1 Dec 2024 |
hexa | 🤡 | 21:33:34 |
2 Dec 2024 |
spacekitteh | ok i've created a nixos module for an openthread border router, any feedback?
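{
  config,
  pkgs,
  lib,
  ...
}:
let
  inherit (lib)
    escapeShellArg
    escapeShellArgs
    mkEnableOption
    mkIf
    mkOption
    mkPackageOption
    types
    ;

  cfg = config.services.openthread-border-router;
  otbr = cfg.package;
  threadInterface = cfg.threadInterface;
  accessInterface = cfg.infrastructureInterface;

  # ip6tables chain that filters traffic forwarded onto the Thread interface.
  # Created in preStart, torn down again in postStop.
  forwardIngressChain = "OTBR_FORWARD_INGRESS";

  # IPv6 hash:net sets referenced by the rules in that chain. They are created
  # empty before the agent starts and destroyed after it stops; presumably the
  # agent fills them at runtime (not visible here — confirm against otbr).
  ingressSets = [
    "otbr-ingress-deny-src"
    "otbr-ingress-deny-src-swap"
    "otbr-ingress-allow-dst"
    "otbr-ingress-allow-dst-swap"
  ];

  # toString, not plain interpolation: interpolating a path *literal* such as
  # /dev/ttyUSB0 would copy the device node into the Nix store rather than
  # pass its name on the command line.
  radioURI = "${cfg.radioProtocol}${toString cfg.radioDevice}";
in
{
  options.services.openthread-border-router = {
    # mkEnableOption already prefixes "Whether to enable", so the text must
    # not start with "Enable" itself.
    enable = mkEnableOption "the OpenThread Border Router";

    package = mkPackageOption pkgs "otbr-posix" { };

    radioProtocol = mkOption {
      description = "The URI scheme used to connect to the radio co-processor.";
      default = "spinel+hdlc+uart://";
      type = types.str;
    };

    radioDevice = mkOption {
      description = "The device file of the radio co-processor.";
      example = "/dev/ttyUSB0";
      type = types.path;
    };

    infrastructureInterface = mkOption {
      description = "The IPv6 interface to bridge the Thread network to.";
      example = "eth0";
      type = types.str;
    };

    logLevel = mkOption {
      description = "Log level passed to `otbr-agent -d`.";
      type = types.ints.between 1 7;
      default = 5;
    };

    threadInterface = mkOption {
      description = "Name of the Thread network interface to create.";
      default = "wpan0";
      type = types.str;
    };

    openFirewall = mkOption {
      # NOTE(review): NixOS convention is `openFirewall = false` by default;
      # the default is kept at true here only to preserve existing behaviour.
      # With it on, TCP 8081 is reachable from every host that can reach
      # this machine.
      description = "Whether to open TCP port 8081 in the firewall for the agent's REST API.";
      default = true;
      type = types.bool;
    };
  };

  config = mkIf cfg.enable {
    # TODO(review): add an assertion that `services.avahi.enable` is set if
    # the otbr-posix build depends on Avahi for mDNS — confirm before adding.

    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ 8081 ];

    systemd.services.otbr = {
      description = "OpenThread Border Router agent";
      # Without wantedBy the unit would only ever start manually.
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      # No User= is set, so the unit runs as root (preStart/postStop need it
      # for ipset and ip6tables). AmbientCapabilities is therefore a no-op,
      # but the bounding set still strips every capability other than the
      # two network ones from root.
      serviceConfig = {
        AmbientCapabilities = [
          "CAP_NET_ADMIN"
          "CAP_NET_RAW"
        ];
        CapabilityBoundingSet = [
          "CAP_NET_ADMIN"
          "CAP_NET_RAW"
        ];
        Restart = "on-failure";
      };

      path = [
        otbr
        pkgs.ipset
        pkgs.iptables
      ];

      # exec so the agent, not the wrapper shell, is the unit's main process.
      script = ''
        exec ${otbr}/bin/otbr-agent --verbose -d ${toString cfg.logLevel} \
          -I ${threadInterface} -B ${accessInterface} \
          ${escapeShellArg radioURI} trel://${accessInterface}
      '';

      # NixOS runs these scripts with `set -e`, so every step is written to be
      # idempotent: a restart after an unclean stop must not fail on
      # "chain/set already exists".
      preStart = ''
        for s in ${escapeShellArgs ingressSets}; do
          ipset create -exist "$s" hash:net family inet6
        done

        # Create the chain, or flush it if it survived a previous run.
        ip6tables -w -N ${forwardIngressChain} 2>/dev/null \
          || ip6tables -w -F ${forwardIngressChain}

        # Jump into the chain for everything forwarded onto the Thread
        # interface, but only once (-C checks whether the rule is present).
        if ! ip6tables -w -C FORWARD -o ${threadInterface} -j ${forwardIngressChain} 2>/dev/null; then
          ip6tables -w -I FORWARD 1 -o ${threadInterface} -j ${forwardIngressChain}
        fi

        # Rule order matters:
        #  1. unicast that came in on the Thread interface is never forwarded back out
        #  2. sources listed in the deny set are dropped
        #  3. destinations listed in the allow set are accepted
        #  4. any other unicast is dropped
        #  5. everything else (non-unicast) is accepted
        ip6tables -w -A ${forwardIngressChain} -m pkttype --pkt-type unicast -i ${threadInterface} -j DROP
        ip6tables -w -A ${forwardIngressChain} -m set --match-set otbr-ingress-deny-src src -j DROP
        ip6tables -w -A ${forwardIngressChain} -m set --match-set otbr-ingress-allow-dst dst -j ACCEPT
        ip6tables -w -A ${forwardIngressChain} -m pkttype --pkt-type unicast -j DROP
        ip6tables -w -A ${forwardIngressChain} -j ACCEPT
      '';

      postStop = ''
        # Remove every FORWARD jump first; the chain cannot be deleted while
        # something still references it.
        while ip6tables -w -C FORWARD -o ${threadInterface} -j ${forwardIngressChain} 2>/dev/null; do
          ip6tables -w -D FORWARD -o ${threadInterface} -j ${forwardIngressChain}
        done
        if ip6tables -w -L ${forwardIngressChain} >/dev/null 2>&1; then
          ip6tables -w -F ${forwardIngressChain}
          ip6tables -w -X ${forwardIngressChain}
        fi

        # Sets can only be destroyed once no rule references them, hence
        # after the chain is gone.
        for s in ${escapeShellArgs ingressSets}; do
          if ipset list "$s" >/dev/null 2>&1; then
            ipset destroy "$s"
          fi
        done
      '';
    };
  };
}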
| 04:45:59 |
| xenos76 joined the room. | 19:55:44 |
| ethan joined the room. | 22:51:10 |
3 Dec 2024 |
spacekitteh | Ooh actually I need to add some assertions to it to check that avahi is enabled and configured correctly | 02:21:01 |
hexa | the default nixos firewall uses nftables | 02:22:11 |
hexa | and boy that is a lot of vendor specific lingo | 02:22:29 |
hexa | * and I don't really understand otbr, so it's hard for me to comment on the rest | 02:23:07 |
hexa | to unclutter it a bit you could
let
inherit (lib)
mkEnableOption
mkOption
mkPackageOption
types
;
in
| 02:23:48 |
hexa | you can also put the config let scope outside the module | 02:24:27 |
hexa | having two let blocks doesn't really have a positive benefit | 02:24:37 |
hexa | it just creates another scope, which has a cost | 02:24:49 |
spacekitteh | In reply to @hexa:lossy.network the default nixos firewall uses nftables Unfortunately, otbr uses iptables and ipset :( | 05:04:39 |
spacekitteh | In reply to @hexa:lossy.network it just creates another scope, which has a cost Right, I forget it's an interpreted language lol | 05:05:14 |
4 Dec 2024 |
| mckr joined the room. | 05:21:37 |
| nmrshll joined the room. | 15:01:00 |
hexa | hm great | 19:37:19 |
hexa | aiohttp is on 3.10.10 on master | 19:37:37 |
hexa | from october 10th | 19:38:18 |
hexa | the latest version is 3.11.9 now | 19:38:28 |
hexa | and home-assistant and a few dependencies want it | 19:39:04 |
netpleb | trying to get my zigbee dongle to work with HA...I added
services.zigbee2mqtt = {
  enable = true;
  settings = {
    # Follows whether Home Assistant is enabled on this same host.
    homeassistant = config.services.home-assistant.enable;
    # NOTE(review): presumably this keeps the Zigbee network open for new
    # devices to join for as long as zigbee2mqtt runs; worth setting back to
    # false once pairing is finished.
    permit_join = true;
    # by-id path, so the dongle keeps the same name across reboots/replugs.
    serial.port = "/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_06cdf5f0f71bef11930299d94909ffd0-if00-port0";
  };
};
but I am confused as to whether I also need to add "zha" to services.home-assistant.extraComponents
| 19:55:35 |
CRTified | In reply to @netpleb:matrix.org
trying to get my zigbee dongle to work with HA...I added
services.zigbee2mqtt = {
enable = true;
settings = {
homeassistant = config.services.home-assistant.enable;
permit_join = true;
serial = {
port = "/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_06cdf5f0f71bef11930299d94909ffd0-if00-port0";
};
};
};
but I am confused as to whether I also need to add "zha" to services.home-assistant.extraComponents
That's not needed. zha is an alternative way of interfacing with Zigbee | 20:00:54 |
CRTified | zigbee2mqtt however requires an additional mqtt broker like mosquitto | 20:01:12 |
netpleb | In reply to @crtified:crtified.me zigbee2mqtt however requires an additional mqtt broker like mosquitto thanks for your help. I am also now starting to understand that. In my case I already have mosquitto installed and working (used by my HA zwave integration). So do I need to just somehow tell mosquitto about zigbee2mqtt? | 20:02:14 |
CRTified | In reply to @netpleb:matrix.org thanks for your help. I am also now starting to understand that. In my case I already have mosquitto installed and working (used by my HA zwave integration). So do I need to just somehow tell mosquitto about zigbee2mqtt? You rather need to tell zigbee2mqtt about mosquitto. mosquitto is the message broker, and both HA and z2m connect to the broker as clients, listening for and sending messages over it | 20:03:07 |
CRTified | So on the HA side, you'll need the MQTT component in place | 20:03:22 |
CRTified | and for both, you need some type of credentials | 20:03:34 |
CRTified | * and for both, you need some type of credentials to connect to mosquitto | 20:03:40 |
netpleb | In reply to @crtified:crtified.me So on the HA side, you'll need the MQTT component in place Ok, I am starting to finally understand. I do have the MQTT component in place on the HA side. I've (currently) disabled auth with mosquitto just while I try to get things working | 20:04:29 |