From 47d1d73ad15722a2781249e812576d456ba24dbb Mon Sep 17 00:00:00 2001 From: oddlama Date: Tue, 14 Mar 2023 02:54:54 +0100 Subject: [PATCH] feat: secure MQTT broker with passwords --- hosts/zackbiene/README.md | 5 ++ hosts/zackbiene/default.nix | 4 ++ hosts/zackbiene/esphome.nix | 3 +- .../zackbiene/home-assistant-secrets.yaml.age | 12 ++++ hosts/zackbiene/home-assistant.nix | 61 ++++++++++-------- .../zackbiene/mosquitto-pw-home_assistant.age | Bin 0 -> 356 bytes hosts/zackbiene/mosquitto-pw-zigbee2mqtt.age | 11 ++++ .../mosquitto-pw-zigbee2mqtt.yaml.age | Bin 0 -> 454 bytes hosts/zackbiene/mosquitto.nix | 39 +++++++++++ hosts/zackbiene/zigbee2mqtt.nix | 32 +++++++++ users/common/graphical/kitty.nix | 6 +- 11 files changed, 140 insertions(+), 33 deletions(-) create mode 100644 hosts/zackbiene/README.md create mode 100644 hosts/zackbiene/home-assistant-secrets.yaml.age create mode 100644 hosts/zackbiene/mosquitto-pw-home_assistant.age create mode 100644 hosts/zackbiene/mosquitto-pw-zigbee2mqtt.age create mode 100644 hosts/zackbiene/mosquitto-pw-zigbee2mqtt.yaml.age create mode 100644 hosts/zackbiene/mosquitto.nix create mode 100644 hosts/zackbiene/zigbee2mqtt.nix diff --git a/hosts/zackbiene/README.md b/hosts/zackbiene/README.md new file mode 100644 index 0000000..aea9262 --- /dev/null +++ b/hosts/zackbiene/README.md @@ -0,0 +1,5 @@ +# First Setup + +- In HomeAssistant, MQTT integration needs to be added + manually, and the mqtt connection details must be entered + localhost:1883, user=home_assistant, pass= diff --git a/hosts/zackbiene/default.nix b/hosts/zackbiene/default.nix index 1e599a6..f7bcad0 100644 --- a/hosts/zackbiene/default.nix +++ b/hosts/zackbiene/default.nix @@ -15,7 +15,11 @@ ./fs.nix ./net.nix + ./home-assistant.nix + ./mosquitto.nix + ./zigbee2mqtt.nix + ./esphome.nix ]; boot.loader.grub.enable = false; diff --git a/hosts/zackbiene/esphome.nix b/hosts/zackbiene/esphome.nix index def7edf..b8d9b3d 100644 --- a/hosts/zackbiene/esphome.nix 
+++ b/hosts/zackbiene/esphome.nix @@ -41,8 +41,7 @@ in { ReadWritePaths = dataDir; RemoveIPC = true; RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" + "AF_UNIX" ]; RestrictNamespaces = true; RestrictRealtime = true; diff --git a/hosts/zackbiene/home-assistant-secrets.yaml.age b/hosts/zackbiene/home-assistant-secrets.yaml.age new file mode 100644 index 0000000..b6b2d30 --- /dev/null +++ b/hosts/zackbiene/home-assistant-secrets.yaml.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> X25519 90GQu1DAxHxwy1GWOAE1rHYoQs77Q35YPuQCRTgcWFk +3AefIIsdsaE/exhb7acz/Vh4OBKIl15rRxFnndo6g2I +-> piv-p256 xqSe8Q A+/OdhOqSsDgiaYVOoa7Tnk/JZdSGgHJ094mtoort+V3 +tBDFM3y1wDUt2UzjMLgFWprcFSPp25djnJAqXah4/+4 +-> ;[OuQ^De-grease Ce@IYqTR +B85uiwRHPv4yBPoaXxIvJJb9s+UGkfF/KQ1mEIoBu9XBArYESFmj+kLcSWgLI1r5 +CI26cYM +--- K9FHvO0db0Xe6pGjnbLeJRqHGI+lFFnFoo6/R5d8dZ4 +>©ˆqñOhÓ¦qP +)ư„%®É>ÂôÔ|ÁÀÒzNjó G•<à3S´àÝR‰2¶±^?\|ßDEÏ2œÕ'€ ±[l‡fL³*GªùQ ùUk#JEÞGàxЪ-Šù*̬Bnµƒç"šq;£©¾Â‘{Ê +ì¬{ü僦°ì{!)ðŒ˜w ÷ÝÃU w½H„}àŒòýœüîïæDÕ„5jRWîLCl8_Ù¢G \ No newline at end of file diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/zackbiene/home-assistant.nix index 3d88dde..c9db282 100644 --- a/hosts/zackbiene/home-assistant.nix +++ b/hosts/zackbiene/home-assistant.nix @@ -1,4 +1,8 @@ { + lib, + config, + ... +}: { services.home-assistant = { enable = true; extraComponents = [ @@ -13,6 +17,22 @@ ]; openFirewall = true; config = { + homeassistant = { + name = "!secret ha_name"; + latitude = "!secret ha_latitude"; + longitude = "!secret ha_longitude"; + elevation = "!secret ha_elevation"; + currency = "!secret ha_currency"; + time_zone = "!secret ha_time_zone"; + unit_system = "metric"; + #external_url = "https://"; + packages = { + manual = "!include manual.yaml"; + }; + }; + #frontend = { + # themes = "!include_dir_merge_named themes"; + #}; default_config = {}; met = {}; }; 
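Review bot: Replacing AF_INET/AF_INET6 with a lone AF_UNIX in RestrictAddressFamilies means the esphome service can no longer create TCP sockets at all (systemd refuses socket() for any family not listed), which is only correct if the dashboard is reached through a unix socket or socket activation and if firmware builds do not need outbound network from this unit; neither is visible in this hunk, and the enclosing serviceConfig starts outside it. If that is the design, say so on the line so the families are not re-added by the next person who sees the dashboard fail, e.g. `# dashboard is served via a unix socket behind a proxy; the unit needs no TCP`. If the dashboard still binds a TCP port, this change breaks it and the two removed entries need to come back.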
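Review bot: The new `#external_url = "https://";` and `#frontend = { themes = ... }` lines are commented-out configuration rather than a note, so they will sit in the rendered config source indefinitely; either drop them or turn them into a tracked item such as `# TODO: set external_url once HA is fronted by nginx`. Moving name/latitude/longitude into `!secret` references keeps those values out of the repository, but with `openFirewall = true` kept just above the new block the running instance is still reachable from every interface, so the LAN/VPN restriction noted in the TODO elsewhere in this file remains the control that matters.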
@@ -24,35 +44,20 @@ ]; }; - # TODO set lat long etc here not manually + rekey.secrets."home-assistant-secrets.yaml" = { + file = ./home-assistant-secrets.yaml.age; + owner = "hass"; + }; + + systemd.services.home-assistant = { + preStart = lib.mkBefore '' + ln -sf ${config.rekey.secrets."home-assistant-secrets.yaml".path} ${config.services.home-assistant.configDir}/secrets.yaml + touch -a ${config.services.home-assistant.configDir}/{automations,scenes,scripts,manual}.yaml + ''; + }; + # TODO HA and zigbee2mqtt behind nginx please - # - auth for zigbee2mqtt + # - auth for zigbee2mqtt frontend # - auth for esphome dashboard # - only allow connections from privileged LAN to HA or from vpn range - # TODO use password auth for mosquitto - services.mosquitto = { - enable = true; - persistence = true; - listeners = [ - { - acl = ["pattern readwrite #"]; - omitPasswordAuth = true; - settings.allow_anonymous = true; - } - ]; - }; - networking.firewall.allowedTCPPorts = [8072]; - services.zigbee2mqtt = { - enable = true; - settings = { - homeassistant = true; - permit_join = true; - serial = { - port = "/dev/serial/by-id/usb-Silicon_Labs_Sonoff_Zigbee_3.0_USB_Dongle_Plus_0001-if00-port0"; - }; - frontend = { - port = 8072; - }; - }; - }; } diff --git a/hosts/zackbiene/mosquitto-pw-home_assistant.age b/hosts/zackbiene/mosquitto-pw-home_assistant.age new file mode 100644 index 0000000000000000000000000000000000000000..c4626c82ac8105e4026eca347764ef9642fce246 GIT binary patch literal 356 zcmWm8J4}O606gHs!NC|~JKy2lo&`zh8DWCPj_+;xp+!w;jLhR2lg-i`UaiS=tV>$A zol?dI1)Pb@IlkR;y@5;FiCIqRKx;P_mBnI4A%aFUw)|?RL`-%Yj{_O9051@#qH!}eL(y!`9>x-q)c`qD~ zUXN%KD{`}3t4=5-t+VHg!^E6`nd-?%N+AywhDFJ&H`9%RZba77@^?AX3Sn;qafje1 z5!P8OkR(2pVmlD}t+d1Ofe`!MuEM8!Ockk#4I|K3-G;pf`HEPJu=&dI>uBfdTD-Z# v!2Rvn!P@1a%RReZ*?s!r{@zZ0FCM<Q literal 0 HcmV?d00001 diff --git a/hosts/zackbiene/mosquitto-pw-zigbee2mqtt.age b/hosts/zackbiene/mosquitto-pw-zigbee2mqtt.age new file mode 100644 index 0000000..5d4df35 
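Review bot: `rekey.secrets."home-assistant-secrets.yaml"` sets only `owner = "hass"` and no `mode`, whereas the mosquitto secrets added in this same commit pin `mode = "440"`; pin it here too (`mode = "400";` is sufficient, since only hass reads the file through the symlink) so readability does not depend on the secret module's default. The `touch -a …{automations,scenes,scripts,manual}.yaml` line deserves a why-comment, e.g. `# create the files the !include directives expect, without truncating existing ones (-a only updates atime)`. Note also that `ln -sf` refreshes the symlink on every start, so a hand-edited secrets.yaml in configDir is silently replaced; if that is intended, a one-line comment saying so would spare a surprise.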
--- /dev/null +++ b/hosts/zackbiene/mosquitto-pw-zigbee2mqtt.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 fnG14tqQJow7aCttB48iukNYbIENNYSCOdnGmzsUR08 +CUgbzHmMTVDjVvwXoJ1Li1HJuCQcexOwTA8vyI1qBy0 +-> piv-p256 xqSe8Q A2lUZF0cZPhAduYPGQg/vrpLPVidJQuIXMh1KCIw2fJu +SVtOdeJXECGJtNsJkDGnrljvO1xWqmCueMS7dISppP0 +-> 97L6-grease 9 Uv0 :8=|& +5sV9Y2boLn0oRELbKB1PHp/1YbofZfNprKwUjrcXHTl2qsc02mVOVGBcoghUg7qa +z99fVBeVj+nR/E6In8lDKR7mUf7ZF8oHxIDEGQcQ9hysO3jbWFA6CMH48h9ICcen +hEI +--- gP2qI8vwLWirtwKRpx3iyNc+MUi03qQ353vfzxjYA+8 +RN¯±c<’{rÏ2_Zèj|žÆAõ.ê*=9C‘öÈÞ¸qp‰Ê•/PÓ@¬ÈO-±  \ No newline at end of file diff --git a/hosts/zackbiene/mosquitto-pw-zigbee2mqtt.yaml.age b/hosts/zackbiene/mosquitto-pw-zigbee2mqtt.yaml.age new file mode 100644 index 0000000000000000000000000000000000000000..10aa99485a7d2ffde371d54f61033d2f2a4e3a6a GIT binary patch literal 454 zcmWm7KaZ18003~^3=YP`^>R3zOXc{}2bP$4p-@VX_S#3m(u>hROCSFpP+m)EbBl>F zadB|COE*_Pg}Uh{aB_0+L!41_zc29fP{0J)tlSo>D9?`b60sFeG0$jM5Jg_5r)#`r z18eAa1}itM$E19o5Bg^jaHd%A4gq!)2N+LsX_8Q|<2Xw@6f78}OI0v~0VlL@(yQWp z#P%Dz)5)0M)hw@tt(&2UDy9%biLRI9pap3~Ud}c)S#12+p4Xk&%5t(v1%R7(L$1_BH>Y->GCQnL7;&IH5IHCeyng~ zTY^+C>@`4lD1gySV+~7<bWt% zdAhSO0o41SKRolU^zQ!QpQHAo{CIQ+Jve!D_384uygdFp`u*YC{@&+DGJJL0d$>P1 a(6d{I(71m4^2_Mz#h(84_1|~+`1OB#pP8xv literal 0 HcmV?d00001 diff --git a/hosts/zackbiene/mosquitto.nix b/hosts/zackbiene/mosquitto.nix new file mode 100644 index 0000000..5f3366f --- /dev/null +++ b/hosts/zackbiene/mosquitto.nix 
@@ -0,0 +1,39 @@
+{
+ lib,
+ config,
+ ...
+}: {
+ rekey.secrets.mosquitto-pw-zigbee2mqtt = {
+ file = ./mosquitto-pw-zigbee2mqtt.age;
+ mode = "440";
+ owner = "zigbee2mqtt";
+ group = "mosquitto";
+ };
+ rekey.secrets.mosquitto-pw-home_assistant = {
+ file = ./mosquitto-pw-home_assistant.age;
+ mode = "440";
+ owner = "hass";
+ group = "mosquitto";
+ };
+
+ services.mosquitto = {
+ enable = true;
+ persistence = true;
+ listeners = [
+ {
+ acl = ["pattern readwrite #"];
+ users = {
+ zigbee2mqtt = {
+ passwordFile = config.rekey.secrets.mosquitto-pw-zigbee2mqtt.path;
+ acl = ["readwrite #"];
+ };
+ home_assistant = {
+ passwordFile = config.rekey.secrets.mosquitto-pw-home_assistant.path;
+ acl = ["readwrite #"];
+ };
+ };
+ settings.allow_anonymous = false;
+ }
+ ];
+ };
+}
diff --git a/hosts/zackbiene/zigbee2mqtt.nix b/hosts/zackbiene/zigbee2mqtt.nix
new file mode 100644
index 0000000..a3db3f0
--- /dev/null
+++ b/hosts/zackbiene/zigbee2mqtt.nix
@@ -0,0 +1,32 @@
+{
+ lib,
+ config,
+ ...
+}: {
+ rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml" = {
+ file = ./mosquitto-pw-zigbee2mqtt.yaml.age;
+ mode = "440";
+ owner = "zigbee2mqtt";
+ group = "mosquitto";
+ };
+
+ networking.firewall.allowedTCPPorts = [8072];
+ services.zigbee2mqtt = {
+ enable = true;
+ settings = {
+ homeassistant = true;
+ permit_join = true;
+ serial = {
+ port = "/dev/serial/by-id/usb-Silicon_Labs_Sonoff_Zigbee_3.0_USB_Dongle_Plus_0001-if00-port0";
+ };
+ mqtt = {
+ server = "mqtt://localhost:1883";
+ user = "zigbee2mqtt";
+ password = "!${config.rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml".path} password";
+ };
+ frontend = {
+ port = 8072;
+ };
+ };
+ };
+}
diff --git a/users/common/graphical/kitty.nix b/users/common/graphical/kitty.nix
index af81b5e..345570e 100644
--- a/users/common/graphical/kitty.nix
+++ b/users/common/graphical/kitty.nix
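Review bot: Authentication is now enforced (`settings.allow_anonymous = false`), but authorization is still wide open: the listener-level `acl = ["pattern readwrite #"]` plus `acl = ["readwrite #"]` on both users lets every authenticated client read and publish on every topic, so a leaked zigbee2mqtt credential is worth exactly as much as the home_assistant one. Scope the zigbee2mqtt user to what it uses — presumably `acl = ["readwrite zigbee2mqtt/#" "readwrite homeassistant/#"]` (its base_topic and the HA discovery prefix; confirm against the zigbee2mqtt settings, which keep the defaults) — and drop the listener-wide pattern rule rather than restating `#` three times. The listener also sets no `address`, so unless the firewall config I cannot see here closes 1883, mosquitto accepts connections on every interface; both clients in this commit talk to localhost, so `address = "127.0.0.1";` would be the tighter default unless LAN devices (ESPHome nodes?) are meant to publish directly.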
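Review bot: `permit_join = true;` is baked into the static settings, so the Zigbee network is open to any device that asks, on every start, indefinitely; zigbee2mqtt itself logs a warning about exactly this because an always-open network lets a neighbouring device enrol itself. Set `permit_join = false;` and enable joining only while pairing, from the frontend or over MQTT. The frontend on 8072 is opened in the firewall with no authentication, which the TODO in home-assistant.nix acknowledges; until the nginx front exists, a `frontend.auth_token` fed from a secret file the same way as `mqtt.password` would be a cheap interim gate, if the deployed zigbee2mqtt version supports it. Lastly, the broker password now lives in two encrypted files (the plain one read by mosquitto, the YAML one read here), and a comment saying they must be kept in sync would save a confusing authentication failure after the next rotation.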
@@ -3,6 +3,9 @@ pkgs, ... }: { + home.sessionVariables = { + TERMINFO_DIRS = "${pkgs.kitty.terminfo.outPath}/share/terminfo"; + }; programs.kitty = { enable = true; package = pkgs.kitty.overrideAttrs (finalAttrs: prevAttrs: { @@ -14,9 +17,6 @@ size = 10; }; settings = { - # Use xterm-256color because copying terminfo-kitty is painful. - term = "xterm-256color"; - # Do not wait for inherited child processes. close_on_child_death = "yes";