sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: secure MQTT broker with passwords

Browse source
This commit is contained in:
oddlama 2023-03-14 02:54:54 +01:00
parent 9028295fd5
commit 47d1d73ad1
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
11 changed files with 140 additions and 33 deletions
Download patch file Download diff file Expand all files Collapse all files

5
hosts/zackbiene/README.md Normal file
View file

@ -0,0 +1,5 @@
# First Setup
- In HomeAssistant, MQTT integration needs to be added
manually, and the mqtt connection details must be entered
localhost:1883, user=home_assistant, pass=<see corresponding secret file>

4
hosts/zackbiene/default.nix
View file

@ -15,7 +15,11 @@
./fs.nix ./fs.nix
./net.nix ./net.nix
./home-assistant.nix ./home-assistant.nix
./mosquitto.nix
./zigbee2mqtt.nix
./esphome.nix
]; ];
boot.loader.grub.enable = false; boot.loader.grub.enable = false;

3
hosts/zackbiene/esphome.nix
View file

@ -41,8 +41,7 @@ in {
ReadWritePaths = dataDir; ReadWritePaths = dataDir;
RemoveIPC = true; RemoveIPC = true;
RestrictAddressFamilies = [ RestrictAddressFamilies = [
"AF_INET" "AF_UNIX"
"AF_INET6"
]; ];
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;

12
hosts/zackbiene/home-assistant-secrets.yaml.age Normal file
View file

@ -0,0 +1,12 @@
age-encryption.org/v1
-> X25519 90GQu1DAxHxwy1GWOAE1rHYoQs77Q35YPuQCRTgcWFk
3AefIIsdsaE/exhb7acz/Vh4OBKIl15rRxFnndo6g2I
-> piv-p256 xqSe8Q A+/OdhOqSsDgiaYVOoa7Tnk/JZdSGgHJ094mtoort+V3
tBDFM3y1wDUt2UzjMLgFWprcFSPp25djnJAqXah4/+4
-> ;[OuQ^De-grease Ce@IYqTR
B85uiwRHPv4yBPoaXxIvJJb9s+UGkfF/KQ1mEIoBu9XBArYESFmj+kLcSWgLI1r5
CI26cYM
--- K9FHvO0db0Xe6pGjnbLeJRqHGI+lFFnFoo6/R5d8dZ4
>©ˆqñOhÓ¦qP
)Ć°„%®É>ÂôÔ|ÁÀÒzNjó G•<à3S´àÝR‰2¶±^?\|ßD�EÏ2œÕ'€ �±[l‡fL³*GªùQ ùUk#JEÞGàxЪ-Šù*̬Bnµƒç"šq;£©¾Â‘{Ê
ì¬{ü僦°�ì{!)ðŒ˜w ÷ÝÃU w½H„}àŒòýœüîïæDÕ„5jRWîLC�l8_Ù¢G

61
hosts/zackbiene/home-assistant.nix
View file

@ -1,4 +1,8 @@
{ {
lib,
config,
...
}: {
services.home-assistant = { services.home-assistant = {
enable = true; enable = true;
extraComponents = [ extraComponents = [
@ -13,6 +17,22 @@
]; ];
openFirewall = true; openFirewall = true;
config = { config = {
homeassistant = {
name = "!secret ha_name";
latitude = "!secret ha_latitude";
longitude = "!secret ha_longitude";
elevation = "!secret ha_elevation";
currency = "!secret ha_currency";
time_zone = "!secret ha_time_zone";
unit_system = "metric";
#external_url = "https://";
packages = {
manual = "!include manual.yaml";
};
};
#frontend = {
# themes = "!include_dir_merge_named themes";
#};
default_config = {}; default_config = {};
met = {}; met = {};
}; };
@ -24,35 +44,20 @@
]; ];
}; };
# TODO set lat long etc here not manually rekey.secrets."home-assistant-secrets.yaml" = {
file = ./home-assistant-secrets.yaml.age;
owner = "hass";
};
systemd.services.home-assistant = {
preStart = lib.mkBefore ''
ln -sf ${config.rekey.secrets."home-assistant-secrets.yaml".path} ${config.services.home-assistant.configDir}/secrets.yaml
touch -a ${config.services.home-assistant.configDir}/{automations,scenes,scripts,manual}.yaml
'';
};
# TODO HA and zigbee2mqtt behind nginx please # TODO HA and zigbee2mqtt behind nginx please
# - auth for zigbee2mqtt # - auth for zigbee2mqtt frontend
# - auth for esphome dashboard # - auth for esphome dashboard
# - only allow connections from privileged LAN to HA or from vpn range # - only allow connections from privileged LAN to HA or from vpn range
# TODO use password auth for mosquitto
services.mosquitto = {
enable = true;
persistence = true;
listeners = [
{
acl = ["pattern readwrite #"];
omitPasswordAuth = true;
settings.allow_anonymous = true;
}
];
};
networking.firewall.allowedTCPPorts = [8072];
services.zigbee2mqtt = {
enable = true;
settings = {
homeassistant = true;
permit_join = true;
serial = {
port = "/dev/serial/by-id/usb-Silicon_Labs_Sonoff_Zigbee_3.0_USB_Dongle_Plus_0001-if00-port0";
};
frontend = {
port = 8072;
};
};
};
} }

BIN
hosts/zackbiene/mosquitto-pw-home_assistant.age Normal file
View file

Binary file not shown.

