From ad3299faa25e4c79ea39f8344a0497d26e836e0c Mon Sep 17 00:00:00 2001
From: Felix Tenley
Date: Wed, 21 Oct 2020 20:54:55 +0200
Subject: [PATCH] feat(rpi4): set up mosquitto

---
 flake.lock | 17 ++++++++++++
 flake.nix | 15 +++++++++--
 rpi4.nix | 2 +-
 services/home-assistant.nix | 53 +++++++++++++++++++++++++++++++++----
 4 files changed, 79 insertions(+), 8 deletions(-)

diff --git a/flake.lock b/flake.lock
index f87591f..f319a92 100644
--- a/flake.lock
+++ b/flake.lock
@@ -17,6 +17,22 @@
 "type": "github"
 }
 },
+ "felschr-nixpkgs": {
+ "locked": {
+ "lastModified": 1603300533,
+ "narHash": "sha256-WQpKeqOAFkXv1NSq+VCpU7B6WJ6jdopvlUO0TkMq+mU=",
+ "owner": "felschr",
+ "repo": "nixpkgs",
+ "rev": "30b1d77f15634bb7574edf33087cd80f4e85a245",
+ "type": "github"
+ },
+ "original": {
+ "owner": "felschr",
+ "ref": "feat/mosquitto-password-file",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "flake-compat": {
 "flake": false,
 "locked": {
@@ -178,6 +194,7 @@
 },
 "root": {
 "inputs": {
+ "felschr-nixpkgs": "felschr-nixpkgs",
 "flake-utils": "flake-utils",
 "home-manager": "home-manager",
 "nixpkgs": "nixpkgs",
diff --git a/flake.nix b/flake.nix
index 42246b9..31d8be9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,13 @@
 {
 inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 
+ inputs.felschr-nixpkgs = {
+ type = "github";
+ owner = "felschr";
+ repo = "nixpkgs";
+ ref = "feat/mosquitto-password-file";
+ };
+
 inputs.flake-utils.url = "github:numtide/flake-utils";
 
 inputs.home-manager = {
@@ -17,7 +24,7 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 
- outputs = { self, nixpkgs, flake-utils, home-manager, nur, pre-commit-hooks }:
+ outputs = { self, nixpkgs, felschr-nixpkgs, flake-utils, home-manager, nur, pre-commit-hooks }:
 let
 overlays = {
 deconz = self: super: {
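Review bot: `inputs.felschr-nixpkgs` tracks a branch (`ref = "feat/mosquitto-password-file"`) of a personal fork, and the module it supplies replaces the upstream mosquitto module through `disabledModules` in the second flake.nix hunk, so that service definition stops receiving upstream fixes for as long as the fork stays in place. The lock entry pins the fork at rev 30b1d77f…, which keeps builds reproducible, but a later `nix flake update` will silently move to whatever the branch then points at. A comment on the input stating why it exists and when it can go would help the next reader: `# temporary: mosquitto hashedPasswordFile support; remove once merged upstream and drop the disabledModules entry in nixosConfigurations`. The `outputs` function in the last flake.nix hunk continues outside the hunk.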
@@ -80,7 +87,11 @@
 system = "aarch64-linux";
 modules = [
 nixpkgs.nixosModules.notDetected
- { home-manager.users.felschr.imports = [ homeManagerModules.git ]; }
+ {
+ disabledModules = [ "services/networking/mosquitto.nix" ];
+ imports = [ "${felschr-nixpkgs}/nixos/modules/services/networking/mosquitto.nix" ];
+ }
+ { home-manager.users.felschr.imports = [ homeManagerModules.git ]; }
 nixosModules.deconz
 (systemModule {
 hostName = "felix-rpi4";
diff --git a/rpi4.nix b/rpi4.nix
index 798cc25..c880daf 100644
--- a/rpi4.nix
+++ b/rpi4.nix
@@ -48,7 +48,7 @@ with builtins; {
 recommendedProxySettings = true;
 virtualHosts = {
- "home.felschr.com" = {
+ ${ config.networking.domain } = {
 enableACME = true;
 forceSSL = true;
 locations."/" = {
diff --git a/services/home-assistant.nix b/services/home-assistant.nix
index 84ec913..1fd5443 100644
--- a/services/home-assistant.nix
+++ b/services/home-assistant.nix
@@ -1,6 +1,8 @@
 { config, pkgs, ... }:
 
-with pkgs; {
+with pkgs;
+
+{
 environment.systemPackages = with pkgs; [ deconz ];
 
 local.services.deconz = {
@@ -10,6 +12,40 @@ with pkgs; {
 openFirewall = true;
 };
 
+ users.users.mosquitto.extraGroups = [ "acme" ];
+
+ networking.firewall.allowedTCPPorts = [
+ config.services.mosquitto.ssl.port
+ ];
+
+ services.mosquitto = {
+ enable = true;
+ host = "0.0.0.0";
+ checkPasswords = true;
+ ssl = {
+ enable = true;
+ cafile = "/var/lib/acme/${config.networking.domain}/chain.pem";
+ certfile = "/var/lib/acme/${config.networking.domain}/cert.pem";
+ keyfile = "/var/lib/acme/${config.networking.domain}/key.pem";
+ };
+ users = {
+ "hass" = {
+ acl = [
+ "topic readwrite homeassistant/#"
+ "topic readwrite tasmota/#"
+ "topic readwrite owntracks/#"
+ ];
+ hashedPasswordFile = "/etc/nixos/secrets/mqtt/hass";
+ };
+ "owntracks" = {
+ acl = [
+ "topic readwrite owntracks/#"
+ ];
+ hashedPasswordFile = "/etc/nixos/secrets/mqtt/owntracks";
+ };
+ };
+ };
+
 services.home-assistant = {
 enable = true;
 package = home-assistant.override {
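Review bot: The new attribute name `${ config.networking.domain }` in rpi4.nix makes evaluation depend on `networking.domain` being non-null; with the NixOS default of null the interpolation fails with a type-coercion error rather than a readable message. If the option is set in the shared system module (not visible here) this is fine; otherwise `virtualHosts = assert config.networking.domain != null; { ... };` would turn the failure into an explicit one. The same interpolation is relied on for the ACME paths in services/home-assistant.nix. The enclosing nginx configuration starts and ends outside the hunk.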
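Review bot: `host = "0.0.0.0"` in the services.mosquitto block binds the broker's unencrypted listener to every interface while only `config.services.mosquitto.ssl.port` is added to `networking.firewall.allowedTCPPorts`, so the plain-text port is one relaxed firewall rule away from the LAN; `host = "127.0.0.1";` keeps it for local Home Assistant use only, assuming the fork's module still binds the TLS listener on all interfaces — worth confirming against the imported module. Adding the `mosquitto` user to the `acme` group grants it read access to every key under `/var/lib/acme`, not just this domain's; if other ACME certificates live on this host, the per-certificate `security.acme.certs.<name>.group` option would be the narrower grant. `checkPasswords = true` with `hashedPasswordFile` under `/etc/nixos/secrets/mqtt/` keeps the hashes out of the Nix store, which is the right shape; a comment on the expected file format and ownership, e.g. `# mosquitto_passwd hashes; keep readable by the mosquitto user only`, would help whoever provisions the host. The `hass` ACL's `topic readwrite homeassistant/#` is what MQTT discovery needs and `owntracks` is scoped to `owntracks/#`, which reads as least privilege for those two clients.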
@@ -35,15 +71,22 @@ with pkgs; {
 zeroconf = { };
 ssdp = { };
 shopping_list = { };
- owntracks = {
- mqtt_topic = "owntracks/#";
- secret = "!secret owntracks_secret";
- };
 deconz = {
 host = "localhost";
 port = 8080;
 api_key = "!secret deconz_apikey";
 };
+ mqtt = {
+ broker = "localhost";
+ port = "8883";
+ username = "hass";
+ password = "!secret mqtt_password";
+ discovery = true;
+ discovery_prefix = "homeassistant";
+ };
+ owntracks = {
+ mqtt_topic = "owntracks/#";
+ };
 };
 # configWritable = true; # doesn't work atm
 };
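Review bot: `broker = "localhost"` with `port = "8883"` points Home Assistant at the broker's TLS listener, but nothing in the `mqtt` block turns on TLS on the client side and the certificate is issued for `config.networking.domain`, not `localhost`, so the connection is likely to be refused by the TLS listener or fail hostname verification — unless TLS is configured for the integration elsewhere, which is not visible here. Either connect over loopback to the plain listener (`port = 1883;`) or keep 8883 and set `broker = config.networking.domain;` together with the integration's certificate option. `port` is also given as a string here while `deconz.port = 8080` in the same block is an integer; `port = 8883;` keeps the two consistent. Dropping `secret = "!secret owntracks_secret"` from `owntracks` removes the payload encryption layer, so location data now relies solely on broker TLS and the per-user ACLs added in the earlier hunk. The enclosing Home Assistant configuration attribute set begins before the hunk.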