From bb75070da9c9a7584f06b85ee31801ceae13ae56 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 26 Jan 2025 18:02:17 +0100
Subject: [PATCH] feat: allow several discovery protocols in hass

---
 hosts/sausebiene/mosquitto.nix | 12 ----------
 hosts/sausebiene/net.nix | 38 ++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 12 deletions(-)

diff --git a/hosts/sausebiene/mosquitto.nix b/hosts/sausebiene/mosquitto.nix
index aa02959..7368466 100644
--- a/hosts/sausebiene/mosquitto.nix
+++ b/hosts/sausebiene/mosquitto.nix
@@ -27,16 +27,4 @@
 }
 ];
 };
-
- networking.nftables.firewall.rules = {
- # Allow devices and iot VLANs to access the MQTT server
- access-mqtt = {
- from = [
- "vlan-devices"
- "vlan-iot"
- ];
- to = [ "local" ];
- allowedTCPPorts = [ 1883 ];
- };
- };
 }
diff --git a/hosts/sausebiene/net.nix b/hosts/sausebiene/net.nix
index d14e0ff..53f50fa 100644
--- a/hosts/sausebiene/net.nix
+++ b/hosts/sausebiene/net.nix
@@ -104,6 +104,44 @@ in
 "vlan-${vlanName}".interfaces = [ "vlan-${vlanName}" ];
 }
 );
+
+ rules = {
+ # Allow devices to be discovered through various protocols
+ discovery-protocols = {
+ from = [
+ "vlan-home"
+ "vlan-devices"
+ "vlan-iot"
+ ];
+ to = [ "local" ];
+ allowedUDPPorts = [
+ 1900 # Simple Service Discovery Protocol, UPnP
+ ];
+ allowedTCPPorts = [
+ 40000 # UPnP HTTP
+ ];
+ # HomeKit etc. may use random high-numbered ports.
+ # There's probably a better way to handle this
+ allowedUDPPortRanges = [
+ {
+ from = 30000;
+ to = 65535;
+ }
+ ];
+ };
+
+ # Allow devices to access some local services
+ access-services = {
+ from = [
+ "vlan-devices"
+ "vlan-iot"
+ ];
+ to = [ "local" ];
+ allowedTCPPorts = [
+ 1883 # MQTT
+ ];
+ };
+ };
 };

 wireguard.proxy-home.client.via = "ward";
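Review bot: The `allowedUDPPortRanges` entry in the new `discovery-protocols` rule admits unsolicited UDP on 30000–65535 from vlan-home, vlan-devices and vlan-iot to `local`, which is most of the ephemeral range and will reach any UDP listener that happens to bind there on this host, not only the HomeKit traffic the comment has in mind; the author's own `There's probably a better way to handle this` marks it as provisional. Replies to connections the host initiates are presumably already accepted by the firewall module's conntrack handling, so this range is only needed for genuinely inbound datagrams, and if the HomeKit bridge listens on a configured fixed port, that single port (plus 5353/UDP for mDNS, if this host answers mDNS itself rather than a separate rule covering it) would be a much narrower rule. At minimum the comment should record what the range is for and what it exposes, e.g. `# TODO(security): narrow to the HomeKit bridge port once known; this accepts all unsolicited UDP 30000-65535 from the three VLANs`, and `from` could be limited to the VLANs that actually host HomeKit controllers rather than including vlan-iot. The attribute set that `rules` is added to starts before the hunk, so the enclosing firewall configuration is not visible here.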