diff --git a/config/services/homeassistant.nix b/config/services/homeassistant.nix
index 2a8458d..6d8a071 100644
--- a/config/services/homeassistant.nix
+++ b/config/services/homeassistant.nix
@@ -36,8 +36,17 @@
 ];
 };
 networking.nftables.firewall.zones.devices.interfaces = [ "mv-devices" ];
+ networking.nftables.firewall.zones.iot.interfaces = [ "mv-iot" ];
 networking.nftables.firewall = {
 rules = {
+ mqtt = {
+ from = [
+ "devices"
+ "iot"
+ ];
+ to = [ "local" ];
+ allowedTCPPorts = [ 1883 ];
+ };
 homematic = {
 from = [
 "devices"
@@ -45,8 +54,38 @@
 to = [ "local" ];
 allowedTCPPorts = [ 45053 ];
 };
+ mdns = {
+ from = [
+ "devices"
+ "iot"
+ ];
+ to = [ "local" ];
+ allowedUDPPorts = [ 5353 ];
+ };
 };
 };
+ age.secrets.mosquitto-pw-home_assistant = {
+ mode = "440";
+ owner = "hass";
+ group = "mosquitto";
+ generator.script = "alnum";
+ };
+ services.mosquitto = {
+ enable = true;
+ persistence = true;
+ listeners = [
+ {
+ acl = [ "pattern readwrite #" ];
+ users = {
+ home_assistant = {
+ passwordFile = config.age.secrets.mosquitto-pw-home_assistant.path;
+ acl = [ "readwrite #" ];
+ };
+ };
+ settings.allow_anonymous = false;
+ }
+ ];
+ };
 services.home-assistant = {
 enable = true;
@@ -392,6 +431,7 @@
 stringcase
 hahomematic
 pymodbus
+ hatasmota
 ];
 };
 networking.hosts = {
diff --git a/hosts/elisabeth/secrets/homeassistant/generated/mosquitto-pw-home_assistant.age b/hosts/elisabeth/secrets/homeassistant/generated/mosquitto-pw-home_assistant.age
new file mode 100644
index 0000000..c9d728f
Binary files /dev/null and b/hosts/elisabeth/secrets/homeassistant/generated/mosquitto-pw-home_assistant.age differ
diff --git a/hosts/nucnix/hostapd.nix b/hosts/nucnix/hostapd.nix
index 0e7cfd8..d73ec39 100644
--- a/hosts/nucnix/hostapd.nix
+++ b/hosts/nucnix/hostapd.nix
@@ -15,9 +15,6 @@
 homeWlan = {
 generator.script = "alnum";
 };
- guestWlan = {
- generator.script = "alnum";
- };
 iotWlan = {
 generator.script = "alnum";
 };
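Review bot: The new `mqtt` rule admits both the `devices` and `iot` zones to TCP 1883, the plaintext MQTT port, and the mosquitto listener added further down this file sets no `port`, `address` or TLS options, so with the module defaults it listens on every address and this rule is the only thing bounding who can reach the broker. Credentials and topic payloads therefore cross the iot segment unencrypted; that may be an accepted trade-off for an isolated VLAN, but it is worth recording next to the rule, e.g. `# plaintext MQTT: the listener has no TLS, reach is bounded only by these zones`. The enclosing `networking.nftables.firewall` set continues past the end of the hunk.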
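Review bot: The listener-level `acl = [ "pattern readwrite #" ];` grants every authenticated client read/write on all topics, which makes the per-user `acl = [ "readwrite #" ];` on `home_assistant` redundant and means any user added later (or anonymous clients, should `settings.allow_anonymous` ever be flipped) inherits full access; dropping the pattern line and keeping only per-user ACLs leaves the broker default-deny. Only one user is defined, so if the devices on the iot zone are meant to authenticate as well (the `hatasmota` addition in the next hunk hints at that), they presumably have to share the `home_assistant` credential, and a separate user whose ACL is scoped to its own topic prefix (a constructed example: `acl = [ "readwrite devices/#" ];`) would limit what a compromised device can publish or read. The `services.home-assistant` set that follows continues outside the hunk.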
@@ -66,35 +63,23 @@
 inherit (globals.hostapd) ssid;
 apIsolate = true;
 # not supporte by laptop :(
- # settings.ieee80211w = 0;
+ #settings.ieee80211w = 0;
 logLevel = 0;
 settings = {
- vlan_file = "${pkgs.writeText "hostaps.vlans" ''
- 10 wifi-home br-home
- 40 wifi-iot br-iot
- 50 wifi-guests br-guests
- ''}";
- dynamic_vlan = 1;
+ bridge = "br-iot";
 };
 authentication = {
- saePasswords = [
- {
- passwordFile = config.age.secrets.homeWlan.path;
- vlanid = 10;
- }
- {
- passwordFile = config.age.secrets.iotWlan.path;
- vlanid = 40;
- }
- {
- passwordFile = config.age.secrets.guestWlan.path;
- vlanid = 50;
- }
- ];
+ mode = "wpa2-sha1";
+ wpaPasswordFile = config.age.secrets.iotWlan.path;
+ # saePasswords = [
+ # {
+ # passwordFile = config.age.secrets.iotWlan.path;
+ # }
+ # ];
 pairwiseCiphers = [
 "CCMP"
- "GCMP"
- "GCMP-256"
+ # "GCMP"
+ # "GCMP-256"
 ];
 #enableRecommendedPairwiseCiphers = true;
 };
diff --git a/hosts/nucnix/secrets/generated/guestWlan.age b/hosts/nucnix/secrets/generated/guestWlan.age
deleted file mode 100644
index 863ec3e..0000000
--- a/hosts/nucnix/secrets/generated/guestWlan.age
+++ /dev/null
@@ -1,15 +0,0 @@
-age-encryption.org/v1
--> X25519 DnkfavonwcikVjuIH3aQTxh9+U+Vr6se2PPdjCL68iw
-qcfI8Rz+8fLqePoqk4XEY0vQyH2+eZtE3c/lrei9OWo
--> piv-p256 ZFgiIw AzKnjNFccsLZSS6EipE+gqoMzjj5Q//OMpAxrPFVHzPW
-VphyHLTFEc7nsPfETAi/4VLg+mXb6B2qgTikgn1SyJI
--> piv-p256 XTQkUA A6mFKlj6AYBxwe+p3Yn57Re5e4Ihk42qNCbwFXDVLsV2
-YogIWza1sZGXOOeZVVD2fcShAG00QQosLlHntBK+UeI
--> piv-p256 ZFgiIw A2dlENHarOIr4e3ZikrRYeWZI1N4NKwzWuIB4+Vuq96a
-55zk9XyUEGwwnxxGFyfia8YVF9Sjj7KFut03YrH6+Zc
--> piv-p256 5vmPtQ Aq81XRMh1/reZhBMQIGd7C+sOEG1pKSTJbdEAmkPoP17
-WCzUWz3HDZIIrqMuypxkZMqzoggCmaSPrXNdmNMntHY
--> &1koE-grease
-dqDfmnpD0sarnFxWDlpn5p3AMIWMPz58V0pJ5Lu2mXAIjEqPimCW/Q
---- UA2bf9I/vCa+Zn6zRM6V7OeHS69Drwes8V0UexK+SBU
-5PgKD&@uZ?J$fĚZCɋ9L Rxb'cMC:JG~!M(
\ No newline at end of file
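Review bot: `mode = "wpa2-sha1";` together with `wpaPasswordFile = config.age.secrets.iotWlan.path;` replaces the three SAE passwords with a single WPA2 pre-shared key, and `bridge = "br-iot";` replaces the `vlan_file`/`dynamic_vlan` mapping, so every client of this SSID, including whatever previously joined VLAN 10 with the `homeWlan` secret, now shares the IoT key on the IoT bridge and the home/iot/guest separation the old config enforced is gone. If the laptop problem noted in `# not supporte by laptop :(` is with SAE itself, the module's `wpa3-sae-transition` mode would keep SAE for capable clients while still admitting a WPA2 client, rather than downgrading every station to WPA2-PSK with the SHA-1 KDF; if the problem is only PMF, that deserves its own note, since SAE cannot work without it. The parked `# saePasswords`, `# "GCMP"` and `# "GCMP-256"` lines should either be removed or carry a reason, e.g. `# SAE and GCMP disabled: the laptop cannot associate; re-enable once the client supports them`. The `settings` and `authentication` sets are complete within the hunk, but the enclosing hostapd definition starts before it.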