homeassistant: закрытие доступа к zigbee2mqtt, поправлен запуск по https, улучшения настроек nginx

profiles/templates/homeassistant/nginx/0-ini.env

@@ -0,0 +1,3 @@
+# Calculate format=samba path=/var/calculate name=#-cut(1)-# grep(/var/calculate/ini.env,\[nginx\])== protected
+[nginx]
+zigbee2mqtt_subpath = #-rnd(pas,32)-#

profiles/templates/homeassistant/nginx/homeassistant.conf

@@ -1,49 +1,54 @@
-# Calculate path=/etc/nginx/sites-enabled exists(/etc/nginx/sites-enabled/#-cut()-#)== comment=#
+# Calculate path=/etc/nginx/sites-enabled exists(/etc/nginx/sites-enabled/#-cut()-#)== exists(/var/calculate/www/homeassistant/homeassistant-live)!= comment=#
 map $http_upgrade $connection_upgrade {
 	default upgrade;
 	'' close;
 }
+#?ini(homeassistant.protocol)==https#
+server {
+	listen 80;
+	server_name #-ini(homeassistant.domain)-#;
+	return 301 https://#-ini(homeassistant.domain)-#$request_uri;
+}
+#ini#
 
 server {
+	server_name #-ini(homeassistant.domain)-#;
+
+#?ini(homeassistant.protocol)==https#
+	ssl_certificate /var/calculate/ssl/fullchain.pem;
+	ssl_certificate_key /var/calculate/ssl/privkey.pem;
+
+	listen 443 ssl;
+#!ini#
 	listen 80;
+#ini#
+
+	# Home Assistant
 	location / {
-		proxy_pass "http://127.0.0.1:8123";
-		proxy_connect_timeout 60;
+		proxy_pass http://127.0.0.1:8123;
+		proxy_set_header Host $host;
+		proxy_redirect http:// https://;
 		proxy_http_version 1.1;
-		proxy_intercept_errors off;
-		proxy_read_timeout 60;
-		proxy_send_timeout 60;
-		proxy_set_header Connection $connection_upgrade;
-		proxy_set_header Host $http_host;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header Upgrade $http_upgrade;
-		proxy_set_header X-Forwarded-For $remote_addr;
-		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Connection $connection_upgrade;
+	}
+
+	# Zigbee2MQTT
+	location /#-ini(nginx.zigbee2mqtt_subpath)-#/ {
+		proxy_pass http://localhost:8080/;
+		proxy_set_header Host $host;
 		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	}
+
+	location /#-ini(nginx.zigbee2mqtt_subpath)-#/api {
+		proxy_pass http://localhost:8080/api;
+		proxy_set_header Host $host;
+
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "upgrade";
 	}
-}
 
-server {
-    server_name #-ini(homeassistant.domain)-#;
-
-    ssl_certificate /var/calculate/ssl/fullchain.pem;
-    ssl_certificate_key /var/calculate/ssl/privkey.pem;
-
-    listen 443 ssl;
-    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
-    ssl_protocols TLSv1.2;
-    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-    ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:10m;
-
-    proxy_buffering off;
-
-    location / {
-        proxy_pass http://127.0.0.1:8123;
-        proxy_set_header Host $host;
-        proxy_redirect http:// https://;
-        proxy_http_version 1.1;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection $connection_upgrade;
-    }
 }

scripts/homeassistant/step/3-zigbee2mqtt.sh

@@ -74,6 +74,8 @@ mqtt:
 serial:
   # Location of USB sniffer
   port: ${ini[zigbee2mqtt.dev]}
-frontend: true
+frontend:
+  port: 8080
+  host: 127.0.0.1
 EOF
 eend

scripts/homeassistant/step/4-config.sh

@@ -35,7 +35,7 @@ recorder:
 panel_iframe:
   zigbee:
     title: "Zigbee2mqtt"
-    url: "http://${ini[homeassistant.domain]}:8080"
+    url: "${ini[homeassistant.protocol]}://${ini[homeassistant.domain]}/${ini[nginx.zigbee2mqtt_subpath]}"
     icon: mdi:zigbee
 EOF