In April, I continued last month’s work on deployment automation using Ansible.
My idea is to fully automate the deployment of Home Assistant, an open source home automation software, to a gateway device (a Raspberry Pi in this case). Home Assistant is just one piece of the deployment puzzle — others include automated TLS certificates, dynamic DNS updates, client-side certificate authentication and monitoring.
The biggest obstacle has been trying to figure out the boundaries between different Ansible roles. The current list of roles is as follows:
- common: The base Debian configuration
- unattended-upgrades: Automatic installation of Debian updates with automatic restarts if needed
- dyfi: Dynamic DNS updates with monitoring using dy.fi
- webserver: Nginx with a set of pre-defined TLS parameter configuration
- letsencrypt: Let’s Encrypt certificate request and automatic renewal with monitoring
- tls-client-auth: Nginx configuration required to set up TLS client certificate authentication
- ups: Uninterruptible power supply configuration
- homeassistant: Home Assistant software installation
The Nginx configuration has posed the most problems. For example, where should TLS parameters (such ciphers suites) be set: as part of webserver, letsencrypt or homeassistant role? What responsibilities should homeassistant have in configuring TLS client side certificate authentication? How should the letsencrypt role affect the HTTP server configuration?
Currently, all TLS certificate parameters except the certificate themselves are deployed as part of the webserver role as additional configuration file to Nginx config.d. Once an HTTPS is server is taken in to use, the configuration applies. The letsencrypt role configures an HTTP server but only handles the challenge and passes everything else to a HTTPS server. Role configured homeassistant is such HTTPS server but doesn’t have to be. The tls-client-auth role configures everything ready for TLS client side certificate authentication but requires a few lines in the HTTPS server (e.g. homeassistant) to be in use.
Monitoring is handled by healthchecks.io with an integration to Pushover for mobile push notifications. Let’s Encrypt renewals, dynamic DNS updates and UPS status are monitored and I immediately get a push notification to my phone if something unexpected happens.
I will release the Ansible scripts once I have the setup in a working order.
That’s all I have for this month, see you in the next one!