From c7d9e84f73f8916784092e12f5639455ad6bbca7 Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Sun, 27 Oct 2024 16:15:23 -0700
Subject: [PATCH] Lock down access to mqtt
---
 machines/storage/s0/home-automation.nix | 11 +++++++----
 machines/storage/s0/properties.nix | 1 +
 secrets/secrets.nix | 3 +++
 secrets/zigbee2mqtt.yaml.age | 8 ++++++++
 4 files changed, 19 insertions(+), 4 deletions(-)
 create mode 100644 secrets/zigbee2mqtt.yaml.age
diff --git a/machines/storage/s0/home-automation.nix b/machines/storage/s0/home-automation.nix
index 92c85df..1256013 100644
--- a/machines/storage/s0/home-automation.nix
+++ b/machines/storage/s0/home-automation.nix
@@ -8,9 +8,10 @@
 enable = true;
 listeners = [
 {
- acl = [ "pattern readwrite #" ];
- omitPasswordAuth = true;
- settings.allow_anonymous = true;
+ users.root = {
+ acl = [ "readwrite #" ];
+ hashedPassword = "$7$101$8+QnkTzCdGizaKqq$lpU4o84n6D/1uwfA9pZDVExr1NDm1D/8tNla2tE9J9HdUqkvu192yYfiySY1MFqVNgUKgWEFu5P1bUKqRnzbUw==";
+ };
 }
 ];
 };
@@ -28,7 +29,8 @@
 };
 mqtt = {
 server = "mqtt://localhost:1883";
- # base_topic = "zigbee2mqtt";
+ user = "root";
+ password = "'!/run/agenix/zigbee2mqtt.yaml mqtt_password'";
 };
 frontend = {
 host = "localhost";
@@ -36,6 +38,7 @@
 };
 };
 };
+ age.secrets."zigbee2mqtt.yaml".file = ../../../secrets/zigbee2mqtt.yaml.age;
 services.home-assistant = {
 enable = true;
diff --git a/machines/storage/s0/properties.nix b/machines/storage/s0/properties.nix
index 97ad622..cfbda82 100644
--- a/machines/storage/s0/properties.nix
+++ b/machines/storage/s0/properties.nix
@@ -12,6 +12,7 @@
 "binary-cache"
 "gitea-actions-runner"
 "frigate"
+ "zigbee"
 ];
 hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index ec994cb..e4de178 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
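Review bot: The `users.root.hashedPassword` literal in the first hunk commits the broker password hash to the repository and, once the configuration is evaluated, places it in the world-readable Nix store, so anyone with read access to either can attempt offline cracking of the credential that now guards every topic. The NixOS mosquitto module also accepts `hashedPasswordFile`, so the hash can be kept in an agenix secret the same way the zigbee2mqtt password is later in this file, e.g. `hashedPasswordFile = config.age.secrets."mosquitto-root".path;` (secret name is a placeholder; assumes the module receives `config`). Naming the only account `root` and granting it `readwrite #` also means every client shares one all-topic credential; per-client users with ACLs limited to their own topics (zigbee2mqtt's base topic, `zigbee2mqtt` per the comment removed in the second hunk) would keep a leaked zigbee2mqtt password from reaching other clients' topics. Whether the listener still binds all interfaces is not visible in this hunk; if it does, password authentication without TLS sends the credential in clear on the network.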
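Review bot: The new `password` line in the second hunk wraps the secret reference in single quotes inside the Nix string, so the configured value starts with `'` rather than `!`; if the module serialises the settings to YAML as-is, zigbee2mqtt will not treat it as a `!file key` reference and will send the literal text as the password (which at least fails loudly against the new broker user). Unless the quotes work around a serialisation quirk, the plain form `password = "!/run/agenix/zigbee2mqtt.yaml mqtt_password";` is what the reference syntax expects. It is also worth confirming that zigbee2mqtt resolves an absolute path here rather than joining it under its data directory, since the documented form uses a file name relative to that directory. The enclosing settings set (presumably zigbee2mqtt's) starts before this hunk.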
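Review bot: `age.secrets."zigbee2mqtt.yaml"` in the third hunk sets only `file`, so agenix decrypts it with its defaults (owned by root, mode 0400); unless the zigbee2mqtt unit runs as root, it cannot read `/run/agenix/zigbee2mqtt.yaml` when it resolves the `mqtt_password` reference added in the previous hunk. Setting `owner` to the user the service runs as, e.g. `age.secrets."zigbee2mqtt.yaml" = { file = ../../../secrets/zigbee2mqtt.yaml.age; owner = "zigbee2mqtt"; };`, keeps the file readable by that service alone rather than loosening `mode`. The service's user name should be checked against the NixOS zigbee2mqtt module rather than taken from this note.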
@@ -57,4 +57,7 @@ with roles;
 # Frigate (DVR)
 "frigate-credentials.age".publicKeys = frigate;
+
+ # zigbee2mqtt secrets
+ "zigbee2mqtt.yaml.age".publicKeys = zigbee;
 }
diff --git a/secrets/zigbee2mqtt.yaml.age b/secrets/zigbee2mqtt.yaml.age
new file mode 100644
index 0000000..a65d53d
--- /dev/null
+++ b/secrets/zigbee2mqtt.yaml.age
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPp1nw TSDuPaFp/Qcz4r819X4QmU/4J2TGpoX7jCCJCdFDog0 +SwQUqEp45xMOeTkvBG6uX28kB8YWG66laYqakSgl9w4 +-> ssh-ed25519 w3nu8g tLZDNE0iBgOpUB3djpNu3CgimsRc0zcds+AgctzxyQ4 +Oyz6XORsApM4vFxWyaD3bR/ApIUFPY3q4yGvtbosUIY +--- vuXlQmuOFbJhBTACN5ciH2GlOCbRCMPZdlogG2O+KOk +!}UI p0@X|#晆0H#BRR +5I?vX?pݏfq[lxϭG7; UOU \ No newline at end of file