11
hosts/zackbiene/mosquitto-pw-zigbee2mqtt.age Normal file
View file

@ -0,0 +1,11 @@
age-encryption.org/v1
-> X25519 fnG14tqQJow7aCttB48iukNYbIENNYSCOdnGmzsUR08
CUgbzHmMTVDjVvwXoJ1Li1HJuCQcexOwTA8vyI1qBy0
-> piv-p256 xqSe8Q A2lUZF0cZPhAduYPGQg/vrpLPVidJQuIXMh1KCIw2fJu
SVtOdeJXECGJtNsJkDGnrljvO1xWqmCueMS7dISppP0
-> 97L6-grease 9 Uv0 :8=|&
5sV9Y2boLn0oRELbKB1PHp/1YbofZfNprKwUjrcXHTl2qsc02mVOVGBcoghUg7qa
z99fVBeVj+nR/E6In8lDKR7mUf7ZF8oHxIDEGQcQ9hysO3jbWFA6CMH48h9ICcen
hEI
--- gP2qI8vwLWirtwKRpx3iyNc+MUi03qQ353vfzxjYA+8
RN¯±c<�’{rÏ2_Zèj|žÆAõ.�ê*=9C‘öÈÞ¸qp‰Ê•/PÓ@¬ÈO-± 

BIN
hosts/zackbiene/mosquitto-pw-zigbee2mqtt.yaml.age Normal file
View file

Binary file not shown.

39
hosts/zackbiene/mosquitto.nix Normal file
View file

@ -0,0 +1,39 @@
{
lib,
config,
...
}: {
rekey.secrets.mosquitto-pw-zigbee2mqtt = {
file = ./mosquitto-pw-zigbee2mqtt.age;
mode = "440";
owner = "zigbee2mqtt";
group = "mosquitto";
};
rekey.secrets.mosquitto-pw-home_assistant = {
file = ./mosquitto-pw-home_assistant.age;
mode = "440";
owner = "hass";
group = "mosquitto";
};
services.mosquitto = {
enable = true;
persistence = true;
listeners = [
{
acl = ["pattern readwrite #"];
users = {
zigbee2mqtt = {
passwordFile = config.rekey.secrets.mosquitto-pw-zigbee2mqtt.path;
acl = ["readwrite #"];
};
home_assistant = {
passwordFile = config.rekey.secrets.mosquitto-pw-home_assistant.path;
acl = ["readwrite #"];
};
};
settings.allow_anonymous = false;
}
];
};
}

32
hosts/zackbiene/zigbee2mqtt.nix Normal file
View file

@ -0,0 +1,32 @@
{
lib,
config,
...
}: {
rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml" = {
file = ./mosquitto-pw-zigbee2mqtt.yaml.age;
mode = "440";
owner = "zigbee2mqtt";
group = "mosquitto";
};
networking.firewall.allowedTCPPorts = [8072];
services.zigbee2mqtt = {
enable = true;
settings = {
homeassistant = true;
permit_join = true;
serial = {
port = "/dev/serial/by-id/usb-Silicon_Labs_Sonoff_Zigbee_3.0_USB_Dongle_Plus_0001-if00-port0";
};
mqtt = {
server = "mqtt://localhost:1883";
user = "zigbee2mqtt";
password = "!${config.rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml".path} password";
};
frontend = {
port = 8072;
};
};
};
}

6
users/common/graphical/kitty.nix
View file

@ -3,6 +3,9 @@
pkgs, pkgs,
... ...
}: { }: {
home.sessionVariables = {
TERMINFO_DIRS = "${pkgs.kitty.terminfo.outPath}/share/terminfo";
};
programs.kitty = { programs.kitty = {
enable = true; enable = true;
package = pkgs.kitty.overrideAttrs (finalAttrs: prevAttrs: { package = pkgs.kitty.overrideAttrs (finalAttrs: prevAttrs: {
@ -14,9 +17,6 @@
size = 10; size = 10;
}; };
settings = { settings = {
# Use xterm-256color because copying terminfo-kitty is painful.
term = "xterm-256color";
# Do not wait for inherited child processes. # Do not wait for inherited child processes.
close_on_child_death = "yes"; close_on_child_death = "yes";