homeassistant: Run service as non root user

2025-01-28 15:13:10 +00:00 · 2025-01-28 15:13:10 +00:00 · ec1b8cb9e6
commit ec1b8cb9e6
parent 8b90b85b8f
4 changed files with 193 additions and 10 deletions
--- a/roles/homeassistant/tasks/main.yml
+++ b/roles/homeassistant/tasks/main.yml
@ -1,13 +1,13 @@
 ---
 - name: Create group
  ansible.builtin.group:
-    name: ha
+    name: homeassistant

 - name: Create user
  ansible.builtin.user:
-    name: ha
+    name: homeassistant
    comment: Podman HomeAssistant
-    group: ha
+    group: homeassistant
    shell: /sbin/nologin

 - name: Enable user lingering
@ -15,8 +15,8 @@
    argv:
      - loginctl
      - enable-linger
-      - ha
-    creates: /var/lib/systemd/linger/ha
+      - homeassistant
+    creates: /var/lib/systemd/linger/homeassistant

 - name: Install dependencies
  ansible.builtin.package:
@ -25,6 +25,46 @@
  with_items:
    - bluez
    - git
+    - patch
+
+- name: Get venv support for container
+  ansible.builtin.git:
+    dest: /usr/local/src/homeassistant-docker-venv
+    repo: https://github.com/tribut/homeassistant-docker-venv.git
+    update: true
+    version: master
+  register: git_result
+
+- name: Create venv support directory
+  ansible.builtin.file:
+    path: /usr/local/libexec/homeassistant-docker-venv
+    state: directory
+    mode: "0755"
+    owner: root
+    group: "{{ ansible_wheel }}"
+
+- name: Check if venv support script exists
+  ansible.builtin.stat:
+    path: /usr/local/libexec/homeassistant-docker-venv/run
+  changed_when: false
+  register: stat_result
+
+- name: Copy venv support script
+  ansible.builtin.copy:
+    dest: /usr/local/libexec/homeassistant-docker-venv/run
+    src: /usr/local/src/homeassistant-docker-venv/run
+    mode: "0755"
+    owner: root
+    group: "{{ ansible_wheel }}"
+    remote_src: true
+  when: not stat_result.stat.exists or git_result.changed
+
+# https://github.com/home-assistant/core/issues/128214
+- name: Patch venv support script
+  ansible.posix.patch:
+    dest: /usr/local/libexec/homeassistant-docker-venv/run
+    src: homeassistant-docker-venv.patch
+  notify: Restart homeassistant

 - name: Enable bluetooth services
  ansible.builtin.service:
@ -69,7 +109,7 @@
    state: true
    persistent: true

- name: Allow ha to connect specific devices
+- name: Allow homeassistant to connect specific devices
  ansible.builtin.copy:
    dest: /etc/udev/rules.d/99-homeassistant.rules
    src: 99-homeassistant.rules
@ -83,8 +123,8 @@
    path: /export/homeassistant
    state: directory
    mode: "0700"
-    owner: ha
-    group: ha
+    owner: homeassistant
+    group: homeassistant
    setype: _default

 - name: Link config directory