feat: tasmota with hme assistant

config/services/homeassistant.nix

@@ -36,8 +36,17 @@
     ];
   };
   networking.nftables.firewall.zones.devices.interfaces = [ "mv-devices" ];
+  networking.nftables.firewall.zones.iot.interfaces = [ "mv-iot" ];
   networking.nftables.firewall = {
     rules = {
+      mqtt = {
+        from = [
+          "devices"
+          "iot"
+        ];
+        to = [ "local" ];
+        allowedTCPPorts = [ 1883 ];
+      };
       homematic = {
         from = [
           "devices"
@@ -45,8 +54,38 @@
         to = [ "local" ];
         allowedTCPPorts = [ 45053 ];
       };
+      mdns = {
+        from = [
+          "devices"
+          "iot"
+        ];
+        to = [ "local" ];
+        allowedUDPPorts = [ 5353 ];
+      };
     };
   };
+  age.secrets.mosquitto-pw-home_assistant = {
+    mode = "440";
+    owner = "hass";
+    group = "mosquitto";
+    generator.script = "alnum";
+  };
+  services.mosquitto = {
+    enable = true;
+    persistence = true;
+    listeners = [
+      {
+        acl = [ "pattern readwrite #" ];
+        users = {
+          home_assistant = {
+            passwordFile = config.age.secrets.mosquitto-pw-home_assistant.path;
+            acl = [ "readwrite #" ];
+          };
+        };
+        settings.allow_anonymous = false;
+      }
+    ];
+  };
 
   services.home-assistant = {
     enable = true;
@@ -392,6 +431,7 @@
         stringcase
         hahomematic
         pymodbus
+        hatasmota
       ];
   };
   networking.hosts = {

hosts/nucnix/hostapd.nix

@@ -15,9 +15,6 @@
     homeWlan = {
       generator.script = "alnum";
     };
-    guestWlan = {
-      generator.script = "alnum";
-    };
     iotWlan = {
       generator.script = "alnum";
     };
@@ -66,35 +63,23 @@
         inherit (globals.hostapd) ssid;
         apIsolate = true;
         # not supporte by laptop :(
-        # settings.ieee80211w = 0;
+        #settings.ieee80211w = 0;
         logLevel = 0;
         settings = {
-          vlan_file = "${pkgs.writeText "hostaps.vlans" ''
-            10 wifi-home br-home
-            40 wifi-iot br-iot
-            50 wifi-guests br-guests
-          ''}";
-          dynamic_vlan = 1;
+          bridge = "br-iot";
         };
         authentication = {
-          saePasswords = [
-            {
-              passwordFile = config.age.secrets.homeWlan.path;
-              vlanid = 10;
-            }
-            {
-              passwordFile = config.age.secrets.iotWlan.path;
-              vlanid = 40;
-            }
-            {
-              passwordFile = config.age.secrets.guestWlan.path;
-              vlanid = 50;
-            }
-          ];
+          mode = "wpa2-sha1";
+          wpaPasswordFile = config.age.secrets.iotWlan.path;
+          # saePasswords = [
+          #   {
+          #     passwordFile = config.age.secrets.iotWlan.path;
+          #   }
+          # ];
           pairwiseCiphers = [
             "CCMP"
-            "GCMP"
-            "GCMP-256"
+            # "GCMP"
+            # "GCMP-256"
           ];
           #enableRecommendedPairwiseCiphers = true;
         };

hosts/nucnix/secrets/generated/guestWlan.age

@@ -1,15 +0,0 @@
-age-encryption.org/v1
--> X25519 DnkfavonwcikVjuIH3aQTxh9+U+Vr6se2PPdjCL68iw
-qcfI8Rz+8fLqePoqk4XEY0vQyH2+eZtE3c/lrei9OWo
--> piv-p256 ZFgiIw AzKnjNFccsLZSS6EipE+gqoMzjj5Q//OMpAxrPFVHzPW
-VphyHLTFEc7nsPfETAi/4VLg+mXb6B2qgTikgn1SyJI
--> piv-p256 XTQkUA A6mFKlj6AYBxwe+p3Yn57Re5e4Ihk42qNCbwFXDVLsV2
-YogIWza1sZGXOOeZVVD2fcShAG00QQosLlHntBK+UeI
--> piv-p256 ZFgiIw A2dlENHarOIr4e3ZikrRYeWZI1N4NKwzWuIB4+Vuq96a
-55zk9XyUEGwwnxxGFyfia8YVF9Sjj7KFut03YrH6+Zc
--> piv-p256 5vmPtQ Aq81XRMh1/reZhBMQIGd7C+sOEG1pKSTJbdEAmkPoP17
-WCzUWz3HDZIIrqMuypxkZMqzoggCmaSPrXNdmNMntHY
--> &1koE-grease
-dqDfmnpD0sarnFxWDlpn5p3AMIWMPz58V0pJ5Lu2mXAIjEqPimCW/Q
---- UA2bf9I/vCa+Zn6zRM6V7OeHS69Drwes8V0UexK+SBU
-‰5ÃPg÷µKD¸Š &éÁòö£ûïß@­ÖuZ<75>¢ú?J$fÄšºëšZC¤ÑÉ‹9ùL
R£òã„”Ìxb¹'ù…cMC:ÆJ’²–GÎ~!M(÷