homeassistant: Run service as non root user

2025-01-28 15:13:10 +00:00 · 2025-01-28 15:13:10 +00:00 · ec1b8cb9e6
commit ec1b8cb9e6
parent 8b90b85b8f
4 changed files with 193 additions and 10 deletions
--- a/roles/homeassistant/files/homeassistant-docker-venv.patch
+++ b/roles/homeassistant/files/homeassistant-docker-venv.patch
@ -0,0 +1,139 @@
+--- run.orig	2025-01-28 08:45:53.981024625 +0000
+++ run	2025-01-28 08:45:38.177986885 +0000
+@@ -21,49 +21,52 @@
+ # Create user
+ #
+ 
+-# Some HA commands seem to fail if we don't have an actual user.
+-# ie: shell_command would return error code 255
+-bashio::log.info "Creating user $USER with $PUID:$PGID"
+-
+-deluser "$USER" >/dev/null 2>&1 || true
+-delgroup "$GROUP" >/dev/null 2>&1 || true
+-
+-# Re-use existing group (can't delgroup a group that is in use)
+-group="$(getent group "$PGID" | cut -d: -f1 || true)"
+-if [ -z "$group" ]; then
+-  addgroup -g "$PGID" "$GROUP"
+-else
+-  bashio::log.notice "Re-using existing group with gid $PGID: $group"
+-  GROUP="$group"
+-fi
+-
+-# Replace existing user (ensures correct shell and primary group)
+-user="$(getent passwd "$PUID" | cut -d: -f1 || true)"
+-if [ -n "$user" ]; then
+-  bashio::log.notice "Replacing existing user with uid $PUID: $user"
+-  deluser "$user"
+-fi
+-adduser -G "$GROUP" -D -u "$PUID" "$USER"
+if [ "$(whoami)" != "homeassistant" ]; then
+ 
+-if [ -n "${EXTRA_GID:-}" ]; then
+-  bashio::log.info "Resolving supplementary GIDs: $EXTRA_GID"
+-  supplementary_groups=()
+-
+-  for gid in $EXTRA_GID; do
+-    group="$(getent group "$gid" | cut -d: -f1 || true)"
+-
+-    if [ -z "$group" ]; then
+-      group="$USER-$gid"
+-      addgroup -g "$gid" "$group"
+-    fi
+  # Some HA commands seem to fail if we don't have an actual user.
+  # ie: shell_command would return error code 255
+  bashio::log.info "Creating user $USER with $PUID:$PGID"
+
+  deluser "$USER" >/dev/null 2>&1 || true
+  delgroup "$GROUP" >/dev/null 2>&1 || true
+
+  # Re-use existing group (can't delgroup a group that is in use)
+  group="$(getent group "$PGID" | cut -d: -f1 || true)"
+  if [ -z "$group" ]; then
+    addgroup -g "$PGID" "$GROUP"
+  else
+    bashio::log.notice "Re-using existing group with gid $PGID: $group"
+    GROUP="$group"
+  fi
+ 
+-    supplementary_groups+=( "$group" )
+-  done
+  # Replace existing user (ensures correct shell and primary group)
+  user="$(getent passwd "$PUID" | cut -d: -f1 || true)"
+  if [ -n "$user" ]; then
+    bashio::log.notice "Replacing existing user with uid $PUID: $user"
+    deluser "$user"
+  fi
+  adduser -G "$GROUP" -D -u "$PUID" "$USER"
+ 
+-  bashio::log.info "Appending supplementary groups: ${supplementary_groups[*]}"
+-  for group in "${supplementary_groups[@]}"; do
+-    addgroup "$USER" "$group"
+-  done
+  if [ -n "${EXTRA_GID:-}" ]; then
+    bashio::log.info "Resolving supplementary GIDs: $EXTRA_GID"
+    supplementary_groups=()
+
+    for gid in $EXTRA_GID; do
+      group="$(getent group "$gid" | cut -d: -f1 || true)"
+
+      if [ -z "$group" ]; then
+        group="$USER-$gid"
+        addgroup -g "$gid" "$group"
+      fi
+
+      supplementary_groups+=( "$group" )
+    done
+
+    bashio::log.info "Appending supplementary groups: ${supplementary_groups[*]}"
+    for group in "${supplementary_groups[@]}"; do
+      addgroup "$USER" "$group"
+    done
+  fi
+ fi
+ 
+ #
+@@ -82,8 +85,12 @@
+ #
+ 
+ bashio::log.info "Initializing venv in $VENV_PATH"
+-su "$USER" \
+-  -c "python3 -m venv --system-site-packages '$VENV_PATH'"
+if [ "$(whoami)" = "homeassistant" ]; then
+  python3 -m venv --system-site-package "$VENV_PATH"
+else
+  su "$USER" \
+    -c "python3 -m venv --system-site-packages '$VENV_PATH'"
+fi
+ 
+ #
+ # Fix permissions
+@@ -104,8 +111,12 @@
+ export UV_SYSTEM_PYTHON=false
+ 
+ bashio::log.info "Installing uv into venv"
+-uv --version && su "$USER" \
+-  -c "uv pip freeze --system|grep ^uv=|xargs uv pip install"
+if [ "$(whoami)" = "homeassistant" ]; then
+  uv --version && uv pip freeze --system|grep ^uv=|xargs uv pip install
+else
+  uv --version && su "$USER" \
+    -c "uv pip freeze --system|grep ^uv=|xargs uv pip install"
+fi
+ 
+ bashio::log.info "Setting new \$HOME"
+ HOME="$( getent passwd "$USER" | cut -d: -f6 )"
+@@ -122,6 +133,10 @@
+ fi
+ 
+ bashio::log.info "Starting homeassistant"
+-exec \
+-  s6-setuidgid "$USER" \
+-  python3 -m homeassistant --config "$CONFIG_PATH"
+if [ "$(whoami)" = "homeassistant" ]; then
+  exec python3 -m homeassistant --config "$CONFIG_PATH"
+else
+  exec \
+    s6-setuidgid "$USER" \
+    python3 -m homeassistant --config "$CONFIG_PATH"
+fi