diff --git a/agenix/hosts/argon/config.nix b/agenix/hosts/argon/config.nix
index fced707..2766024 100644
--- a/agenix/hosts/argon/config.nix
+++ b/agenix/hosts/argon/config.nix
@@ -27,6 +27,18 @@
 file = ./forgejo-actions/token.age;
 };
 
+ mosquitto-password-weewx-proxy = {
+ file = ./mosquitto/passwordWeewxProxy.age;
+ owner = "mosquitto";
+ group = "mosquitto";
+ };
+
+ mosquitto-password-home-assistant = {
+ file = ./mosquitto/passwordHomeAssistant.age;
+ owner = "mosquitto";
+ group = "mosquitto";
+ };
+
 weewx-proxy-environment = {
 file = ./weewx-proxy/environment.age;
 };
diff --git a/agenix/hosts/argon/mosquitto/passwordHomeAssistant.age b/agenix/hosts/argon/mosquitto/passwordHomeAssistant.age
new file mode 100644
index 0000000..47b0030
--- /dev/null
+++ b/agenix/hosts/argon/mosquitto/passwordHomeAssistant.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 MtGp6g n5bqdakkXE07dAAGCNf9SCUU6oEXjODCAhl8Ilxe7Go
+cBuxZx+yjTxkkx4P86rnRwP5ihw9w5G33AV3G+5M02k
+-> ssh-ed25519 1fcLUQ AB1w+yvi9JXab7Nnl5Xh3yv2fgwJtBTFX7Z445sA/X4
+rmN4E6hedJPufYB72v9cVVuqIMKntjaevn233ymEfwk
+--- AK3WGXe19PWkB4gK0hh6l53fEvByUmP15lyCqcX0h38
+%K@xLTQ}*O
+P΢B-:Z-!l
\ No newline at end of file
diff --git a/agenix/hosts/argon/mosquitto/passwordWeewxProxy.age b/agenix/hosts/argon/mosquitto/passwordWeewxProxy.age
new file mode 100644
index 0000000..ccee189
--- /dev/null
+++ b/agenix/hosts/argon/mosquitto/passwordWeewxProxy.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 MtGp6g if/5ukGpKTOqo4bqj3ae+da8B5F9lFv8qFeo+BRjawg
+/ilXexPX4D4iKdC7miuHAmOzBFhJMdT0p+ILwu8czBI
+-> ssh-ed25519 1fcLUQ 7swNCq5irWimLZrEXsgmrrWAX4wjgnvQzewM9s/fNHg
+J5nWkadlu6I2jgEFlfsV30d6s7Ms2vnUibs8rZlz6FE
+--- h/zCblLmDxDF5RXvW4EHsVtC7DzyEkF9K7ylyPR2KW0
+te
+jG ۨK[t4l&(+H5GĴl/Ue8lIk2 [EҒƋ*_YCu2.ƌƳR$T!9$]!IWP (Hf?rwGN\8;
\ No newline at end of file
diff --git a/agenix/hosts/argon/weewx-proxy/environment.age b/agenix/hosts/argon/weewx-proxy/environment.age
index d966a74..130e2b6 100644
Binary files a/agenix/hosts/argon/weewx-proxy/environment.age and b/agenix/hosts/argon/weewx-proxy/environment.age differ
diff --git a/agenix/hosts/neon/config.nix b/agenix/hosts/neon/config.nix
index 3de8578..ef15201 100644
--- a/agenix/hosts/neon/config.nix
+++ b/agenix/hosts/neon/config.nix
@@ -23,6 +23,12 @@
 group = "mosquitto";
 };
 
+ mosquitto-password-home-assistant = {
+ file = ./mosquitto/passwordHomeAssistant.age;
+ owner = "mosquitto";
+ group = "mosquitto";
+ };
+
 deye-mqtt-config = {
 file = ./deye-mqtt/config.age;
 };
diff --git a/agenix/hosts/neon/deye-mqtt/config.age b/agenix/hosts/neon/deye-mqtt/config.age
index 6c9578e..4fcfdcc 100644
Binary files a/agenix/hosts/neon/deye-mqtt/config.age and b/agenix/hosts/neon/deye-mqtt/config.age differ
diff --git a/agenix/hosts/neon/mosquitto/passwordHomeAssistant.age b/agenix/hosts/neon/mosquitto/passwordHomeAssistant.age
new file mode 100644
index 0000000..3ece2e1
--- /dev/null
+++ b/agenix/hosts/neon/mosquitto/passwordHomeAssistant.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 MtGp6g A7lLy/9e4eGyQpmBTZ6Fw5t2jP1B5aJQ5iGUVlZZrQ4
+VfSOwKA+SYBfnCyuQDwXtN8z9owwdKlteXJxmIXjl1k
+-> ssh-ed25519 60lgJw Dxs9EekvqHrLWB/M89aV0B1HxLBpbLYE8pxWx1Cf2X4
+zb7Up1DfSBYIRXom4o53KWzC56bzLLKcscvKvtZGz5s
+--- y1G11ujCFt9yyOWtN5FjFGZf6QeKpZbzt8U/XZC+PME
+3N^{(YjPρrLgvH}|cA
\ No newline at end of file
diff --git a/container/deye/default.nix b/container/deye/default.nix
index 32f5f84..1c7237a 100644
--- a/container/deye/default.nix
+++ b/container/deye/default.nix
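Review bot: The `mosquitto-password-home-assistant` secret added to agenix/hosts/neon/config.nix (and its key entry in secrets.nix) appears to have no consumer on neon after this commit: system/hosts/neon.nix drops `../nixos/mosquitto.nix`, and the only `passwordFile` reference to it is the listener added in system/nixos/weewx-proxy.nix, which from the argon secrets looks like it is imported on argon. Deploying a credential to a host that does not use it widens its exposure for no benefit, and `owner = "mosquitto"` may fail at activation if the mosquitto user no longer exists on neon once the module is gone — worth confirming. The pre-existing `mosquitto-password-weewx-proxy` entry visible in the context lines above looks to be in the same position. I would drop the neon entries from both files, or add a comment stating why neon still needs them.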
@@ -9,42 +9,4 @@
 systemd.services.podman-deye-mqtt.restartTriggers = [ "${config.age.secrets.deye-mqtt-config.file}" ];
 
-
- services.mosquitto.listeners = [
- {
- address = "0.0.0.0";
- port = 1884;
-
- settings = {
- protocol = "mqtt";
- };
-
- users = {
- deye = {
- password = "didYouFindThis";
- acl = [ "write deye/#" ];
- };
-
- bitshake = {
- password = "didYouFindThis";
- acl = [ "write bitshake/#" ];
- };
-
- weewx-proxy = {
- hashedPasswordFile = config.age.secrets.mosquitto-password-weewx-proxy.path;
- acl = [ "read deye/#" "read bitshake/#" ];
- };
- };
- }
- ];
-
- networking.firewall.interfaces =
- let
- mosquittoPorts = [ 1884 ];
- in
- {
- "end0".allowedTCPPorts = mosquittoPorts;
- "vlan51".allowedTCPPorts = mosquittoPorts;
- "podman+".allowedTCPPorts = mosquittoPorts;
- };
 }
diff --git a/secrets.nix b/secrets.nix
index a8976c6..d0bf45d 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -100,6 +100,10 @@ in
 "agenix/hosts/argon/forgejo-actions/token.age".publicKeys = argon;
 
+ "agenix/hosts/argon/mosquitto/passwordWeewxProxy.age".publicKeys = argon;
+
+ "agenix/hosts/argon/mosquitto/passwordHomeAssistant.age".publicKeys = argon;
+
 "agenix/hosts/argon/tailscale/authkey.age".publicKeys = argon;
 
 "agenix/hosts/argon/adguardhome-sync/environment.age".publicKeys = argon;
@@ -117,6 +121,8 @@ in
 "agenix/hosts/neon/mosquitto/passwordWeewxProxy.age".publicKeys = neon;
 
+ "agenix/hosts/neon/mosquitto/passwordHomeAssistant.age".publicKeys = neon;
+
 "agenix/hosts/neon/deye-mqtt/config.age".publicKeys = neon;
 
 # Styx
diff --git a/system/hosts/argon.nix b/system/hosts/argon.nix
index bcddabb..64a0922 100644
--- a/system/hosts/argon.nix
+++ b/system/hosts/argon.nix
@@ -27,6 +27,8 @@ in
 (import ../nixos/forgejo-runner.nix (args // { inherit secret; name = "argon"; tag = "ubuntu-latest-arm64"; nixTag = "arm64"; }))
 
+ ../nixos/mosquitto.nix
+
 ../nixos/tailscale-router.nix
 ../nixos/tailscale-nodns.nix
diff --git a/system/hosts/neon.nix b/system/hosts/neon.nix
index e1703e5..bddaca9 100644
--- a/system/hosts/neon.nix
+++ b/system/hosts/neon.nix
@@ -23,8 +23,6 @@ in
 (import ../nixos/forgejo-runner.nix (args // { inherit secret; name = "neon"; tag = "ubuntu-latest-arm64"; nixTag = "arm64"; }))
 
- ../nixos/mosquitto.nix
-
 ../nixos/rtl_433.nix
 
 ../nixos/tailscale-router.nix
diff --git a/system/nixos/rtl_433.nix b/system/nixos/rtl_433.nix
index c2f3896..5ba94f9 100644
--- a/system/nixos/rtl_433.nix
+++ b/system/nixos/rtl_433.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, ... }:
+{ pkgs, ... }:
 {
 hardware.rtl-sdr.enable = true;
 
@@ -10,38 +10,7 @@
 serviceConfig = {
 Type = "exec";
-ExecStart = "${pkgs.rtl_433}/bin/rtl_433 -f868.3M -Yclassic -Mtime:utc -R78 -Fmqtt://127.0.0.1:1883,user=rtl,pass=didYouFindThis,retain=0,events=rtl433";
+ExecStart = "${pkgs.rtl_433}/bin/rtl_433 -f868.3M -Yclassic -Mtime:utc -R78 -Fmqtt://10.0.0.5:1883,user=rtl,pass=didYouFindThis,retain=0,events=rtl433";
 };
 };
 
-
- services.mosquitto.listeners = [
- {
- address = "0.0.0.0";
- port = 1883;
-
- settings = {
- protocol = "mqtt";
- };
-
- users = {
- rtl = {
- password = "didYouFindThis";
- acl = [ "write rtl433" ];
- };
-
- weewx-proxy = {
- hashedPasswordFile = config.age.secrets.mosquitto-password-weewx-proxy.path;
- acl = [ "read rtl433" ];
- };
- };
- }
- ];
-
- networking.firewall.interfaces =
- let
- mosquittoPorts = [ 1883 ];
- in
- {
- "end0".allowedTCPPorts = mosquittoPorts;
- };
 }
diff --git a/system/nixos/weewx-proxy.nix b/system/nixos/weewx-proxy.nix
index 6aaa6c9..bf15513 100644
--- a/system/nixos/weewx-proxy.nix
+++ b/system/nixos/weewx-proxy.nix
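Review bot: The replaced `ExecStart` line in system/nixos/rtl_433.nix now sends `user=rtl,pass=didYouFindThis` to `10.0.0.5:1883` instead of loopback, and the listener it presumably targets (the `protocol = "mqtt"` block added in system/nixos/weewx-proxy.nix) has no TLS, so the credential and every rtl433 reading cross the LAN in clear where previously they never left the host. The password also stays embedded in the unit's command line, which makes it readable from the Nix store and the process list on neon; the commit only changes the broker address. A safer shape is to keep the credential in an agenix secret loaded via `serviceConfig.EnvironmentFile` and reference it from `ExecStart` as a systemd environment variable (escaped as `''${...}` inside the Nix string), and to either add a TLS listener on the broker or confirm this hop stays on a trusted segment. As a style point, the bare `10.0.0.5` would read better bound to a named value next to the port so it is not a magic literal in the argument string.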
@@ -17,7 +17,50 @@
 };
 };
 
- networking.firewall.interfaces."vlan51" = {
- allowedTCPPorts = [ 4040 ];
- };
+ services.mosquitto.listeners = [
+ {
+ address = "0.0.0.0";
+ port = 1883;
+
+ settings = {
+ protocol = "mqtt";
+ };
+
+ users = {
+ rtl = {
+ password = "didYouFindThis";
+ acl = [ "write rtl433" ];
+ };
+
+ deye = {
+ password = "didYouFindThis";
+ acl = [ "write deye/#" ];
+ };
+
+ bitshake = {
+ password = "didYouFindThis";
+ acl = [ "write bitshake/#" ];
+ };
+
+ weewx-proxy = {
+ hashedPasswordFile = config.age.secrets.mosquitto-password-weewx-proxy.path;
+ acl = [ "read rtl433" "read deye/#" "read bitshake/#" ];
+ };
+
+ home-assistant = {
+ passwordFile = config.age.secrets.mosquitto-password-home-assistant.path;
+ acl = [ "readwrite #" ];
+ };
+ };
+ }
+ ];
+
+ networking.firewall.interfaces =
+ let
+ mosquittoPorts = [ 1883 ];
+ in
+ {
+ "end0".allowedTCPPorts = mosquittoPorts;
+ "vlan51".allowedTCPPorts = [ 4040 ] ++ mosquittoPorts;
+ };
 }
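Review bot: The new listener in system/nixos/weewx-proxy.nix carries over three accounts (`rtl`, `deye`, `bitshake`) that share the literal `password = "didYouFindThis"`, and the NixOS mosquitto module's `password` option is documented as ending up in clear text in the world-readable Nix store; the same hunk already uses `hashedPasswordFile` for `weewx-proxy` and `passwordFile` for `home-assistant`, so the identical agenix pattern with a distinct secret per publisher fits the other three and would stop one leaked publisher credential from covering all of them. The `home-assistant` ACL `acl = [ "readwrite #" ];` also lets that client publish into `rtl433`, `deye/#` and `bitshake/#`, i.e. inject readings into every feed the proxy consumes; if Home Assistant only reads those plus the topics it owns, a list along the lines of `"read rtl433" "read deye/#" "read bitshake/#"` plus its own publish topics is the least-privilege form — confirm against what the integration actually needs. With `address = "0.0.0.0"`, `protocol = "mqtt"` and 1883 now opened on both end0 and vlan51, all of these passwords are exchanged in clear on both segments, so a TLS listener or restricting the firewall to the interface the publishers use would narrow the exposure. The enclosing attribute set begins before this hunk.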