/homeassistant/handlers/main.yml
@@ -0,0 +1,21 @@
+---
+
+- name: Restart postgresql
+ ansible.builtin.service:
+ name: postgresql
+ state: restarted
+
+- name: Restart homeassistant
+ ansible.builtin.service:
+ name: home-assistant
+ state: restarted
+
+- name: Restart grafana
+ ansible.builtin.service:
+ name: grafana-server
+ state: restarted
+
+- name: Restart nginx
+ ansible.builtin.service:
+ name: nginx
+ state: restarted
diff --git a/roles/homeassistant/meta/main.yml b/roles/homeassistant/meta/main.yml
new file mode 100644
index 0000000..cb90fe0
--- /dev/null
+++ b/roles/homeassistant/meta/main.yml
@@ -0,0 +1,14 @@
+---
+
+galaxy_info:
+ author: Thomas Basler
+ description: Install HomeAssistant environment
+ license: None
+ platforms:
+ - name: Debian
+ min_ansible_version: "2.4"
+
+dependencies:
+ - { role: mosquitto }
+ - { role: pgadmin4 }
+ - { role: nginx, nginx_ssl: false }
diff --git a/roles/homeassistant/tasks/grafana.yml b/roles/homeassistant/tasks/grafana.yml
new file mode 100644
index 0000000..819a5e9
--- /dev/null
+++ b/roles/homeassistant/tasks/grafana.yml
@@ -0,0 +1,77 @@
+---
+
+- name: Grafana | add GPG signing key
+ become: true
+ ansible.builtin.apt_key:
+ url: "https://apt.grafana.com/gpg.key"
+ state: present
+ validate_certs: true
+
+- name: Grafana | add official repository
+ become: true
+ ansible.builtin.apt_repository:
+ repo: "deb https://apt.grafana.com stable main"
+ state: present
+ filename: grafana
+ update_cache: true
+ tags: install
+
+- name: Grafana | establish dependencies
+ become: true
+ ansible.builtin.apt:
+ name: "{{ item }}"
+ state: present
+ loop: ["grafana"]
+ tags: install
+
+- name: Grafana | Configure PostgreSQL database
+ community.general.postgresql_db:
+ name: "{{ ha_pg_grafana_db_name }}"
+ template: template0
+ encoding: utf8
+ become: true
+ become_user: postgres
+
+- name: Grafana | Configure PostgreSQL user
+ community.general.postgresql_user:
+ db: "{{ ha_pg_grafana_db_name }}"
+ name: "{{ ha_pg_grafana_db_user }}"
+ password: "{{ ha_pg_grafana_db_pass }}"
+ become: true
+ become_user: postgres
+
+- name: Grafana | GRANT ALL PRIVILEGES ON SCHEMA public TO {{ pgadmin4_db_user }}
+ community.postgresql.postgresql_privs:
+ db: "{{ ha_pg_grafana_db_name }}"
+ privs: ALL
+ type: schema
+ objs: public
+ role: "{{ ha_pg_grafana_db_user }}"
+ become: true
+ become_user: postgres
+
+- name: GRANT SELECT PRIVILEGES ON DATABASE {{ ha_pg_db_name }} TO {{ ha_pg_grafana_db_user }}
+ community.general.postgresql_privs:
+ db: "{{ ha_pg_db_name }}"
+ privs: SELECT
+ type: table
+ objs: statistics,statistics_meta
+ role: "{{ ha_pg_grafana_db_user }}"
+ become: true
+ become_user: postgres
+ ignore_errors: true
+
+- name: Grafana | install config file
+ ansible.builtin.template:
+ src: grafana.ini.j2
+ dest: "/etc/grafana/grafana.ini"
+ owner: root
+ group: root
+ mode: "0644"
+ notify: Restart grafana
+
+- name: Grafana | Start service
+ ansible.builtin.service:
+ name: grafana-server
+ state: started
+ enabled: true
diff --git a/roles/homeassistant/tasks/installation.yml b/roles/homeassistant/tasks/installation.yml
new file mode 100644
index 0000000..64d88af
--- /dev/null
+++ b/roles/homeassistant/tasks/installation.yml
@@ -0,0 +1,33 @@
+---
+
+- name: Install defined version of Home Assistant
+ ansible.builtin.pip:
+ name:
+ - wheel
+ - psycopg2
+ - packaging
+ - uv
+ - netifaces
