New service: Zigbee2Mqtt with Mosquitto for HA2

hosts/default.nix

@@ -168,7 +168,7 @@ in
   };
 
   authentik = nixpkgs.lib.nixosSystem {
-    pkgs = pkgs "x86_64-linux";
+    pkgs = pkgs-unstable "x86_64-linux";
     modules = [
       myModules
       proxmoxModule
@@ -266,4 +266,15 @@ in
     # specialArgs = { };
   };
 
+  zigbee2mqtt = nixpkgs-unstable.lib.nixosSystem {
+    pkgs = pkgs-unstable "x86_64-linux";
+    modules = [
+      myModules
+      proxmoxModule
+      ./zigbee2mqtt
+      agenix.nixosModules.default
+    ];
+    # specialArgs = { };
+  };
+
 }

hosts/deployments.nix

@@ -164,6 +164,15 @@ in
     ];
   };
 
+  zigbee2mqtt.deployment = {
+    targetHost = hosts.zigbee2mqtt;
+    tags = [
+      "lxc"
+      "bacco"
+      "zigbee2mqtt"
+    ];
+  };
+
   deadbeef.deployment = {
     allowLocalDeployment = true;
     targetHost = null;

hosts/parameters.nix

@@ -20,6 +20,7 @@
     firefly-iii = "firefly-iii.internal";
     open-webui = "open-webui.home";
     paperless = "paperless.internal";
+    zigbee2mqtt = "zigbee2mqtt.home";
   };
   domains = {
     public = "pasetto.me";

hosts/zigbee2mqtt/default.nix

@@ -0,0 +1,38 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  p = import ../parameters.nix;
+in
+{
+
+  age.secrets = {
+    mqtt-password.file = ../../secrets/mqtt-password.age;
+    zigbee2mqtt-password.file = ../../secrets/zigbee2mqtt-password.age;
+  };
+
+  my = {
+
+    networking = {
+      zigbee2mqtt = {
+        enable = true;
+        enable-metric = true;
+        mqtt-passwordFile = config.age.secrets.mqtt-password.path;
+        z2mqtt-passwordFile = config.age.secrets.zigbee2mqtt-password.path;
+      };
+    };
+
+    utils = {
+      commons.enable = true;
+      commons.gc.enable = true;
+      lxc-standard.enable = true;
+    };
+
+    virtualisation.proxmox.enable = true;
+  };
+
+  system.stateVersion = "25.05";
+}

modules/networking/default.nix

@@ -7,5 +7,6 @@
     ./shadowsocks.nix
     ./tailscale.nix
     ./technitium-dns-server.nix
+    ./zigbee2mqtt.nix
   ];
 }

modules/networking/zigbee2mqtt.nix

@@ -0,0 +1,102 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.my.networking.zigbee2mqtt;
+  defaultPorts = config.services.zigbee2mqtt.firewallTCPPorts.default;
+in
+{
+  options.my.networking.zigbee2mqtt = {
+    enable = lib.mkEnableOption "Enable Technitium DNS Server";
+
+    enable-metric = lib.mkEnableOption "Enable Zigbee2MQTT metrics export to Prometheus";
+
+    mqtt-port = lib.mkOption {
+      type = lib.types.port;
+      default = 1883;
+      description = "Port for the MQTT server.";
+    };
+
+    z2m-frontend-port = lib.mkOption {
+      type = lib.types.port;
+      default = 8080;
+      description = "Port for the Zigbee2MQTT frontend.";
+    };
+
+    mqtt-passwordFile = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/keys/mqtt.password";
+      description = "Path to the file containing the MQTT password.";
+    };
+
+    z2mqtt-passwordFile = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/keys/mqtt.password";
+      description = "Path to the file containing the Zigbee2mqtt password.";
+    };
+
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    services.mosquitto = {
+      enable = true;
+      listeners = [
+        {
+          address = "0.0.0.0";
+          port = cfg.mqtt-port;
+          users = {
+            homeassistant = {
+              acl = [
+                "readwrite homeassistant/#"
+                "readwrite zigbee2mqtt/#"
+              ];
+              passwordFile = cfg.mqtt-passwordFile;
+            };
+          };
+        }
+      ];
+    };
+
+    services.zigbee2mqtt = {
+      enable = true;
+      settings = {
+        permit_join = false;
+        frontend = {
+          enabled = true;
+          port = cfg.z2m-frontend-port;
+        };
+        homeassistant = {
+          enabled = true;
+          status_topic = "homeassistant/status";
+        };
+        mqtt = {
+          server = "mqtt://localhost:1883";
+          user = "homeassistant";
+        };
+
+        serial = {
+          port = "tcp://slzb-06m.home:6638";
+          baudrate = 115200;
+          adapter = "ember";
+          disable_led = false;
+          advanced = {
+            transmit_power = 20;
+          };
+        };
+      };
+    };
+
+    systemd.services.zigbee2mqtt.serviceConfig.EnvironmentFile = cfg.z2mqtt-passwordFile;
+
+    networking.firewall.allowedTCPPorts = [
+      cfg.mqtt-port
+      cfg.z2m-frontend-port
+    ];
+
+  };
+
+}

