homeassistant: Add installation procedures for nginx

host_vars/lasagne.binary.kitchen

@@ -36,4 +36,13 @@ mosquitto_bridges:
     address: 172.23.4.6:1883
     topics:
       - topic: "# out 0"
-      - topic: "# in 0"
+      - topic: "# in 0"
+
+ha_pg_db_pass: "{{ vault_ha_pg_db_pass }}"
+pgadmin4_db_password: "{{ vault_pgadmin4_db_password }}"
+pgadmin4_initial_user_email: noby@binary-kitchen.de
+pgadmin4_initial_user_password: "{{ vault_pgadmin4_initial_user_password }}"
+ha_pg_grafana_db_pass: "{{ vault_ha_pg_grafana_db_pass }}"
+
+ha_domains:
+  - lasagne.binary.kitchen

roles/homeassistant/defaults/main.yml

@@ -0,0 +1,22 @@
+---
+
+# Python version required for home assistant
+ha_python_version: '3.12'
+
+# The location of the config directory
+ha_conf_dir: /etc/homeassistant
+
+# The location of the installatin directory
+ha_venv_dir: "/opt/homeassistant"
+
+# The default user
+ha_user: homeassistant
+
+ha_pg_db_version: 15
+ha_pg_db_name: homeassistant
+ha_pg_db_user: homeassistant
+ha_pg_db_pass: xxxxx
+
+ha_pg_grafana_db_name: grafana
+ha_pg_grafana_db_user: grafana
+ha_pg_grafana_db_pass: xxxxx

roles/homeassistant/handlers/main.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Restart postgresql
+  ansible.builtin.service:
+    name: postgresql
+    state: restarted
+
+- name: Restart homeassistant
+  ansible.builtin.service:
+    name: home-assistant
+    state: restarted
+
+- name: Restart grafana
+  ansible.builtin.service:
+    name: grafana-server
+    state: restarted
+
+- name: Restart nginx
+  ansible.builtin.service:
+    name: nginx
+    state: restarted

roles/homeassistant/meta/main.yml

@@ -10,3 +10,5 @@ galaxy_info:
 
 dependencies:
   - { role: mosquitto }
+  - { role: pgadmin4 }
+  - { role: nginx, nginx_ssl: false }

roles/homeassistant/tasks/grafana.yml

@@ -0,0 +1,77 @@
+---
+
+- name: Grafana | add GPG signing key
+  become: true
+  ansible.builtin.apt_key:
+    url: "https://apt.grafana.com/gpg.key"
+    state: present
+    validate_certs: true
+
+- name: Grafana | add official repository
+  become: true
+  ansible.builtin.apt_repository:
+    repo: "deb https://apt.grafana.com stable main"
+    state: present
+    filename: grafana
+    update_cache: true
+  tags: install
+
+- name: Grafana | establish dependencies
+  become: true
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+  loop: ["grafana"]
+  tags: install
+
+- name: Grafana | Configure PostgreSQL database
+  community.general.postgresql_db:
+    name: "{{ ha_pg_grafana_db_name }}"
+    template: template0
+    encoding: utf8
+  become: true
+  become_user: postgres
+
+- name: Grafana | Configure PostgreSQL user
+  community.general.postgresql_user:
+    db: "{{ ha_pg_grafana_db_name }}"
+    name: "{{ ha_pg_grafana_db_user }}"
+    password: "{{ ha_pg_grafana_db_pass }}"
+  become: true
+  become_user: postgres
+
+- name: Grafana | GRANT ALL PRIVILEGES ON SCHEMA public TO {{ pgadmin4_db_user }}
+  community.postgresql.postgresql_privs:
+    db: "{{ ha_pg_grafana_db_name }}"
+    privs: ALL
+    type: schema
+    objs: public
+    role: "{{ ha_pg_grafana_db_user }}"
+  become: true
+  become_user: postgres
+
+- name: GRANT SELECT PRIVILEGES ON DATABASE {{ ha_pg_db_name }} TO {{ ha_pg_grafana_db_user }}
+  community.general.postgresql_privs:
+    db: "{{ ha_pg_db_name }}"
+    privs: SELECT
+    type: table
+    objs: statistics,statistics_meta
+    role: "{{ ha_pg_grafana_db_user }}"
+  become: true
+  become_user: postgres
+  ignore_errors: true
+
+- name: Grafana | install config file
+  ansible.builtin.template:
+    src: grafana.ini.j2
+    dest: "/etc/grafana/grafana.ini"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart grafana
+
+- name: Grafana | Start service
+  ansible.builtin.service:
+    name: grafana-server
+    state: started
+    enabled: true

