Lock down access to mqtt

2024-10-27 16:15:23 -07:00
parent 5b666a0565
commit c7d9e84f73
4 changed files with 19 additions and 4 deletions
--- a/machines/storage/s0/home-automation.nix
+++ b/machines/storage/s0/home-automation.nix
@@ -8,9 +8,10 @@
    enable = true;
    listeners = [
      {
-        acl = [ "pattern readwrite #" ];
-        omitPasswordAuth = true;
-        settings.allow_anonymous = true;
+        users.root = {
+          acl = [ "readwrite #" ];
+          hashedPassword = "$7$101$8+QnkTzCdGizaKqq$lpU4o84n6D/1uwfA9pZDVExr1NDm1D/8tNla2tE9J9HdUqkvu192yYfiySY1MFqVNgUKgWEFu5P1bUKqRnzbUw==";
+        };
      }
    ];
  };
@@ -28,7 +29,8 @@
      };
      mqtt = {
        server = "mqtt://localhost:1883";
-        # base_topic = "zigbee2mqtt";
+        user = "root";
+        password = "'!/run/agenix/zigbee2mqtt.yaml mqtt_password'";
      };
      frontend = {
        host = "localhost";
@@ -36,6 +38,7 @@
      };
    };
  };
+  age.secrets."zigbee2mqtt.yaml".file = ../../../secrets/zigbee2mqtt.yaml.age;

  services.home-assistant = {
    enable = true;
--- a/machines/storage/s0/properties.nix
+++ b/machines/storage/s0/properties.nix
@@ -12,6 +12,7 @@
    "binary-cache"
    "gitea-actions-runner"
    "frigate"
+    "zigbee"
  ];

  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";