From 1b983b62d125fd8be11807ea348fa74fc0370b0d Mon Sep 17 00:00:00 2001
From: Patrick
Date: Mon, 13 Jan 2025 21:28:06 +0100
Subject: [PATCH] feat: tasmota with hme assistant
---
 config/services/homeassistant.nix | 40 ++++++++++++++++++
 .../generated/mosquitto-pw-home_assistant.age | Bin 0 -> 842 bytes
 hosts/nucnix/hostapd.nix | 37 +++++-----------
 hosts/nucnix/secrets/generated/guestWlan.age | 15 -------
 4 files changed, 51 insertions(+), 41 deletions(-)
 create mode 100644 hosts/elisabeth/secrets/homeassistant/generated/mosquitto-pw-home_assistant.age
 delete mode 100644 hosts/nucnix/secrets/generated/guestWlan.age
diff --git a/config/services/homeassistant.nix b/config/services/homeassistant.nix
index 2a8458d..6d8a071 100644
--- a/config/services/homeassistant.nix
+++ b/config/services/homeassistant.nix
@@ -36,8 +36,17 @@
 ];
 };
 networking.nftables.firewall.zones.devices.interfaces = [ "mv-devices" ];
+ networking.nftables.firewall.zones.iot.interfaces = [ "mv-iot" ];
 networking.nftables.firewall = {
 rules = {
+ mqtt = {
+ from = [
+ "devices"
+ "iot"
+ ];
+ to = [ "local" ];
+ allowedTCPPorts = [ 1883 ];
+ };
 homematic = {
 from = [
 "devices"
@@ -45,8 +54,38 @@
 to = [ "local" ];
 allowedTCPPorts = [ 45053 ];
 };
+ mdns = {
+ from = [
+ "devices"
+ "iot"
+ ];
+ to = [ "local" ];
+ allowedUDPPorts = [ 5353 ];
+ };
 };
 };
+ age.secrets.mosquitto-pw-home_assistant = {
+ mode = "440";
+ owner = "hass";
+ group = "mosquitto";
+ generator.script = "alnum";
+ };
+ services.mosquitto = {
+ enable = true;
+ persistence = true;
+ listeners = [
+ {
+ acl = [ "pattern readwrite #" ];
+ users = {
+ home_assistant = {
+ passwordFile = config.age.secrets.mosquitto-pw-home_assistant.path;
+ acl = [ "readwrite #" ];
+ };
+ };
+ settings.allow_anonymous = false;
+ }
+ ];
+ };
 services.home-assistant = {
 enable = true;
@@ -392,6 +431,7 @@
 stringcase
 hahomematic
 pymodbus
+ hatasmota
 ];
 };
 networking.hosts = {
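Review bot: The new `mqtt` rule opens TCP 1883 from both the `devices` zone and the new `iot` zone, and the Mosquitto listener added further down this file configures no TLS material, so broker credentials and topic payloads cross the IoT segment in cleartext. Where the Tasmota builds in use support it, a second listener with `port = 8883` plus `settings.certfile`/`settings.keyfile` and a matching firewall rule would let capable devices authenticate over TLS, with 1883 kept only for those that cannot. If plaintext is the accepted trade-off for this segment, a comment on the rule such as `# plaintext MQTT: broker credentials are the only control on this segment` records the decision for the next reader. The enclosing `networking.nftables.firewall` attribute set ends outside the hunk.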
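Review bot: The listener-level `acl = [ "pattern readwrite #" ]` applies to every authenticated account, so the per-user `acl = [ "readwrite #" ]` on `home_assistant` is redundant, and any account later added for the devices behind the new `iot` zone would inherit write access to all topics, including the ones Home Assistant publishes commands on. Dropping the `pattern` line and keeping ACLs on the user entries makes the scope explicit, and device accounts can then be confined to their own topic prefixes. The hunk defines only the `home_assistant` user; if the Tasmota devices are expected to connect with that same secret, one broker-wide credential is shared across every device on the segment, and a separate user per device class would be the usual split. The module attribute set containing these options starts and ends outside the hunk.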
diff --git a/hosts/elisabeth/secrets/homeassistant/generated/mosquitto-pw-home_assistant.age b/hosts/elisabeth/secrets/homeassistant/generated/mosquitto-pw-home_assistant.age
new file mode 100644
index 0000000000000000000000000000000000000000..c9d728f9a8ecbab25f4db8b02a0b61100f4c8623
GIT binary patch
literal 842
zcmY+=z3by-0Kjq4Ez=<`PDasF$o2BpB#of>Bz?(Clcs5tv<2asw`w}cdiJn35hXc_LuT3YAV*By{k1W zS~4W}mTqU)yr{`)wUje$ISi0($B%_FzK%+YVbQ}J#&U~-TnJjz<_klXOjtxXCwW!4 zfY7JI>m;GhXA4_^o;gIy5?Sbg8KeR4^n=U_0(4Apq&ko)T}FGd5@gmQs`Q|Wfp){% zZP%#FlwDlsTs5hbp_a8Zal`t*YwUqgX6dvCT$1*7Vkq=g*|B?d?Cc1!6imfzlRLIw61gD>X{i^wYmvru+xx}Mhs-rI>NN_IA;$3Y ztV#@u(@1in`naQ+JKPIT?O{_0aYP0cYmRF=MaXoq4O+ra50TqAb{!_6JLuO7#SN=d zIY0piCo&?NAqJ1TW-q+5arLSh!Ao$g0`%S*ebqgU5O_!@94yswkaUooQZAHBM#&o$ z(1seTZCi1Y)yw##ac7K3Fl-(IgB0VWwB{$N6%e2nL%<&!9`Y-3AJwMm&#f`X;QJkE z!(!;ojtUKx*xWb^BtkKTOu+kZZm+1KuU{@w%p>s!A+eE;QVzyJFg?$$3q z*Dt;C=^tOd_}BCH2R}U6-~H^l+kgHv{qegmKH<_wUp=vU=i$@8-4Uw~|9#ti>i+%P IkKX#`KMYkHEC2ui
literal 0
HcmV?d00001
diff --git a/hosts/nucnix/hostapd.nix b/hosts/nucnix/hostapd.nix
index 0e7cfd8..d73ec39 100644
--- a/hosts/nucnix/hostapd.nix
+++ b/hosts/nucnix/hostapd.nix
@@ -15,9 +15,6 @@
 homeWlan = {
 generator.script = "alnum";
 };
- guestWlan = {
- generator.script = "alnum";
- };
 iotWlan = {
 generator.script = "alnum";
 };
@@ -66,35 +63,23 @@
 inherit (globals.hostapd) ssid;
 apIsolate = true;
 # not supporte by laptop :(
- # settings.ieee80211w = 0;
+ #settings.ieee80211w = 0;
 logLevel = 0;
 settings = {
- vlan_file = "${pkgs.writeText "hostaps.vlans" ''
- 10 wifi-home br-home
- 40 wifi-iot br-iot
- 50 wifi-guests br-guests
- ''}";
- dynamic_vlan = 1;
+ bridge = "br-iot";
 };
 authentication = {
- saePasswords = [
- {
- passwordFile = config.age.secrets.homeWlan.path;
- vlanid = 10;
- }
- {
- passwordFile = config.age.secrets.iotWlan.path;
- vlanid = 40;
- }
- {
- passwordFile = config.age.secrets.guestWlan.path;
- vlanid = 50;
- }
- ];
+ mode = "wpa2-sha1";
+ wpaPasswordFile = config.age.secrets.iotWlan.path;
+ # saePasswords = [
+ # {
+ # passwordFile = config.age.secrets.iotWlan.path;
+ # }
+ # ];
 pairwiseCiphers = [
 "CCMP"
- "GCMP"
- "GCMP-256"
+ # "GCMP"
+ # "GCMP-256"
 ];
 #enableRecommendedPairwiseCiphers = true;
 };
diff --git a/hosts/nucnix/secrets/generated/guestWlan.age b/hosts/nucnix/secrets/generated/guestWlan.age
deleted file mode 100644
index 863ec3e..0000000
--- a/hosts/nucnix/secrets/generated/guestWlan.age
+++ /dev/null
@@ -1,15 +0,0 @@
-age-encryption.org/v1
--> X25519 DnkfavonwcikVjuIH3aQTxh9+U+Vr6se2PPdjCL68iw
-qcfI8Rz+8fLqePoqk4XEY0vQyH2+eZtE3c/lrei9OWo
--> piv-p256 ZFgiIw AzKnjNFccsLZSS6EipE+gqoMzjj5Q//OMpAxrPFVHzPW
-VphyHLTFEc7nsPfETAi/4VLg+mXb6B2qgTikgn1SyJI
--> piv-p256 XTQkUA A6mFKlj6AYBxwe+p3Yn57Re5e4Ihk42qNCbwFXDVLsV2
-YogIWza1sZGXOOeZVVD2fcShAG00QQosLlHntBK+UeI
--> piv-p256 ZFgiIw A2dlENHarOIr4e3ZikrRYeWZI1N4NKwzWuIB4+Vuq96a
-55zk9XyUEGwwnxxGFyfia8YVF9Sjj7KFut03YrH6+Zc
--> piv-p256 5vmPtQ Aq81XRMh1/reZhBMQIGd7C+sOEG1pKSTJbdEAmkPoP17
-WCzUWz3HDZIIrqMuypxkZMqzoggCmaSPrXNdmNMntHY
--> &1koE-grease
-dqDfmnpD0sarnFxWDlpn5p3AMIWMPz58V0pJ5Lu2mXAIjEqPimCW/Q
---- UA2bf9I/vCa+Zn6zRM6V7OeHS69Drwes8V0UexK+SBU
-5PgKD&@uZ?J$fĚZCɋ9L Rxb'cMC:JG~!M(
\ No newline at end of file
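Review bot: Removing the `saePasswords` list here deletes the only visible reference to `config.age.secrets.homeWlan.path`, while the earlier hunk of this file still declares the `homeWlan` secret next to the removed `guestWlan` one; unless it is consumed somewhere outside these hunks, it should be dropped as well, or a comment should name where it is still used. The move from per-VLAN SAE passwords to a single `wpa2-sha1` PSK on `bridge = "br-iot"` also removes the home/guest separation this AP previously provided, so a comment next to `bridge` stating that the AP is now IoT-only (if that is the intent) would stop the next reader from re-adding the VLAN file. If the downgrade is only because the devices lack SAE support, the module's `wpa3-sae-transition` mode is worth checking against the option docs, since it keeps SAE for clients that can do it while still accepting the PSK. The radio's attribute set begins and ends outside the hunk.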