nixpkgs/nixos/tests/home-assistant.nix
Martin Weinelt 36659d1efa
nixos/home-assistant: update hardening
This makes access to serial devices contingent on using certain
components and restricts the default setup even further.
2021-06-16 21:31:24 +02:00

107 lines
3.6 KiB
Nix

import ./make-test-python.nix ({ pkgs, lib, ... }:
let
configDir = "/var/lib/foobar";
mqttUsername = "homeassistant";
mqttPassword = "secret";
in {
name = "home-assistant";
meta.maintainers = lib.teams.home-assistant.members;
nodes.hass = { pkgs, ... }: {
environment.systemPackages = with pkgs; [ mosquitto ];
services.mosquitto = {
enable = true;
checkPasswords = true;
users = {
"${mqttUsername}" = {
acl = [ "topic readwrite #" ];
password = mqttPassword;
};
};
};
services.home-assistant = {
inherit configDir;
enable = true;
# includes the package with all tests enabled
package = pkgs.home-assistant;
config = {
homeassistant = {
name = "Home";
time_zone = "UTC";
latitude = "0.0";
longitude = "0.0";
elevation = 0;
};
frontend = {};
mqtt = {
broker = "127.0.0.1";
username = mqttUsername;
password = mqttPassword;
};
binary_sensor = [{
platform = "mqtt";
state_topic = "home-assistant/test";
payload_on = "let_there_be_light";
payload_off = "off";
}];
# tests component-based capability assignment (CAP_NET_BIND_SERVICE)
emulated_hue = {
host_ip = "127.0.0.1";
listen_port = 80;
};
logger = {
default = "info";
logs."homeassistant.components.mqtt" = "debug";
};
};
lovelaceConfig = {
title = "My Awesome Home";
views = [{
title = "Example";
cards = [{
type = "markdown";
title = "Lovelace";
content = "Welcome to your **Lovelace UI**.";
}];
}];
};
lovelaceConfigWritable = true;
};
};
testScript = ''
start_all()
hass.wait_for_unit("home-assistant.service")
with subtest("Check that YAML configuration file is in place"):
hass.succeed("test -L ${configDir}/configuration.yaml")
with subtest("lovelace config is copied because lovelaceConfigWritable = true"):
hass.succeed("test -f ${configDir}/ui-lovelace.yaml")
with subtest("Check that Home Assistant's web interface and API can be reached"):
hass.wait_for_open_port(8123)
hass.succeed("curl --fail http://localhost:8123/lovelace")
with subtest("Toggle a binary sensor using MQTT"):
hass.wait_for_open_port(1883)
hass.succeed(
"mosquitto_pub -V mqttv5 -t home-assistant/test -u ${mqttUsername} -P '${mqttPassword}' -m let_there_be_light"
)
with subtest("Check that capabilities are passed for emulated_hue to bind to port 80"):
hass.wait_for_open_port(80)
hass.succeed("curl --fail http://localhost:80/description.xml")
with subtest("Print log to ease debugging"):
output_log = hass.succeed("cat ${configDir}/home-assistant.log")
print("\n### home-assistant.log ###\n")
print(output_log + "\n")
with subtest("Check that no errors were logged"):
assert "ERROR" not in output_log
# example line: 2020-06-20 10:01:32 DEBUG (MainThread) [homeassistant.components.mqtt] Received message on home-assistant/test: b'let_there_be_light'
with subtest("Check we received the mosquitto message"):
assert "let_there_be_light" in output_log
with subtest("Check systemd unit hardening"):
hass.log(hass.succeed("systemctl show home-assistant.service"))
hass.log(hass.succeed("systemd-analyze security home-assistant.service"))
'';
})