+ - homeassistant=={{ ha_version }}
+ virtualenv: '{{ ha_venv_dir }}'
+ virtualenv_command: 'python{{ ha_python_version }} -m venv'
+ when: ha_version is defined
+ become: true
+ become_user: "{{ ha_user }}"
+ notify: Restart homeassistant
+
+- name: Install latest version of Home Assistant
+ ansible.builtin.pip:
+ name:
+ - wheel
+ - psycopg2
+ - packaging
+ - uv
+ - homeassistant
+ extra_args: "--upgrade"
+ virtualenv: "{{ ha_venv_dir }}"
+ virtualenv_command: 'python{{ ha_python_version }} -m venv'
+ when: ha_version is undefined
+ become: true
+ become_user: "{{ ha_user }}"
+ notify: Restart homeassistant
diff --git a/roles/homeassistant/tasks/main.yml b/roles/homeassistant/tasks/main.yml
new file mode 100644
index 0000000..7e387e1
--- /dev/null
+++ b/roles/homeassistant/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Install python if required
+ ansible.builtin.include_tasks: python_312.yml
+ when: ha_python_version == '3.12'
+
+- name: Include sub-tasks
+ ansible.builtin.include_tasks: '{{ item }}'
+ loop:
+ - preparation.yml
+ - postgres.yml
+ - systemd.yml
+ - installation.yml
+ - grafana.yml
+ - nginx.yml
diff --git a/roles/homeassistant/tasks/nginx.yml b/roles/homeassistant/tasks/nginx.yml
new file mode 100644
index 0000000..62d5179
--- /dev/null
+++ b/roles/homeassistant/tasks/nginx.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Configure vhost
+ ansible.builtin.template:
+ src: vhost.j2
+ dest: /etc/nginx/sites-available/homeassistant
+ mode: "0644"
+ notify: Restart nginx
+
+- name: Enable vhost
+ ansible.builtin.file:
+ src: /etc/nginx/sites-available/homeassistant
+ dest: /etc/nginx/sites-enabled/homeassistant
+ state: link
+ notify: Restart nginx
diff --git a/roles/homeassistant/tasks/postgres.yml b/roles/homeassistant/tasks/postgres.yml
new file mode 100644
index 0000000..eee0f56
--- /dev/null
+++ b/roles/homeassistant/tasks/postgres.yml
@@ -0,0 +1,54 @@
+---
+
+- name: Postgres | establish dependencies
+ ansible.builtin.package:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - postgresql-{{ ha_pg_db_version }}
+ - libpq-dev
+ - python3-psycopg2
+
+- name: Postgres | Configure PostgreSQL database
+ community.general.postgresql_db:
+ name: "{{ ha_pg_db_name }}"
+ template: template0
+ encoding: utf8
+ become: true
+ become_user: postgres
+
+- name: Postgres | Configure PostgreSQL user
+ community.general.postgresql_user:
+ db: "{{ ha_pg_db_name }}"
+ name: "{{ ha_pg_db_user }}"
+ password: "{{ ha_pg_db_pass }}"
+ become: true
+ become_user: postgres
+
+- name: Postgres | GRANT ALL PRIVILEGES ON SCHEMA public TO {{ ha_pg_db_user }}
+ community.postgresql.postgresql_privs:
+ db: "{{ ha_pg_db_user }}"
+ privs: ALL
+ type: schema
+ objs: public
+ role: "{{ ha_pg_db_user }}"
+ become: true
+ become_user: postgres
+
+- name: Postgres | Grant all users access to all dbs
+ community.general.postgresql_pg_hba:
+ dest: /etc/postgresql/{{ ha_pg_db_version }}/main/pg_hba.conf
+ contype: host
+ users: all
+ databases: all
+ method: scram-sha-256
+ source: 0.0.0.0/0
+ notify: Restart postgresql
+
+- name: Postgres | Listen to external interfaces
+ community.general.postgresql_set:
+ name: listen_addresses
+ value: "*"
+ become: true
+ become_user: postgres
+ notify: Restart postgresql
diff --git a/roles/homeassistant/tasks/preparation.yml b/roles/homeassistant/tasks/preparation.yml
new file mode 100644
index 0000000..1c74213
--- /dev/null
