feat: secure MQTT broker with passwords

hosts/zackbiene/README.md

@@ -0,0 +1,5 @@
+# First Setup
+
+- In HomeAssistant, MQTT integration needs to be added
+  manually, and the mqtt connection details must be entered
+  localhost:1883, user=home_assistant, pass=<see corresponding secret file>

hosts/zackbiene/default.nix

@@ -15,7 +15,11 @@
 
     ./fs.nix
     ./net.nix
+
     ./home-assistant.nix
+    ./mosquitto.nix
+    ./zigbee2mqtt.nix
+    ./esphome.nix
   ];
 
   boot.loader.grub.enable = false;

hosts/zackbiene/esphome.nix

@@ -41,8 +41,7 @@ in {
       ReadWritePaths = dataDir;
       RemoveIPC = true;
       RestrictAddressFamilies = [
-        "AF_INET"
-        "AF_INET6"
+        "AF_UNIX"
       ];
       RestrictNamespaces = true;
       RestrictRealtime = true;

hosts/zackbiene/home-assistant-secrets.yaml.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> X25519 90GQu1DAxHxwy1GWOAE1rHYoQs77Q35YPuQCRTgcWFk
+3AefIIsdsaE/exhb7acz/Vh4OBKIl15rRxFnndo6g2I
+-> piv-p256 xqSe8Q A+/OdhOqSsDgiaYVOoa7Tnk/JZdSGgHJ094mtoort+V3
+tBDFM3y1wDUt2UzjMLgFWprcFSPp25djnJAqXah4/+4
+-> ;[OuQ^De-grease Ce@IYqTR
+B85uiwRHPv4yBPoaXxIvJJb9s+UGkfF/KQ1mEIoBu9XBArYESFmj+kLcSWgLI1r5
+CI26cYM
+--- K9FHvO0db0Xe6pGjnbLeJRqHGI+lFFnFoo6/R5d8dZ4
+>©ˆqñOhÓ¦qP
+)Ć°„%®É>ÂôÔ|ÁÀÒzNjóG•<à3S´àÝR‰2¶±^?\
|ßD
�EÏ2œÕ'€ �±[l‡fL³*GªùQ
ùUk#JEÞGàxЪ-
Šù*̬Bnµƒç"šq;£©¾Â‘{Ê
+ì¬{ü僦°�ì{!)ðŒ˜w÷ÝÃU
w½H„}àŒòýœüîïæDÕ„5jRWîLC�l8_Ù¢G

hosts/zackbiene/home-assistant.nix

@@ -1,4 +1,8 @@
 {
+  lib,
+  config,
+  ...
+}: {
   services.home-assistant = {
     enable = true;
     extraComponents = [
@@ -13,6 +17,22 @@
     ];
     openFirewall = true;
     config = {
+      homeassistant = {
+        name = "!secret ha_name";
+        latitude = "!secret ha_latitude";
+        longitude = "!secret ha_longitude";
+        elevation = "!secret ha_elevation";
+        currency = "!secret ha_currency";
+        time_zone = "!secret ha_time_zone";
+        unit_system = "metric";
+        #external_url = "https://";
+        packages = {
+          manual = "!include manual.yaml";
+        };
+      };
+      #frontend = {
+      #  themes = "!include_dir_merge_named themes";
+      #};
       default_config = {};
       met = {};
     };
@@ -24,35 +44,20 @@
       ];
   };
 
-  # TODO set lat long etc here not manually
+  rekey.secrets."home-assistant-secrets.yaml" = {
+    file = ./home-assistant-secrets.yaml.age;
+    owner = "hass";
+  };
+
+  systemd.services.home-assistant = {
+    preStart = lib.mkBefore ''
+      ln -sf ${config.rekey.secrets."home-assistant-secrets.yaml".path} ${config.services.home-assistant.configDir}/secrets.yaml
+      touch -a ${config.services.home-assistant.configDir}/{automations,scenes,scripts,manual}.yaml
+    '';
+  };
+
   # TODO HA and zigbee2mqtt behind nginx please
-  #   - auth for zigbee2mqtt
+  #   - auth for zigbee2mqtt frontend
   #   - auth for esphome dashboard
   #   - only allow connections from privileged LAN to HA or from vpn range
-  # TODO use password auth for mosquitto
-  services.mosquitto = {
-    enable = true;
-    persistence = true;
-    listeners = [
-      {
-        acl = ["pattern readwrite #"];
-        omitPasswordAuth = true;
-        settings.allow_anonymous = true;
-      }
-    ];
-  };
-  networking.firewall.allowedTCPPorts = [8072];
-  services.zigbee2mqtt = {
-    enable = true;
-    settings = {
-      homeassistant = true;
-      permit_join = true;
-      serial = {
-        port = "/dev/serial/by-id/usb-Silicon_Labs_Sonoff_Zigbee_3.0_USB_Dongle_Plus_0001-if00-port0";
-      };
-      frontend = {
-        port = 8072;
-      };
-    };
-  };
 }

