feat: secure MQTT broker with passwords

2023-03-14 02:54:54 +01:00 · 2023-03-14 02:54:54 +01:00 · 47d1d73ad1
commit 47d1d73ad1
parent 9028295fd5
11 changed files with 140 additions and 33 deletions
--- a/hosts/zackbiene/README.md
+++ b/hosts/zackbiene/README.md
@ -0,0 +1,5 @@
+# First Setup
+
+- In HomeAssistant, MQTT integration needs to be added
+  manually, and the mqtt connection details must be entered
+  localhost:1883, user=home_assistant, pass=<see corresponding secret file>
--- a/hosts/zackbiene/default.nix
+++ b/hosts/zackbiene/default.nix
@ -15,7 +15,11 @@

    ./fs.nix
    ./net.nix
+
    ./home-assistant.nix
+    ./mosquitto.nix
+    ./zigbee2mqtt.nix
+    ./esphome.nix
  ];

  boot.loader.grub.enable = false;
--- a/hosts/zackbiene/esphome.nix
+++ b/hosts/zackbiene/esphome.nix
@ -41,8 +41,7 @@ in {
      ReadWritePaths = dataDir;
      RemoveIPC = true;
      RestrictAddressFamilies = [
-        "AF_INET"
-        "AF_INET6"
+        "AF_UNIX"
      ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
--- a/hosts/zackbiene/home-assistant-secrets.yaml.age
+++ b/hosts/zackbiene/home-assistant-secrets.yaml.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> X25519 90GQu1DAxHxwy1GWOAE1rHYoQs77Q35YPuQCRTgcWFk
+3AefIIsdsaE/exhb7acz/Vh4OBKIl15rRxFnndo6g2I
+-> piv-p256 xqSe8Q A+/OdhOqSsDgiaYVOoa7Tnk/JZdSGgHJ094mtoort+V3
+tBDFM3y1wDUt2UzjMLgFWprcFSPp25djnJAqXah4/+4
+-> ;[OuQ^De-grease Ce@IYqTR
+B85uiwRHPv4yBPoaXxIvJJb9s+UGkfF/KQ1mEIoBu9XBArYESFmj+kLcSWgLI1r5
+CI26cYM
+--- K9FHvO0db0Xe6pGjnbLeJRqHGI+lFFnFoo6/R5d8dZ4
+>©ˆqñOhÓ¦qP
+)Ä†°„%®É>ÂôÔ|ÁÀÒzNjóG•<à3S´àÝR‰2¶±^?\|ßD�EÏ2œÕ'€ �±[l‡fL³*GªùQ
ùUk#JEÞGàxÐª-Šù*Ì¬Bnµƒç"šq;£©¾Â‘{Ê
+ì¬{üåƒ¦°�ì{!)ðŒ˜w÷ÝÃU
w½H„}àŒòýœüîïæDÕ„5jRWîLC�l8_Ù¢G
--- a/hosts/zackbiene/home-assistant.nix
+++ b/hosts/zackbiene/home-assistant.nix
@ -1,4 +1,8 @@
 {
+  lib,
+  config,
+  ...
+}: {
  services.home-assistant = {
    enable = true;
    extraComponents = [
@ -13,6 +17,22 @@
    ];
    openFirewall = true;
    config = {
+      homeassistant = {
+        name = "!secret ha_name";
+        latitude = "!secret ha_latitude";
+        longitude = "!secret ha_longitude";
+        elevation = "!secret ha_elevation";
+        currency = "!secret ha_currency";
+        time_zone = "!secret ha_time_zone";
+        unit_system = "metric";
+        #external_url = "https://";
+        packages = {
+          manual = "!include manual.yaml";
+        };
+      };
+      #frontend = {
+      #  themes = "!include_dir_merge_named themes";
+      #};
      default_config = {};
      met = {};
    };
@ -24,35 +44,20 @@
      ];
  };

