refactor(mosquitto): move to utsuho

arcnmx 2024-03-25 11:15:56 -07:00
parent 5658105812
commit d6b8883c24
15 changed files with 218 additions and 95 deletions


@ -41,11 +41,13 @@
overrideOptionDefault = 1500; overrideOptionDefault = 1500;
overrideAlmostOptionDefault = 1400; overrideAlmostOptionDefault = 1400;
overrideDefault = 1000; overrideDefault = 1000;
overrideAlmostDefault = 900;
overrideNone = defaultOverridePriority; # 100 overrideNone = defaultOverridePriority; # 100
overrideAlmostForce = 75; overrideAlmostForce = 75;
overrideForce = 50; overrideForce = 50;
overrideVM = 10; overrideVM = 10;
mkAlmostOptionDefault = mkOverride overrideAlmostOptionDefault; mkAlmostOptionDefault = mkOverride overrideAlmostOptionDefault;
mkAlmostDefault = mkOverride overrideAlmostDefault;
mkAlmostForce = mkOverride overrideAlmostForce; mkAlmostForce = mkOverride overrideAlmostForce;
orderBefore = 500; orderBefore = 500;
orderNone = 1000; orderNone = 1000;
@ -78,8 +80,8 @@ in {
eui64 mkWinPath mkBaseDn eui64 mkWinPath mkBaseDn
toHexStringLower hexCharToInt toHexStringLower hexCharToInt
mapListToAttrs mapListToAttrs
mkAlmostOptionDefault mkAlmostForce mapOverride mapOptionDefaults mapAlmostOptionDefaults mapDefaults mkAlmostOptionDefault mkAlmostDefault mkAlmostForce mapOverride mapOptionDefaults mapAlmostOptionDefaults mapDefaults
overrideOptionDefault overrideAlmostOptionDefault overrideDefault overrideNone overrideAlmostForce overrideForce overrideVM overrideOptionDefault overrideAlmostOptionDefault overrideDefault overrideAlmostDefault overrideNone overrideAlmostForce overrideForce overrideVM
orderBefore orderNone orderAfter orderAlmostAfter orderBefore orderNone orderAfter orderAlmostAfter
mkAlmostAfter; mkAlmostAfter;
inherit (inputs.arcexprs.lib) unmerged json; inherit (inputs.arcexprs.lib) unmerged json;


@ -76,7 +76,10 @@ in {
in in
mkIf cfg.enable { mkIf cfg.enable {
interfaces.local = { interfaces.local = {
allowedTCPPorts = mkIf (!cfg.homekit.openFirewall) homekitTcp; allowedTCPPorts = mkMerge [
(mkIf (!cfg.homekit.openFirewall) homekitTcp)
(mkIf (!cfg.openFirewall) [ cfg.config.http.server_port ])
];
allowedUDPPortRanges = mkIf (!cfg.cast.openFirewall) castUdpRanges; allowedUDPPortRanges = mkIf (!cfg.cast.openFirewall) castUdpRanges;
}; };
allowedTCPPorts = mkIf cfg.homekit.openFirewall homekitTcp; allowedTCPPorts = mkIf cfg.homekit.openFirewall homekitTcp;

98
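--- a/modules/nixos/shared.nix
+++ b/modules/nixos/shared.nix
@@ -0,0 +1,98 @@
+{ config, lib, utils, ... }: let
+inherit (lib.options) mkOption;
+inherit (lib.modules) mkIf mkMerge mkOptionDefault;
+inherit (lib.attrsets) mapAttrsToList;
+inherit (lib.lists) head;
+inherit (lib.strings) splitString;
+inherit (utils) escapeSystemdPath;
+mountModule = { config, name, ... }: {
+options = with lib.types; {
+source = mkOption {
+type = path;
+default = "${config.rootDir}/${config.subpath}";
+};
+path = mkOption {
+type = path;
+};
+subpath = mkOption {
+type = str;
+default = name;
+};
+root = mkOption {
+type = path;
+default = "${config.rootDir}/${head (splitString "/" config.subpath)}";
+};
+mountUnit = mkOption {
+type = nullOr str;
+default = "${escapeSystemdPath config.root}.mount";
+};
+rootDir = mkOption {
+type = path;
+internal = true;
+};
+};
+};
+mkMountType' = { rootDir, specialArgs, modules ? [ ] }: let
+rootDirModule = { ... }: {
+config.rootDir = mkOptionDefault rootDir;
+};
+in lib.types.submoduleWith {
+modules = [ mountModule rootDirModule ] ++ modules;
+inherit specialArgs;
+};
+mkMountType = args: with lib.types; coercedTo path (path: { path = mkOptionDefault path; }) (mkMountType' args);
+serviceModule = { config, nixosConfig, ... }: let
+cfg = config.gensokyo-zone;
+mapSharedMounts = f: mapAttrsToList (_: target:
+f target
+) cfg.sharedMounts;
+mapCacheMounts = f: mapAttrsToList (_: target:
+f target
+) cfg.cacheMounts;
+mkRequire = mount: mount.mountUnit;
+mkBindPath = mount: "${mount.source}:${mount.path}";
+specialArgs = {
+service = config;
+inherit nixosConfig;
+};
+mountUnits = mkMerge [
+(mkIf (cfg.sharedMounts != { }) (mapSharedMounts mkRequire))
+(mkIf (cfg.cacheMounts != { }) (mapCacheMounts mkRequire))
+];
+in {
+options.gensokyo-zone = with lib.types; {
+sharedMounts = mkOption {
+type = attrsOf (mkMountType { rootDir = "/mnt/shared"; inherit specialArgs; });
+default = { };
+};
+cacheMounts = mkOption {
+type = attrsOf (mkMountType { rootDir = "/mnt/caches"; inherit specialArgs; });
+default = { };
+};
+};
+config = {
+requires = mountUnits;
+after = mountUnits;
+serviceConfig = mkMerge [
+(mkIf (cfg.sharedMounts != { }) {
+BindPaths = mapSharedMounts mkBindPath;
+})
+(mkIf (cfg.cacheMounts != { }) {
+BindPaths = mapCacheMounts mkBindPath;
+})
+];
+};
+};
+in {
+options = with lib.types; {
+systemd.services = mkOption {
+type = attrsOf (submoduleWith {
+modules = [ serviceModule ];
+shorthandOnlyDefinesConfig = true;
+specialArgs = {
+nixosConfig = config;
+};
+});
+};
+};
+}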
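Review bot: `mountUnit` is declared `nullOr str`, but `mkRequire = mount: mount.mountUnit;` passes the value straight into `requires` and `after`, so a mount that sets `mountUnit = null` puts a null into both unit lists instead of dropping the dependency. Filter before merging, for example `(mkIf (cfg.sharedMounts != { }) (filter (unit: unit != null) (mapSharedMounts mkRequire)))` with `filter` inherited from `lib.lists`, and the same for `cacheMounts`. None of the mount options has a `description`; one line each on `source`, `path` and `root` stating which is the host side of the bind would help, since `mkBindPath` turns them into a read-write `BindPaths` entry.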


@ -64,7 +64,7 @@ in {
}; };
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ interfaces.local.allowedTCPPorts = [
access.bind.port access.bind.port
(mkIf nginx.stream.servers.mosquitto.listen.mqtts.enable access.bind.sslPort) (mkIf nginx.stream.servers.mosquitto.listen.mqtts.enable access.bind.sslPort)
]; ];


@ -37,19 +37,13 @@ in {
uid = 912; uid = 912;
}; };
config.systemd.services = let config.systemd.services = let
BindPaths = [ gensokyo-zone.sharedMounts.barcodebuddy.path = mkDefault cfg.dataDir;
"/mnt/shared/barcodebuddy:${cfg.dataDir}"
];
in mkIf cfg.enable { in mkIf cfg.enable {
phpfpm-barcodebuddy = { phpfpm-barcodebuddy = {
serviceConfig = { inherit gensokyo-zone;
inherit BindPaths;
};
}; };
bbuddy-websocket = mkIf cfg.screen.enable { bbuddy-websocket = mkIf cfg.screen.enable {
serviceConfig = { inherit gensokyo-zone;
inherit BindPaths;
};
}; };
}; };
config.sops.secrets.barcodebuddy-fastcgi-params = mkIf cfg.enable { config.sops.secrets.barcodebuddy-fastcgi-params = mkIf cfg.enable {


@ -68,19 +68,13 @@ in {
uid = 911; uid = 911;
}; };
systemd.services = let systemd.services = let
BindPaths = [ gensokyo-zone.sharedMounts.grocy.path = mkDefault cfg.dataDir;
"/mnt/shared/grocy:${cfg.dataDir}"
];
in mkIf cfg.enable { in mkIf cfg.enable {
grocy-setup = { grocy-setup = {
serviceConfig = { inherit gensokyo-zone;
inherit BindPaths;
};
}; };
phpfpm-grocy = { phpfpm-grocy = {
serviceConfig = { inherit gensokyo-zone;
inherit BindPaths;
};
}; };
}; };
}; };


@ -70,8 +70,9 @@ in {
}; };
}; };
systemd.services.mosquitto = mkIf cfg.enable { systemd.services.mosquitto = mkIf cfg.enable {
serviceConfig.BindPaths = [ gensokyo-zone.sharedMounts.mosquitto.path = mkDefault cfg.dataDir;
"/mnt/shared/mosquitto:${cfg.dataDir}" };
]; networking.firewall = mkIf cfg.enable {
interfaces.local.allowedTCPPorts = map (listener: listener.port) cfg.listeners;
}; };
} }
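Review bot: The new `networking.firewall` block opens the port of every entry in `cfg.listeners` on the `local` interface, whatever that listener is for, so a listener meant only for loopback or one without authentication becomes LAN-reachable as soon as it is declared. The listener definitions are outside this hunk, so this may be fine with the current configuration, but the rule now lives in the shared module and applies on every host that imports it. Consider limiting the list to listeners that are meant to be reachable, or at least add a comment above the line such as `# opens every declared listener on the local interface; filter here before adding loopback-only listeners`.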


@ -12,66 +12,111 @@ sops:
- recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq - recipient: age12ze362pu5mza6ef9akrptr7hfe4auaqul4rkta7kyy2tnrstqensgmujeq
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSlhaOWxDY0E4RzExaGR4 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMm56STg2N2N2STZXTVlY
U3o3bFFMejNxMlYyZ1VnUjk0ZERSK2hTOWhRCkVxd0lJL2YvZXY5ZjRaL0xUUVNE M0IwWUhwOU16UU9heDdKM0NFVWtFVWtsV1RJClNYb2VEMnl4MWFXalZXV3U3ODRy
dFMzRU52Tm9LY0swbnpoaE5OUjJJeDAKLS0tIHlUVWZtTE5acXRONURiaHFPaWpV Ukp1ZXhvZ25OT0tDWVlWdndlTFlWNTAKLS0tIEkzWlQ2cHlaY0hibUxiNmpMQUI4
Qzh5SUVWcmx1ejNqVGMyTVc3UGovVnMK5tfxFOpzlAbhiYpcwWI26MJ6a+esucPE LzB2WHQ0cFA2azMya3UrUlJrQnNROEUK/JZJi5crzpCEQ/fF2vpz5tnmdVSIiidk
KfYUQ9fVv96Crzl7vNPWXcI3TpmrIsRl2Jf1HA3bwfJzknQzucZfTw== zi1UuuNTW3QHfjZb6dSc7vDVa5UC9Zp2XUWSL1D7RrBwN9S+qPlPbg==
-----END AGE ENCRYPTED FILE-----
- recipient: age176uyyyk7veqnzmm8xzwfhf0u23m6hm02cldlfkldunqe6std0gcq6lg057
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTcnRDcXpSOTdZeGg4V3dq
Y1JkR0M3WEZuQzZsdzdwNjBxS3p2eXRJTFJvClZ2V29QTFFZVVVIVWRLYWgzbFd3
NmpNZFNsK1Rxc1BkaWMrMUZXakpUVUkKLS0tIEkyQzRUcG9nRkpGVXZyQ2V5czFQ
clVHU0FZMXBvNmFROEN4ODZDb3Znbk0KXDHc6gZTlVnMOqK3CSrk5aLNDfIUvKbw
7EKB1kwx1OWihGce42JBVfGCPJmjW7IPfNeeXxZ10hmJPKpwKw7jkQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age15hmlkd9p5rladsjzpmvrh6u34xvggu9mzdsdxdj3ms43tltxeuhq4g7g9k
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmdFN1NFo4ZXpBOGxja0xE
YjhYTVUrUDZ0c0RWamlJekVMeUEyeGJhVzBBCk0ySmhHQ3B5MXFnMjNPOXgzdWda
bTd0NkhDMDhaMmd6MUZZdWpKZVd6bUkKLS0tIDBKRktQeUgxb2RIV1NLWnFlYzIw
dW9GUXdSdnlGZE9DR2l0ckliOXR6YlEK5Gu1NnZQWlyJbha6M2tiJ5BEOf5Jt6Cb
uxY8u/jMwyMlziSkEMW+1JqNJf5xbnaKxmlvTyb2REOo2TQExBcrTQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age10t6kc5069cyky929vvxk8aznqyxpkx3k5h5rmlyz83xtjmr22ahqe8mzes
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxQjZGLzNqTWovR29WVFRm
NSttQ2RodkhmNyt5cGY0OG5nd2FtSndhTFFNCmpBSXBQeTJBZW5FUnJCb1U5NmtR
cWRGbFpBSmczMTdYRGJBVktBRTFZRGMKLS0tIHN1NEVzVFIxN2x1SFRHcVpzMzlw
MEg0bUN3a2hTTEIvS1R4QXpDc2VYOGMKsZ4nR0xr3BDQOOUAEpz34ti5hGykBGWQ
ghXLTIKcbvjVgPzgFIycbC3Q91EuYI4NN6nv4sZIPc3VUeNqUXLhAw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr - recipient: age1a2quf2ekkj94ygu7wgvhrvh44fwn32c0l2cwvgvjh23wst90s54szdsvgr
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwaTRCc1BidjlYRURrbFR3 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3SWlYN3dYV1JrYVFWd0lD
WDF1c2puK1pLZ0JVQkNKNUlVTUFtWnZkZUF3CndEcEg3UlgycDlXdWliVXM2dmJQ bmxQUFpIZDJPTmhwaVBGbUVBcHVEcWQ0bFdVCjNmOFBQOVlkei9nSGJ0RThHRlRU
SkFPRTJCWTFpVlNRTWZRVzFMYmJzTzgKLS0tIGJJcmFEZklRYkJUN25McnAyWVNm ck5nMmVHU1BWcFdlajBocDJWanhVOE0KLS0tIGVqcWtDeWNCa25hRU42amdITm5P
L0VoSDZzTjVIWFN6aFVhQXE1bXlMdDQK2hAlcgBcb4jvVTRwXk0AQPI0P5Gt0Ooy RGlTUjIyQ2Nrbk1IUEJyRXJFMHVFQ1UKYxxgEsc2wsRazllgLlXolsT8xXVuNc9a
SO90HyKwpck32jr6X6faA+bAyBVSh/Vf/9zSgIIsv7M4Pw9qPrBBDA== nd3o2Y34thuA0CJJR6UXQv1gdyP5BiykXp5pw00b8R3/OwOsN3b1IA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489 - recipient: age16klpkaut5759dut8mdm3jn0rnp8w6kxyvs9n6ntqrdsayjtd7upqlvw489
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZUGtrK0Z2M0hyTVdGdVNZ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnMjhXU3NhOXlnR3UwemZD
KzdzaEhpTDYvRFR5WTFmOWZFNVZMWmQ2Z0hFCjkwTlhrM2hIdEt5dXFnNldXWHp0 YStBaWlwVWFheEFXMUVUbkJvanVBeCtmZ2ljCk16N0tLeTh5N3ROS2ZteUFESHEr
eEMwL3Y2a1B2RDQ3dTBndmpxSGR5QTgKLS0tIDlpdFNRNEtQN0FGTFlzQkFxb0I3 bkFxcFgydDVUcVJJRWRhdGxPVXU5YVEKLS0tIGNSWFNEaFFoUGRZbk5KaVZ0N2po
VE0vNVZzZHk4WFhmV2gzMjJ0UkR6MDAKQk2nlRz9+vQpmZX+qG/IUOeHkRJ0ogAP Vll1N2U1SHQ5azdoNlVwK3JOSE5zUzQKEaWYLLdT3BBFicohYogJHBjBYfFaS+99
UQ5+lcUQ6XVIx2/qoFb4GJ5Rb2CLnaeY9Xltb/PoXuluS39Kwx5/YQ== x0bq7GcS7wBK/LiIl4W/Yie5z9cwJ3KRtQI4Un/mjTdoSJqg/6LQ4A==
-----END AGE ENCRYPTED FILE-----
- recipient: age13qgddr326g5je0fpq2r3k940vsr3fh9nlvl9xtcxk3xg2x0k3vsq7pvzaj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiMEtDbHYrWUZoTHQwNldi
UCszOFVQbHVuNXExRVJsR2V3VVNpZkRwWGdnCk52dlFRMmVINTc0eENya3ZDQXNK
VnBReTNFMU9FWDBxbVJLNmFCMWhLencKLS0tIGtGS05IaG8xcXNhTFp5cEF2MlZn
TkNCYzVTYjc2TlNjQ2lWWVo3SGlFU3MK5btRhdZSjyQn8ge9Ea4+FTNApNVemMNE
NZmSpgTTYJM5ah4T+4YpfZt0GZdCVJ7S5MjufMwB1RoVShbWztgsdg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ktmx2szedfnpe5xumnzs8vkk0ffqgga6ved3drtksg9pye6ndsnsnqq488
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRkhrTW5NY0dKNUNGQ2Vo
UzQrVWNKd1ptMnZOWi9NRlJCMjFlSGJzK0JNCm9STy9OeEZseHFyR01pQVJkU25R
OHNsT0pTR2l1ZG96aDRrcmVMRVQ3dEkKLS0tIEJBWGxUNlllSEY5UjdqSXBYNlV2
SGdXQkRkMTlhbEwxRjQwdGR0SVhNOHMK+YrQd2cTOq4uW3fIxLFzW1GJIynhr7Tf
Y7SRe+5NO/3LL6ruLDjsHH4nv2fNVN8INsRc+LZJ4TH5XqKDM6WDnw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-16T19:11:37Z" lastmodified: "2024-01-16T19:11:37Z"
mac: ENC[AES256_GCM,data:aZl7545lk6KMNGanuyw4tcn5KsJNt2hrsEVn3VHTJdhtoLo6324Mnei2WCcJm6TfqYN5wKowzg9dnivtRvTD8r/ZM8J3dtTwl9091d9TKcEhVf30a3EwKrSYsDpQUL4vagg7rgFUjbZMUSKZTEgA6o46VbR4glnOiVZMpMMtGWw=,iv:OsbhloYhHRzgUKoUjwiRspHrZFxAf2XL0+JIwwEpmeg=,tag:v4pE9dfnySmrRwlZK7Fyyw==,type:str] mac: ENC[AES256_GCM,data:aZl7545lk6KMNGanuyw4tcn5KsJNt2hrsEVn3VHTJdhtoLo6324Mnei2WCcJm6TfqYN5wKowzg9dnivtRvTD8r/ZM8J3dtTwl9091d9TKcEhVf30a3EwKrSYsDpQUL4vagg7rgFUjbZMUSKZTEgA6o46VbR4glnOiVZMpMMtGWw=,iv:OsbhloYhHRzgUKoUjwiRspHrZFxAf2XL0+JIwwEpmeg=,tag:v4pE9dfnySmrRwlZK7Fyyw==,type:str]
pgp: pgp:
- created_at: "2024-01-19T19:08:55Z" - created_at: "2024-03-25T18:15:38Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UARAAwEU07Rt8Ab+2nopNDiDHSBgU6e22i7N3W0yuXslqVkX/ hQIMA82M54yws73UARAAgJH6DsIl1/bwjX6EYxDtX0QDl8PTVc+8rV3nv3b2VrXA
P/gQDG7aNe6KWFGgjMFB38VLhR/Y7KpunL1JGJZuss7qbYmruhbKIzR3q0OJqJ0Y ETAzKV864m7Q5tWfXwVzqt+T+WS1tRk1VLrWNDzTHtyGGN41TYGqq27emn+ppqTj
81rp4goDnRqtoD6Tmh0X59zDYZr8e6hSMNEdBiGjzyeMAH6nctBt0B0eO6QLkcYa caEiCh8B74ljPmHzDMG68satffp06TaxSKi5zJZe9I/Qn9a+TDtWc789W3856urT
N+mNcKQ+r40paI6Eg4iLFRXYiKTkYnt6mb2Yik9EyWZGI3dOYOe4S6w+90BH5i6B ImfwLDbuOjjmKd/X8GUjmAeESbztvBDvxSZKLE6pNbgonDK5qAmBaXD0b/bCQz3a
ZvK0WGj+mkvGTvbse5C8E0ruyiDTU/opscjIn5I7JUIM2KTkQxskt3Cxl7VzSqz7 1xXcriMI5b6OYCpXhwcpS6qjmj1WnsaLrkhW5uK36/QbTI4NP10QhrXz7VFU8ShF
mlUcaJ0DhwfoFj7PBUEUwQyoAkKh64UEnkpH74U2dYe0Z72aQCFpq5kbIbbQDbkI gHzldB0uBtqV3HbuSKYgkoGYcxTvaA5vGHhjO7fNGPTHVo9XxQ08PgH7l+7RpSx9
hnfo4YpsC2GClg4u0KjXTXW5Xgi1UxxIb95HhhPwfO1OF9uEJSRlHmkPJGfkHzM8 gDlb+N2UxXjwmNsExkSljTGQzakoBaoEJVGvEBz13Ubq+0dJETHIddjE+kKiGy+B
YZU9ZOZjklBAquh+zBnxPnZAsHlCRJwn/vNFryX9fec174rdiMqlcSJ+4hAO8l0M zLtN/W0bK06hHN5BBKqlHLJ9CzR0EWcVLUCiOTevONcxUgJ9Ng0w3LKTvbm7OTEO
XnctDPB033lHL1+nbXsKUQbq1iAi/ijY8hPaYDgdHTXZS1OdS74CE+xGsnVp2J1k 8lTvGc44oh3IXxfh4qK70azzPO2fLtEqVNRn7w3OmS1rr9lA5eC5YACgS4B8Nqpt
niqI2rBTDJ4DPeZm51QATmeoyOtbDVzieX5x6KK9tKdviHcm98p9KqY3dXFC5qi1 fo9zBqkWiJx+Ye6lVf1JmapVKfwMeWLID26YFh6sssoZ780iIH1cF41CHhpA++JQ
L26G3jPTkoYaPlEzra8RKyU/XulLhf5q7JfyTGys8jczmgbld1/sPf2hHxoFKcfS KyfdTckKiceSUGcvMfuxhWUrLBX6ivbIWw7+NnZp9aRgsVltiM+YCU/M8aGfJ83S
XgGfFziQ+uwiLMs4U/949dVJ3HsQdvMGilbbbLkK/HCM+sxHaHw7axBu4TH1Q6N5 XgFAom0ZegLeLOjwmghaSM4fohqFdNoB0NTCP1NCvmoiCyz6JVB06E/HdOAnHKiv
CWP6x2+Z9YS59cXwHiuav60TzzQ/wwGyJDdN3+cBjeOjNCw5WF74xoLR1JJcb6o= 3+T+wZaz+7blpMeDNtBjiCaFlXMgTxrtMRFtbwCkEZQjSSe05ux4gcfs+13Ax4M=
=KB2c =kVWV
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4 fp: CD8CE78CB0B3BDD4
- created_at: "2024-01-19T19:08:55Z" - created_at: "2024-03-25T18:15:38Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQEMA2W9MER3HLb7AQgAxTKY2cLyZI2Geztn09LIWYelHoc3H1YpWnpchQ9zclBP hQEMA2W9MER3HLb7AQf+I2sqlf5hbHw6z8jh6D6RcrU/U7WVGSWVVKezrRT+KE1k
5xFFYIfuWby1chHAoOHlAz+0FEr7oIQFHrBRtX5FWHdfTU5M3t49L7mX2FiX79/q e76UgsQKYcTvFcRAeUOwsCFJ61v3MCzfenCDpH+kY0KW0nR9LlJSA+ctPYetTVlz
z9J90fQSHl2m1rvCI6SoYkh1m9PdGT5pHEM+ebCYggQnDNxbhW545yDDzsd4rNEY 75fucquTukhMQpMpe4FmimDY4sw1qbLlzf89wl230ppOkXESEFKliJE4AAUkRfPj
jkIFNwHGIJ+BY+NaBCHwGhXli68+OcAJJDBjmIew+xggg/SWQZvvAj2EGqpCFyHx NEp0BGNrI8JjHeOUKrKnIILswu1hCDdh/8b30pLerhv9ecaA3mE0SoxO1srHEDEM
c5NRqhg3MTUa2D+BuvLRNzN+KDsGFNn6Rj+W/6Ud+5Ohw+Xbj0l33Zj/i+9Ferap 8UTsNa91h08xHN2DdyAsMy82Znuvmvr5fYNYbrj1ZEXyph5uin36jSZw8FieaAaV
4pKrkqf943CSIAkINvxXCZpqnxhUe8Xh0tWSMm2XldJeAWXo5BUf0mpymT+VdACe 7mlI8+9ooUPo+fS1oGTCyeNhYNxqfBBbtW4Eqt1cDdJeAcvAe/QkriZsmcYwV4ti
Swks8aSFxl4a9fHirTqovD9CwkCzLHfgEDnpxUjRJR8TF21lGoXD3OelMqxqGqVI KfEnCaWeHPq9v99wuPvevqt3k/6A9gt5n1oDdKoSyYTxUp7NWf/P/6+UFrkItjl1
xHeyIKZBO3VETzDF3VWPgacKvRb+xV3JM4eW2LPqrw== V9FfUj+jZ0AjLQOIBS8L9RFRpy4IbsFFeQh/UtT8Tw==
=razo =ogEp
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 65BD3044771CB6FB fp: 65BD3044771CB6FB
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
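Review bot: Every recipient listed here can decrypt every value in the file, and this change adds five age recipients to it; which secrets the file holds is not visible in the hunk. `lastmodified` and `mac` are unchanged, which is consistent with a recipient update rather than a content change. If only the broker credentials have to reach the additional hosts, a separate secrets file with a narrower recipient list would keep the remaining values limited to their current readers.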


@ -37,8 +37,6 @@ in {
groups.unifi.gid = 990; groups.unifi.gid = 990;
}; };
systemd.services.unifi = mkIf cfg.enable { systemd.services.unifi = mkIf cfg.enable {
serviceConfig.BindPaths = [ gensokyo-zone.sharedMounts.unifi.path = mkDefault "/var/lib/unifi";
"/mnt/shared/unifi:/var/lib/unifi"
];
}; };
} }


@ -1,10 +1,13 @@
{ {
config, config,
lib, lib,
gensokyo-zone,
access,
... ...
}: let }: let
inherit (gensokyo-zone.lib) mkAlmostDefault;
inherit (lib.modules) mkIf mkDefault;
cfg = config.services.zigbee2mqtt; cfg = config.services.zigbee2mqtt;
inherit (lib) mkIf mkDefault;
in { in {
sops.secrets.z2m-secret = { sops.secrets.z2m-secret = {
sopsFile = mkDefault ./secrets/zigbee2mqtt.yaml; sopsFile = mkDefault ./secrets/zigbee2mqtt.yaml;
@ -23,8 +26,11 @@ in {
mqtt = { mqtt = {
user = "z2m"; user = "z2m";
password = "!secret z2m_pass"; password = "!secret z2m_pass";
server = mkIf (!config.services.mosquitto.enable) ( server = let
mkDefault "mqtt://mqtt.local.${config.networking.domain}:1883" utsuho = access.nixosFor "utsuho";
mqttHost = access.getHostnameFor "utsuho" "lan";
in mkIf (!config.services.mosquitto.enable) (
assert utsuho.services.mosquitto.enable; mkAlmostDefault "mqtt://${mqttHost}:1883"
); );
}; };
homeassistant = true; homeassistant = true;
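Review bot: When mosquitto is not enabled on the same host, `server` now resolves to `mqtt://${mqttHost}:1883`, so the `z2m` user name and the password referenced in this block are sent to the broker over the LAN without transport encryption. If the broker on utsuho has (or can be given) a TLS listener, an `mqtts://` URL would be the safer default here; whether such a listener exists is not visible in this diff. The port is also the literal `1883` although the `assert` already reads `utsuho.services.mosquitto`; deriving the port from that host's listener configuration would keep client and broker in step.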

View file

@ -11,8 +11,8 @@
tei = access.nixosFor "tei"; tei = access.nixosFor "tei";
utsuho = access.nixosFor "utsuho"; utsuho = access.nixosFor "utsuho";
inherit (mediabox.services) plex; inherit (mediabox.services) plex;
inherit (tei.services) home-assistant zigbee2mqtt mosquitto; inherit (tei.services) home-assistant zigbee2mqtt;
inherit (utsuho.services) unifi; inherit (utsuho.services) unifi mosquitto;
inherit (config.services) nginx; inherit (config.services) nginx;
inherit (nginx) virtualHosts; inherit (nginx) virtualHosts;
in { in {
@ -225,7 +225,7 @@ in {
in { in {
vouch.enableLocal = false; vouch.enableLocal = false;
access.mosquitto = assert mosquitto.enable; { access.mosquitto = assert mosquitto.enable; {
host = getHostnameFor "tei" "lan"; host = getHostnameFor "utsuho" "lan";
}; };
access.plex = assert plex.enable; { access.plex = assert plex.enable; {
url = "http://${getHostnameFor "mediabox" "lan"}:${toString plex.port}"; url = "http://${getHostnameFor "mediabox" "lan"}:${toString plex.port}";


@ -3,7 +3,6 @@
"lxc.mount.entry": [ "lxc.mount.entry": [
"/rpool/caches/zigbee2mqtt mnt/caches/zigbee2mqtt none bind,optional,create=dir", "/rpool/caches/zigbee2mqtt mnt/caches/zigbee2mqtt none bind,optional,create=dir",
"/rpool/shared/zigbee2mqtt mnt/shared/zigbee2mqtt none bind,optional,create=dir", "/rpool/shared/zigbee2mqtt mnt/shared/zigbee2mqtt none bind,optional,create=dir",
"/rpool/shared/mosquitto mnt/shared/mosquitto none bind,optional,create=dir",
"/rpool/shared/hass mnt/shared/hass none bind,optional,create=dir", "/rpool/shared/hass mnt/shared/hass none bind,optional,create=dir",
"/rpool/shared/grocy mnt/shared/grocy none bind,optional,create=dir", "/rpool/shared/grocy mnt/shared/grocy none bind,optional,create=dir",
"/rpool/shared/barcodebuddy mnt/shared/barcodebuddy none bind,optional,create=dir", "/rpool/shared/barcodebuddy mnt/shared/barcodebuddy none bind,optional,create=dir",


@ -1,12 +1,8 @@
{ {
config, config,
lib,
meta, meta,
... ...
}: let }: {
inherit (lib.modules) mkIf mkMerge;
inherit (config.services) mosquitto home-assistant;
in {
imports = let imports = let
inherit (meta) nixos; inherit (meta) nixos;
in [ in [
@ -19,7 +15,6 @@ in {
nixos.access.zigbee2mqtt nixos.access.zigbee2mqtt
nixos.access.grocy nixos.access.grocy
nixos.access.barcodebuddy nixos.access.barcodebuddy
nixos.mosquitto
nixos.home-assistant nixos.home-assistant
nixos.zigbee2mqtt nixos.zigbee2mqtt
nixos.syncplay nixos.syncplay
@ -38,18 +33,5 @@ in {
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
networking.firewall = {
interfaces.local.allowedTCPPorts = mkMerge [
(mkIf home-assistant.enable [
home-assistant.config.http.server_port
])
(mkIf mosquitto.enable (map (
listener:
listener.port
)
mosquitto.listeners))
];
};
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }


@ -14,6 +14,7 @@ in {
nixos.access.unifi nixos.access.unifi
nixos.unifi nixos.unifi
nixos.dnsmasq nixos.dnsmasq
nixos.mosquitto
]; ];
services.cloudflared = let services.cloudflared = let


@ -20,6 +20,7 @@ module "hakurei_system_records" {
"unifi", "unifi",
"pbx", "pbx",
"smb", "smb",
"mqtt",
"kitchen", "kitchen",
"home", "home",
"z2m", "z2m",
@ -80,7 +81,6 @@ module "tewi_system_records" {
zone_zone = cloudflare_zone.gensokyo-zone_zone.zone zone_zone = cloudflare_zone.gensokyo-zone_zone.zone
net_data = local.systems.tei.network net_data = local.systems.tei.network
local_subdomains = [ local_subdomains = [
"mqtt",
"postgresql", "postgresql",
] ]
} }