From c98b8c6f051535752c4224dc9889445eee6426a0 Mon Sep 17 00:00:00 2001
From: CroneKorkN
Date: Sun, 13 Jul 2025 13:10:37 +0200
Subject: [PATCH] homeassistant letsencrypt
---
 bundles/letsencrypt/files/hook.sh | 6 ++++++
 bundles/ssh/items.py | 8 +-------
 bundles/ssh/metadata.py | 18 ++++++++++++++++++
 nodes/home.homeassistant.py | 31 +++++++++++++++++++++++++++++++
 nodes/home.server.py | 14 ++++++++++++++
 5 files changed, 70 insertions(+), 7 deletions(-)
diff --git a/bundles/letsencrypt/files/hook.sh b/bundles/letsencrypt/files/hook.sh
index 7289a1f..ae8eab4 100644
--- a/bundles/letsencrypt/files/hook.sh
+++ b/bundles/letsencrypt/files/hook.sh
@@ -31,6 +31,12 @@ deploy_cert() {
 % for domain, conf in sorted(domains.items()):
 <% if not conf: continue %>\
 ${domain})
+ % if conf.get('scp', None):
+ scp "$KEYFILE" "${conf['scp']}/${conf.get('privkey_name', 'privkey.pem')}"
+ scp "$CERTFILE" "${conf['scp']}/${conf.get('cert_name', 'cert.pem')}"
+ scp "$FULLCHAINFILE" "${conf['scp']}/${conf.get('fullchain_name', 'fullchain.pem')}"
+ scp "$CHAINFILE" "${conf['scp']}/${conf.get('chain_name', 'chain.pem')}"
+ % endif
 % if conf.get('location', None):
 cat "$KEYFILE" > "${conf['location']}/${conf.get('privkey_name', 'privkey.pem')}"
 cat "$CERTFILE" > "${conf['location']}/${conf.get('cert_name', 'cert.pem')}"
diff --git a/bundles/ssh/items.py b/bundles/ssh/items.py
index cc6d693..ffb1a75 100644
--- a/bundles/ssh/items.py
+++ b/bundles/ssh/items.py
@@ -66,13 +66,7 @@ files = {
 ],
 },
 '/etc/ssh/ssh_known_hosts': {
- 'content': '\n'.join(sorted(
- line
- for other_node in repo.nodes
- if other_node != node
- and other_node.has_bundle('ssh')
- for line in other_node.metadata.get('ssh/is_known_as')
- )) + '\n',
+ 'content': '\n'.join(sorted(node.metadata.get('ssh/known_hosts'))) + '\n',
 },
 }
diff --git a/bundles/ssh/metadata.py b/bundles/ssh/metadata.py
index 549ac9c..b6e3583 100644
--- a/bundles/ssh/metadata.py
+++ b/bundles/ssh/metadata.py
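Review bot: The four added `scp` lines copy the private key and certificates to a remote host but discard their exit status, so a failed transfer (host unreachable, key rejected, host-key mismatch) leaves the renewed certificate undeployed with nothing in the hook's output to show it; the existing `cat ... >` branch has the same shape, but a local write is far less likely to fail. Unless the script runs under `set -e` (its header is outside the hunk), each line should at least report the failure, e.g. `scp "$KEYFILE" "${conf['scp']}/${conf.get('privkey_name', 'privkey.pem')}" || echo "deploy of ${domain} to ${conf['scp']} failed" >&2`, and likewise for the other three files. Because the first transfer carries the private key, a short comment above `% if conf.get('scp', None):` stating that the remote account and the permissions of the target directory decide who can read it would help the next person who adds a `scp` target. deploy_cert's body continues outside the hunk.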
@@ -5,6 +5,7 @@ defaults = {
 'ssh': {
 'multiplex_incoming': True,
 'is_known_as': set(), # known_hosts for other nodes
+ 'known_hosts': set(), # known_hosts for this node
 },
 }
@@ -86,3 +87,20 @@ def is_known_as(metadata):
 ),
 },
 }
+
+
+@metadata_reactor.provides(
+ 'ssh/known_hosts',
+)
+def known_hosts(metadata):
+ return {
+ 'ssh': {
+ 'known_hosts': set(
+ line
+ for other_node in repo.nodes
+ if other_node != node
+ and other_node.has_bundle('ssh')
+ for line in other_node.metadata.get('ssh/is_known_as')
+ )
+ }
+ }
diff --git a/nodes/home.homeassistant.py b/nodes/home.homeassistant.py
index aa77e30..6a69865 100644
--- a/nodes/home.homeassistant.py
+++ b/nodes/home.homeassistant.py
@@ -11,5 +11,36 @@
 'gateway4': '10.0.0.1',
 },
 },
+ 'dns': {
+ 'homeassistant.ckn.li': {
+ 'A': {
+ '10.0.0.16',
+ },
+ },
+ },
 },
 }
+
+# LETSENCRYPT
+# - cant use the letsencrypt addon, because it doesnt suppeort supplying a different zone (which would be acme.sublimity.de)
+
+# Advanced SSH & Web Terminal:
+#
+# username: root
+# password: ""
+# authorized_keys:
+# - >-
+# ssh-ed25519
+# AAAAC3NzaC1lZDI1NTE5AAAAIJT9Spe+BYue7iiutl3rSf6PlU6dthHizyK+ZWnLodrA
+# root@home.server
+# sftp: true
+# compatibility_mode: false
+# allow_agent_forwarding: false
+# allow_remote_port_forwarding: false
+# allow_tcp_forwarding: false
+
+# add to /homeassistant/configuration.yaml:
+# http:
+# http_port: 443
+# ssl_certificate: /ssl/fullchain.pem
+# ssl_key: /ssl/privkey.pem
diff --git a/nodes/home.server.py b/nodes/home.server.py
index 16a8c6f..e73bae2 100644
--- a/nodes/home.server.py
+++ b/nodes/home.server.py
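Review bot: The new `known_hosts` reactor has no docstring, and because its result is what `/etc/ssh/ssh_known_hosts` is now built from (the host-key trust list every outbound ssh/scp on the node checks against), it should say where the entries come from; something like `"""Every other ssh-bundle node's ssh/is_known_as lines, so this node's system known_hosts trusts their host keys."""` is enough. Node-level `ssh/known_hosts` values (home.server.py in this commit) presumably merge into this set under bundlewrap's usual metadata merging — worth a line in the docstring once confirmed. As a point of style, `set(line for ...)` is more idiomatically a set comprehension, `{line for other_node in repo.nodes if other_node != node and other_node.has_bundle('ssh') for line in other_node.metadata.get('ssh/is_known_as')}`.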
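Review bot: The comment block recording the add-on configuration shows `# password: ""` with no explanation, and a later reader is likely to "correct" it by setting a password; if, as I understand the add-on's behaviour, an empty password turns off password login so that only the listed key is accepted, record that next to it: `# password: ""  # empty on purpose: no password login, key-only`. The block also leaves unsaid why `sftp: true` stays on while every forwarding option is off — scp has used the SFTP protocol by default since OpenSSH 9.0, so the subsystem presumably has to be enabled for the copies from home.server to work; a note there, `# sftp: true  # required: scp from home.server uses the SFTP protocol`, would prevent it being switched off as unneeded. The first comment line also has typos (`cant`, `doesnt`, `suppeort`).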
@@ -100,6 +100,13 @@
 'readonly_token': '!decrypt:encrypt$gAAAAABg3z1-0hnUdzsfivocxhJm58YnPLn96OUvnHiPaehdRhKd6TZBgEPc5YyR07t2-GEUfOvEwoie-O6QsVhWYxrwxNTBXux_iUSx7W6e-fLQA_3MgWf5G97q_3kx_wCgQ6V0iKRyxH988TpNSMACfS4WhCXdSes1CaMpic4VV3S3ox_gCrSHxO7yVXQkJDnOW0MixY5T',
 'writeonly_token': '!decrypt:encrypt$gAAAAABg3z6fGrOy2tNdo03RoYAXmpJoJYkfhBfpblPh_wxYfqmdjtABaD7XyV9mSh9xl8oWQlTAtCk9KndVCDQy7BJ-ju7S3HCKJ0k244Y5YKxUnQtqt9fc9nnm8XD-NOJqLKyfy0QhL_I8dFT02pygoJeCUR5NkZcTKf6julb-iGXI6vWcQgolJTYrW643pHObd-Z-vIEl',
 },
+ 'letsencrypt': {
+ 'domains': {
+ 'homeassistant.ckn.li': {
+ 'scp': 'root@10.0.0.16:/ssl',
+ },
+ },
+ },
 'mosquitto': {
 'hostname': 'mqtt.sublimity.de',
 'users': {
@@ -134,6 +141,13 @@
 'windows-backup': {},
 },
 },
+ 'ssh': {
+ 'known_hosts': libs.ssh.known_hosts_entry_for(
+ node_id='3d67964d-1270-4d3c-b93f-9c44219b3d59',
+ hostnames=('homeassistant.ckn.li', '10.0.0.16'),
+ pubkey='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9SOqQ7tcJAOWOZkbQwFLOEfqpILuiDmeMHAEiY9G/I',
+ ),
+ },
 'steam_chat_logger': {
 'STEAM_USERNAME': 'snake_452',
 'STEAM_ID': 'STEAM_0:0:12376499',
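Review bot: `'scp': 'root@10.0.0.16:/ssl'` hard-codes the Home Assistant address a third time — the same IP is the A record added in home.homeassistant.py and appears in the `hostnames` tuple of the `ssh/known_hosts` entry below — so a readdressing has to touch all three and a missed one only fails at the next renewal. If home.server resolves `homeassistant.ckn.li` (the A record this commit adds), using the name here, `'scp': 'root@homeassistant.ckn.li:/ssl',`, keeps the known_hosts match (the entry lists both name and IP) and leaves one place to change; otherwise a comment naming the node this IP belongs to would do.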
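Review bot: `'known_hosts'` is declared as `set()` in the ssh bundle's defaults and consumed with `sorted(...)` in items.py (both in this commit), so whatever `libs.ssh.known_hosts_entry_for(...)` returns must be a set (or a collection bundlewrap merges into one) for this node-level value to combine with the reactor output; if it returns a single known_hosts line, wrap it, `'known_hosts': {libs.ssh.known_hosts_entry_for(...)},`, since a bare string would either be rejected at metadata merge or be sorted character by character. libs.ssh is outside this diff, so I cannot confirm its return type; a one-line comment above the call stating what it returns would settle that for readers.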