roles/homeassistant/tasks/installation.yml

@@ -0,0 +1,33 @@
+---
+
+- name: Install defined version of Home Assistant
+  ansible.builtin.pip:
+    name:
+      - wheel
+      - psycopg2
+      - packaging
+      - uv
+      - netifaces
+      - homeassistant=={{ ha_version }}
+    virtualenv: '{{ ha_venv_dir }}'
+    virtualenv_command: 'python{{ ha_python_version }} -m venv'
+  when: ha_version is defined
+  become: true
+  become_user: "{{ ha_user }}"
+  notify: Restart homeassistant
+
+- name: Install latest version of Home Assistant
+  ansible.builtin.pip:
+    name:
+      - wheel
+      - psycopg2
+      - packaging
+      - uv
+      - homeassistant
+    extra_args: "--upgrade"
+    virtualenv: "{{ ha_venv_dir }}"
+    virtualenv_command: 'python{{ ha_python_version }} -m venv'
+  when: ha_version is undefined
+  become: true
+  become_user: "{{ ha_user }}"
+  notify: Restart homeassistant

roles/homeassistant/tasks/main.yml

@@ -1 +1,15 @@
 ---
+
+- name: Install python if required
+  ansible.builtin.include_tasks: python_312.yml
+  when: ha_python_version == '3.12'
+
+- name: Include sub-tasks
+  ansible.builtin.include_tasks: '{{ item }}'
+  loop:
+    - preparation.yml
+    - postgres.yml
+    - systemd.yml
+    - installation.yml
+    - grafana.yml
+    - nginx.yml

roles/homeassistant/tasks/nginx.yml

@@ -0,0 +1,15 @@
+---
+
+- name: Configure vhost
+  ansible.builtin.template:
+    src: vhost.j2
+    dest: /etc/nginx/sites-available/homeassistant
+    mode: "0644"
+  notify: Restart nginx
+
+- name: Enable vhost
+  ansible.builtin.file:
+    src: /etc/nginx/sites-available/homeassistant
+    dest: /etc/nginx/sites-enabled/homeassistant
+    state: link
+  notify: Restart nginx

roles/homeassistant/tasks/postgres.yml

@@ -0,0 +1,54 @@
+---
+
+- name: Postgres | establish dependencies
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - postgresql-{{ ha_pg_db_version }}
+    - libpq-dev
+    - python3-psycopg2
+
+- name: Postgres | Configure PostgreSQL database
+  community.general.postgresql_db:
+    name: "{{ ha_pg_db_name }}"
+    template: template0
+    encoding: utf8
+  become: true
+  become_user: postgres
+
+- name: Postgres | Configure PostgreSQL user
+  community.general.postgresql_user:
+    db: "{{ ha_pg_db_name }}"
+    name: "{{ ha_pg_db_user }}"
+    password: "{{ ha_pg_db_pass }}"
+  become: true
+  become_user: postgres
+
+- name: Postgres | GRANT ALL PRIVILEGES ON SCHEMA public TO {{ ha_pg_db_user }}
+  community.postgresql.postgresql_privs:
+    db: "{{ ha_pg_db_user }}"
+    privs: ALL
+    type: schema
+    objs: public
+    role: "{{ ha_pg_db_user }}"
+  become: true
+  become_user: postgres
+
+- name: Postgres | Grant all users access to all dbs
+  community.general.postgresql_pg_hba:
+    dest: /etc/postgresql/{{ ha_pg_db_version }}/main/pg_hba.conf
+    contype: host
+    users: all
+    databases: all
+    method: scram-sha-256
+    source: 0.0.0.0/0
+  notify: Restart postgresql
+
+- name: Postgres | Listen to external interfaces
+  community.general.postgresql_set:
+    name: listen_addresses
+    value: "*"
+  become: true
+  become_user: postgres
+  notify: Restart postgresql

roles/homeassistant/tasks/preparation.yml

@@ -0,0 +1,41 @@
+---
+
+- name: Install commonly-named packages
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - python3
+    - python3-dev
+    - python3-venv
+    - python3-pip
+    - libffi-dev
+    - libssl-dev
+    - libjpeg-dev
+    - zlib1g-dev
+    - autoconf
+    - build-essential
+    - libopenjp2-7
+    - libtiff6
+    - libturbojpeg0
+    - tzdata
+    - git
+    - ffmpeg
+
+- name: Create user
+  ansible.builtin.user:
+    name: "{{ ha_user }}"
+    comment: "Home Assistant"
+    system: true
+    shell: "/sbin/nologin"
+
+- name: Create directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "02775"
+    owner: "{{ ha_user }}"
+    group: "{{ ha_user }}"
+  loop:
+    - "{{ ha_conf_dir }}"
+    - "{{ ha_venv_dir }}"

