diff --git a/hosts/default.nix b/hosts/default.nix index 2a417cf..bcb9238 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -168,7 +168,7 @@ in }; authentik = nixpkgs.lib.nixosSystem { - pkgs = pkgs "x86_64-linux"; + pkgs = pkgs-unstable "x86_64-linux"; modules = [ myModules proxmoxModule @@ -266,4 +266,15 @@ in # specialArgs = { }; }; + zigbee2mqtt = nixpkgs-unstable.lib.nixosSystem { + pkgs = pkgs-unstable "x86_64-linux"; + modules = [ + myModules + proxmoxModule + ./zigbee2mqtt + agenix.nixosModules.default + ]; + # specialArgs = { }; + }; + } diff --git a/hosts/deployments.nix b/hosts/deployments.nix index 86b3ab8..d0245cf 100644 --- a/hosts/deployments.nix +++ b/hosts/deployments.nix @@ -164,6 +164,15 @@ in ]; }; + zigbee2mqtt.deployment = { + targetHost = hosts.zigbee2mqtt; + tags = [ + "lxc" + "bacco" + "zigbee2mqtt" + ]; + }; + deadbeef.deployment = { allowLocalDeployment = true; targetHost = null; diff --git a/hosts/parameters.nix b/hosts/parameters.nix index af5d758..3ed50bc 100644 --- a/hosts/parameters.nix +++ b/hosts/parameters.nix @@ -20,6 +20,7 @@ firefly-iii = "firefly-iii.internal"; open-webui = "open-webui.home"; paperless = "paperless.internal"; + zigbee2mqtt = "zigbee2mqtt.home"; }; domains = { public = "pasetto.me"; diff --git a/hosts/zigbee2mqtt/default.nix b/hosts/zigbee2mqtt/default.nix new file mode 100644 index 0000000..a1f74d9 --- /dev/null +++ b/hosts/zigbee2mqtt/default.nix 
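Review bot: The new `zigbee2mqtt` host in the second hosts/default.nix hunk is built with `nixpkgs-unstable.lib.nixosSystem`, while the `authentik` hunk just above switches that host to `pkgs-unstable` but keeps `nixpkgs.lib.nixosSystem`, so two hosts on the same package set are presumably evaluated against different NixOS module trees; pick one pairing (`nixpkgs-unstable.lib.nixosSystem` with `pkgs-unstable` looks like the intended one) and use it for both. The `authentik` switch is also unrelated to adding the Zigbee2MQTT host and would be easier to bisect as its own commit. The deployments.nix and parameters.nix hunks only register the new host and need no change.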
@@ -0,0 +1,38 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ p = import ../parameters.nix;
+in
+{
+
+ age.secrets = {
+ mqtt-password.file = ../../secrets/mqtt-password.age;
+ zigbee2mqtt-password.file = ../../secrets/zigbee2mqtt-password.age;
+ };
+
+ my = {
+
+ networking = {
+ zigbee2mqtt = {
+ enable = true;
+ enable-metric = true;
+ mqtt-passwordFile = config.age.secrets.mqtt-password.path;
+ z2mqtt-passwordFile = config.age.secrets.zigbee2mqtt-password.path;
+ };
+ };
+
+ utils = {
+ commons.enable = true;
+ commons.gc.enable = true;
+ lxc-standard.enable = true;
+ };
+
+ virtualisation.proxmox.enable = true;
+ };
+
+ system.stateVersion = "25.05";
+}
diff --git a/modules/networking/default.nix b/modules/networking/default.nix
index 4229e29..f438b4a 100644
--- a/modules/networking/default.nix
+++ b/modules/networking/default.nix
@@ -7,5 +7,6 @@ ./shadowsocks.nix ./tailscale.nix ./technitium-dns-server.nix + ./zigbee2mqtt.nix ]; }
diff --git a/modules/networking/zigbee2mqtt.nix b/modules/networking/zigbee2mqtt.nix
new file mode 100644
index 0000000..23f6876
--- /dev/null
+++ b/modules/networking/zigbee2mqtt.nix
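Review bot: `p = import ../parameters.nix;` in the `let` block is never referenced in this file, and `pkgs`/`lib` are destructured from the argument set without being used; drop the `p` binding so the file does not advertise a dependency it does not have. The two secret paths are passed to the module as `mqtt-passwordFile` and `z2mqtt-passwordFile`, but the module consumes the first as a raw Mosquitto `passwordFile` and the second as a systemd `EnvironmentFile`, so a comment on these two lines stating what each `.age` file must decrypt to (a bare password vs. `KEY=value` lines) would save the next editor from encrypting the wrong content.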
@@ -0,0 +1,102 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.my.networking.zigbee2mqtt;
+ defaultPorts = config.services.zigbee2mqtt.firewallTCPPorts.default;
+in
+{
+ options.my.networking.zigbee2mqtt = {
+ enable = lib.mkEnableOption "Enable Technitium DNS Server";
+
+ enable-metric = lib.mkEnableOption "Enable Zigbee2MQTT metrics export to Prometheus";
+
+ mqtt-port = lib.mkOption {
+ type = lib.types.port;
+ default = 1883;
+ description = "Port for the MQTT server.";
+ };
+
+ z2m-frontend-port = lib.mkOption {
+ type = lib.types.port;
+ default = 8080;
+ description = "Port for the Zigbee2MQTT frontend.";
+ };
+
+ mqtt-passwordFile = lib.mkOption {
+ type = lib.types.path;
+ default = "/run/keys/mqtt.password";
+ description = "Path to the file containing the MQTT password.";
+ };
+
+ z2mqtt-passwordFile = lib.mkOption {
+ type = lib.types.path;
+ default = "/run/keys/mqtt.password";
+ description = "Path to the file containing the Zigbee2mqtt password.";
+ };
+
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ services.mosquitto = {
+ enable = true;
+ listeners = [
+ {
+ address = "0.0.0.0";
+ port = cfg.mqtt-port;
+ users = {
+ homeassistant = {
+ acl = [
+ "readwrite homeassistant/#"
+ "readwrite zigbee2mqtt/#"
+ ];
+ passwordFile = cfg.mqtt-passwordFile;
+ };
+ };
+ }
+ ];
+ };
+
+ services.zigbee2mqtt = {
+ enable = true;
+ settings = {
+ permit_join = false;
+ frontend = {
+ enabled = true;
+ port = cfg.z2m-frontend-port;
+ };
+ homeassistant = {
+ enabled = true;
+ status_topic = "homeassistant/status";
+ };
+ mqtt = {
+ server = "mqtt://localhost:1883";
+ user = "homeassistant";
+ };
+
+ serial = {
+ port = "tcp://slzb-06m.home:6638";
+ baudrate = 115200;
+ adapter = "ember";
+ disable_led = false;
+ advanced = {
+ transmit_power = 20;
+ };
+ };
+ };
+ };
+
+ systemd.services.zigbee2mqtt.serviceConfig.EnvironmentFile = cfg.z2mqtt-passwordFile;
+
+ networking.firewall.allowedTCPPorts = [
+ cfg.mqtt-port
+ cfg.z2m-frontend-port
+ ];
+
+ };
+
+}
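Review bot: `mqtt.server = "mqtt://localhost:1883"` hard-codes the broker port although the listener above binds `cfg.mqtt-port`, so overriding the option silently breaks the Zigbee2MQTT connection; use `server = "mqtt://localhost:${toString cfg.mqtt-port}";`. The `enable` option text is a copy-paste leftover (`mkEnableOption "Enable Technitium DNS Server"` renders as "Whether to enable Enable Technitium DNS Server"), and both `enable-metric` and the `defaultPorts` let-binding are declared but never referenced in the `config` block, so the metrics option is currently a no-op. The frontend port is opened on every interface via `networking.firewall.allowedTCPPorts` with no `frontend.auth_token`, which leaves device pairing and management reachable unauthenticated from the LAN; either set `auth_token` from a secret or restrict the bind address with `frontend.host`. `z2mqtt-passwordFile` is fed to systemd as an `EnvironmentFile`, so its description should say the file must hold `KEY=value` lines (e.g. `ZIGBEE2MQTT_CONFIG_MQTT_PASSWORD=...`) rather than a bare password like `mqtt-passwordFile`, and its default pointing at the same `/run/keys/mqtt.password` path looks unintended. Unless the module flattens it, `transmit_power` belongs under the top-level `advanced` section of the Zigbee2MQTT settings rather than `serial.advanced`; worth verifying against the settings schema.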
diff --git a/secrets.nix b/secrets.nix index e1ce26b..e0a1813 100644 --- a/secrets.nix +++ b/secrets.nix @@ -32,6 +32,8 @@ let open-webui = [ machines.open-webui ]; paperless-admin = [ machines.paperless ]; paperless-oauth2-client-secret = [ machines.paperless ]; + zigbee2mqtt-password = [ machines.zigbee2mqtt ]; + mqtt-password = [ machines.zigbee2mqtt ]; }; in builtins.listToAttrs ( diff --git a/secrets/mqtt-password.age b/secrets/mqtt-password.age new file mode 100644 index 0000000..bc8d471 --- /dev/null +++ b/secrets/mqtt-password.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 VfYKTQ B/p6JgXPAbDKC82eVr9lhMInsAv6KeLSruFasnOVn2M +1WbqdYYwx6uNsk7zfjaeP2aEzdylaftB3DhTl0Reklg +-> ssh-ed25519 Si3UKw GUw2plC7KulmGhq+S8NBsJ0HMJbUGVfKpM0yPAYw9VM +r8fc825PZeOn68Pr/w7+FslKkvLhYII2Z3O/oPtTcEM +-> ssh-ed25519 3UG3uw 46CMAU8HspDzhS0xOyvxhhRLSCYsvbCe1GhD37IerBo +0xupSDFzs3NoWyRluSbef/yyi12ifmQLziW+DWjeLMQ +-> ssh-ed25519 JEhtoQ aZ4lBWParQpV1sqV7EDbig2XNrMgyJc6lTygx6V7+yM +OhD79ObU+BTt1APJlz/d5gbRPiuGZn9SEs2i9rynGgk +-> ssh-ed25519 uqg2jw 66s+6wTTVuU93kZx+riuzE7/jkBaPlZ2aCcf00N/4kc +fPtovYSh0C9gMcaAuZaI5qFn1d2Qk30afvjPATTR8I4 +--- svQf5Qxn0PyuE3IvU9bpT9ZoxqazFHjZDzJ801pbDuA +wg޲ -%%;DN/.r1, \ No newline at end of file diff --git a/secrets/zigbee2mqtt-password.age b/secrets/zigbee2mqtt-password.age new file mode 100644 index 0000000..f26b7d9 --- /dev/null +++ b/secrets/zigbee2mqtt-password.age 
@@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 VfYKTQ o5yi/aOeYyscYEWXtVe/fntG+qBJOdfgwP9zgJYVSCM +ZjVZC9snwUu3TuI32+SMD7G4ETI9GXS3SjiGB/3b0XU +-> ssh-ed25519 Si3UKw HWNOTPILpJgQIby2yv8NG6yX+E18oId+Mf04jjXFLhE +4U5h0GhNX8ZPL7yrVFGgSBgXeGp09RKjWN2K2tQO5ZI +-> ssh-ed25519 3UG3uw 2WrmG6mVn22LzxtVgn7iDN1fA7CrKV7hzxyn5QAejB0 +vS8xKDw+mcFEK7lKtkLn5cIHAULaq67RtxcIGHCd/Zs +-> ssh-ed25519 JEhtoQ AEAym+jovZUypWqBDS3AxdSjonT1adXA3q4J3XMQUnY +M442JvlaVwDiqp/KxO8t/IV60Au3V+f+7lCsLq6XF/0 +-> ssh-ed25519 uqg2jw 8XMEe4kpOkByBko1a7ORb8gjoraHYT0U1/irVQEtPBc +mUp9aIpCcCYnawRgv6ZOCgLp/4GG8EbRkgFEWbp6Z/0 +--- I8Ng9aKuPhGOE/xi3Hrb8HhhSmRKDS5tKAkOjXp25p8 +uj4r||QGBԲ(,7m%M`~ac4e块 zDKm f RTlkl̳J C \ No newline at end of file diff --git a/ssh-keys.nix b/ssh-keys.nix index b648e43..539b661 100644 --- a/ssh-keys.nix +++ b/ssh-keys.nix @@ -23,6 +23,7 @@ rec { firefly-iii = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYkXjRqmuTMg56EmAx8s1M/VQojM7akF/ao+jJLYgFB"; open-webui = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOkm9z19sFGEs7aexOfnvyxEgehydSbeLjrYo0srFKV"; paperless = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRNgDyk3TuMooG4ZCv7SOgXh0ql1/1hhhng7uSnsLeK"; + zigbee2mqtt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINN0z+RxfAIARVMFgtF9olJrL5lt95IoC0Mtzg0MKd3g"; }; # Machines able to provision other machines