roles/homeassistant: Install in a virtualenv

Because the Home Assistant user's home directory is on `/var`, Python
packages installed in the "user site" do not get the correct SELinux
labels and thus run in the wrong domain.  This causes a lot of AVC
denials and other issues that prevent Home Assistant from working
correctly.

To resolve this issue, Home Assistant is now installed in a virtual
environment at `/usr/local/homeassistant`.  This directory is still
owned by the Home Assistant user, allowing Home Assistant to manage
packages installed there.  Since it is rooted under `/usr`, files are
labelled correctly and processes launched from executables there will
run in the correct domain.

roles/homeassistant/files/hass.sh

@@ -1,3 +1,3 @@
 #!/bin/sh
 
-exec /var/lib/homeassistant/.local/bin/hass
+exec /usr/local/homeassistant/bin/hass

roles/homeassistant/files/homeassistant.service

@@ -4,6 +4,7 @@ Description=Home Assistant
 
 [Service]
 Type=simple
+Environment=TMPDIR=/var/lib/homeassistant/tmp
 ExecStart=/usr/local/bin/hass
 User=homeassistant
 UMask=0077

roles/homeassistant/handlers/main.yml

@@ -1,3 +1,5 @@
+- name: relabel home assistant dir
+  command: restorecon -RF /usr/local/homeassistant
 - name: reload systemd
   command: systemctl daemon-reload
 - name: restart homeassistant

roles/homeassistant/tasks/main.yml

@@ -1,7 +1,13 @@
+- name: load architecture-specific values
+  include_vars: '{{ item }}'
+  with_first_found:
+  - '{{ ansible_architecture }}.yml'
+  - defaults.yml
+
 - name: ensure system dependencies are installed
   package:
-    name:
-    - python3-pip
+    name: >-
+      {{ homeassistant_common_system_deps + homeassistant_arch_system_deps }}
     state: present
   tags:
   - install
@@ -12,18 +18,46 @@
     system: true
     home: /var/lib/homeassistant
 
+- name: ensure homeassistant tmp dir exists
+  file:
+    path: /var/lib/homeassistant/tmp
+    mode: '0700'
+    owner: homeassistant
+    group: homeassistant
+    state: directory
+
+- name: ensure homeassistant install dir exists
+  file:
+    path: /usr/local/homeassistant
+    mode: '0755'
+    owner: homeassistant
+    group: homeassistant
+    state: directory
 - name: ensure homeassistant is installed
+  environment:
+    TMPDIR: /var/lib/homeassistant/tmp
   become: true
   become_user: homeassistant
   pip:
     name: homeassistant
     extra_args: >-
-      --user
+      --prefer-binary
+    virtualenv: /usr/local/homeassistant
+    virtualenv_command: '/usr/bin/python3 -m venv'
+
+- name: ensure selinux file context map is correct for home assistant dir
+  sefcontext:
+    ftype: a
+    setype: bin_t
+    target: /usr/local/homeassistant/bin(/.*)?
+    state: present
+  notify: relabel home assistant dir
 
 - name: ensure homeassistant entry point is installed
   copy:
     src: hass.sh
     dest: /usr/local/bin/hass
+    setype: bin_t
     mode: '0755'
   notify:
   - restart homeassistant

roles/homeassistant/vars/armv7l.yml

@@ -0,0 +1,12 @@
+# These are required to build Python packages that do not have wheels
+# on pypi.org for armv7hl
+homeassistant_arch_system_deps:
+- gcc
+- gcc-c++
+- libffi-devel
+- libopenzwave-devel
+- libudev-devel
+- make
+- openssl-devel
+- python3-devel
+- which

roles/homeassistant/vars/defaults.yml

@@ -0,0 +1 @@
+homeassistant_arch_system_deps: []

roles/homeassistant/vars/main.yml

@@ -0,0 +1,2 @@
+homeassistant_common_system_deps:
+- python3-pip