-  # TODO set lat long etc here not manually
+  rekey.secrets."home-assistant-secrets.yaml" = {
+    file = ./home-assistant-secrets.yaml.age;
+    owner = "hass";
+  };
+
+  systemd.services.home-assistant = {
+    preStart = lib.mkBefore ''
+      ln -sf ${config.rekey.secrets."home-assistant-secrets.yaml".path} ${config.services.home-assistant.configDir}/secrets.yaml
+      touch -a ${config.services.home-assistant.configDir}/{automations,scenes,scripts,manual}.yaml
+    '';
+  };
+
  # TODO HA and zigbee2mqtt behind nginx please
-  #   - auth for zigbee2mqtt
+  #   - auth for zigbee2mqtt frontend
  #   - auth for esphome dashboard
  #   - only allow connections from privileged LAN to HA or from vpn range
-  # TODO use password auth for mosquitto
-  services.mosquitto = {
-    enable = true;
-    persistence = true;
-    listeners = [
-      {
-        acl = ["pattern readwrite #"];
-        omitPasswordAuth = true;
-        settings.allow_anonymous = true;
-      }
-    ];
-  };
-  networking.firewall.allowedTCPPorts = [8072];
-  services.zigbee2mqtt = {
-    enable = true;
-    settings = {
-      homeassistant = true;
-      permit_join = true;
-      serial = {
-        port = "/dev/serial/by-id/usb-Silicon_Labs_Sonoff_Zigbee_3.0_USB_Dongle_Plus_0001-if00-port0";
-      };
-      frontend = {
-        port = 8072;
-      };
-    };
-  };
 }
--- a/hosts/zackbiene/mosquitto-pw-home_assistant.age
+++ b/hosts/zackbiene/mosquitto-pw-home_assistant.age
--- a/hosts/zackbiene/mosquitto-pw-zigbee2mqtt.age
+++ b/hosts/zackbiene/mosquitto-pw-zigbee2mqtt.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 fnG14tqQJow7aCttB48iukNYbIENNYSCOdnGmzsUR08
+CUgbzHmMTVDjVvwXoJ1Li1HJuCQcexOwTA8vyI1qBy0
+-> piv-p256 xqSe8Q A2lUZF0cZPhAduYPGQg/vrpLPVidJQuIXMh1KCIw2fJu
+SVtOdeJXECGJtNsJkDGnrljvO1xWqmCueMS7dISppP0
+-> 97L6-grease 9 Uv0 :8=|&
+5sV9Y2boLn0oRELbKB1PHp/1YbofZfNprKwUjrcXHTl2qsc02mVOVGBcoghUg7qa
+z99fVBeVj+nR/E6In8lDKR7mUf7ZF8oHxIDEGQcQ9hysO3jbWFA6CMH48h9ICcen
+hEI
+--- gP2qI8vwLWirtwKRpx3iyNc+MUi03qQ353vfzxjYA+8
+RN¯±c<�’{rÏ2_Zèj|žÆAõ.�ê*=9C‘öÈÞ¸qp‰Ê•/PÓ@¬ÈO-± 
--- a/hosts/zackbiene/mosquitto-pw-zigbee2mqtt.yaml.age
+++ b/hosts/zackbiene/mosquitto-pw-zigbee2mqtt.yaml.age
--- a/hosts/zackbiene/mosquitto.nix
+++ b/hosts/zackbiene/mosquitto.nix
@ -0,0 +1,39 @@
+{
+  lib,
+  config,
+  ...
+}: {
+  rekey.secrets.mosquitto-pw-zigbee2mqtt = {
+    file = ./mosquitto-pw-zigbee2mqtt.age;
+    mode = "440";
+    owner = "zigbee2mqtt";
+    group = "mosquitto";
+  };
+  rekey.secrets.mosquitto-pw-home_assistant = {
+    file = ./mosquitto-pw-home_assistant.age;
+    mode = "440";
+    owner = "hass";
+    group = "mosquitto";
+  };
+
+  services.mosquitto = {
+    enable = true;
+    persistence = true;
+    listeners = [
+      {
+        acl = ["pattern readwrite #"];
+        users = {
+          zigbee2mqtt = {
+            passwordFile = config.rekey.secrets.mosquitto-pw-zigbee2mqtt.path;
+            acl = ["readwrite #"];
+          };
+          home_assistant = {
+            passwordFile = config.rekey.secrets.mosquitto-pw-home_assistant.path;
+            acl = ["readwrite #"];
+          };
+        };
+        settings.allow_anonymous = false;
+      }
+    ];
+  };
+}
--- a/hosts/zackbiene/zigbee2mqtt.nix
+++ b/hosts/zackbiene/zigbee2mqtt.nix
@ -0,0 +1,32 @@
+{
+  lib,
+  config,
+  ...
+}: {
+  rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml" = {
+    file = ./mosquitto-pw-zigbee2mqtt.yaml.age;
+    mode = "440";
+    owner = "zigbee2mqtt";
+    group = "mosquitto";
+  };
+
+  networking.firewall.allowedTCPPorts = [8072];
+  services.zigbee2mqtt = {
+    enable = true;
+    settings = {
+      homeassistant = true;
+      permit_join = true;
+      serial = {
+        port = "/dev/serial/by-id/usb-Silicon_Labs_Sonoff_Zigbee_3.0_USB_Dongle_Plus_0001-if00-port0";
+      };
+      mqtt = {
+        server = "mqtt://localhost:1883";
+        user = "zigbee2mqtt";
+        password = "!${config.rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml".path} password";
+      };
+      frontend = {
+        port = 8072;
+      };
+    };
+  };
+}
--- a/users/common/graphical/kitty.nix
+++ b/users/common/graphical/kitty.nix
@ -3,6 +3,9 @@
  pkgs,
  ...
 }: {
+  home.sessionVariables = {
+    TERMINFO_DIRS = "${pkgs.kitty.terminfo.outPath}/share/terminfo";
+  };
  programs.kitty = {
    enable = true;
    package = pkgs.kitty.overrideAttrs (finalAttrs: prevAttrs: {
@ -14,9 +17,6 @@
      size = 10;
    };
    settings = {
-      # Use xterm-256color because copying terminfo-kitty is painful.
-      term = "xterm-256color";
-
      # Do not wait for inherited child processes.
      close_on_child_death = "yes";