totoro: add some not-really-authed users to mosquitto just for separation

2024-10-13 14:57:02 +01:00 · 2024-10-13 14:57:02 +01:00 · 5db6c14cd3
commit 5db6c14cd3
parent d87a9cee2d
1 changed files with 25 additions and 2 deletions
--- a/ops/nixos/totoro/home-assistant.nix
+++ b/ops/nixos/totoro/home-assistant.nix
@ -8,21 +8,44 @@ in {
    settings = {
      homeassistant = true;
      serial.port = "/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_eca6e9ba6596ed11ac206b4ce259fb3e-if00-port0";
-      mqtt.server = "mqtt://localhost:1883";
+      mqtt = {
+        server = "mqtt://localhost:1883";
+        user = "zigbee2mqtt";
+        password = "zigbee2mqtt";
+      };
      frontend = {
        port = 8099;
        host = config.my.ip.tailscale6;
      };
    };
  };
-  services.mosquitto = {
+  services.mosquitto = let
+    localhostUsers = {
+      zigbee2mqtt = {
+        password = "zigbee2mqtt";
+        acl = [
+          "readwrite zigbee2mqtt/#"
+          "readwrite homeassistant/#"
+        ];
+      };
+      homeassistant = {
+        password = "homeassistant";
+        acl = [
+          "readwrite zigbee2mqtt/#"
+          "readwrite homeassistant/#"
+        ];
+      };
+    };
+  in {
    enable = true;
    listeners = [{
      address = "127.0.0.1";
      port = 1883;
+      users = localhostUsers;
    } {
      address = "::1";
      port = 1883;
+      users = localhostUsers;
    }];
  };