+++ b/roles/homeassistant/tasks/preparation.yml
@@ -0,0 +1,41 @@
+---
+
+- name: Install commonly-named packages
+ ansible.builtin.package:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - python3
+ - python3-dev
+ - python3-venv
+ - python3-pip
+ - libffi-dev
+ - libssl-dev
+ - libjpeg-dev
+ - zlib1g-dev
+ - autoconf
+ - build-essential
+ - libopenjp2-7
+ - libtiff6
+ - libturbojpeg0
+ - tzdata
+ - git
+ - ffmpeg
+
+- name: Create user
+ ansible.builtin.user:
+ name: "{{ ha_user }}"
+ comment: "Home Assistant"
+ system: true
+ shell: "/sbin/nologin"
+
+- name: Create directory
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ mode: "02775"
+ owner: "{{ ha_user }}"
+ group: "{{ ha_user }}"
+ loop:
+ - "{{ ha_conf_dir }}"
+ - "{{ ha_venv_dir }}"
diff --git a/roles/homeassistant/tasks/python_312.yml b/roles/homeassistant/tasks/python_312.yml
new file mode 100644
index 0000000..cb9cfc2
--- /dev/null
+++ b/roles/homeassistant/tasks/python_312.yml
@@ -0,0 +1,26 @@
+---
+
+- name: Python 3.12 | add GPG signing key
+ become: true
+ ansible.builtin.apt_key:
+ url: "https://pascalroeleven.nl/deb-pascalroeleven.gpg"
+ state: present
+ validate_certs: true
+ tags: install
+
+- name: Python 3.12 | add official repository
+ become: true
+ ansible.builtin.apt_repository:
+ repo: "deb http://deb.pascalroeleven.nl/python3.12 bookworm-backports main"
+ state: present
+ filename: python312
+ update_cache: true
+ tags: install
+
+- name: Python 3.12 | establish dependencies
+ become: true
+ ansible.builtin.apt:
+ name: "{{ item }}"
+ state: present
+ loop: "{{ python312_dependencies }}"
+ tags: install
diff --git a/roles/homeassistant/tasks/systemd.yml b/roles/homeassistant/tasks/systemd.yml
new file mode 100644
index 0000000..2c6c63f
--- /dev/null
+++ b/roles/homeassistant/tasks/systemd.yml
@@ -0,0 +1,17 @@
+---
+
+- name: Install systemd unit file
+ ansible.builtin.template:
+ src: home-assistant.service.j2
+ dest: "/etc/systemd/system/home-assistant.service"
+ owner: root
+ group: root
+ mode: "0644"
+ notify: Restart homeassistant
+
+- name: Enable home assistant service
+ ansible.builtin.systemd:
+ name: home-assistant
+ daemon_reload: true
+ enabled: true
+ notify: Restart homeassistant
\ No newline at end of file
diff --git a/roles/homeassistant/templates/grafana.ini.j2 b/roles/homeassistant/templates/grafana.ini.j2
new file mode 100644
index 0000000..9ab8426
--- /dev/null
+++ b/roles/homeassistant/templates/grafana.ini.j2
@@ -0,0 +1,1082 @@
+{{ ansible_managed | comment }}
+
+##################### Grafana Configuration Example #####################
+#
+# Everything has defaults so you only need to uncomment things you want to
+# change
+
+# possible values : production, development
+;app_mode = production
+
+# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
+;instance_name = ${HOSTNAME}
+
+#################################### Paths ####################################
+[paths]
+# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
+;data = /var/lib/grafana
+
+# Temporary files in `data` directory older than given duration will be removed
+;temp_data_lifetime = 24h
+
+# Directory where grafana can store logs
+;logs = /var/log/grafana
+
+# Directory where grafana will automatically scan and look for plugins
+;plugins = /var/lib/grafana/plugins
+
+# folder that contains provisioning config files that grafana will apply on startup and while running.
