diff --git a/lib.nix b/lib.nix
index d91b0bc7..53a68cd2 100644
--- a/lib.nix
+++ b/lib.nix
@@ -41,11 +41,13 @@
 overrideOptionDefault = 1500;
 overrideAlmostOptionDefault = 1400;
 overrideDefault = 1000;
+ overrideAlmostDefault = 900;
 overrideNone = defaultOverridePriority; # 100
 overrideAlmostForce = 75;
 overrideForce = 50;
 overrideVM = 10;
 mkAlmostOptionDefault = mkOverride overrideAlmostOptionDefault;
+ mkAlmostDefault = mkOverride overrideAlmostDefault;
 mkAlmostForce = mkOverride overrideAlmostForce;
 orderBefore = 500;
 orderNone = 1000;
@@ -78,8 +80,8 @@ in {
 eui64 mkWinPath mkBaseDn toHexStringLower hexCharToInt mapListToAttrs
- mkAlmostOptionDefault mkAlmostForce mapOverride mapOptionDefaults mapAlmostOptionDefaults mapDefaults
- overrideOptionDefault overrideAlmostOptionDefault overrideDefault overrideNone overrideAlmostForce overrideForce overrideVM
+ mkAlmostOptionDefault mkAlmostDefault mkAlmostForce mapOverride mapOptionDefaults mapAlmostOptionDefaults mapDefaults
+ overrideOptionDefault overrideAlmostOptionDefault overrideDefault overrideAlmostDefault overrideNone overrideAlmostForce overrideForce overrideVM
 orderBefore orderNone orderAfter orderAlmostAfter mkAlmostAfter;
 inherit (inputs.arcexprs.lib) unmerged json;
diff --git a/modules/nixos/home-assistant.nix b/modules/nixos/home-assistant.nix
index 36a6874f..6fdc1f3a 100644
--- a/modules/nixos/home-assistant.nix
+++ b/modules/nixos/home-assistant.nix
@@ -76,7 +76,10 @@ in {
 in mkIf cfg.enable {
 interfaces.local = {
- allowedTCPPorts = mkIf (!cfg.homekit.openFirewall) homekitTcp;
+ allowedTCPPorts = mkMerge [
+ (mkIf (!cfg.homekit.openFirewall) homekitTcp)
+ (mkIf (!cfg.openFirewall) [ cfg.config.http.server_port ])
+ ];
 allowedUDPPortRanges = mkIf (!cfg.cast.openFirewall) castUdpRanges;
 };
 allowedTCPPorts = mkIf cfg.homekit.openFirewall homekitTcp;
diff --git a/modules/nixos/shared.nix b/modules/nixos/shared.nix
new file mode 100644
index 00000000..9f822aa6
--- /dev/null
+++ b/modules/nixos/shared.nix
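Review bot: The new `(mkIf (!cfg.openFirewall) [ cfg.config.http.server_port ])` entry in modules/nixos/home-assistant.nix dereferences `cfg.config.http.server_port` whenever `openFirewall` is off; if `services.home-assistant.config` can be null on this system (the upstream option allows an unmanaged configuration.yaml), evaluation fails rather than simply opening nothing. Guarding that branch, `(mkIf (!cfg.openFirewall && cfg.config != null) [ cfg.config.http.server_port ])`, keeps the narrow `interfaces.local` exposure while tolerating the null case. The hunk does not show `mkMerge` being brought into scope in this module; only `mkIf` appears in the surrounding context, so confirm it is already inherited. The enclosing `mkIf cfg.enable` attribute set continues past the end of the hunk.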
@@ -0,0 +1,98 @@
+{ config, lib, utils, ... }: let
+ inherit (lib.options) mkOption;
+ inherit (lib.modules) mkIf mkMerge mkOptionDefault;
+ inherit (lib.attrsets) mapAttrsToList;
+ inherit (lib.lists) head;
+ inherit (lib.strings) splitString;
+ inherit (utils) escapeSystemdPath;
+ mountModule = { config, name, ... }: {
+ options = with lib.types; {
+ source = mkOption {
+ type = path;
+ default = "${config.rootDir}/${config.subpath}";
+ };
+ path = mkOption {
+ type = path;
+ };
+ subpath = mkOption {
+ type = str;
+ default = name;
+ };
+ root = mkOption {
+ type = path;
+ default = "${config.rootDir}/${head (splitString "/" config.subpath)}";
+ };
+ mountUnit = mkOption {
+ type = nullOr str;
+ default = "${escapeSystemdPath config.root}.mount";
+ };
+ rootDir = mkOption {
+ type = path;
+ internal = true;
+ };
+ };
+ };
+ mkMountType' = { rootDir, specialArgs, modules ? [ ] }: let
+ rootDirModule = { ... }: {
+ config.rootDir = mkOptionDefault rootDir;
+ };
+ in lib.types.submoduleWith {
+ modules = [ mountModule rootDirModule ] ++ modules;
+ inherit specialArgs;
+ };
+ mkMountType = args: with lib.types; coercedTo path (path: { path = mkOptionDefault path; }) (mkMountType' args);
+ serviceModule = { config, nixosConfig, ...
}: let
+ cfg = config.gensokyo-zone;
+ mapSharedMounts = f: mapAttrsToList (_: target:
+ f target
+ ) cfg.sharedMounts;
+ mapCacheMounts = f: mapAttrsToList (_: target:
+ f target
+ ) cfg.cacheMounts;
+ mkRequire = mount: mount.mountUnit;
+ mkBindPath = mount: "${mount.source}:${mount.path}";
+ specialArgs = {
+ service = config;
+ inherit nixosConfig;
+ };
+ mountUnits = mkMerge [
+ (mkIf (cfg.sharedMounts != { }) (mapSharedMounts mkRequire))
+ (mkIf (cfg.cacheMounts != { }) (mapCacheMounts mkRequire))
+ ];
+ in {
+ options.gensokyo-zone = with lib.types; {
+ sharedMounts = mkOption {
+ type = attrsOf (mkMountType { rootDir = "/mnt/shared"; inherit specialArgs; });
+ default = { };
+ };
+ cacheMounts = mkOption {
+ type = attrsOf (mkMountType { rootDir = "/mnt/caches"; inherit specialArgs; });
+ default = { };
+ };
+ };
+ config = {
+ requires = mountUnits;
+ after = mountUnits;
+ serviceConfig = mkMerge [
+ (mkIf (cfg.sharedMounts != { }) {
+ BindPaths = mapSharedMounts mkBindPath;
+ })
+ (mkIf (cfg.cacheMounts != { }) {
+ BindPaths = mapCacheMounts mkBindPath;
+ })
+ ];
+ };
+ };
+in {
+ options = with lib.types; {
+ systemd.services = mkOption {
+ type = attrsOf (submoduleWith {
+ modules = [ serviceModule ];
+ shorthandOnlyDefinesConfig = true;
+ specialArgs = {
+ nixosConfig = config;
+ };
+ });
+ };
+ };
+}
diff --git a/nixos/access/mosquitto.nix b/nixos/access/mosquitto.nix
index 0a2f3339..84345f34 100644
--- a/nixos/access/mosquitto.nix
+++ b/nixos/access/mosquitto.nix
@@ -64,7 +64,7 @@ in {
 };
 networking.firewall = {
- allowedTCPPorts = [
+ interfaces.local.allowedTCPPorts = [
 access.bind.port
 (mkIf nginx.stream.servers.mosquitto.listen.mqtts.enable access.bind.sslPort)
 ];
diff --git a/nixos/barcodebuddy.nix b/nixos/barcodebuddy.nix
index e65ab9c5..a53b324f 100644
--- a/nixos/barcodebuddy.nix
+++ b/nixos/barcodebuddy.nix
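Review bot: In modules/nixos/shared.nix, `mkRequire = mount: mount.mountUnit;` feeds `mountUnit` straight into `requires`/`after`, yet the option is typed `nullOr str`, so a mount that sets `mountUnit = null` to opt out of the unit dependency puts a null into a list of strings and fails evaluation instead. Dropping nulls where `mountUnits` is built, `(mkIf (cfg.sharedMounts != { }) (filter (unit: unit != null) (mapSharedMounts mkRequire)))` and the same for `cacheMounts`, together with `inherit (lib.lists) head filter;`, makes the null branch of the type actually usable. The `root` and `mountUnit` defaults are derived from the first component of `subpath`, so a `subpath` that begins with `/` or contains `..` yields a `source` outside `rootDir` that then lands in `BindPaths`; an assertion or at least a comment stating that `subpath` is expected to be a plain relative name would make that contract explicit. None of the options carry a `description`, and the `mkMountType` coercion (a bare path value defines `path`) is easy to miss from the per-service call sites, so a short comment above `mountModule` describing `source`/`path`/`root`/`mountUnit` and the coercion would help the next reader.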
@@ -37,19 +37,13 @@ in {
 uid = 912;
 };
 config.systemd.services = let
- BindPaths = [
- "/mnt/shared/barcodebuddy:${cfg.dataDir}"
- ];
+ gensokyo-zone.sharedMounts.barcodebuddy.path = mkDefault cfg.dataDir;
 in mkIf cfg.enable {
 phpfpm-barcodebuddy = {
- serviceConfig = {
- inherit BindPaths;
- };
+ inherit gensokyo-zone;
 };
 bbuddy-websocket = mkIf cfg.screen.enable {
- serviceConfig = {
- inherit BindPaths;
- };
+ inherit gensokyo-zone;
 };
 };
 config.sops.secrets.barcodebuddy-fastcgi-params = mkIf cfg.enable {
diff --git a/nixos/grocy.nix b/nixos/grocy.nix
index 1f8246e9..df40d0f6 100644
--- a/nixos/grocy.nix
+++ b/nixos/grocy.nix
@@ -68,19 +68,13 @@ in {
 uid = 911;
 };
 systemd.services = let
- BindPaths = [
- "/mnt/shared/grocy:${cfg.dataDir}"
- ];
+ gensokyo-zone.sharedMounts.grocy.path = mkDefault cfg.dataDir;
 in mkIf cfg.enable {
 grocy-setup = {
- serviceConfig = {
- inherit BindPaths;
- };
+ inherit gensokyo-zone;
 };
 phpfpm-grocy = {
- serviceConfig = {
- inherit BindPaths;
- };
+ inherit gensokyo-zone;
 };
 };
 };
diff --git a/nixos/mosquitto.nix b/nixos/mosquitto.nix
index ef564219..6a6851d8 100644
--- a/nixos/mosquitto.nix
+++ b/nixos/mosquitto.nix
@@ -70,8 +70,9 @@ in {
 };
 };
 systemd.services.mosquitto = mkIf cfg.enable {
- serviceConfig.BindPaths = [
- "/mnt/shared/mosquitto:${cfg.dataDir}"
- ];
+ gensokyo-zone.sharedMounts.mosquitto.path = mkDefault cfg.dataDir;
+ };
+ networking.firewall = mkIf cfg.enable {
+ interfaces.local.allowedTCPPorts = map (listener: listener.port) cfg.listeners;
 };
 }
diff --git a/nixos/secrets/mosquitto.yaml b/nixos/secrets/mosquitto.yaml
index e89eed15..a267dda3 100644
--- a/nixos/secrets/mosquitto.yaml
+++ b/nixos/secrets/mosquitto.yaml
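Review bot: In nixos/mosquitto.nix, `interfaces.local.allowedTCPPorts = map (listener: listener.port) cfg.listeners;` opens the port of every configured listener on the `local` interface, including any listener that is meant to bind only to loopback; if these are the NixOS module's listener submodules, filtering on the bind address first, `map (listener: listener.port) (filter (listener: listener.address == null) cfg.listeners)` (with `lib.lists.filter` in scope), keeps the firewall rule tied to what actually listens on the LAN. The list was previously built per system in systems/tei/nixos.nix, and nixos/access/mosquitto.nix in this same commit also contributes to `interfaces.local.allowedTCPPorts`, so the two definitions now merge on hosts that import both; a one-line comment saying which ports each side is responsible for would avoid double-opening by accident. `mkDefault` is newly used on the `sharedMounts` lines here and in nixos/barcodebuddy.nix, nixos/grocy.nix and nixos/unifi.nix, and none of those hunks show it being inherited, whereas nixos/zigbee2mqtt.nix explicitly adds `inherit (lib.modules) mkIf mkDefault;`; confirm it is already in scope in the other four files.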
@@ -12,66 +12,111 @@ sops: - recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSlhaOWxDY0E4RzExaGR4 - U3o3bFFMejNxMlYyZ1VnUjk0ZERSK2hTOWhRCkVxd0lJL2YvZXY5ZjRaL0xUUVNE - dFMzRU52Tm9LY0swbnpoaE5OUjJJeDAKLS0tIHlUVWZtTE5acXRONURiaHFPaWpV - Qzh5SUVWcmx1ejNqVGMyTVc3UGovVnMK5tfxFOpzlAbhiYpcwWI26MJ6a+esucPE - KfYUQ9fVv96Crzl7vNPWXcI3TpmrIsRl2Jf1HA3bwfJzknQzucZfTw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMm56STg2N2N2STZXTVlY + M0IwWUhwOU16UU9heDdKM0NFVWtFVWtsV1RJClNYb2VEMnl4MWFXalZXV3U3ODRy + Ukp1ZXhvZ25OT0tDWVlWdndlTFlWNTAKLS0tIEkzWlQ2cHlaY0hibUxiNmpMQUI4 + LzB2WHQ0cFA2azMya3UrUlJrQnNROEUK/JZJi5crzpCEQ/fF2vpz5tnmdVSIiidk + zi1UuuNTW3QHfjZb6dSc7vDVa5UC9Zp2XUWSL1D7RrBwN9S+qPlPbg== + -----END AGE ENCRYPTED FILE----- + - recipient: age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTcnRDcXpSOTdZeGg4V3dq + Y1JkR0M3WEZuQzZsdzdwNjBxS3p2eXRJTFJvClZ2V29QTFFZVVVIVWRLYWgzbFd3 + NmpNZFNsK1Rxc1BkaWMrMUZXakpUVUkKLS0tIEkyQzRUcG9nRkpGVXZyQ2V5czFQ + clVHU0FZMXBvNmFROEN4ODZDb3Znbk0KXDHc6gZTlVnMOqK3CSrk5aLNDfIUvKbw + 7EKB1kwx1OWihGce42JBVfGCPJmjW7IPfNeeXxZ10hmJPKpwKw7jkQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age15hmlkd9p5rladsjzpmvrh6u34xvggu9mzdsdxdj3ms43tltxeuhq4g7g9k + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmdFN1NFo4ZXpBOGxja0xE + YjhYTVUrUDZ0c0RWamlJekVMeUEyeGJhVzBBCk0ySmhHQ3B5MXFnMjNPOXgzdWda + bTd0NkhDMDhaMmd6MUZZdWpKZVd6bUkKLS0tIDBKRktQeUgxb2RIV1NLWnFlYzIw + dW9GUXdSdnlGZE9DR2l0ckliOXR6YlEK5Gu1NnZQWlyJbha6M2tiJ5BEOf5Jt6Cb + uxY8u/jMwyMlziSkEMW+1JqNJf5xbnaKxmlvTyb2REOo2TQExBcrTQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxQjZGLzNqTWovR29WVFRm + 
NSttQ2RodkhmNyt5cGY0OG5nd2FtSndhTFFNCmpBSXBQeTJBZW5FUnJCb1U5NmtR + cWRGbFpBSmczMTdYRGJBVktBRTFZRGMKLS0tIHN1NEVzVFIxN2x1SFRHcVpzMzlw + MEg0bUN3a2hTTEIvS1R4QXpDc2VYOGMKsZ4nR0xr3BDQOOUAEpz34ti5hGykBGWQ + ghXLTIKcbvjVgPzgFIycbC3Q91EuYI4NN6nv4sZIPc3VUeNqUXLhAw== -----END AGE ENCRYPTED FILE----- - recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwaTRCc1BidjlYRURrbFR3 - WDF1c2puK1pLZ0JVQkNKNUlVTUFtWnZkZUF3CndEcEg3UlgycDlXdWliVXM2dmJQ - SkFPRTJCWTFpVlNRTWZRVzFMYmJzTzgKLS0tIGJJcmFEZklRYkJUN25McnAyWVNm - L0VoSDZzTjVIWFN6aFVhQXE1bXlMdDQK2hAlcgBcb4jvVTRwXk0AQPI0P5Gt0Ooy - SO90HyKwpck32jr6X6faA+bAyBVSh/Vf/9zSgIIsv7M4Pw9qPrBBDA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SWlYN3dYV1JrYVFWd0lD + bmxQUFpIZDJPTmhwaVBGbUVBcHVEcWQ0bFdVCjNmOFBQOVlkei9nSGJ0RThHRlRU + ck5nMmVHU1BWcFdlajBocDJWanhVOE0KLS0tIGVqcWtDeWNCa25hRU42amdITm5P + RGlTUjIyQ2Nrbk1IUEJyRXJFMHVFQ1UKYxxgEsc2wsRazllgLlXolsT8xXVuNc9a + nd3o2Y34thuA0CJJR6UXQv1gdyP5BiykXp5pw00b8R3/OwOsN3b1IA== -----END AGE ENCRYPTED FILE----- - recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZUGtrK0Z2M0hyTVdGdVNZ - KzdzaEhpTDYvRFR5WTFmOWZFNVZMWmQ2Z0hFCjkwTlhrM2hIdEt5dXFnNldXWHp0 - eEMwL3Y2a1B2RDQ3dTBndmpxSGR5QTgKLS0tIDlpdFNRNEtQN0FGTFlzQkFxb0I3 - VE0vNVZzZHk4WFhmV2gzMjJ0UkR6MDAKQk2nlRz9+vQpmZX+qG/IUOeHkRJ0ogAP - UQ5+lcUQ6XVIx2/qoFb4GJ5Rb2CLnaeY9Xltb/PoXuluS39Kwx5/YQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnMjhXU3NhOXlnR3UwemZD + YStBaWlwVWFheEFXMUVUbkJvanVBeCtmZ2ljCk16N0tLeTh5N3ROS2ZteUFESHEr + bkFxcFgydDVUcVJJRWRhdGxPVXU5YVEKLS0tIGNSWFNEaFFoUGRZbk5KaVZ0N2po + Vll1N2U1SHQ5azdoNlVwK3JOSE5zUzQKEaWYLLdT3BBFicohYogJHBjBYfFaS+99 + x0bq7GcS7wBK/LiIl4W/Yie5z9cwJ3KRtQI4Un/mjTdoSJqg/6LQ4A== + -----END AGE ENCRYPTED FILE----- + - recipient: age13qgddr326g5je0fpq2r3k940vsr3fh9nlvl9xtcxk3xg2x0k3vsq7pvzaj + enc: | + 
-----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiMEtDbHYrWUZoTHQwNldi + UCszOFVQbHVuNXExRVJsR2V3VVNpZkRwWGdnCk52dlFRMmVINTc0eENya3ZDQXNK + VnBReTNFMU9FWDBxbVJLNmFCMWhLencKLS0tIGtGS05IaG8xcXNhTFp5cEF2MlZn + TkNCYzVTYjc2TlNjQ2lWWVo3SGlFU3MK5btRhdZSjyQn8ge9Ea4+FTNApNVemMNE + NZmSpgTTYJM5ah4T+4YpfZt0GZdCVJ7S5MjufMwB1RoVShbWztgsdg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktmx2szedfnpe5xumnzs8vkk0ffqgga6ved3drtksg9pye6ndsnsnqq488 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRkhrTW5NY0dKNUNGQ2Vo + UzQrVWNKd1ptMnZOWi9NRlJCMjFlSGJzK0JNCm9STy9OeEZseHFyR01pQVJkU25R + OHNsT0pTR2l1ZG96aDRrcmVMRVQ3dEkKLS0tIEJBWGxUNlllSEY5UjdqSXBYNlV2 + SGdXQkRkMTlhbEwxRjQwdGR0SVhNOHMK+YrQd2cTOq4uW3fIxLFzW1GJIynhr7Tf + Y7SRe+5NO/3LL6ruLDjsHH4nv2fNVN8INsRc+LZJ4TH5XqKDM6WDnw== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-01-16T19:11:37Z" mac: ENC[AES256_GCM,data:aZl7545lk6KMNGanuyw4tcn5KsJNt2hrsEVn3VHTJdhtoLo6324Mnei2WCcJm6TfqYN5wKowzg9dnivtRvTD8r/ZM8J3dtTwl9091d9TKcEhVf30a3EwKrSYsDpQUL4vagg7rgFUjbZMUSKZTEgA6o46VbR4glnOiVZMpMMtGWw=,iv:OsbhloYhHRzgUKoUjwiRspHrZFxAf2XL0+JIwwEpmeg=,tag:v4pE9dfnySmrRwlZK7Fyyw==,type:str] pgp: - - created_at: "2024-01-19T19:08:55Z" + - created_at: "2024-03-25T18:15:38Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMA82M54yws73UARAAwEU07Rt8Ab+2nopNDiDHSBgU6e22i7N3W0yuXslqVkX/ - P/gQDG7aNe6KWFGgjMFB38VLhR/Y7KpunL1JGJZuss7qbYmruhbKIzR3q0OJqJ0Y - 81rp4goDnRqtoD6Tmh0X59zDYZr8e6hSMNEdBiGjzyeMAH6nctBt0B0eO6QLkcYa - N+mNcKQ+r40paI6Eg4iLFRXYiKTkYnt6mb2Yik9EyWZGI3dOYOe4S6w+90BH5i6B - ZvK0WGj+mkvGTvbse5C8E0ruyiDTU/opscjIn5I7JUIM2KTkQxskt3Cxl7VzSqz7 - mlUcaJ0DhwfoFj7PBUEUwQyoAkKh64UEnkpH74U2dYe0Z72aQCFpq5kbIbbQDbkI - hnfo4YpsC2GClg4u0KjXTXW5Xgi1UxxIb95HhhPwfO1OF9uEJSRlHmkPJGfkHzM8 - YZU9ZOZjklBAquh+zBnxPnZAsHlCRJwn/vNFryX9fec174rdiMqlcSJ+4hAO8l0M - XnctDPB033lHL1+nbXsKUQbq1iAi/ijY8hPaYDgdHTXZS1OdS74CE+xGsnVp2J1k - niqI2rBTDJ4DPeZm51QATmeoyOtbDVzieX5x6KK9tKdviHcm98p9KqY3dXFC5qi1 - 
L26G3jPTkoYaPlEzra8RKyU/XulLhf5q7JfyTGys8jczmgbld1/sPf2hHxoFKcfS - XgGfFziQ+uwiLMs4U/949dVJ3HsQdvMGilbbbLkK/HCM+sxHaHw7axBu4TH1Q6N5 - CWP6x2+Z9YS59cXwHiuav60TzzQ/wwGyJDdN3+cBjeOjNCw5WF74xoLR1JJcb6o= - =KB2c + hQIMA82M54yws73UARAAgJH6DsIl1/bwjX6EYxDtX0QDl8PTVc+8rV3nv3b2VrXA + ETAzKV864m7Q5tWfXwVzqt+T+WS1tRk1VLrWNDzTHtyGGN41TYGqq27emn+ppqTj + caEiCh8B74ljPmHzDMG68satffp06TaxSKi5zJZe9I/Qn9a+TDtWc789W3856urT + ImfwLDbuOjjmKd/X8GUjmAeESbztvBDvxSZKLE6pNbgonDK5qAmBaXD0b/bCQz3a + 1xXcriMI5b6OYCpXhwcpS6qjmj1WnsaLrkhW5uK36/QbTI4NP10QhrXz7VFU8ShF + gHzldB0uBtqV3HbuSKYgkoGYcxTvaA5vGHhjO7fNGPTHVo9XxQ08PgH7l+7RpSx9 + gDlb+N2UxXjwmNsExkSljTGQzakoBaoEJVGvEBz13Ubq+0dJETHIddjE+kKiGy+B + zLtN/W0bK06hHN5BBKqlHLJ9CzR0EWcVLUCiOTevONcxUgJ9Ng0w3LKTvbm7OTEO + 8lTvGc44oh3IXxfh4qK70azzPO2fLtEqVNRn7w3OmS1rr9lA5eC5YACgS4B8Nqpt + fo9zBqkWiJx+Ye6lVf1JmapVKfwMeWLID26YFh6sssoZ780iIH1cF41CHhpA++JQ + KyfdTckKiceSUGcvMfuxhWUrLBX6ivbIWw7+NnZp9aRgsVltiM+YCU/M8aGfJ83S + XgFAom0ZegLeLOjwmghaSM4fohqFdNoB0NTCP1NCvmoiCyz6JVB06E/HdOAnHKiv + 3+T+wZaz+7blpMeDNtBjiCaFlXMgTxrtMRFtbwCkEZQjSSe05ux4gcfs+13Ax4M= + =kVWV -----END PGP MESSAGE----- fp: CD8CE78CB0B3BDD4 - - created_at: "2024-01-19T19:08:55Z" + - created_at: "2024-03-25T18:15:38Z" enc: |- -----BEGIN PGP MESSAGE----- - hQEMA2W9MER3HLb7AQgAxTKY2cLyZI2Geztn09LIWYelHoc3H1YpWnpchQ9zclBP - 5xFFYIfuWby1chHAoOHlAz+0FEr7oIQFHrBRtX5FWHdfTU5M3t49L7mX2FiX79/q - z9J90fQSHl2m1rvCI6SoYkh1m9PdGT5pHEM+ebCYggQnDNxbhW545yDDzsd4rNEY - jkIFNwHGIJ+BY+NaBCHwGhXli68+OcAJJDBjmIew+xggg/SWQZvvAj2EGqpCFyHx - c5NRqhg3MTUa2D+BuvLRNzN+KDsGFNn6Rj+W/6Ud+5Ohw+Xbj0l33Zj/i+9Ferap - 4pKrkqf943CSIAkINvxXCZpqnxhUe8Xh0tWSMm2XldJeAWXo5BUf0mpymT+VdACe - Swks8aSFxl4a9fHirTqovD9CwkCzLHfgEDnpxUjRJR8TF21lGoXD3OelMqxqGqVI - xHeyIKZBO3VETzDF3VWPgacKvRb+xV3JM4eW2LPqrw== - =razo + hQEMA2W9MER3HLb7AQf+I2sqlf5hbHw6z8jh6D6RcrU/U7WVGSWVVKezrRT+KE1k + e76UgsQKYcTvFcRAeUOwsCFJ61v3MCzfenCDpH+kY0KW0nR9LlJSA+ctPYetTVlz + 75fucquTukhMQpMpe4FmimDY4sw1qbLlzf89wl230ppOkXESEFKliJE4AAUkRfPj + 
NEp0BGNrI8JjHeOUKrKnIILswu1hCDdh/8b30pLerhv9ecaA3mE0SoxO1srHEDEM + 8UTsNa91h08xHN2DdyAsMy82Znuvmvr5fYNYbrj1ZEXyph5uin36jSZw8FieaAaV + 7mlI8+9ooUPo+fS1oGTCyeNhYNxqfBBbtW4Eqt1cDdJeAcvAe/QkriZsmcYwV4ti + KfEnCaWeHPq9v99wuPvevqt3k/6A9gt5n1oDdKoSyYTxUp7NWf/P/6+UFrkItjl1 + V9FfUj+jZ0AjLQOIBS8L9RFRpy4IbsFFeQh/UtT8Tw== + =ogEp -----END PGP MESSAGE----- fp: 65BD3044771CB6FB unencrypted_suffix: _unencrypted diff --git a/nixos/unifi.nix b/nixos/unifi.nix index d88a669c..7a6c1934 100644 --- a/nixos/unifi.nix +++ b/nixos/unifi.nix @@ -37,8 +37,6 @@ in { groups.unifi.gid = 990; }; systemd.services.unifi = mkIf cfg.enable { - serviceConfig.BindPaths = [ - "/mnt/shared/unifi:/var/lib/unifi" - ]; + gensokyo-zone.sharedMounts.unifi.path = mkDefault "/var/lib/unifi"; }; } diff --git a/nixos/zigbee2mqtt.nix b/nixos/zigbee2mqtt.nix index 69978951..a05e3d47 100644 --- a/nixos/zigbee2mqtt.nix +++ b/nixos/zigbee2mqtt.nix @@ -1,10 +1,13 @@ { config, lib, + gensokyo-zone, + access, ... }: let + inherit (gensokyo-zone.lib) mkAlmostDefault; + inherit (lib.modules) mkIf mkDefault; cfg = config.services.zigbee2mqtt; - inherit (lib) mkIf mkDefault; in { sops.secrets.z2m-secret = { sopsFile = mkDefault ./secrets/zigbee2mqtt.yaml; @@ -23,8 +26,11 @@ in { mqtt = { user = "z2m"; password = "!secret z2m_pass"; - server = mkIf (!config.services.mosquitto.enable) ( - mkDefault "mqtt://mqtt.local.${config.networking.domain}:1883" + server = let + utsuho = access.nixosFor "utsuho"; + mqttHost = access.getHostnameFor "utsuho" "lan"; + in mkIf (!config.services.mosquitto.enable) ( + assert utsuho.services.mosquitto.enable; mkAlmostDefault "mqtt://${mqttHost}:1883" ); }; homeassistant = true; diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix index e5fdd278..92902858 100644 --- a/systems/hakurei/nixos.nix +++ b/systems/hakurei/nixos.nix 
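Review bot: The new `server` value in nixos/zigbee2mqtt.nix hardcodes plaintext `mqtt://${mqttHost}:1883` even though the surrounding change already consults `utsuho.services.mosquitto`, so the broker credential declared two lines above (`password = "!secret z2m_pass";`) travels in clear across the LAN. nixos/access/mosquitto.nix in this same commit exposes an `mqtts` stream listener and `access.bind.sslPort`, so either pointing this at `mqtts://` with that port, or at least deriving the port from `utsuho.services.mosquitto.listeners` instead of the literal 1883, would keep the credential encrypted in transit and stop the two definitions drifting apart. If plaintext is deliberate for this segment, say so next to the value: `# plaintext MQTT is intentional here; the TLS endpoint lives in access/mosquitto.nix`. The `assert utsuho.services.mosquitto.enable;` only catches mosquitto being absent on utsuho; it does not tie this literal to hakurei's `access.mosquitto.host`, which the systems/hakurei/nixos.nix hunk sets from the same `getHostnameFor "utsuho" "lan"` call.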
@@ -11,8 +11,8 @@
 tei = access.nixosFor "tei";
 utsuho = access.nixosFor "utsuho";
 inherit (mediabox.services) plex;
- inherit (tei.services) home-assistant zigbee2mqtt mosquitto;
- inherit (utsuho.services) unifi;
+ inherit (tei.services) home-assistant zigbee2mqtt;
+ inherit (utsuho.services) unifi mosquitto;
 inherit (config.services) nginx;
 inherit (nginx) virtualHosts;
 in {
@@ -225,7 +225,7 @@ in {
 in {
 vouch.enableLocal = false;
 access.mosquitto = assert mosquitto.enable; {
- host = getHostnameFor "tei" "lan";
+ host = getHostnameFor "utsuho" "lan";
 };
 access.plex = assert plex.enable; {
 url = "http://${getHostnameFor "mediabox" "lan"}:${toString plex.port}";
diff --git a/systems/tei/lxc.json b/systems/tei/lxc.json
index 05d3f8b6..8276ae55 100644
--- a/systems/tei/lxc.json
+++ b/systems/tei/lxc.json
@@ -3,7 +3,6 @@
 "lxc.mount.entry": [
 "/rpool/caches/zigbee2mqtt mnt/caches/zigbee2mqtt none bind,optional,create=dir",
 "/rpool/shared/zigbee2mqtt mnt/shared/zigbee2mqtt none bind,optional,create=dir",
- "/rpool/shared/mosquitto mnt/shared/mosquitto none bind,optional,create=dir",
 "/rpool/shared/hass mnt/shared/hass none bind,optional,create=dir",
 "/rpool/shared/grocy mnt/shared/grocy none bind,optional,create=dir",
 "/rpool/shared/barcodebuddy mnt/shared/barcodebuddy none bind,optional,create=dir",
diff --git a/systems/tei/nixos.nix b/systems/tei/nixos.nix
index 2ed197a3..0035b240 100644
--- a/systems/tei/nixos.nix
+++ b/systems/tei/nixos.nix
@@ -1,12 +1,8 @@
 {
 config,
- lib,
 meta,
 ...
-}: let
- inherit (lib.modules) mkIf mkMerge;
- inherit (config.services) mosquitto home-assistant;
-in {
+}: {
 imports = let
 inherit (meta) nixos;
 in [
@@ -19,7 +15,6 @@ in {
 nixos.access.zigbee2mqtt
 nixos.access.grocy
 nixos.access.barcodebuddy
- nixos.mosquitto
 nixos.home-assistant
 nixos.zigbee2mqtt
 nixos.syncplay
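Review bot: The `/rpool/shared/mosquitto mnt/shared/mosquitto` bind mount is removed from systems/tei/lxc.json, but no counterpart for utsuho appears anywhere in this diff, while nixos/mosquitto.nix now declares `gensokyo-zone.sharedMounts.mosquitto`, whose default `mountUnit` in modules/nixos/shared.nix makes the mosquitto service `requires`/`after` `mnt-shared-mosquitto.mount`. If utsuho is also an LXC guest with its own lxc.json, that entry needs to move there; otherwise the unit dependency cannot be satisfied and the broker never starts on its new host. If utsuho receives `/mnt/shared/mosquitto` some other way, a one-line comment in systems/utsuho/nixos.nix next to the new `nixos.mosquitto` import saying where the mount comes from would spare the next reader the search, and it is worth checking that the existing broker state under the old tei path is migrated before the retained-message and password data is assumed present.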
@@ -38,18 +33,5 @@ in { sops.defaultSopsFile = ./secrets.yaml; - networking.firewall = { - interfaces.local.allowedTCPPorts = mkMerge [ - (mkIf home-assistant.enable [ - home-assistant.config.http.server_port - ]) - (mkIf mosquitto.enable (map ( - listener: - listener.port - ) - mosquitto.listeners)) - ]; - }; - system.stateVersion = "23.11"; } diff --git a/systems/utsuho/nixos.nix b/systems/utsuho/nixos.nix index 504a1ed3..640f4cd8 100644 --- a/systems/utsuho/nixos.nix +++ b/systems/utsuho/nixos.nix @@ -14,6 +14,7 @@ in { nixos.access.unifi nixos.unifi nixos.dnsmasq + nixos.mosquitto ]; services.cloudflared = let diff --git a/tf/cloudflare_records.tf b/tf/cloudflare_records.tf index 790412a2..ab8d7b65 100644 --- a/tf/cloudflare_records.tf +++ b/tf/cloudflare_records.tf @@ -20,6 +20,7 @@ module "hakurei_system_records" { "unifi", "pbx", "smb", + "mqtt", "kitchen", "home", "z2m", @@ -80,7 +81,6 @@ module "tewi_system_records" { zone_zone = cloudflare_zone.gensokyo-zone_zone.zone net_data = local.systems.tei.network local_subdomains = [ - "mqtt", "postgresql", ] }