roles/homeassistant/tasks/python_312.yml

@@ -0,0 +1,26 @@
+---
+
+- name: Python 3.12 | add GPG signing key
+  become: true
+  ansible.builtin.apt_key:
+    url: "https://pascalroeleven.nl/deb-pascalroeleven.gpg"
+    state: present
+    validate_certs: true
+  tags: install
+
+- name: Python 3.12 | add official repository
+  become: true
+  ansible.builtin.apt_repository:
+    repo: "deb http://deb.pascalroeleven.nl/python3.12 bookworm-backports main"
+    state: present
+    filename: python312
+    update_cache: true
+  tags: install
+
+- name: Python 3.12 | establish dependencies
+  become: true
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+  loop: "{{ python312_dependencies }}"
+  tags: install

roles/homeassistant/tasks/systemd.yml

@@ -0,0 +1,17 @@
+---
+
+- name: Install systemd unit file
+  ansible.builtin.template:
+    src: home-assistant.service.j2
+    dest: "/etc/systemd/system/home-assistant.service"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart homeassistant
+
+- name: Enable home assistant service
+  ansible.builtin.systemd:
+    name: home-assistant
+    daemon_reload: true
+    enabled: true
+  notify: Restart homeassistant

roles/homeassistant/templates/home-assistant.service.j2

@@ -0,0 +1,14 @@
+[Unit]
+Description=Home Assistant
+After=network.target postgresql.service
+
+[Service]
+Type=simple
+User={{ ha_user }}
+Environment="PATH=/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:{{ ha_venv_dir }}/bin"
+ExecStart={{ ha_venv_dir }}/bin/hass --config {{ ha_conf_dir }}
+Restart=always
+RestartSec=3
+
+[Install]
+WantedBy=multi-user.target

roles/homeassistant/templates/vhost.j2

@@ -0,0 +1,41 @@
+{{ ansible_managed | comment }}
+
+server {
+        listen 80;
+        listen [::]:80;
+        server_name {{ ha_domains | join(' ') }};
+
+        proxy_buffering off;
+
+        location / {
+                proxy_pass http://127.0.0.1:8123;
+                proxy_set_header Host $host;
+                proxy_redirect http:// https://;
+                proxy_http_version 1.1;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "upgrade";
+        }
+
+        location /api/websocket {
+                proxy_pass http://127.0.0.1:8123;
+                proxy_set_header Host $host;
+                proxy_http_version 1.1;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "upgrade";
+        }
+
+        location /grafana {
+                client_max_body_size 1024M;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header Host $http_host;
+                proxy_pass http://localhost:3000;
+        }
+
+        location = /pgadmin4 { rewrite ^ /pgadmin4/; }
+        location /pgadmin4 { try_files $uri @pgadmin4; }
+        location @pgadmin4 {
+                include uwsgi_params;
+                uwsgi_pass unix:/run/pgadmin4/pgadmin4.sock;
+        }
+}

roles/homeassistant/vars/main.yml

@@ -0,0 +1,6 @@
+---
+
+python312_dependencies:
+  - python3.12
+  - python3.12-venv
+  - python3.12-dev

roles/pgadmin4/defaults/main.yml

@@ -0,0 +1,10 @@
+---
+
+pgadmin4_user: pgadmin4
+pgadmin4_db_database: pgadmin4
+pgadmin4_db_user: pgadmin4
+pgadmin4_db_password: xxxxx
+pgadmin4_conf_dir: /etc/pgadmin
+
+pgadmin4_initial_user_email: admin@admin.com
+pgadmin4_initial_user_password: admin42

roles/pgadmin4/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Restart pgadmin4
+  ansible.builtin.service:
+    name: pgadmin4
+    state: restarted

roles/pgadmin4/meta/main.yml

@@ -0,0 +1,11 @@
+---
+
+galaxy_info:
+  author: Thomas Basler
+  description: Install PgAdmin4
+  license: None
+  platforms:
+    - name: Debian
+  min_ansible_version: "2.4"
+
+dependencies: []