hosts/zackbiene/mosquitto-pw-zigbee2mqtt.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 fnG14tqQJow7aCttB48iukNYbIENNYSCOdnGmzsUR08
+CUgbzHmMTVDjVvwXoJ1Li1HJuCQcexOwTA8vyI1qBy0
+-> piv-p256 xqSe8Q A2lUZF0cZPhAduYPGQg/vrpLPVidJQuIXMh1KCIw2fJu
+SVtOdeJXECGJtNsJkDGnrljvO1xWqmCueMS7dISppP0
+-> 97L6-grease 9 Uv0 :8=|&
+5sV9Y2boLn0oRELbKB1PHp/1YbofZfNprKwUjrcXHTl2qsc02mVOVGBcoghUg7qa
+z99fVBeVj+nR/E6In8lDKR7mUf7ZF8oHxIDEGQcQ9hysO3jbWFA6CMH48h9ICcen
+hEI
+--- gP2qI8vwLWirtwKRpx3iyNc+MUi03qQ353vfzxjYA+8
+RN¯±c<�’{rÏ2_Zèj|žÆAõ.�ê*=9C‘öÈÞ¸qp‰Ê•/PÓ@¬ÈO-± 

hosts/zackbiene/mosquitto.nix

@@ -0,0 +1,39 @@
+{
+  lib,
+  config,
+  ...
+}: {
+  rekey.secrets.mosquitto-pw-zigbee2mqtt = {
+    file = ./mosquitto-pw-zigbee2mqtt.age;
+    mode = "440";
+    owner = "zigbee2mqtt";
+    group = "mosquitto";
+  };
+  rekey.secrets.mosquitto-pw-home_assistant = {
+    file = ./mosquitto-pw-home_assistant.age;
+    mode = "440";
+    owner = "hass";
+    group = "mosquitto";
+  };
+
+  services.mosquitto = {
+    enable = true;
+    persistence = true;
+    listeners = [
+      {
+        acl = ["pattern readwrite #"];
+        users = {
+          zigbee2mqtt = {
+            passwordFile = config.rekey.secrets.mosquitto-pw-zigbee2mqtt.path;
+            acl = ["readwrite #"];
+          };
+          home_assistant = {
+            passwordFile = config.rekey.secrets.mosquitto-pw-home_assistant.path;
+            acl = ["readwrite #"];
+          };
+        };
+        settings.allow_anonymous = false;
+      }
+    ];
+  };
+}

hosts/zackbiene/zigbee2mqtt.nix

@@ -0,0 +1,32 @@
+{
+  lib,
+  config,
+  ...
+}: {
+  rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml" = {
+    file = ./mosquitto-pw-zigbee2mqtt.yaml.age;
+    mode = "440";
+    owner = "zigbee2mqtt";
+    group = "mosquitto";
+  };
+
+  networking.firewall.allowedTCPPorts = [8072];
+  services.zigbee2mqtt = {
+    enable = true;
+    settings = {
+      homeassistant = true;
+      permit_join = true;
+      serial = {
+        port = "/dev/serial/by-id/usb-Silicon_Labs_Sonoff_Zigbee_3.0_USB_Dongle_Plus_0001-if00-port0";
+      };
+      mqtt = {
+        server = "mqtt://localhost:1883";
+        user = "zigbee2mqtt";
+        password = "!${config.rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml".path} password";
+      };
+      frontend = {
+        port = 8072;
+      };
+    };
+  };
+}