From b309200640206fb010322125cc1373ffd9ecd00a Mon Sep 17 00:00:00 2001
From: Alejandro Angulo <iam@alejandr0angul0.dev>
Date: Sun, 26 Nov 2023 18:41:45 -0800
Subject: [PATCH] Added mosquitto as mqtt broker

---
 .../nixos/services/homeassistant/default.nix  |   2 +
 modules/nixos/services/mosquitto/default.nix  |  45 ++++++++++++++++++
 secrets/cf_dns_kilonull.age                   |  25 +++++-----
 secrets/hass_mqtt.age                         | Bin 0 -> 520 bytes
 secrets/nextcloud_admin.age                   | Bin 402 -> 468 bytes
 secrets/secrets.nix                           |   2 +
 secrets/theengs_ble_mqtt.age                  |   9 ++++
 systems/aarch64-linux/pi4/default.nix         |   1 +
 8 files changed, 71 insertions(+), 13 deletions(-)
 create mode 100644 modules/nixos/services/mosquitto/default.nix
 create mode 100644 secrets/hass_mqtt.age
 create mode 100644 secrets/theengs_ble_mqtt.age

diff --git a/modules/nixos/services/homeassistant/default.nix b/modules/nixos/services/homeassistant/default.nix
index 5d7e7a0..a57d03b 100644
--- a/modules/nixos/services/homeassistant/default.nix
+++ b/modules/nixos/services/homeassistant/default.nix
@@ -33,6 +33,8 @@ in {
       extraComponents = [
         "hue"
         "met"
+        "mqtt"
+        "octoprint"
         "tuya"
         "vizio"
         "zeroconf"
diff --git a/modules/nixos/services/mosquitto/default.nix b/modules/nixos/services/mosquitto/default.nix
new file mode 100644
index 0000000..8ef4232
--- /dev/null
+++ b/modules/nixos/services/mosquitto/default.nix
@@ -0,0 +1,45 @@
+{
+  options,
+  config,
+  lib,
+  pkgs,
+  format,
+  ...
+}:
+with lib; let
+  cfg = config.aa.services.mosquitto;
+  mosquitto_cfg = config.services.mosquitto;
+in {
+  options.aa.services.mosquitto = with types; {
+    enable = mkEnableOption "home assistant";
+  };
+  config = mkIf cfg.enable {
+    age.secrets = {
+      hass_mqtt.file = ../../../../secrets/hass_mqtt.age;
+      theengs_ble_mqtt.file = ../../../../secrets/theengs_ble_mqtt.age;
+    };
+
+    services.mosquitto = {
+      enable = true;
+      listeners = [
+        {
+          users = {
+            hass = {
+              acl = [
+                "read home/#"
+                "readwrite homeassistant/status"
+              ];
+              passwordFile = config.age.secrets.hass_mqtt.path;
+            };
+            theengs_ble_gateway = {
+              acl = ["readwrite home/#"];
+              passwordFile = config.age.secrets.theengs_ble_mqtt.path;
+            };
+          };
+        }
+      ];
+    };
+
+    networking.firewall.allowedTCPPorts = [1883];
