From 02bfcbb486a73136d5c896c841cc245ac8381bf6 Mon Sep 17 00:00:00 2001 From: Daniel Kempkens Date: Fri, 9 Aug 2024 20:24:24 +0200 Subject: [PATCH] mqtt: move all to argon --- agenix/hosts/argon/config.nix | 12 +++++ .../argon/mosquitto/passwordHomeAssistant.age | 8 +++ .../argon/mosquitto/passwordWeewxProxy.age | 8 +++ .../hosts/argon/weewx-proxy/environment.age | Bin 867 -> 754 bytes agenix/hosts/neon/config.nix | 6 +++ agenix/hosts/neon/deye-mqtt/config.age | Bin 860 -> 860 bytes .../neon/mosquitto/passwordHomeAssistant.age | 7 +++ container/deye/default.nix | 38 -------------- secrets.nix | 6 +++ system/hosts/argon.nix | 2 + system/hosts/neon.nix | 2 - system/nixos/rtl_433.nix | 35 +------------ system/nixos/weewx-proxy.nix | 49 ++++++++++++++++-- 13 files changed, 97 insertions(+), 76 deletions(-) create mode 100644 agenix/hosts/argon/mosquitto/passwordHomeAssistant.age create mode 100644 agenix/hosts/argon/mosquitto/passwordWeewxProxy.age create mode 100644 agenix/hosts/neon/mosquitto/passwordHomeAssistant.age diff --git a/agenix/hosts/argon/config.nix b/agenix/hosts/argon/config.nix index fced707..2766024 100644 --- a/agenix/hosts/argon/config.nix +++ b/agenix/hosts/argon/config.nix @@ -27,6 +27,18 @@ file = ./forgejo-actions/token.age; }; + mosquitto-password-weewx-proxy = { + file = ./mosquitto/passwordWeewxProxy.age; + owner = "mosquitto"; + group = "mosquitto"; + }; + + mosquitto-password-home-assistant = { + file = ./mosquitto/passwordHomeAssistant.age; + owner = "mosquitto"; + group = "mosquitto"; + }; + weewx-proxy-environment = { file = ./weewx-proxy/environment.age; }; diff --git a/agenix/hosts/argon/mosquitto/passwordHomeAssistant.age b/agenix/hosts/argon/mosquitto/passwordHomeAssistant.age new file mode 100644 index 0000000..47b0030 --- /dev/null +++ b/agenix/hosts/argon/mosquitto/passwordHomeAssistant.age 
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 MtGp6g n5bqdakkXE07dAAGCNf9SCUU6oEXjODCAhl8Ilxe7Go +cBuxZx+yjTxkkx4P86rnRwP5ihw9w5G33AV3G+5M02k +-> ssh-ed25519 1fcLUQ AB1w+yvi9JXab7Nnl5Xh3yv2fgwJtBTFX7Z445sA/X4 +rmN4E6hedJPufYB72v9cVVuqIMKntjaevn233ymEfwk +--- AK3WGXe19PWkB4gK0hh6l53fEvByUmP15lyCqcX0h38 +%K@xLTQ}*O +P΢B-:Z-!l \ No newline at end of file diff --git a/agenix/hosts/argon/mosquitto/passwordWeewxProxy.age b/agenix/hosts/argon/mosquitto/passwordWeewxProxy.age new file mode 100644 index 0000000..ccee189 --- /dev/null +++ b/agenix/hosts/argon/mosquitto/passwordWeewxProxy.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 MtGp6g if/5ukGpKTOqo4bqj3ae+da8B5F9lFv8qFeo+BRjawg +/ilXexPX4D4iKdC7miuHAmOzBFhJMdT0p+ILwu8czBI +-> ssh-ed25519 1fcLUQ 7swNCq5irWimLZrEXsgmrrWAX4wjgnvQzewM9s/fNHg +J5nWkadlu6I2jgEFlfsV30d6s7Ms2vnUibs8rZlz6FE +--- h/zCblLmDxDF5RXvW4EHsVtC7DzyEkF9K7ylyPR2KW0 +te +jG ۨK[t4l&(+H5GĴl/Ue8lIk2 [EҒƋ*_YCu2.ƌƳR$T!9$]!IWP (Hf?rwGN\8; \ No newline at end of file 
diff --git a/agenix/hosts/argon/weewx-proxy/environment.age b/agenix/hosts/argon/weewx-proxy/environment.age index d966a7478f5423b0332ef90a160cf65281b654f7..130e2b63b1ff96652b43c71fb64bd8d44f0362aa 100644 GIT binary patch delta 722 zcmV;@0xkXH2J!`vEPpaKQ&}=^R8DV4LsdvkdSys3bZd5TYG^lBXmWOHVKsSBOI1fj zW^hU|X9{OXVQ4W-ICVEuZfQAoa&TBhbVg%LaB+H5QAt90XKqqKQ87j}Z((S3Zwf6w zAaiqQEoEdfH8n9gATefROjS`JF?3loXmCb%OHDUMXe(1?Pk&}JFGy!Nb5lcNL{xe- zZZ=nWcXVf3XE-o#3Q2EPOjc-bX=_1LN@hb;NNjORSV&GeSub)>dPr3{S#MG>Z)a*x zbyr$d3N0-yAaX%xLP%mnaB*2#FDq;}P)ba4Oj2}uadR?qVQ4W-Xjw^7FltaTZbvm| z3bJ&kFo>>VAb%3dvW4wIr*dEl-HFd`^t>`mWw$_fjHRW-?R9k#Wz`|9fThq^9A_43 zNlCYKbu!KJKfhY;YK{T2-tN-q{Jp{aOeBd}>KcENc6Z4v2VX)_#jFZcF>{2udGi|1 zg*#HEci!9jWwg8$^70ScB(_oB57E)y+ddmrU*O&Z1x6J4%X7%DTtTcA$@j?a?sr` zn?^SV;?c4w@uwp4UWncrf05@nP_3s8n%(Ji_!-Sa+BkMsf%OG#lSjI90goaXflp*P zf=g(AAAh&h^rU|Q%_B@lACUAdk&Fqo)cAS|HD7s`Lqy${7iv%7rA=6^gd&)0{x|PK z+n%L-vEsv)MgfSOUgKGD?lnWj8QS8t;IQ|53cv;AsY|SGcKJ2cu0WGH1sp`fSPgdyfp28+b-%Ta)$b2 E!b;jhRsaA1 delta 836 zcmV-K1H1h41>**gEPqBYCMVrNEfP-bvNVlYW%bxT%gS~qG%MMh?HZFe{?MnOtX zZcP2*MKo?^c2i+FT7PAEK}bz+Lq=~eI8bh4 zW>;8iQ)gu}H)}&<3U5tXQet^EZ%cMcO;}DZHd<^*b9O^TQg1S5SxRtNLryqxGDu`M zFlR(#3N0-yATTv#aCk^{L2Fu8aBe|vaZ77wctkKWXE|n4Hg7ghLODlnYfCRnPIxv| z3K`Xa-kUrGW`9YcEPVUsxN_`E*cMip8QXNc3MjYp0vs4!IzpO_?fMaC+aN$TDMECK z7WLVyIvY{FwNW1p4@k>`-+B9zy2B6*ota~GdgA^$KA4FoiAc}wM<3H5d&M_YjHW}C zb@Am)x39q&?Nxd+)WZU~{+~aWx8VGjQH}*m?7c_DJ%3Ka4{Of7X6j{Q7Gag+Cq{$| zX=40Qdv`~a5un!dr&81OlM)df>@c1z&ODaa`c0(FoQ-~5g(fCd)Y*W2=Q@orbXZUW znl2mYkmEc}Qy#y!$}}E_#fH6MuG1iZlQ|e%k5VhZIrYZ{b~Zm}+Zj$M7MS>0p{pqQ;j%%y z<3R3&$aPhC(*6GiO{?(zNyHJ2W^;Ve4GM{eDt{JIr`+@=O^DP?p+AeZ)2$0kZ}5|H zq<7V%+kb=+-Sr5);iLuLM_98?5U5(kjhiE{YvswfOCd78hsy>%?Wk{IvOPE>;c|x0CwTlF0<)ntxYa6G OuKVIf|0184Z~W;bMRNuK diff --git a/agenix/hosts/neon/config.nix b/agenix/hosts/neon/config.nix index 3de8578..ef15201 100644 --- a/agenix/hosts/neon/config.nix +++ b/agenix/hosts/neon/config.nix 
@@ -23,6 +23,12 @@
 group = "mosquitto";
 };
 
+ mosquitto-password-home-assistant = {
+ file = ./mosquitto/passwordHomeAssistant.age;
+ owner = "mosquitto";
+ group = "mosquitto";
+ };
+
 deye-mqtt-config = {
 file = ./deye-mqtt/config.age;
 };
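Review bot: The added `mosquitto-password-home-assistant` entry deploys the Home Assistant broker credential to neon, yet this commit removes `../nixos/mosquitto.nix` from system/hosts/neon.nix and the listener from rtl_433.nix, so nothing visible in the patch consumes it there. The only consumer shown is the `home-assistant` user in system/nixos/weewx-proxy.nix, apparently on argon, so I would drop this entry together with agenix/hosts/neon/mosquitto/passwordHomeAssistant.age and its secrets.nix line, leaving the secret decryptable by one host key only. If the entry stays, confirm that a `mosquitto` user still exists on neon, because `owner = "mosquitto";` presumably cannot be applied at activation otherwise. The attribute set this hunk extends starts and ends outside the hunk.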
diff --git a/agenix/hosts/neon/deye-mqtt/config.age b/agenix/hosts/neon/deye-mqtt/config.age index 6c9578e32991e444c26880cb797cdde1a8a8486b..4fcfdcce1073e00b3f2e7a02ad60971791edf037 100644 GIT binary patch delta 829 zcmV-D1H$~=2HXaaEPq95cUWUDMo>m!Re57GXL(6cMPXxUVL>ZRMLBXZG-)tXY*B4m zayN8SGzwHiN^(+HHcmxPcWzljb4*lBL1uJpPH{C-ayeIXFhyiTFll9FNN;+0a|$g! zAaiqQEoEdfH8n9gAT}^;XG(VSX#WNLVK3V3X0cV$g$SV41HMrcAcZ*ot0SZ+;AMM7CbFH387P-Ja$NisM! zYDF_+3N0-yATVM~GGa_ML3K`HSZZ%`d3sc9c~)#_LQiN_H#0d{NNQ?XIWIGCS$S_! z3Wk7!sop1#G=FTSaxvNWOY>wCrp?$3E9CYKh#bfJv=qoZ%Nnv^8*9`5$zjmdp*k^) zNwDO@@z~>)3Na{WItHa-gp=~`Fi>w^n*re#-mTn=&*;rpR54In=j+kyXhyu0=1W0|7(ajw0%#qwsdU^!aD1nQuA_1I=Z=f_j6g zS%IH?VV~TlTbLQ5D2yk|+ColY8^Q-6Q~ns(5@Sn zP(W5=(Q+YBoEi1_#vLxm9@fN;P79FNfJBxNenN=x9u?FGrK~!@^Aa{8PcC!1?1^7E zHrak&zA;Z@zT9oZ6zeut#R6tAR>ARn3qdP5N49W^U-CrC>6nXUr2(NQQYs9*7& zSs_P*=IWiuZC-sO_JU;t=RG<4TEM?c)Km-)&!21Zs zl{Vx}(r80j(cW^GJpY%niEMl~yC zL}_(rFbYpZVr@l8cT6@xIYMVnW@AovNj64dL}OSobx${NdUsD}PBLzGQg>r|Q3@?S zAaiqQEoEdfH8n9gAT}^;XG(Vk!EUcGO9!t7x2sLMzngF+Gk#WnOePnp zP=fbR(%y6D-%;VhW$p4mfw%$)U$y-3y(Fs1_#2y{4E%iz#@)nm!BD)o&0QtZ@q?3C znoAgz>3h=%=t?Mu`e}XWyIGox%q=3?T&9Es%DFF73xA}YjfJ^IS@ItWJN(=2=l*;2 zV(P4LQ!Y>1WciadyxqwWWkfmdx(#C@V~7g%>cFM~1T>lvJU71}kCW9Yd~&)i^)QQ} z@1z$@B%iIbq4h(vddHeiRjSss$`p(Q`g>xHC5qfC)VK1oxAPOAP6O;PeQt&@&kUu6)u%f|0Yw+x5p}X3G%c7PtKd)XoT-4P=!o@X zU~fT0c`%XdwYK-@D<~})8+$R&IqEAh)*VUf*qS<6(2kYvZhF^Y69I0!KVI+BI5#>R z6g+_N+zygdc|6XcwIWJ~(o$gi_rY<0EdL`X9e)kP0plI-^K;=NlN7nQ;+?wcHuaW^ z8=(+0R{Bj4&apeEEheaxUWE~yeWkKB)ivht2qE$(lTaKUHU^llKSYLWdBFhaIN*&M z%N+Zn1jctrUO)S(C@K)7#!8ftp_Ty%O`j&1Ws!=?AAKaCRrLN(;Ozj{aQOh2yFvKr z>o)%dX&;LCw`h}AN?Ps6!sqmmjEdOdVI9UO ssh-ed25519 MtGp6g A7lLy/9e4eGyQpmBTZ6Fw5t2jP1B5aJQ5iGUVlZZrQ4 +VfSOwKA+SYBfnCyuQDwXtN8z9owwdKlteXJxmIXjl1k +-> ssh-ed25519 60lgJw Dxs9EekvqHrLWB/M89aV0B1HxLBpbLYE8pxWx1Cf2X4 +zb7Up1DfSBYIRXom4o53KWzC56bzLLKcscvKvtZGz5s +--- y1G11ujCFt9yyOWtN5FjFGZf6QeKpZbzt8U/XZC+PME +3N^{(YjPρrLgvH}|cA \ No newline at end of file 
diff --git a/container/deye/default.nix b/container/deye/default.nix index 32f5f84..1c7237a 100644 --- a/container/deye/default.nix +++ b/container/deye/default.nix @@ -9,42 +9,4 @@ systemd.services.podman-deye-mqtt.restartTriggers = [ "${config.age.secrets.deye-mqtt-config.file}" ]; - - services.mosquitto.listeners = [ - { - address = "0.0.0.0"; - port = 1884; - - settings = { - protocol = "mqtt"; - }; - - users = { - deye = { - password = "didYouFindThis"; - acl = [ "write deye/#" ]; - }; - - bitshake = { - password = "didYouFindThis"; - acl = [ "write bitshake/#" ]; - }; - - weewx-proxy = { - hashedPasswordFile = config.age.secrets.mosquitto-password-weewx-proxy.path; - acl = [ "read deye/#" "read bitshake/#" ]; - }; - }; - } - ]; - - networking.firewall.interfaces = - let - mosquittoPorts = [ 1884 ]; - in - { - "end0".allowedTCPPorts = mosquittoPorts; - "vlan51".allowedTCPPorts = mosquittoPorts; - "podman+".allowedTCPPorts = mosquittoPorts; - }; } diff --git a/secrets.nix b/secrets.nix index a8976c6..d0bf45d 100644 --- a/secrets.nix +++ b/secrets.nix @@ -100,6 +100,10 @@ in "agenix/hosts/argon/forgejo-actions/token.age".publicKeys = argon; + "agenix/hosts/argon/mosquitto/passwordWeewxProxy.age".publicKeys = argon; + + "agenix/hosts/argon/mosquitto/passwordHomeAssistant.age".publicKeys = argon; + "agenix/hosts/argon/tailscale/authkey.age".publicKeys = argon; "agenix/hosts/argon/adguardhome-sync/environment.age".publicKeys = argon; @@ -117,6 +121,8 @@ in "agenix/hosts/neon/mosquitto/passwordWeewxProxy.age".publicKeys = neon; + "agenix/hosts/neon/mosquitto/passwordHomeAssistant.age".publicKeys = neon; + "agenix/hosts/neon/deye-mqtt/config.age".publicKeys = neon; # Styx diff --git a/system/hosts/argon.nix b/system/hosts/argon.nix index bcddabb..64a0922 100644 --- a/system/hosts/argon.nix +++ b/system/hosts/argon.nix 
@@ -27,6 +27,8 @@ in (import ../nixos/forgejo-runner.nix (args // { inherit secret; name = "argon"; tag = "ubuntu-latest-arm64"; nixTag = "arm64"; })) + ../nixos/mosquitto.nix + ../nixos/tailscale-router.nix ../nixos/tailscale-nodns.nix diff --git a/system/hosts/neon.nix b/system/hosts/neon.nix index e1703e5..bddaca9 100644 --- a/system/hosts/neon.nix +++ b/system/hosts/neon.nix @@ -23,8 +23,6 @@ in (import ../nixos/forgejo-runner.nix (args // { inherit secret; name = "neon"; tag = "ubuntu-latest-arm64"; nixTag = "arm64"; })) - ../nixos/mosquitto.nix - ../nixos/rtl_433.nix ../nixos/tailscale-router.nix diff --git a/system/nixos/rtl_433.nix b/system/nixos/rtl_433.nix index c2f3896..5ba94f9 100644 --- a/system/nixos/rtl_433.nix +++ b/system/nixos/rtl_433.nix @@ -1,4 +1,4 @@ -{ pkgs, config, ... }: +{ pkgs, ... }: { hardware.rtl-sdr.enable = true; @@ -10,38 +10,7 @@ serviceConfig = { Type = "exec"; - ExecStart = "${pkgs.rtl_433}/bin/rtl_433 -f868.3M -Yclassic -Mtime:utc -R78 -Fmqtt://127.0.0.1:1883,user=rtl,pass=didYouFindThis,retain=0,events=rtl433"; + ExecStart = "${pkgs.rtl_433}/bin/rtl_433 -f868.3M -Yclassic -Mtime:utc -R78 -Fmqtt://10.0.0.5:1883,user=rtl,pass=didYouFindThis,retain=0,events=rtl433"; }; }; - - services.mosquitto.listeners = [ - { - address = "0.0.0.0"; - port = 1883; - - settings = { - protocol = "mqtt"; - }; - - users = { - rtl = { - password = "didYouFindThis"; - acl = [ "write rtl433" ]; - }; - - weewx-proxy = { - hashedPasswordFile = config.age.secrets.mosquitto-password-weewx-proxy.path; - acl = [ "read rtl433" ]; - }; - }; - } - ]; - - networking.firewall.interfaces = - let - mosquittoPorts = [ 1883 ]; - in - { - "end0".allowedTCPPorts = mosquittoPorts; - }; } diff --git a/system/nixos/weewx-proxy.nix b/system/nixos/weewx-proxy.nix index 6aaa6c9..bf15513 100644 --- a/system/nixos/weewx-proxy.nix +++ b/system/nixos/weewx-proxy.nix 
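Review bot: In the second rtl_433.nix hunk the `ExecStart` target changes from `127.0.0.1:1883` to `10.0.0.5:1883` while `user=rtl,pass=didYouFindThis` stays inline, so the credential now leaves the host towards a listener declared with `protocol = "mqtt"` and no TLS settings anywhere in this patch. The value is also readable from the unit file and from the process arguments on neon. rtl_433 can read its options from a file via `-c <path>`, so the MQTT output option could live in an agenix-managed config file, e.g. `ExecStart = "${pkgs.rtl_433}/bin/rtl_433 -c ${config.age.secrets.<rtl433-config>.path}";` (placeholder secret name; this needs `config` kept in the module arguments, which the first hunk removes). The hard-coded broker address would also benefit from a comment naming the host it refers to.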
@@ -17,7 +17,50 @@
 };
 };
 
- networking.firewall.interfaces."vlan51" = {
- allowedTCPPorts = [ 4040 ];
- };
+ services.mosquitto.listeners = [
+ {
+ address = "0.0.0.0";
+ port = 1883;
+
+ settings = {
+ protocol = "mqtt";
+ };
+
+ users = {
+ rtl = {
+ password = "didYouFindThis";
+ acl = [ "write rtl433" ];
+ };
+
+ deye = {
+ password = "didYouFindThis";
+ acl = [ "write deye/#" ];
+ };
+
+ bitshake = {
+ password = "didYouFindThis";
+ acl = [ "write bitshake/#" ];
+ };
+
+ weewx-proxy = {
+ hashedPasswordFile = config.age.secrets.mosquitto-password-weewx-proxy.path;
+ acl = [ "read rtl433" "read deye/#" "read bitshake/#" ];
+ };
+
+ home-assistant = {
+ passwordFile = config.age.secrets.mosquitto-password-home-assistant.path;
+ acl = [ "readwrite #" ];
+ };
+ };
+ }
+ ];
+
+ networking.firewall.interfaces =
+ let
+ mosquittoPorts = [ 1883 ];
+ in
+ {
+ "end0".allowedTCPPorts = mosquittoPorts;
+ "vlan51".allowedTCPPorts = [ 4040 ] ++ mosquittoPorts;
+ };
 }
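Review bot: The `rtl`, `deye` and `bitshake` users all carry the same inline `password = "didYouFindThis";`, so any device holding that value can authenticate as either of the other two publishers and the per-user `write` ACLs give no real separation; the literal also sits in the repository and, with the inline `password` option, most likely in the world-readable Nix store. Give each publisher its own agenix secret the way `weewx-proxy` already does, e.g. `hashedPasswordFile = config.age.secrets.<publisher-secret>.path;` (placeholder name). The new `home-assistant` user gets `acl = [ "readwrite #" ];`, which also lets it publish on the sensor topics; if it only consumes them, `[ "read rtl433" "read deye/#" "read bitshake/#" ]` plus a write pattern for its own topics would be narrower. The listener binds `0.0.0.0` with plain `mqtt`, so the `end0`/`vlan51` firewall entries are the only network restriction visible here.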