From 79f03b3318078721493029a26b56f647502da2b5 Mon Sep 17 00:00:00 2001
From: Felix Tenley
Date: Thu, 22 Oct 2020 19:15:55 +0200
Subject: [PATCH] feat(rpi4): expose mosquitto via nginx
---
 services/home-assistant.nix | 37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)
diff --git a/services/home-assistant.nix b/services/home-assistant.nix
index 1fd5443..20016ad 100644
--- a/services/home-assistant.nix
+++ b/services/home-assistant.nix
@@ -2,6 +2,9 @@ with pkgs;
+let
+ mqttDomain = "mqtt.${config.networking.domain}";
+in
 {
 environment.systemPackages = with pkgs; [ deconz ];
@@ -12,22 +15,30 @@ with pkgs;
 openFirewall = true;
 };
- users.users.mosquitto.extraGroups = [ "acme" ];
+ services.nginx = {
+ virtualHosts = {
+ ${ mqttDomain } = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString config.services.mosquitto.port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
 networking.firewall.allowedTCPPorts = [
- config.services.mosquitto.ssl.port
+ config.services.mosquitto.port
 ];
 services.mosquitto = {
 enable = true;
 host = "0.0.0.0";
 checkPasswords = true;
- ssl = {
- enable = true;
- cafile = "/var/lib/acme/${config.networking.domain}/chain.pem";
- certfile = "/var/lib/acme/${config.networking.domain}/cert.pem";
- keyfile = "/var/lib/acme/${config.networking.domain}/key.pem";
- };
+ extraConf = ''
+ protocol websockets
+ '';
 users = {
 "hass" = {
 acl = [
@@ -37,6 +48,12 @@ with pkgs;
 ];
 hashedPasswordFile = "/etc/nixos/secrets/mqtt/hass";
 };
+ #"tasmota" = {
+ # acl = [
+ # "topic readwrite tasmota/#"
+ # ];
+ # hashedPasswordFile = "/etc/nixos/secrets/mqtt/tasmota";
+ #};
 "owntracks" = {
 acl = [
 "topic readwrite owntracks/#"
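Review bot: The firewall now opens `config.services.mosquitto.port` while the broker still binds `host = "0.0.0.0";`, so the plaintext websocket listener that nginx is meant to front is reachable from the network directly, and the only TLS left after removing the `ssl` block is what nginx terminates on `mqttDomain`; with `checkPasswords = true` that means MQTT credentials can be sent in the clear to the raw port. Since the nginx `proxyPass` targets `localhost`, the listener only needs to be local: change `host = "0.0.0.0";` to `host = "127.0.0.1";` and drop `config.services.mosquitto.port` from `networking.firewall.allowedTCPPorts` (or remove that option entirely). Separately, `protocol websockets` in `extraConf` switches whichever listener mosquitto applies it to, presumably the default one here, so raw-MQTT clients such as the `hass` user, if it connects over plain TCP rather than websockets, would lose access; I cannot confirm that from this file. The `services.mosquitto` attribute set continues past the end of the hunk.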
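Review bot: The `"tasmota"` user is added entirely commented out, which leaves dead configuration in the `users` set with no indication of whether it is pending or abandoned, and the ACL it proposes is never checked against the other users' topic prefixes. Either enable it (it already has its own `hashedPasswordFile` and a scoped `topic readwrite tasmota/#` ACL), or replace the six commented lines with a single tracked note, `# TODO: add a "tasmota" user (acl "topic readwrite tasmota/#") once /etc/nixos/secrets/mqtt/tasmota is provisioned`. The `users` set continues outside the hunk.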
@@ -49,7 +66,9 @@ with pkgs;
 services.home-assistant = {
 enable = true;
 package = home-assistant.override {
- extraPackages = ps: with ps; [ (callPackage pydeconz { }) ];
+ extraPackages = ps: with ps; [
+ (callPackage pydeconz { })
+ ];
 };
 openFirewall = true;
 config = {