secrets.nix

@@ -32,6 +32,8 @@ let
     open-webui = [ machines.open-webui ];
     paperless-admin = [ machines.paperless ];
     paperless-oauth2-client-secret = [ machines.paperless ];
+    zigbee2mqtt-password = [ machines.zigbee2mqtt ];
+    mqtt-password = [ machines.zigbee2mqtt ];
   };
 in
 builtins.listToAttrs (

secrets/mqtt-password.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 VfYKTQ B/p6JgXPAbDKC82eVr9lhMInsAv6KeLSruFasnOVn2M
+1WbqdYYwx6uNsk7zfjaeP2aEzdylaftB3DhTl0Reklg
+-> ssh-ed25519 Si3UKw GUw2plC7KulmGhq+S8NBsJ0HMJbUGVfKpM0yPAYw9VM
+r8fc825PZeOn68Pr/w7+FslKkvLhYII2Z3O/oPtTcEM
+-> ssh-ed25519 3UG3uw 46CMAU8HspDzhS0xOyvxhhRLSCYsvbCe1GhD37IerBo
+0xupSDFzs3NoWyRluSbef/yyi12ifmQLziW+DWjeLMQ
+-> ssh-ed25519 JEhtoQ aZ4lBWParQpV1sqV7EDbig2XNrMgyJc6lTygx6V7+yM
+OhD79ObU+BTt1APJlz/d5gbRPiuGZn9SEs2i9rynGgk
+-> ssh-ed25519 uqg2jw 66s+6wTTVuU93kZx+riuzE7/jkBaPlZ2aCcf00N/4kc
+fPtovYSh0C9gMcaAuZaI5qFn1d2Qk30afvjPATTR8I4
+--- svQf5Qxn0PyuE3IvU9bpT9ZoxqazFHjZDzJ801pbDuA
+w¿…gÞ²	ø­¸¿ß-š„—Ê%¾Æ%;˜ŽD—±N/§Œ.ü·r1¦,<2C>éÀ

secrets/zigbee2mqtt-password.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 VfYKTQ o5yi/aOeYyscYEWXtVe/fntG+qBJOdfgwP9zgJYVSCM
+ZjVZC9snwUu3TuI32+SMD7G4ETI9GXS3SjiGB/3b0XU
+-> ssh-ed25519 Si3UKw HWNOTPILpJgQIby2yv8NG6yX+E18oId+Mf04jjXFLhE
+4U5h0GhNX8ZPL7yrVFGgSBgXeGp09RKjWN2K2tQO5ZI
+-> ssh-ed25519 3UG3uw 2WrmG6mVn22LzxtVgn7iDN1fA7CrKV7hzxyn5QAejB0
+vS8xKDw+mcFEK7lKtkLn5cIHAULaq67RtxcIGHCd/Zs
+-> ssh-ed25519 JEhtoQ AEAym+jovZUypWqBDS3AxdSjonT1adXA3q4J3XMQUnY
+M442JvlaVwDiqp/KxO8t/IV60Au3V+f+7lCsLq6XF/0
+-> ssh-ed25519 uqg2jw 8XMEe4kpOkByBko1a7ORb8gjoraHYT0U1/irVQEtPBc
+mUp9aIpCcCYnawRgv6ZOCgLp/4GG8EbRkgFEWbp6Z/0
+--- I8Ng9aKuPhGOE/xi3Hrb8HhhSmRKDS5tKAkOjXp25p8
+uj4r||ªQGB¹Ô²å(,…7m%M`~­ac4eÄå<C384>—<EFBFBD>	 zDÌK<C38C>çäm	f
ŽRðTlÿ<>kŽlã̳§”»JÚçCªø

ssh-keys.nix

@@ -23,6 +23,7 @@ rec {
     firefly-iii = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYkXjRqmuTMg56EmAx8s1M/VQojM7akF/ao+jJLYgFB";
     open-webui = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOkm9z19sFGEs7aexOfnvyxEgehydSbeLjrYo0srFKV";
     paperless = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRNgDyk3TuMooG4ZCv7SOgXh0ql1/1hhhng7uSnsLeK";
+    zigbee2mqtt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINN0z+RxfAIARVMFgtF9olJrL5lt95IoC0Mtzg0MKd3g";
   };
 
   # Machines able to provision other machines