From 0858206619bd54c142abc0cb50292514eeb0b4cf Mon Sep 17 00:00:00 2001 From: Jake Hillion Date: Sun, 23 Jul 2023 18:27:54 +0100 Subject: [PATCH] zigbee2mqtt: move from microserver to router --- .../default.nix | 60 ------------ .../router.home.ts.hillion.co.uk/default.nix | 12 +-- modules/default.nix | 1 + modules/impermanence.nix | 3 +- modules/services/zigbee2mqtt.nix | 91 ++++++++++++++++++ secrets/mqtt/homeassistant.age | 20 ++++ secrets/mqtt/zigbee2mqtt.age | Bin 1034 -> 1016 bytes secrets/restic/1.6T.age | 38 ++++---- secrets/secrets.nix | 5 +- 9 files changed, 143 insertions(+), 87 deletions(-) create mode 100644 modules/services/zigbee2mqtt.nix create mode 100644 secrets/mqtt/homeassistant.age diff --git a/hosts/microserver.home.ts.hillion.co.uk/default.nix b/hosts/microserver.home.ts.hillion.co.uk/default.nix index 80c0729..eadd54e 100644 --- a/hosts/microserver.home.ts.hillion.co.uk/default.nix +++ b/hosts/microserver.home.ts.hillion.co.uk/default.nix 
@@ -36,72 +36,12 @@ "net.ipv4.ip_forward" = true; }; - ## Set up simpleproxy to Zigbee bridge - systemd.services.zigbee-simpleproxy = { - description = "Simple TCP Proxy for Zigbee Bridge"; - - wantedBy = [ "multi-user.target" ]; - after = [ "tailscaled.service" ]; - - serviceConfig = { - DynamicUser = true; - ExecStart = with pkgs; "${simpleproxy}/bin/simpleproxy -L 100.105.131.47:8888 -R 10.239.19.40:8888 -v"; - Restart = "always"; - RestartSec = 10; - }; - }; - ## Run a persistent iperf3 server services.iperf3.enable = true; services.iperf3.openFirewall = true; - ## Home automation - age.secrets."mqtt/zigbee2mqtt.yaml" = { - file = ../../secrets/mqtt/zigbee2mqtt.age; - owner = "zigbee2mqtt"; - }; - - services.mosquitto = { - enable = true; - listeners = [ - { - users = { - zigbee2mqtt = { - acl = [ "readwrite #" ]; - hashedPassword = "$7$101$ZrD6C+b7Xo/fUoGw$Cf/6Xm52Syv2G+5+BqpUWRs+zrTrTvBL9EFzks9q/Q6ZggXVcp+Bi3ZpmQT5Du9+42G30Y7G3hWpYbA8j1ooWg=="; - }; - homeassistant = { - acl = [ "readwrite #" ]; - hashedPassword = "$7$101$Uah+//t9m3pt6PXx$q1F410A+k38tp+ICQjRQy2fB/Gb15sodqYHgC7NUCVChMQo4Ib9eq3zpstdMbu1j//h8/zRl/ZegxDH6kjT6Dw=="; - }; - }; - } - ]; - }; - services.zigbee2mqtt = { - enable = true; - settings = { - permit_join = false; - mqtt = { - server = "mqtt://microserver.home.ts.hillion.co.uk:1883"; - user = "zigbee2mqtt"; - password = "!${config.age.secrets."mqtt/zigbee2mqtt.yaml".path} password"; - }; - serial = { - port = "/dev/ttyUSB0"; - }; - frontend = true; - homeassistant = true; - advanced = { - channel = 15; - }; - }; - }; - networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 1883 # MQTT server - 8080 # Zigbee2MQTT frontend - 8888 # Zigbee bridge simple proxy ]; }; } diff --git a/hosts/router.home.ts.hillion.co.uk/default.nix b/hosts/router.home.ts.hillion.co.uk/default.nix index 12b2da8..acf7ddb 100644 --- a/hosts/router.home.ts.hillion.co.uk/default.nix +++ b/hosts/router.home.ts.hillion.co.uk/default.nix 
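Review bot: The `tailscale0` allow-list at the end of the hunk still contains `1883 # MQTT server` although the `services.mosquitto` listener that used it is removed in the same hunk, so microserver keeps a permitted port with nothing behind it. Drop that entry so the firewall matches what actually listens, e.g. `networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ ];`, or remove the attribute entirely if no other service on this host needs it. The host module this sits in starts before the hunk.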
@@ -70,6 +70,7 @@ # Allow trusted networks to access the router iifname { + "lo", "eth1", "eth2", "tailscale0", @@ -164,12 +165,6 @@ } ''; machines = [ - { - # Zigbee Bridge - ethernetAddress = "48:3f:da:2a:86:7a"; - ipAddress = "10.239.19.40"; - hostName = "tasmota-2A867A-1658"; - } { # tywin.storage.ts.hillion.co.uk ethernetAddress = "c8:7f:54:6d:e1:03"; @@ -191,6 +186,8 @@ custom.tailscale = { enable = true; preAuthKeyFile = config.age.secrets."tailscale/router.home.ts.hillion.co.uk".path; + ipv4Addr = "100.105.71.48"; + ipv6Addr = "fd7a:115c:a1e0:ab12:4843:cd96:6269:4730"; }; ## Enable btrfs compression @@ -199,5 +196,8 @@ ## Run a persistent iperf3 server services.iperf3.enable = true; + + ## Zigbee2Mqtt + custom.services.zigbee2mqtt.enable = true; }; } diff --git a/modules/default.nix b/modules/default.nix index a6f0e13..4a3c84e 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -13,6 +13,7 @@ ./services/mastodon/default.nix ./services/matrix.nix ./services/version_tracker.nix + ./services/zigbee2mqtt.nix ./storj.nix ./tailscale.nix ./users.nix diff --git a/modules/impermanence.nix b/modules/impermanence.nix index 6e92acc..28a5874 100644 --- a/modules/impermanence.nix +++ b/modules/impermanence.nix @@ -32,7 +32,8 @@ in directories = [ "/etc/nixos" - ] ++ (listIf config.custom.tailscale.enable [ "/var/lib/tailscale" ]); + ] ++ (listIf config.custom.tailscale.enable [ "/var/lib/tailscale" ]) ++ + (listIf config.services.zigbee2mqtt.enable [ config.services.zigbee2mqtt.dataDir ]); }; home-manager.users = diff --git a/modules/services/zigbee2mqtt.nix b/modules/services/zigbee2mqtt.nix new file mode 100644 index 0000000..32e07b5 --- /dev/null +++ b/modules/services/zigbee2mqtt.nix 
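Review bot: The new `"lo"` entry in the trusted-interface set has no comment explaining why loopback now needs the trusted-networks rule; presumably it is so the local zigbee2mqtt and Caddy processes can reach mosquitto and the frontend through the router's own Tailscale addresses (the Caddy vhost added in modules/services/zigbee2mqtt.nix binds to `custom.tailscale.ipv4Addr`/`ipv6Addr`), but the rule text does not say. Since this widens a firewall rule on the router, a one-line reason above the entry, such as `# loopback: local zigbee2mqtt/caddy reach mosquitto via this host's own addresses`, is worth having. The nftables rule set containing this line starts and ends outside the hunk.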
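Review bot: `ipv4Addr` and `ipv6Addr` in the `custom.tailscale` block are hard-coded node addresses that the Caddy listener in the new zigbee2mqtt module binds to, but nothing in the patch declares these options (modules/tailscale.nix is not in the diffstat); if they are not already defined there, evaluation fails with an undefined-option error, and if the node is ever re-registered and gets different addresses Caddy will fail to bind and the frontend disappears. Add a comment naming the dependency, e.g. `# static tailscale addresses of this node; caddy in services/zigbee2mqtt.nix listens on them`, so whoever rotates the node knows what to update. The `custom.tailscale` attrset begins before the hunk.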
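Review bot: The impermanence entry keys off `config.services.zigbee2mqtt.enable` while the neighbouring tailscale entry keys off the wrapper option `config.custom.tailscale.enable`; since the new wrapper `custom.services.zigbee2mqtt.enable` is what hosts set, using `config.custom.services.zigbee2mqtt.enable` here would keep the two lines parallel and avoid persisting the directory for a host that enables the upstream module without the wrapper. Persisting `dataDir` is the right call either way, as it holds the coordinator state that must survive a reboot. The `directories` list starts before the hunk.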
@@ -0,0 +1,91 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.custom.services.zigbee2mqtt; +in +{ + options.custom.services.zigbee2mqtt = { + enable = lib.mkEnableOption "zigbee2mqtt"; + + backup = lib.mkOption { + type = lib.types.bool; + default = true; + }; + }; + + config = lib.mkIf cfg.enable { + age.secrets."mqtt/zigbee2mqtt.yaml" = { + file = ../../secrets/mqtt/zigbee2mqtt.age; + owner = "zigbee2mqtt"; + }; + + services.caddy = { + enable = true; + + virtualHosts."http://zigbee2mqtt.home.ts.hillion.co.uk" = { + listenAddresses = [ config.custom.tailscale.ipv4Addr config.custom.tailscale.ipv6Addr ]; + extraConfig = "reverse_proxy http://127.0.0.1:15606"; + }; + }; + + services.zigbee2mqtt = { + enable = true; + settings = { + permit_join = false; + mqtt = { + server = "mqtt://router.home.ts.hillion.co.uk:1883"; + user = "zigbee2mqtt"; + password = "!${config.age.secrets."mqtt/zigbee2mqtt.yaml".path} password"; + }; + serial = { + port = "/dev/ttyUSB0"; + }; + frontend = { + port = 15606; + url = "http://zigbee2mqtt.home.ts.hillion.co.uk"; + }; + homeassistant = true; + advanced = { + channel = 15; + }; + }; + }; + + services.mosquitto = { + enable = true; + listeners = [ + { + users = { + zigbee2mqtt = { + acl = [ "readwrite #" ]; + hashedPassword = "$7$101$ZrD6C+b7Xo/fUoGw$Cf/6Xm52Syv2G+5+BqpUWRs+zrTrTvBL9EFzks9q/Q6ZggXVcp+Bi3ZpmQT5Du9+42G30Y7G3hWpYbA8j1ooWg=="; + }; + homeassistant = { + acl = [ "readwrite #" ]; + hashedPassword = "$7$101$wGQZPdVdeW7iQFmH$bK/VOR6LXCLJKbb6M4PNeVptocjBAWXCLMtEU5fQNBr0Y5UAWlhVg8UAu4IkIXgnViI51NnhXKykdlWF63VkVQ=="; + }; + }; + } + ]; + }; + + age.secrets."resilio/zigbee2mqtt/1.6T.key" = lib.mkIf cfg.backup { + file = ../../secrets/restic/1.6T.age; + owner = "zigbee2mqtt"; + }; + + services.restic.backups."zigbee2mqtt" = lib.mkIf cfg.backup { + repository = "rest:http://restic.tywin.storage.ts.hillion.co.uk/1.6T"; + user = "zigbee2mqtt"; + passwordFile = config.age.secrets."resilio/zigbee2mqtt/1.6T.key".path; + + 
timerConfig = { + OnBootSec = "15m"; + OnUnitInactiveSec = "1d"; + RandomizedDelaySec = "1h"; + }; + + paths = [ config.services.zigbee2mqtt.dataDir ]; + }; + }; +} diff --git a/secrets/mqtt/homeassistant.age b/secrets/mqtt/homeassistant.age new file mode 100644 index 0000000..3435fcb --- /dev/null +++ b/secrets/mqtt/homeassistant.age @@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-rsa GxPFJQ +JQwr1aW+PpoDYZu2ByiZtjNoGe+D90flIc6+gXF+EgpMFwOUIW+g4+1tJ2GYhIPP +BhUDY3GJUmaTXKin0E88CwQnvImtpHRIGl4Kv2QAjK53BBMgBMcOR44c7bCo48k5 +lTmv3N5LfLiIm5mIATK1Q72fVhAmg7T/U8IkS3eu2u2mGm5iatFj9cPxHGiN5w24 +y/t5Lu6XewjpbilXaIP+Ya6YDpOaQ0zgYO8kRNTvUoPRz/H4SVFCcJeu+6CJcl+/ +KxSIS9MvUouGXBsMDPBLNj8G8NgIAncXTwR7swW44b5twM8vJqF4BEr2OZ05CSbJ +XJjm8xbXftRp6AnFMbGheQ +-> ssh-rsa K9mW1w +I5AkWeryU6t6HbtpzFWLwTaWjDNJoVwNJ0ifV9i23QdSn8FO7Op4bk7IqSdI//lF +5DjMeTbxdMR9LOtZXNcAMKX4I3Sy0o8uagh9BdBN1+0ugRVaoGXSvJC7dG7RY2cM +RsV43MTOPSdcR6ANWsNqGlM31H06kWwtPz4R8Wyt4/l+L6gWPjiO6zhg0au6D32H +6d6YqnrE2iM7iTvQeLx5WtPDp+GLAwVsfgGTfOw6jZm5XpuABV9kQwtZ46S4Caoz +rp30b7/ZtPS/IhWj5O+yZZKvhZngr3gYBKUViMA1nJ7+8Rnde5/k2uz38/c6oUWh +MstT1bHNnHt/G9Nvcd9w2w +-> Kn5-grease Rkg" f={5zY_0 ;uV)i~ +J/j9JgII2KOWVRO1iN9j1HER+gwnWOg7TWgm/ITeXIF7hsl7K8V+vOgX8fq3WElZ +7c/seypQca/viPS9yu2Z206IMPXnIs4IXWdz0v63QP/YBAKZfngqwA +--- WBm5COr2VejaZiQ12H1fUeUxm1SJraLyu8Q6p7yUaJE +n̚F,oRfͫv3)Z  ʵ,ʬ*Bq7 \ No newline at end of file 
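Review bot: The `frontend` block sets `port = 15606` but no `frontend.host`; if zigbee2mqtt's default is to bind all interfaces, the unauthenticated frontend is reachable directly on every interface the router's nftables "trusted networks" rule admits, bypassing the Caddy vhost that is deliberately pinned to the Tailscale addresses, so add `host = "127.0.0.1";` next to `port` and consider sourcing `frontend.auth_token` from an age secret. Separately, `age.secrets."resilio/zigbee2mqtt/1.6T.key"` with `owner = "zigbee2mqtt"` makes the password of the shared `1.6T` restic repository readable by the service user of a network-facing daemon, so a compromise of zigbee2mqtt exposes the whole repository; a dedicated repository or key for this service (or an append-only rest-server target) would contain that, and the secret name should say `restic/...` rather than `resilio/...` since it is the restic key. The `backup` option also lacks a `description`, e.g. `description = "Back up the zigbee2mqtt data directory to the 1.6T restic repository.";`.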
diff --git a/secrets/mqtt/zigbee2mqtt.age b/secrets/mqtt/zigbee2mqtt.age index 1cf6c068cccdb3324415bb7252ddaf8f28683082..0aba4c6966c5315048d855a712a7b62f171d4e33 100644 GIT binary patch literal 1016 zcmYk&yUXij0Dy7ltl}UppPLYBlDD~{C`ps%*0i~`X}jgp-0zpB$#5neKH-2mil9dn zadbX|v&ca~LEOaUEJxf#!9g7a|AL3-=SG*srS#jW?vtu~wQ3{eib0Dv?z%2sw4Hk= z-t@I%Kzkd>U3T3}X;a$#PIKphU#Cht@IK)QGqpm3ACw z2{A^fF~+F_4JMwoTprDm53qA1*CpS^COu6yLDLGe_OeRsS)k{(%KAD|PYN&tMuyx; z@9SPCE3cr(^{H?;W-k=*DQ1SU^GnzWz#c1v+lZKJA`rEnr{P^Q>o}+0O#TEQGSaXk zOEq{T8pA%~^yd?Vm0FFK*)sO3RjE=+ZqdTFY}*`3Bn}m@ow}@?RjBIXPDe=~ zFkQ`^EsyOfNoluu1W7Rr`}8Qv!*MjvO?T7!vD=PEcH4^$AhCg|sTvG{>?g;Jlc%DQ z(OimFnCirW3Is@miIAj&aDv4nW0x0NL-3VtX4W!uu^=G^PPKwmBoicZGt2=fW@B4? zZ*|g+LGg72T@eRAN0Ffg<3O<^yB~a+ob{`;p|_^m;)F^dp_GV5=o6}zC09Ye6<$B` zZDlEEaD#mBD-_bCUTuYdO%N8n4szZfa4iE)sP&=OP)n7gM#mRLqu!wZ z*0@E~Ufk{irNSm)t&Tis68+C811%PdyLhvmqn^W<%)L_h030(46xs(YDq9Fo9W9#I zM3TO?6AlHhzkUB9^YerE8ua^L+E0?-zP?|4_vgpbi=V#s^sUwNFZ}TBgAd+(^7JwO r#j{uL|9a=)lh3~T=I-|&+mBw}J@+~D>*Gf+{q*qB`_I1o&+*yuA*#e)fq;pj z3pc<3)vtC#LSpLhqi(PA@pZ{?$u-2#zp?Hs6({Fk=f%((?qkn zIZWiikQ5U+k-ksSt#B2Foc9TQKaDpU5G674&sbY|q$Gm@wYtP~Sh&)*iBFDIF=W7& zhnk{tM8(ySsL}OYMU{$;i=dsagCyLQXB{i;g~JC4#OSVQYy!WGaTG*5I+AV1m&{Xv z)*NyG!^vfvp@mD*+=c^?uU0^H3%SXPn+jTXpsmo8ye-ve&UXj7u6E2g?aDP9Lus7? z#G{(w1TSv9+DLF8Z_b{`NBv;2V|wLio2w{aT~%ht*s-3K_!&)zO+?X|#*9WuLx9A% zEHv{JN7;&YT>8k7de`PGW+)NGlxdQxR;}kt)*AxLRp@?&51Ke?u|GA^%DE)SrJi#K zcsh7EafTN|Th^^Eg#Xu8nasg^#GLzE*V+KZzzKoLcF^Jd3%}61t#YM6O{gZgsmWEx zP92KS%B!j6?rvDDlMbB6MU)~I)VB?76+LFPiYse(x$);&PuCh6?S8KQF z?P61jUhi#<^b(*&WO7Fdfuv;~fJhX*Yp?v`+66YHF#;ux48(YIaG6s;kh(&Fg}UxA zCCcI(>^Ss5j$L-8q)0ewJ}R}x<$>7k={%9sdQZ5Cn1+R*@oenT;<2OgrLCAT6z!U4 zgA;cI`cboI5W`ztGet2>p42XGqO{3BEz*r z%(DZxTJ8z3l=kD$8&_?=D4LNl3uK?Tl2ki1Pw#Cx;RvebWg(JSoRSN%jA|9V)=~;( zoPht<9<+}hOZ_aY{X^qVXz+nDi6{Q#5mFvca~8Y2S@TFBfMdlXv)OC{r&~z}H*Y*Q z#gN*da%neMg0Qb`%+VQML$Thx1Ucz!kdK~!gYpkv-GBP+bK&)mU;Oah%U?fv|Nh6% zp4_|r{_f`MpMS~!xclj?cmMqC#pk#0z54LpvoANhzn;QR@BT)RC$C?=^ZQr3-}>7Z ILi@J$4`)GJ@c;k- 
diff --git a/secrets/restic/1.6T.age b/secrets/restic/1.6T.age index 8be9b97..34d778c 100644 --- a/secrets/restic/1.6T.age +++ b/secrets/restic/1.6T.age 
@@ -1,21 +1,23 @@ age-encryption.org/v1 -> ssh-rsa GxPFJQ -r/uFxmFhyAqk0NAFNsK5Pcl3Qwoa3g7lGjpy8qIEijJnRgM5Sp59z1+S1ORdJAWX -lYs3R5RB5J//ewpCubFngjoT04xuCHrQPp22NjaY7j+vCV791D3t0hrwv/oOK4nT -SV7Dxq+wHJb6Ba39+tsFGSnt79FnVYNPBuyljkeuG0wZGTbHajT0GVIi6jNuHN6U -/D7hAS5ZztMRxWgsxqLnX6IO7QSN0CY6e/JkShnA7ITYbcs0NCkKMjvJsjZTtuOW -3ks9BjflTj0lmIxC+I9fOWT0H3rokdkjUqexPJff8XnwWQRnvMz+TFfW1exts2pp -GRGxHulQBHeNCaoSxyzogw +P0UyPb1Gpnf/WQpDzyfS8QLJxFGdpIcLWTn4MDT9aI2rVTrTLKfSCX11xySLUawU +SPUI22tvE6I6/Q5S4CTGgY36fPBsfgU7mmhlLYFqmO6EUUkqNJ01+Fp+tWrXb1U3 +j/cSgOTcvQLhYmEf/2DNTa1Mjoyi+2pnfEy8GpcG+zNvpEuls9CGPsUAt6n+quPe +NPxIFl0McAJ+myRsTy5CSjBERjKb+1Q60GHBw8/xbhiVcq5KkLJkblQSv2ghvSB2 +BudwRWqeZYUiXP7xVdXbOryLS81mZvdlnEgdTxqX7OycOXEMExMnQfLjj8gaBpMG +DX0R2ssY1zMT+4D410pNQw -> ssh-rsa K9mW1w -ouKP/bdJHpsdqgGzCngHEiCcwp/iu79BDfPOnlVakr7Wc2zJCEYfFkxH1ytjhF2R -RPdtU/reY3/8Vi3RsSJ7VbOFtj29Qi59DZvFDb/W30vMixogiQoKWNngHDCs/qhQ -r8UubFRJJDkGxqYpw1NOhs03XWvRx4kbJoNnVv1N68ftit7lWp0HhL+TyX0jBNWo -xl4OdjkyHclKyOwOV0GlR/Znf+Q+hgQbcU0VWDSzEurZHIC5/2zvK7boFwiuiNeZ -ybIh5TgF2LrlOuMLlWPbyeXSgxu8tx4MaHUZ0kM+RIOOppizyeA/ZDRythPa391Z -RMf7UJWJecN5bBUWbgiNIA --> ssh-ed25519 nWv9MA R/SpgfolcQRgt78ZWcm0WCMNjBsAf9bNpr771ADYXnU -EKcbEG8uhK2NOXnwINU3j4l0liRM+MPa/gHg4Yor1+A --> 5Of6-grease m5 @Vd}HP CRP'( -gK3pW6/TOo2NPw ---- pM3+d/SPME2u9Xy64Ev4TsBXSEkeJFoC1UmudUafeyI -[_ M@OW bO@ڊÈEʽ yvlɵC0~rL#wM` \ No newline at end of file +wRqrvO+JNvslYAfY5XXJCaOjBiO7ZkJZ5bXIvw0hNiJY5gXUwy9wUKazQjh0JirM +tRsVMbLUT5tk72iW0x8tIM64B+4pXK6p/l2zw/WHyIzKwuZjNgUzM8/ngVM6Ta1Z +hdNiHbB5MvFrZkOScB3n5cb05TLYOaUb+TZQgSJXPtzuKZ+Wi5ePd/5qtkvlvKFe +E+1rQ4cuDJrUpAxPIiM/URIjUJfFWq2A26lpqltk9lGZ2ZWtIVLu9sgeLmfUvPdq +kMcG7rl3b7yiWmN9ranSMpJ8TJZh1PygD3bVlnfu47bXofr2xd4VEI/HcjQ6VSRV +32GnVIhIqo6D1MrcASisUg +-> ssh-ed25519 nWv9MA A8/OJQYaxm0TbJuhxwBrJ7wge1q+UofTnERbwHYEbxU ++LGv1ydrN0d3xddOtShD1W+gs4Wsjehlb4jUws3kyMk +-> ssh-ed25519 8+Ls0w 4wcGH2icTxRoRG0VKJWYFpS7QqXGzUmeRNQS8lMV4GI +pT86WqRCOn1fGcYN0crkh1m7P/dnc6cDWx9gr4aAg4w +-> 
v70-g!{J-grease ">Groa: +eFWzN3OQi5mRRuX7tBlcnMwzi9FUOMOuAOfEYPp1viI +--- H+KWCPxjjcoagmOoNR2l6kSPBGrL6islS15TQUI7UU8 +JqyuIho_aZ~ǭ. $W ;u O/Ta[pQ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 075dfcb..ac7e06f 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -61,7 +61,7 @@ in # Backups Secrets "restic/128G.age".publicKeys = jake_users ++ [ ts.storage.tywin ts.strangervm.vm ]; - "restic/1.6T.age".publicKeys = jake_users ++ [ ts.storage.tywin ]; + "restic/1.6T.age".publicKeys = jake_users ++ [ ts.storage.tywin ts.home.router ]; "git/git_backups_ecdsa.age".publicKeys = jake_users ++ [ ts.storage.tywin ]; "git/git_backups_remotes.age".publicKeys = jake_users ++ [ ts.storage.tywin ]; @@ -89,7 +89,8 @@ in "version_tracker/ssh.key.age".publicKeys = jake_users ++ [ ts.strangervm.vm ]; # Home Automation secrets - "mqtt/zigbee2mqtt.age".publicKeys = jake_users ++ [ ts.home.microserver ]; + "mqtt/zigbee2mqtt.age".publicKeys = jake_users ++ [ ts.home.router ]; + "mqtt/homeassistant.age".publicKeys = jake_users ++ [ ]; # Wireguard Secrets "wireguard/downloads.age".publicKeys = jake_users ++ [ ts.storage.tywin ];
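Review bot: `"mqtt/homeassistant.age".publicKeys = jake_users ++ [ ];` registers the new secret with no host key, so no machine can decrypt it at deploy time, and nothing in this patch consumes it (the homeassistant credential is instead inlined as a `hashedPassword` in modules/services/zigbee2mqtt.nix). If it is reserved for a future Home Assistant host, say so, e.g. `# not consumed by any host yet; add the HA host key when it is deployed`, otherwise the encrypted value and the inline hash will drift apart unnoticed. The `in` attrset enclosing both hunks starts before the first one.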