roles/pgadmin4/tasks/main.yml

@@ -0,0 +1,119 @@
+---
+
+- name: PgAdmin 4 | add GPG signing key
+  become: true
+  ansible.builtin.apt_key:
+    url: "https://www.pgadmin.org/static/packages_pgadmin_org.pub"
+    state: present
+    validate_certs: true
+  tags: install
+
+- name: PgAdmin 4 | add official repository
+  become: true
+  ansible.builtin.apt_repository:
+    repo: "deb https://ftp.postgresql.org/pub/pgadmin/pgadmin4/apt/bookworm pgadmin4 main"
+    state: present
+    filename: pgadmin4
+    update_cache: true
+  tags: install
+
+- name: PgAdmin 4 | establish dependencies
+  become: true
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+  tags: install
+  loop: ["pgadmin4-server", "uwsgi-core", "uwsgi-plugin-python3", "python3-pexpect"]
+
+- name: PgAdmin 4 | Configure PostgreSQL database
+  community.general.postgresql_db:
+    name: "{{ pgadmin4_db_database }}"
+    template: template0
+    encoding: utf8
+  become: true
+  become_user: postgres
+  register: pgadmin4_db
+
+- name: PgAdmin 4 | Configure PostgreSQL user
+  community.general.postgresql_user:
+    db: "{{ pgadmin4_db_database }}"
+    name: "{{ pgadmin4_db_user }}"
+    password: "{{ pgadmin4_db_password }}"
+  become: true
+  become_user: postgres
+
+- name: PgAdmin 4 | Configure PostgreSQL user privileges
+  community.postgresql.postgresql_privs:
+    database: "{{ pgadmin4_db_database }}"
+    state: present
+    privs: ALL
+    type: database
+    role: "{{ pgadmin4_db_user }}"
+  become: true
+  become_user: postgres
+
+- name: PgAdmin 4 | GRANT ALL PRIVILEGES ON SCHEMA public TO {{ pgadmin4_db_user }}
+  community.postgresql.postgresql_privs:
+    db: "{{ pgadmin4_db_database }}"
+    privs: ALL
+    type: schema
+    objs: public
+    role: "{{ pgadmin4_db_user }}"
+  become: true
+  become_user: postgres
+
+- name: Create user
+  ansible.builtin.user:
+    name: "{{ pgadmin4_user }}"
+    comment: "pgAdmin 4"
+    createhome: false
+    system: true
+    shell: "/sbin/nologin"
+
+- name: PgAdmin 4 | create config directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "02775"
+    owner: "root"
+    group: "root"
+  with_items:
+    - "{{ pgadmin4_conf_dir }}"
+
+- name: PgAdmin 4 | install config file
+  ansible.builtin.template:
+    src: config_system.py.j2
+    dest: "{{ pgadmin4_conf_dir }}/config_system.py"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart pgadmin4
+
+- name: PgAdmin 4 | install systemd unit file
+  ansible.builtin.template:
+    src: pgadmin4.service.j2
+    dest: "/etc/systemd/system/pgadmin4.service"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart pgadmin4
+
+- name: PgAdmin 4 | enable service
+  ansible.builtin.service:
+    name: pgadmin4
+    enabled: true
+
+- name: PgAdmin 4 | setup pgadmin # noqa: no-handler
+  ansible.builtin.expect:
+    command: /bin/bash -c "/usr/pgadmin4/venv/bin/python3 /usr/pgadmin4/web/setup.py setup-db"
+    chdir: /usr/pgadmin4/web/
+    echo: true
+    timeout: 300
+    responses:
+      'Email\ address:': "{{ pgadmin4_initial_user_email | trim }}"
+      'Password:': "{{ pgadmin4_initial_user_password | trim }}"
+      'Retype\ password:': "{{ pgadmin4_initial_user_password | trim }}"
+      'Do\ you\ wish\ to\ continue\ \(y/n\)\?': "y"
+      'Would\ you\ like\ to\ continue\ \(y/n\)\?': "y"
+  when: pgadmin4_db.changed
+  notify: Restart pgadmin4

roles/pgadmin4/templates/config_system.py.j2

@@ -0,0 +1,4 @@
+LOG_FILE = '/var/log/pgadmin/pgadmin4.log'
+CONFIG_DATABASE_URI = 'postgresql://{{ pgadmin4_db_user }}:{{ pgadmin4_db_password }}@localhost:5432/{{ pgadmin4_db_database }}'
+SESSION_DB_PATH = '/var/lib/pgadmin/sessions'
+STORAGE_DIR = '/var/lib/pgadmin/storage'

roles/pgadmin4/templates/pgadmin4.service.j2

@@ -0,0 +1,29 @@
+[Unit]
+Description = PgAdmin4 uwsgi Service
+After = network.target network-online.target
+Wants = network-online.target
+
+[Service]
+User={{ pgadmin4_user }}
+StateDirectory=pgadmin
+RuntimeDirectory=pgadmin4
+LogsDirectory=pgadmin
+ExecStart=uwsgi \
+      --socket /run/pgadmin4/pgadmin4.sock --chmod-socket=666 \
+      --plugin python3 \
+      -H /usr/pgadmin4/venv \
+      --processes 1 \
+      --threads 25 \
+      --chdir /usr/pgadmin4/web/ \
+      --manage-script-name \
+      --mount /pgadmin4=pgAdmin4:app
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/bin/kill -INT $MAINPID
+Restart=always
+Type=notify
+StandardError=syslog
+NotifyAccess=all
+KillSignal=SIGQUIT
+
+[Install]
+WantedBy = multi-user.target