+  };
+}
diff --git a/secrets/cf_dns_kilonull.age b/secrets/cf_dns_kilonull.age
index d9d3255..2b90162 100644
--- a/secrets/cf_dns_kilonull.age
+++ b/secrets/cf_dns_kilonull.age
@@ -1,14 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 Yk7ehg NwKwWQiMTehA+gluPXpVyL4zyhGRheQ1hCyyjPyWNlM
-ZTD2ssehxzayPhnW+OVqXzr/fqQ7Hdm711RgZT5R4Pw
--> ssh-ed25519 SYNSNQ oEc4p7cz7u+gEYIJVW7hl+VXwXzPSpRXCL33Ij2ZIkc
-avgbK9ss20KmL1XB9Sg45bwv6BItDcMJj8/e2fXxZOE
--> ssh-ed25519 t5XIGA huqEOk8X1Z4g4pcjAc6griyt3x+hU5NWMfCUL8WoUkI
-yqJxaxWF04PzcmyFN8hq+u9DaQmbI4W3PSDC2+Rxr5I
--> piv-p256 UIEGzg AzYN661WI0nUCA4MHnSqOT0A23jbBl9Dnv5CmmJkvuSk
-BXxeYW5RdiYNwtMG+PHF5b7x2Pu129SNOeqItwfcWTs
--> X{\S-grease <0c[|Bb
-tXXujcfm/3s/TMaX5tM9TamHAEHSUCArwJCDEJ2SFKcL8FSV1N3srp4wNogtF7pO
-PjLeXFHo
---- 1VR3EGzzVvK+pbDlvomJ6cJ9wOrP2LoPsUqmh0c6bVE
-°¸>¦/Éÿ,+ðì®bÇLþjgŽfÏ<9m¿K‰ÙõT¢‚±N3òà¦wÄÍÂ¹1¸(¿&É´D¦Á	7ø2 #­.^"KWì$BªKUknDX¨î­kÂÝ7GRÚ¡d§Ìèœ^9`Ðã©Ñ”yóM-µˆçKvõO#çÑ#¤þ8_—<Êù©âu:;Ø\•A0â¬X5ø³)²Þ
\ No newline at end of file
+-> ssh-ed25519 Yk7ehg YW+VO4Mb5SxfM9mxXRvYKC2kJVZeULkllzvUbo0VShM
+yOts+jZvdreDDC13fT/4BdF7d/B03RaGlDzSwBGa6Q8
+-> ssh-ed25519 SYNSNQ tdbAwQABaA+r2Kkm7d9UIsVC7J/LtmlI1rnbQOlkYQU
+sJfnI9RdEoYaI7+rlrG+N4cTxdWRX2XDDzjuql5CYhI
+-> ssh-ed25519 t5XIGA 61XjTYo7NAeORxGErzRef/qluiux1GiOKbTUoetarzE
+JZYJQRs6jDPubIVAxbvDK3wGUcydLs8mbj+s/gYannk
+-> piv-p256 UIEGzg A+RKB16kMJniwsfCfG5apfAXcoYFyo+7NAIp0PRcEyeZ
+aWL7CzAm9iEFyoeaK7fWSiV8zVYv9FZr0JV5sgD1r/k
+-> X-:^I-grease )G"sj("
+jVX1VFRb4ltX1a+uPuXUtXycWEMUY0RRqC9IRJ7KDMQk39Rt
+--- gT6dA9SwnjRXm0xmHuVZcjmPyk4Awg7EOJGEsiVRbjQ
+ÚPˆTŸ¬é›pô¡E«[T`˜Ã­›ê|³¯<èGCû‹ï#´šŸH‡9ª‹^ÀÞ›¡#3!åÕ'Ú£Æ&è¦›hó”pZøŽcKÀ3À4S0‡”€g@,æZúÌ†òyÇï¨i ©8I"{€&áèö‡TÞÇÐ‰l#PKœoyÔh8Ù]êi²Ø	äøÛ7¼~Ú|Ògz¤Â‘~6
\ No newline at end of file
diff --git a/secrets/hass_mqtt.age b/secrets/hass_mqtt.age
new file mode 100644
index 0000000000000000000000000000000000000000..77772888d8adda98f6629baf5df8a5a46b053eb1
GIT binary patch
literal 520
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSHF^%wacT~vsb`3Vm
z^m8e4DJpf%H}G&yN;WGF4@xh}^l=R}jdHTIFbec`H46<ga^)(_c2AFV56mnNb}e%D
z^Qp9S4+(cq^T;d+2r2Y8sw}Mv3e0mijxtWxFGja5GTS^gBV8dQIK`sEtvD|^J*&_!
z)UTwhFw(=a*u}IcBG|&u*Td4qz$Z=L%fr<*JCds)H_SUcDX-8t-_^~?C(I+D&?nTb
ztUM_%*~vNCu{bz6-@_#&FEYigzyf4jL1vk5fsv`1La3*!dsVuEqoKY*uy0OSZcbrh
zR%ujtxudaTc(PeWVYXRGfunJGVMtg=VMJ0za+!7%SCpA{RfJ1$PGVSjNuYsIX^6j(
zNt&NYu1i>YS!9)$f0~hRQfaD(PmmwjXHIE_*}87ky6Hu!iN&c31y-SICf>@W3gP;}
z3Qi_DX%?xewhC%orTM;wVY$Xm#lA%$`hi@!y1EJ$<t4u9jzOLt7J0cvmfE=iW;q$g
z`i1^}K1m)G`ev!xrAZONj+Ig6RR&zqQ!Z6)u)MtYPr}R2hq`}Xxcy8J$$J;SaynPi
sRqmhnvM!$3#Zu0Y|K9%n<d{-3^*LhqTntM83yW?D)-YYnxM<2w0RCaIxc~qF