+;provisioning = conf/provisioning
+
+#################################### Server ####################################
+[server]
+# Protocol (http, https, h2, socket)
+;protocol = http
+
+# The ip address to bind to, empty will bind to all interfaces
+;http_addr =
+
+# The http port to use
+;http_port = 3000
+
+# The public facing domain name used to access grafana from a browser
+;domain = localhost
+
+# Redirect to correct domain if host header does not match domain
+# Prevents DNS rebinding attacks
+;enforce_domain = false
+
+# The full public facing url you use in browser, used for redirects and emails
+# If you use reverse proxy and sub path specify full url (with sub path)
+root_url = %(protocol)s://%(domain)s:%(http_port)s/grafana/
+
+# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
+serve_from_sub_path = true
+
+# Log web requests
+;router_logging = false
+
+# the path relative working path
+;static_root_path = public
+
+# enable gzip
+;enable_gzip = false
+
+# https certs & key file
+;cert_file =
+;cert_key =
+
+# Unix socket path
+;socket =
+
+# CDN Url
+;cdn_url =
+
+# Sets the maximum time using a duration format (5s/5m/5ms) before timing out read of an incoming request and closing idle connections.
+# `0` means there is no timeout for reading the request.
+;read_timeout = 0
+
+#################################### Database ####################################
+[database]
+# You can configure the database connection by specifying type, host, name, user and password
+# as separate properties or as on string using the url properties.
+
+# Either "mysql", "postgres" or "sqlite3", it's your choice
+;type = sqlite3
+;host = 127.0.0.1:3306
+;name = grafana
+;user = root
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+;password =
+
+# Use either URL or the previous fields to configure the database
+# Example: mysql://user:secret@host:port/database
+url = postgres://{{ ha_pg_grafana_db_user }}:{{ ha_pg_grafana_db_pass }}@/{{ ha_pg_grafana_db_name }}
+
+# For "postgres" only, either "disable", "require" or "verify-full"
+;ssl_mode = disable
+
+# Database drivers may support different transaction isolation levels.
+# Currently, only "mysql" driver supports isolation levels.
+# If the value is empty - driver's default isolation level is applied.
+# For "mysql" use "READ-UNCOMMITTED", "READ-COMMITTED", "REPEATABLE-READ" or "SERIALIZABLE".
+;isolation_level =
+
+;ca_cert_path =
+;client_key_path =
+;client_cert_path =
+;server_cert_name =
+
+# For "sqlite3" only, path relative to data_path setting
+;path = grafana.db
+
+# Max idle conn setting default is 2
+;max_idle_conn = 2
+
+# Max conn setting default is 0 (mean not set)
+;max_open_conn =
+
+# Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
+;conn_max_lifetime = 14400
+
+# Set to true to log the sql calls and execution times.
+;log_queries =
+
+# For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
+;cache_mode = private
+
+################################### Data sources #########################
+[datasources]
+# Upper limit of data sources that Grafana will return. This limit is a temporary configuration and it will be deprecated when pagination will be introduced on the list data sources API.
+;datasource_limit = 5000
+
+#################################### Cache server #############################
+[remote_cache]
+# Either "redis", "memcached" or "database" default is "database"
+;type = database
+
+# cache connectionstring options
+# database: will use Grafana primary database.
+# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=0,ssl=false`. Only addr is required. ssl may be 'true', 'false', or 'insecure'.
+# memcache: 127.0.0.1:11211
+;connstr =
+
+#################################### Data proxy ###########################
+[dataproxy]
+
+# This enables data proxy logging, default is false
+;logging = false
+
+# How long the data proxy waits to read the headers of the response before timing out, default is 30 seconds.
+# This setting also applies to core backend HTTP data sources where query requests use an HTTP client with timeout set.
+;timeout = 30
+
+# How long the data proxy waits to establish a TCP connection before timing out, default is 10 seconds.
+;dialTimeout = 10
+
+# How many seconds the data proxy waits before sending a keepalive probe request.
+;keep_alive_seconds = 30
+
+# How many seconds the data proxy waits for a successful TLS Handshake before timing out.
+;tls_handshake_timeout_seconds = 10
+
+# How many seconds the data proxy will wait for a server's first response headers after
+# fully writing the request headers if the request has an "Expect: 100-continue"
+# header. A value of 0 will result in the body being sent immediately, without
+# waiting for the server to approve.
+;expect_continue_timeout_seconds = 1
+
+# Optionally limits the total number of connections per host, including connections in the dialing,
+# active, and idle states. On limit violation, dials will block.
+# A value of zero (0) means no limit.
+;max_conns_per_host = 0
+
+# The maximum number of idle connections that Grafana will keep alive.
+;max_idle_connections = 100
+
+# How many seconds the data proxy keeps an idle connection open before timing out.
+;idle_conn_timeout_seconds = 90
+
+# If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request, default is false.
+;send_user_header = false
+
+# Limit the amount of bytes that will be read/accepted from responses of outgoing HTTP requests.
+;response_limit = 0
+
+# Limits the number of rows that Grafana will process from SQL data sources.
+;row_limit = 1000000
+
+#################################### Analytics ####################################
+[analytics]
+# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
+# No ip addresses are being tracked, only simple counters to track
+# running instances, dashboard and error counts. It is very helpful to us.
+# Change this option to false to disable reporting.
+;reporting_enabled = true
+
+# The name of the distributor of the Grafana instance. Ex hosted-grafana, grafana-labs
+;reporting_distributor = grafana-labs
+
+# Set to false to disable all checks to https://grafana.net
+# for new versions (grafana itself and plugins), check is used
+# in some UI views to notify that grafana or plugin update exists
+# This option does not cause any auto updates, nor send any information
+# only a GET request to http://grafana.com to get latest versions
+;check_for_updates = true
+
+# Google Analytics universal tracking code, only enabled if you specify an id here
+;google_analytics_ua_id =
+
+# Google Tag Manager ID, only enabled if you specify an id here
+;google_tag_manager_id =
+
+#################################### Security ####################################
+[security]
+# disable creation of admin user on first start of grafana
+;disable_initial_admin_creation = false
+
+# default admin user, created on startup
+;admin_user = admin
+
+# default admin password, can be changed before first start of grafana, or in profile settings
+;admin_password = admin
+
+# used for signing
+;secret_key = SW2YcwTIb9zpOOhoPsMm
+
+# current key provider used for envelope encryption, default to static value specified by secret_key
+;encryption_provider = secretKey
+
+# list of configured key providers, space separated (Enterprise only): e.g., awskms.v1 azurekv.v1
+;available_encryption_providers =
+
+# disable gravatar profile images
+;disable_gravatar = false
+
+# data source proxy whitelist (ip_or_domain:port separated by spaces)
+;data_source_proxy_whitelist =
+
+# disable protection against brute force login attempts
+;disable_brute_force_login_protection = false
+
+# set to true if you host Grafana behind HTTPS. default is false.
+;cookie_secure = false
+
+# set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict", "none" and "disabled"
+;cookie_samesite = lax
+
+# set to true if you want to allow browsers to render Grafana in a ,