{ config, lib, pkgs, ... }: with lib; let hostname = "wormhole0"; primary-ip = "10.0.0.3"; state-dir = "/state"; zigbee2mqtt-statedir = "${state-dir}/services/zigbee2mqtt"; mosquitto-statedir = "${state-dir}/services/mosquitto"; home-assistant-port = 8123; zigbee2mqtt-user = config.systemd.services.zigbee2mqtt.serviceConfig.User; mosquitto-user = config.systemd.services.mosquitto.serviceConfig.User; zigbee2mqtt-passwd-file = pkgs.lib.passwd.stablerandom-passwd-file "zigbee2mqtt-passwd" config.instance.build-seed; host-secrets = config.fudo.secrets.host-secrets.${hostname}; host-passwds = config.fudo.secrets.files.service-passwords.${hostname}; in { boot.kernel.sysctl = { "net.ipv4.ip_forward" = true; }; networking = { hostName = hostname; firewall = { enable = false; }; defaultGateway = { address = "10.0.0.1"; interface = "intif0"; }; nameservers = [ "10.0.0.1" ]; interfaces = { intif0 = { useDHCP = false; ipv4 = { addresses = [{ address = primary-ip; prefixLength = 16; }]; }; }; wormif0.useDHCP = true; wlp2s0.useDHCP = false; }; dhcpcd.extraConfig = concatStringsSep "\n" [ "nogateway" ]; }; fudo.secrets.host-secrets.${hostname} = { mosquitto-zigbee2mqtt-passwd = { source-file = zigbee2mqtt-passwd-file; target-file = "/run/mosquitto-secrets/zigbee2mqtt.passwd"; user = mosquitto-user; }; mosquitto-home-assistant-passwd = { source-file = host-passwds.mosquitto-home-assistant; target-file = "/run/mosquitto-secrets/home-assistant.passwd"; user = mosquitto-user; }; mosquitto-niten-passwd = { source-file = host-passwds.mosquitto-niten; target-file = "/run/mosquitto-secrets/niten.passwd"; user = mosquitto-user; }; mosquitto-xiaoxuan-passwd = { source-file = host-passwds.mosquitto-xiaoxuan; target-file = "/run/mosquitto-secrets/xiaoxuan.passwd"; user = mosquitto-user; }; mosquitto-wallfly-passwd = { source-file = host-passwds.mosquitto-wallfly; target-file = "/run/mosquitto-secrets/wallfly.passwd"; user = mosquitto-user; }; }; systemd = { services = { wormhole-route = { wantedBy = [ "multi-user.target" ]; after = [ "network-online.target" ]; serviceConfig = { ExecStart = "${pkgs.iproute2}/bin/ip route add 192.168.86.0/24 dev wormif0"; ExecStop = "${pkgs.iproute2}/bin/ip route del 192.168.86.0/24 dev wormif0"; RemainAfterExit = true; }; }; zigbee2mqtt = { after = [ config.fudo.secrets.secret-target "mosquitto.service" ]; restartIfChanged = true; }; mosquitto = { after = [ config.fudo.secrets.secret-target ]; restartIfChanged = true; }; }; tmpfiles.rules = [ "L /root/.gnupg - - - - ${state-dir}/user/root/gnupg" "L /root/.ssh/id_rsa - - - - ${state-dir}/user/root/ssh/id_rsa" "L /root/.ssh/id_rsa.pub - - - - ${state-dir}/user/root/ssh/id_rsa.pub" "L /root/.ssh/known_hosts - - - - ${state-dir}/user/root/ssh/known_hosts" "L /etc/adjtime - - - - ${state-dir}/etc/adjtime" "d /state/services 0711 root root - -" "d ${zigbee2mqtt-statedir} 0700 ${zigbee2mqtt-user} - - -" "d ${mosquitto-statedir} 0700 ${mosquitto-user} - - -" ]; }; users.groups = let zigbee2mqtt-user = config.systemd.services.zigbee2mqtt.serviceConfig.User; in { dialout.members = [ zigbee2mqtt-user ]; }; services = { openssh.hostKeys = [ { path = "${state-dir}/ssh/ssh_host_rsa_key"; type = "rsa"; bits = 4096; } { path = "${state-dir}/ssh/ssh_host_ed25519_key"; type = "ed25519"; } ]; nginx = { enable = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedGzipSettings = true; virtualHosts."home-assist.sea.fudo.org" = { locations."/" = { proxyPass = "http://localhost:${toString home-assistant-port}"; proxyWebsockets = true; }; }; }; mosquitto = { enable = true; dataDir = mosquitto-statedir; listeners = [{ settings.allow_anonymous = false; port = 1883; address = "0.0.0.0"; users = { zigbee2mqtt = { passwordFile = host-secrets.mosquitto-zigbee2mqtt-passwd.target-file; acl = [ "readwrite #" ]; }; home-assistant = { passwordFile = host-secrets.mosquitto-home-assistant-passwd.target-file; acl = [ "readwrite #" ]; }; # niten = { # passwordFile = host-secrets.mosquitto-niten-passwd.target-file; # acl = [ "readwrite #" ]; # }; # xiaoxuan = { # passwordFile = host-secrets.mosquitto-xiaoxuan-passwd.target-file; # acl = [ "readwrite #" ]; # }; # wallfly = { # passwordFile = host-secrets.mosquitto-wallfly-passwd.target-file; # acl = [ "readwrite homeassistant/binary_sensor/#" ]; # }; }; }]; }; zigbee2mqtt = { enable = true; dataDir = zigbee2mqtt-statedir; package = pkgs.pkgsUnstable.zigbee2mqtt; settings = { homeassistant = true; permit_join = true; serial.port = "/dev/ttyUSB0"; mqtt = { server = "mqtt://127.0.0.1:1883"; user = "zigbee2mqtt"; password = readFile zigbee2mqtt-passwd-file; # TODO: could make a yaml file containing password # described https://www.zigbee2mqtt.io/guide/configuration/mqtt.html#server-connection # Weird, though. }; advanced.log_level = "debug"; }; }; avahi = { enable = true; reflector = true; interfaces = [ "intif0" "worm0" ]; }; }; virtualisation = { docker = { enable = true; enableOnBoot = true; autoPrune.enable = true; }; oci-containers = { backend = "docker"; containers = { home-assistant = { image = "homeassistant/home-assistant:stable"; autoStart = true; environment.TZ = config.time.timeZone; #ports = [ "${toString home-assistant-port}:8123" ]; volumes = [ "/state/services/home-assistant:/config" ]; extraOptions = [ "--network=host" ]; }; }; }; }; security.sudo.extraConfig = '' # Due to rollback, sudo will lecture after every reboot Defaults lecture = never ''; }