literal 0
HcmV?d00001

diff --git a/secrets/nextcloud_admin.age b/secrets/nextcloud_admin.age
index d1ee0dbd5e36f79f6cc4087f9a1b6efd4eadb16b..c4180505c1a4c0c4e1f7e3bc4fe02532c3a6c045 100644
GIT binary patch
delta 434
zcmbQle1&;}PJNYMNnuh+M54cIzJG*4iDgoWSxHD~RgQ0oaY{vDm0?JMmtm^6p>uFv
zBv(d2rDvAAaZ;(TQ;~sjl4F*iTcBf3V7O_pMNyV<dP#9mVrp(qN=107E0?aFLP2Jk
zZh?`hnL?<it9w<tf@7(ng<HCbYglDsL~xO%MX-5+S$%G5a8{+ZhoMPONosLnp>bw*
zWn`wCTOe0ziJ?zwxnHH3xwCP;d$3Wmd%kN)Sy@PMXsL;DaFJPnrJq@DrAw$|Q6$JR
zKev(s-Snc=#Nt%0bQ5i-yr4pZJc}HkqCA75K>q^M+!CW)Ka&8j<cut{axX7OzjQ-q
z!wl_uZHwGIH&@G$qVjOhBERf>e@oNK0IsaGEc0al+$u}QGOy4KGmCsP=Wu72%%Y4$
zuX4X6!*H*1E?r$+g~W0r!@R8W0vFH76t75q*R<el6T>pYz>3PC(9nP^Pp^;=1Gh}?
zP~#jEt~P7VbxWT-dNg~L`Tg1UHWG@ij~?dmX!E~dW+<`$DJE>U^Q-3GI%d_36Ia@6
bnIENIF@1FIQHa@%gGc3KJs5kv&ME@{Ntc%W

delta 367
zcmcb@Jc)UNPJNbpNRm%VguZ1#T9IL{Z$MO_Z(3<dMV42Eg;9ofT9QwYxnpUbd6KcA
zBUeF*zHgdgWRRbmWq_}#M|f$Kaf-8%Nr0uBS)QS#fnTn9RhWl<P?d>AD3`9CLP2Jk
zZh?`hnL?<it9w<tf}?g(eqd#3fS-SmK}3Xhk$;|LaeaD;pLtfIS(a&rd6_{~L||fB
zS(c??qz9K#X-1Y;c~P=&R%S|wsc%rCqmN~pPf4(QikY@|u8FsWn}1ngX?A5sa3ILC
zeBJb-)WqUcg*vtH00qquZ3`|>qo|UA#N?=Kf1|Kew~VR)*X*(=my`&%bS_<8U4;^N
z@4TvvO8>k(@9dO7@8rM=SEmXC|D2M5%8a}e50{F(vQ$4;19OkikaRBYRozGDoIJfl
z>ucZg^$SF8e%_3kw<SiH&&%M$#qh*gP7(&CG0TsZEM&X!_@0!&hORBS{kIEBu6p*`
M{`TXUd%U0v01j+|L;wH)

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 79edeb1..70bbea6 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -10,4 +10,6 @@ let
 in {
   "cf_dns_kilonull.age".publicKeys = [users.me machines.node machines.gospel machines.pi4];
   "nextcloud_admin.age".publicKeys = [users.me machines.node];
+  "theengs_ble_mqtt.age".publicKeys = [users.me machines.pi4];
+  "hass_mqtt.age".publicKeys = [users.me machines.pi4 machines.node];
 }
diff --git a/secrets/theengs_ble_mqtt.age b/secrets/theengs_ble_mqtt.age
new file mode 100644
index 0000000..0f59fc6
--- /dev/null
+++ b/secrets/theengs_ble_mqtt.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 t5XIGA VI8M2lKHFTlmy8SztjfCE5sGTZEtk11OvYKOHVsYbFM
+BKBGSSpbl0D64mtyfKBkapjyn3G4U7DLPDu0Xb7T0sM
+-> piv-p256 UIEGzg A4nB8kjBm06K2nVBkHANTzBZcflssYIyA4fKgxtNmnMF
+8dFmHQjiJ9bDDC7zcVjoiDtv8aHLZUdYZwp/YCL6Lmo
+-> "DI?cD^G-grease sK5f 3_ <Zq
+lPu7GtAC0D0wNw0lBLB9MTpMFnU
+--- a3oVDb9D/2tKnYpZ0HIrTPdOJsHKudZEOkmSqD5l05E
+|ï½îsˆÈ%7‘RWÇêÉ9ÊÈgY:ä/R9Ü¤ÁMƒT· £Z‚Ú5.TîkËßçèüË“¨E:
\ No newline at end of file
diff --git a/systems/aarch64-linux/pi4/default.nix b/systems/aarch64-linux/pi4/default.nix
index 77f1330..d0f0e3d 100644
--- a/systems/aarch64-linux/pi4/default.nix
+++ b/systems/aarch64-linux/pi4/default.nix
@@ -43,6 +43,7 @@
     };
     services.prometheus.enable = true;
     services.promtail.enable = true;
+    services.mosquitto.enable = true;
 
     security.acme = {
       enable = true;