From 0b11d8fd6ed0621cc19bf4257adbc52d38f50041 Mon Sep 17 00:00:00 2001
From: "ewilly@neuf.fr"
Date: Sun, 9 Jun 2019 18:30:25 +0200
Subject: [PATCH 1/3] update
---
conf/app.src | 1 -
.../homeassistant_conf_files/automations.yaml | 3 -
.../bin/upgrade_homeassistant.sh | 23 +++
.../bin/ynh_ldap-auth.sh | 148 ++++++++++++++++++
.../configuration.yaml | 77 +++++----
conf/homeassistant_conf_files/customize.yaml | 3 -
conf/homeassistant_conf_files/groups.yaml | 3 -
.../known_devices.yaml | 3 -
conf/homeassistant_conf_files/scripts.yaml | 3 -
conf/homeassistant_conf_files/secrets.yaml | 3 -
conf/homeassistant_conf_files/sensors.yaml | 3 -
scripts/_common.sh | 2 +-
scripts/install | 3 +-
13 files changed, 218 insertions(+), 57 deletions(-)
delete mode 100644 conf/app.src
delete mode 100644 conf/homeassistant_conf_files/automations.yaml
create mode 100755 conf/homeassistant_conf_files/bin/upgrade_homeassistant.sh
create mode 100755 conf/homeassistant_conf_files/bin/ynh_ldap-auth.sh
delete mode 100644 conf/homeassistant_conf_files/customize.yaml
delete mode 100644 conf/homeassistant_conf_files/groups.yaml
delete mode 100644 conf/homeassistant_conf_files/known_devices.yaml
delete mode 100644 conf/homeassistant_conf_files/scripts.yaml
delete mode 100644 conf/homeassistant_conf_files/secrets.yaml
delete mode 100644 conf/homeassistant_conf_files/sensors.yaml
diff --git a/conf/app.src b/conf/app.src
deleted file mode 100644
index 9d0389a..0000000
--- a/conf/app.src
+++ /dev/null
@@ -1 +0,0 @@
-UPSTREAM_HA_VERSION=0.78.3
diff --git a/conf/homeassistant_conf_files/automations.yaml b/conf/homeassistant_conf_files/automations.yaml
deleted file mode 100644
index 97ff5fc..0000000
--- a/conf/homeassistant_conf_files/automations.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-##########################
-# Automations
-##########################
diff --git a/conf/homeassistant_conf_files/bin/upgrade_homeassistant.sh b/conf/homeassistant_conf_files/bin/upgrade_homeassistant.sh
new file mode 100755
index 0000000..82d127a
--- /dev/null
+++ b/conf/homeassistant_conf_files/bin/upgrade_homeassistant.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# define usefull variables
+app="homeassistant"
+final_path="/opt/yunohost/$app"
+
+# stop homeassistant systemd service
+#sudo systemctl stop $app@$app.service
+
+# create the virtual environment
+python3 -m venv "$final_path"
+
+# activate the virtual environment
+. "$final_path/bin/activate"
+
+# upgrade required python package
+pip install --upgrade wheel
+
+# upgrade homeassistant python package
+pip install --upgrade $app
+
+# restart homeassistant systemd service
+sudo systemctl restart $app@$app.service
diff --git a/conf/homeassistant_conf_files/bin/ynh_ldap-auth.sh b/conf/homeassistant_conf_files/bin/ynh_ldap-auth.sh
new file mode 100755
index 0000000..4f091d0
--- /dev/null
+++ b/conf/homeassistant_conf_files/bin/ynh_ldap-auth.sh
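Review bot: Nothing in upgrade_homeassistant.sh stops on failure, so when `python3 -m venv` or either `pip install` fails, the final `sudo systemctl restart` still runs against a half-upgraded environment; adding `set -eu` directly under the shebang would stop the script at the first error. `pip install --upgrade $app` also takes whatever release the package index serves at that moment, with no version pin or hash check, so the service account installs unreviewed code every time the script runs; consider `pip install --upgrade "$app==<PINNED_VERSION>"` (placeholder) or a constraints file. `$app` is unquoted in the pip and systemctl lines, which is harmless for the fixed value set here but is worth quoting.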
@@ -0,0 +1,148 @@
+#!/bin/sh
+#
+# ldap-auth.sh - Simple shell script to authenticate users against LDAP
+#
+
+# Uncomment to enable debugging to stderr (prints full client output
+# and more).
+#DEBUG=1
+
+# Must be one of "curl" and "ldapsearch".
+# NOTE:
+# - When choosing "curl", make sure "curl --version | grep ldap" outputs
+# something. Otherwise, curl was compiled without LDAP support.
+# - When choosing "ldapsearch", make sure the ldapwhoami command is
+# available as well, as that might be needed in some cases.
+CLIENT="ldapsearch"
+
+# Usernames should be validated using a regular expression to be of
+# a known format. Special characters will be escaped anyway, but it is
+# generally not recommended to allow more than necessary.
+# This pattern is set by default. In your config file, you can either
+# overwrite it with a different one or use "unset USERNAME_PATTERN" to
+# disable validation completely.
+USERNAME_PATTERN='^[a-z|A-Z|0-9|_|-|.]+$'
+
+# Adapt to your needs.
+SERVER="ldap://127.0.0.1:389"
+USERDN="uid=$username,ou=users,dc=yunohost,dc=org"
+BASEDN="$USERDN"
+SCOPE="base"
+FILTER="(&(uid=$username)(objectClass=posixAccount))"
+NAME_ATTR="cn"
+ATTRS="$ATTRS $NAME_ATTR"
+
+# When the timeout (in seconds) is exceeded (e.g. due to slow networking),
+# authentication fails.
+TIMEOUT=3
+
+########## END OF CONFIGURATION ##########
+
+
+########## SCRIPT CODE FOLLOWS, DON'T TOUCH! ##########
+
+# Log messages to log file.
+log() {
+ echo "$(date)\t$1" >> $LOG_FILE
+}
+
+# Check permission of ynh user.
+ynh_user_app_permission() {
+ access=$(cat "/etc/ssowat/conf.json" | jq ".users."$username"" | grep "Home Assistant")
+ [ ! -z "$access" ] && return 1
+ return 0
+}
+
+ldap_auth_ldapsearch() {
+ common_opts="-o nettimeout=$TIMEOUT -H $SERVER -x"
+ [ ! -z "$DEBUG" ] && common_opts="-v $common_opts"
+ output=$(ldapsearch $common_opts -LLL \
+ -D "$USERDN" -w "$password" \
+ -s "$SCOPE" -b "$BASEDN" "$FILTER" dn $ATTRS)
+ [ $? -ne 0 ] && return 1
+ return 0
+}
+
+on_auth_success() {
+ # print the meta entries for use in HA
+ if [ ! -z "$NAME_ATTR" ]; then
+ name=$(echo "$output" | sed -nr "s/^\s*$NAME_ATTR:\s*(.+)\s*\$/\1/Ip")
+ [ -z "$name" ] || echo "name=$name"
+ fi
+}
+
+# Reset log file.
+if [ ! -z "$DEBUG" ]; then
+ LOG_FILE=$(cd -P -- "$(dirname -- "$0")" && pwd -P)"/ldap-auth.log"
+ [ -f "$LOG_FILE" ] && :> "$LOG_FILE"
+fi
+
+# Check app access permisssion for the ynh user.
+ynh_user_app_permission
+if [ $? -eq 0 ]; then
+ [ ! -z "$DEBUG" ] && log "User '$username' does not have the permission to access these app."
+ exit 1
+else
+ [ ! -z "$DEBUG" ] && log "User '$username' have the permission to access these app."
+fi
+
+# Validate config.
+err=0
+if [ -z "$SERVER" ] || [ -z "$USERDN" ]; then
+ [ ! -z "$DEBUG" ] && log "SERVER and USERDN need to be configured."
+ err=1
+fi
+if [ -z "$TIMEOUT" ]; then
+ [ ! -z "$DEBUG" ] && log "TIMEOUT needs to be configured."
+ err=1
+fi
+if [ ! -z "$BASEDN" ]; then
+ if [ -z "$SCOPE" ] || [ -z "$FILTER" ]; then
+ [ ! -z "$DEBUG" ] && log "BASEDN, SCOPE and FILTER may only be configured together."
+ err=1
+ fi
+elif [ ! -z "$ATTRS" ]; then
+ [ ! -z "$DEBUG" ] && log "Configuring ATTRS only makes sense when enabling searching."
+ err=1
+fi
+
+# Check username and password are present and not malformed.
+if [ -z "$username" ] || [ -z "$password" ]; then
+ [ ! -z "$DEBUG" ] && log "Need username and password environment variables."
+ err=1
+elif [ ! -z "$USERNAME_PATTERN" ]; then
+ username_match=$(echo "$username" | sed -r "s/$USERNAME_PATTERN/x/")
+ if [ "$username_match" != "x" ]; then
+ [ ! -z "$DEBUG" ] && log "Username '$username' has an invalid format."
+ err=1
+ fi
+fi
+
+[ $err -ne 0 ] && exit 2
+
+# Do the authentication.
+ldap_auth_ldapsearch
+result=$?
+
+entries=0
+if [ $result -eq 0 ]; then
+ entries=$(echo "$output" | grep -cie '^dn\s*:')
+ [ "$entries" != "1" ] && result=1
+fi
+
+if [ ! -z "$DEBUG" ]; then
+ log "Result: $result"
+ log "Number of entries: $entries"
+ log "Client output:"
+ log "$output"
+fi
+
+if [ $result -ne 0 ]; then
+ [ ! -z "$DEBUG" ] && log "User '$username' failed to authenticate."
+ type on_auth_failure > /dev/null && on_auth_failure
+ exit 1
+fi
+
+[ ! -z "$DEBUG" ] && log "User '$username' authenticated successfully."
+type on_auth_success > /dev/null && on_auth_success
+exit 0
diff --git a/conf/homeassistant_conf_files/configuration.yaml b/conf/homeassistant_conf_files/configuration.yaml
index e4d3488..5a9d2a8 100644
--- a/conf/homeassistant_conf_files/configuration.yaml
+++ b/conf/homeassistant_conf_files/configuration.yaml
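Review bot: In ynh_ldap-auth.sh, `ynh_user_app_permission` runs before the username is validated and splices `$username` unquoted into the jq program (`jq ".users."$username""`), so a value that comes from the login form is word-split by the shell and parsed as jq filter syntax. Move the permission check below the `USERNAME_PATTERN` block and pass the name as data, e.g. `access=$(jq --arg u "$username" '.users[$u]' /etc/ssowat/conf.json | grep "Home Assistant")`. The pattern `^[a-z|A-Z|0-9|_|-|.]+$` is a bracket expression in which `|` is a literal member and `|-|` is a range, so it admits `|` and does not admit `-`; `^[A-Za-z0-9_.-]+$` matches what the comment above it describes. `-w "$password"` also places the password in the ldapsearch argument list, where other local users can read it from the process table while the command runs; `-y` with a mode-0600 temporary file avoids that.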
@@ -1,60 +1,51 @@ homeassistant: - # Auth providers - #auth_providers: - # - type: homeassistant - # - type: trusted_networks - # - type: legacy_api_password - # Name of the location where Home Assistant is running + auth_providers: + - type: command_line + command: /home/homeassistant/.homeassistant/bin/ynh_ldap-auth.sh + meta: true + - type: homeassistant + - type: trusted_networks + trusted_networks: + - 127.0.0.1 + - ::1 + - 192.168.0.0/24 + - fd00::/8 name: Home - # Location required to calculate the time the sun rises and sets latitude: 0 longitude: 0 - # Impacts weather/sunrise data (altitude above sea level in meters) elevation: 0 - # metric for Metric, imperial for Imperial unit_system: metric - # Pick yours from here: http://en.wikipedia.org/wiki/List_of_tz_database_time_zones time_zone: UTC - # Customization file - customize: !include customize.yaml http: - # Uncomment this if you are using SSL/TLS, running in Docker container, etc. base_url: __DOMAIN__:__PORT__ server_port: __PORT__ - cors_allowed_origins: - - https://google.com - - https://www.home-assistant.io use_x_forwarded_for: True trusted_proxies: - 127.0.0.1 - ::1 ip_ban_enabled: True login_attempts_threshold: 5 - # If trusted_networks is active as auth_provider - trusted_networks: - - 192.168.0.0/24 - - fd00::/8 - # If legacy_api_password is active as auth_provider - #api_password: !secret http_password + +# Lovelace mode +lovelace: + mode: yaml # Show links to resources in log and frontend introduction: # Enables the frontend frontend: + javascript_version: latest # Enables configuration UI config: +# Enables health +system_health: + # Checks for available updates -# Note: This component will send some information about your system to -# the developers to assist with development of Home Assistant. -# For more information, please see: -# https://home-assistant.io/blog/2016/10/25/explaining-the-updater/ updater: - # Optional, allows Home Assistant developers to focus on popular components. 
- # include_used_components: true # Discover some devices automatically discovery: @@ -81,8 +72,28 @@ tts: # Cloud cloud: -# Display -group: !include groups.yaml -automation: !include automations.yaml -script: !include scripts.yaml -sensor: !include sensors.yaml +# Sensors +sensor: + - platform: version + - platform: rest + resource: https://pypi.python.org/pypi/homeassistant/json + name: "Latest Available Version" + value_template: '{{ value_json.info.version }}' + scan_interval: 3600 + +# Binary sensors +binary_sensor: + - platform: template + sensors: + ha_update_available: + friendly_name: An update is available + value_template: >- + {{states.sensor.latest_available_version.state != "unavailable" and states.sensor.latest_available_version.state != states.sensor.current_version.state}} + +# Switches +switch: + - platform: command_line + switches: + upgrade_homeassistant: + command_on: "bash -c /home/homeassistant/.homeassistant/bin/upgrade_homeassistant.sh" + friendly_name: Upgrade Home Assistant diff --git a/conf/homeassistant_conf_files/customize.yaml b/conf/homeassistant_conf_files/customize.yaml deleted file mode 100644 index ca0f867..0000000 --- a/conf/homeassistant_conf_files/customize.yaml +++ /dev/null @@ -1,3 +0,0 @@ -########################## -# Customizations -########################## diff --git a/conf/homeassistant_conf_files/groups.yaml b/conf/homeassistant_conf_files/groups.yaml deleted file mode 100644 index 5781254..0000000 --- a/conf/homeassistant_conf_files/groups.yaml +++ /dev/null @@ -1,3 +0,0 @@ -########################## -# Groups -########################## diff --git a/conf/homeassistant_conf_files/known_devices.yaml b/conf/homeassistant_conf_files/known_devices.yaml deleted file mode 100644 index d7eda4a..0000000 --- a/conf/homeassistant_conf_files/known_devices.yaml +++ /dev/null @@ -1,3 +0,0 @@ -########################## -# Known Devices -########################## 
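Review bot: The `trusted_networks` auth provider in the first configuration.yaml hunk is enabled for every install with `127.0.0.1`, `::1`, `192.168.0.0/24` and `fd00::/8` hard-coded, which lets any client in those ranges log in without a password. Because the instance sits behind a local reverse proxy (`trusted_proxies` lists the same loopback addresses), a request whose forwarded client address is missing or not honoured would presumably be seen as loopback and qualify; that depends on the nginx config, which is not part of this diff. I would drop the loopback entries and ship the LAN ranges commented out, so the admin opts in for the actual subnet. The `command:` path is also fixed to `/home/homeassistant/.homeassistant/`, while the install script builds the data path from `$app`.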
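Review bot: The `upgrade_homeassistant` switch in the second configuration.yaml hunk lets anyone who can toggle entities in the UI start a package upgrade and a service restart, and with the passwordless `trusted_networks` provider added earlier in this file that can include clients that never presented a credential. Consider leaving the switch out of the shipped default and documenting the script for manual use by the admin. If it stays, `command_on: "/home/homeassistant/.homeassistant/bin/upgrade_homeassistant.sh"` is enough, since the script has a shebang and is made executable at install time; the `bash -c` wrapper adds nothing.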
diff --git a/conf/homeassistant_conf_files/scripts.yaml b/conf/homeassistant_conf_files/scripts.yaml deleted file mode 100644 index 52c904b..0000000 --- a/conf/homeassistant_conf_files/scripts.yaml +++ /dev/null @@ -1,3 +0,0 @@ -########################## -# Scripts -########################## diff --git a/conf/homeassistant_conf_files/secrets.yaml b/conf/homeassistant_conf_files/secrets.yaml deleted file mode 100644 index 7c0124d..0000000 --- a/conf/homeassistant_conf_files/secrets.yaml +++ /dev/null @@ -1,3 +0,0 @@ -# Use this file to store secrets like usernames and passwords. -# Learn more at https://home-assistant.io/docs/configuration/secrets/ -http_password: diff --git a/conf/homeassistant_conf_files/sensors.yaml b/conf/homeassistant_conf_files/sensors.yaml deleted file mode 100644 index 1dad596..0000000 --- a/conf/homeassistant_conf_files/sensors.yaml +++ /dev/null @@ -1,3 +0,0 @@ -########################## -# Sensors -########################## diff --git a/scripts/_common.sh b/scripts/_common.sh index 0b5a468..b32d5cf 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -3,7 +3,7 @@ # # Package dependencies -PKG_DEPENDENCIES="python3 python3-venv python3-pip" +PKG_DEPENDENCIES="python3 python3-venv python3-pip build-essential libssl-dev libffi-dev python3-dev" # Check if directory/file already exists (path in argument) myynh_check_path () { diff --git a/scripts/install b/scripts/install index 805b846..230d171 100644 --- a/scripts/install +++ b/scripts/install @@ -63,8 +63,9 @@ exec_as $app -H -s /bin/bash -c " \ # set default configuration files ynh_replace_string "__PORT__" "$port" "../conf/homeassistant_conf_files/configuration.yaml" ynh_replace_string "__DOMAIN__" "$domain" "../conf/homeassistant_conf_files/configuration.yaml" +chmod -R +x "../conf/homeassistant_conf_files/bin/" -## move all homeassistant_conf_files +# move all homeassistant_conf_files cp -r "../conf/homeassistant_conf_files/." "$data_path/" chown -R $app: "$data_path" 
From f2f522398d4b65e97bb9e3e13703bd6492904c03 Mon Sep 17 00:00:00 2001 From: "ewilly@neuf.fr" Date: Sun, 9 Jun 2019 21:59:41 +0200 Subject: [PATCH 2/3] Remove introduction --- conf/homeassistant_conf_files/configuration.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/conf/homeassistant_conf_files/configuration.yaml b/conf/homeassistant_conf_files/configuration.yaml index 5a9d2a8..c02777b 100644 --- a/conf/homeassistant_conf_files/configuration.yaml +++ b/conf/homeassistant_conf_files/configuration.yaml @@ -31,9 +31,6 @@ http: lovelace: mode: yaml -# Show links to resources in log and frontend -introduction: - # Enables the frontend frontend: javascript_version: latest From d50e417da2b26e98b2545bfb632b27c39451f174 Mon Sep 17 00:00:00 2001 From: "ewilly@neuf.fr" Date: Mon, 10 Jun 2019 12:07:28 +0200 Subject: [PATCH 3/3] update --- manifest.json | 4 ++++ scripts/install | 34 +++++++++++++++++++++------------- scripts/restore | 3 ++- 3 files changed, 27 insertions(+), 14 deletions(-) diff --git a/manifest.json b/manifest.json index 66096df..acc662f 100644 --- a/manifest.json +++ b/manifest.json @@ -38,6 +38,10 @@ "en": "Should this application be public ? (if not, Smartphone app will not work)", "fr": "Est-ce que cette application doit ĂȘtre visible publiquement ? (dans le cas contraire, l'application sur Smartphone ne fonctionnera pas)" }, + "help": { + "en": "If not public, Smartphone app will not work", + "fr": "Dans le cas contraire, l'application sur Smartphone ne fonctionnera pas" + }, "default": true } ] diff --git a/scripts/install b/scripts/install index 230d171..0dbbb6a 100644 --- a/scripts/install +++ b/scripts/install 
@@ -17,38 +17,41 @@ home_path="/home/$app" data_path="/home/$app/.$app" # check domain/path availability +ynh_script_progression --message="Validating installation parameters..." path_url=$(ynh_normalize_url_path "/") ynh_webpath_available "$domain" "$path_url" || ynh_die "$domain/$path_url is not available, please use an other domain." ynh_webpath_register $app "$domain" "$path_url" # add required packages +ynh_script_progression --message="Installing dependencies..." ynh_install_app_dependencies "$PKG_DEPENDENCIES" # save app settings +ynh_script_progression --message="Storing installation settings..." ynh_app_setting_set $app domain "$domain" ynh_app_setting_set $app is_public $is_public # find a free port & open it +ynh_script_progression --message="Looking for a free port and opening it..." port=$(ynh_find_port 8123) ynh_app_setting_set $app port $port ynh_exec_fully_quiet yunohost firewall allow TCP $port # create a dedicated system user +ynh_script_progression --message="Creating dedicated user, rights and folders..." ynh_system_user_create $app - -# grant sudo permissions to the user to manage his own systemd service +## grant sudo permissions to the user to manage his own systemd service myynh_create_dir "/etc/sudoers.d" cp "../conf/sudoers" "/etc/sudoers.d/$app" - -# create a directory for the installation of Home Assistant +## create a directory for the installation of Home Assistant myynh_create_dir "$final_path" chown $app: "$final_path" - -# create a directory for the datas of Home Assistant +## create a directory for the datas of Home Assistant myynh_create_dir "$data_path" chown -R $app: "$home_path" # installation in a virtual environment +ynh_script_progression --message="Installing Home Assistant in a virtual environment..." exec_as $app -H -s /bin/bash -c " \ echo 'create the virtual environment' \ && python3 -m venv "$final_path" \ 
@@ -61,33 +64,38 @@ exec_as $app -H -s /bin/bash -c " \ " # set default configuration files +ynh_script_progression --message="Configuring the installation..." ynh_replace_string "__PORT__" "$port" "../conf/homeassistant_conf_files/configuration.yaml" ynh_replace_string "__DOMAIN__" "$domain" "../conf/homeassistant_conf_files/configuration.yaml" chmod -R +x "../conf/homeassistant_conf_files/bin/" - -# move all homeassistant_conf_files +## move all homeassistant_conf_files cp -r "../conf/homeassistant_conf_files/." "$data_path/" chown -R $app: "$data_path" # setup up autostart using systemd +ynh_script_progression --message="Adding the dedicated service..." ynh_add_systemd_config "$app@$app" - -# add service in admin panel -yunohost service add "$app@$app" --log "$data_path/home-assistant.log" +## add service in admin panel +yunohost service add "$app@$app" --log "$data_path/home-assistant.log" --description "Home Assistant server" # enable & restart systemd service +ynh_script_progression --message="Starting the Home Assistant server..." ynh_system_reload --service_name="$app@$app" --action=enable ynh_check_starting --line_to_match="Home Assistant initialized" --app_log="systemd" --timeout=1000 --service_name="$app@$app" # create a dedicated nginx config +ynh_script_progression --message="Configuring nginx web server..." ynh_add_nginx_config - -# reload nginx +## reload nginx ynh_system_reload --service_name=nginx # unprotect app access if public (needed for Android app to work) +ynh_script_progression --message="Configuring SSOwat..." [ $is_public -eq 1 ] && ynh_app_setting_set $app unprotected_uris "/" # alert about administrator creator message="Your installation is not yet secure : please, IMMEDIATELY go to $domain in order to create the admin user of Home Assistant." +ynh_script_progression --message="$message" ynh_send_readme_to_admin --app_message="$message" --recipients="root" + +ynh_script_progression --message="Installation of $app completed" --last 
diff --git a/scripts/restore b/scripts/restore index 1646f8c..7a4c6ce 100644 --- a/scripts/restore +++ b/scripts/restore @@ -47,6 +47,7 @@ fi if [ ! -d "$home_path" ]; then ynh_restore_file "$home_path" chown -R $app: "$home_path" + chmod -R +x "$home_path/.homeassistant/bin" else ynh_die "$home_path already exists and will not be overwritten" fi @@ -56,7 +57,7 @@ fi ynh_exec_fully_quiet yunohost firewall allow TCP $port # add service in admin panel -yunohost service add "$app@$app" --log "$data_path/home-assistant.log" +yunohost service add "$app@$app" --log "$data_path/home-assistant.log" --description "Home Assistant server" # enable & restart systemd service ynh_system_reload --service_name="$app@$app" --action=enable
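Review bot: `chmod -R +x "$home_path/.homeassistant/bin"` in the first scripts/restore hunk hard-codes the data directory name, while the `yunohost service add` line further down uses `$data_path`, and a bare `+x` grants execute to every class the umask allows. `chmod -R u+x "$data_path/bin"` would be consistent and limited to the owner, assuming `$data_path` is set before this point, which the hunk does not show. The files under that directory come from the backup archive and one of them is run as the login command, so a comment such as `# bin/ holds the auth and upgrade scripts; restore only from trusted backups` would help the next maintainer.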