!QhvgabMQzwEQeWehhZ:lossy.network

NixOS Home Automation

422 Members
Declarative Home Automation and other Sidequests | https://wiki.nixos.org/wiki/Home_Assistant
117 Servers


1 Dec 2024
@hexa:lossy.network hexa: 🤡  21:33:34
2 Dec 2024
@spacekitteh:matrix.org spacekitteh

ok i've created a nixos module for an openthread border router, any feedback?

{
  config,
  pkgs,
  lib,
  ...
}:
{
  options.services.openthread-border-router = {
    # mkEnableOption prepends "Whether to enable", so only the noun phrase goes here
    enable = lib.mkEnableOption "an OpenThread Border Router";
    package = lib.mkOption {
      type = lib.types.package;
      description = "The OpenThread Border Router package to use";
      default = pkgs.otbr-posix;
    };
    radioProtocol = lib.mkOption {
      description = "The protocol used to connect to the radio coprocessor";
      default = "spinel+hdlc+uart://";
      # types.string is deprecated (it silently concatenates values); types.str is the plain string type
      type = lib.types.str;
    };
    radioDevice = lib.mkOption {
      description = "The device file for the radio coprocessor";
      example = "/dev/ttyUSB0";
      type = lib.types.path;
    };
    infrastructureInterface = lib.mkOption {
      description = "The IPv6 interface to bridge the Thread network to";
      example = "eth0";
      type = lib.types.str;
    };
    logLevel = lib.mkOption {
      description = "The log level";
      type = lib.types.ints.between 1 7;
      default = 5;
    };
    threadInterface = lib.mkOption {
      description = "The Thread interface name to create";
      default = "wpan0";
      type = lib.types.str;
    };
    openFirewall = lib.mkOption {
      description = "Open the firewall port for the server's REST API";
      default = true;
      type = lib.types.bool;
    };
  };
  config =
    let
      cfg = config.services.openthread-border-router;
      otbr = cfg.package;
      threadInterface = cfg.threadInterface;
      accessInterface = cfg.infrastructureInterface;
      forwardIngressChain = "OTBR_FORWARD_INGRESS";

    in
    lib.mkIf cfg.enable {
      networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ 8081 ];
      systemd.services.otbr = {
        serviceConfig = {
          # The agent needs to create interfaces and open raw sockets; the bounding set
          # ensures it cannot acquire anything beyond these two capabilities.
          AmbientCapabilities = [
            "CAP_NET_ADMIN"
            "CAP_NET_RAW"
          ];
          CapabilityBoundingSet = [
            "CAP_NET_ADMIN"
            "CAP_NET_RAW"
          ];
        };
        script =
          let
            radioURI = "${cfg.radioProtocol}${cfg.radioDevice}";
          in
          "${otbr}/bin/otbr-agent --verbose -d ${builtins.toString cfg.logLevel} -I ${threadInterface} -B ${accessInterface} ${radioURI} trel://${accessInterface}";
        path = [
          otbr
          pkgs.ipset
          pkgs.iptables
        ];
        # Tear down the ingress chain and the ipsets it references; ExecStopPost also runs
        # after a crash, so a restart starts from a clean table.
        postStop = ''
          ipset_destroy_if_exist()
          {
              if ipset list "$1" >/dev/null 2>&1; then
                  ipset destroy "$1"
              fi
          }
          while ip6tables -C FORWARD -o ${threadInterface} -j ${forwardIngressChain}; do
              ip6tables -D FORWARD -o ${threadInterface} -j ${forwardIngressChain}
          done

          if ip6tables -L ${forwardIngressChain}; then
              ip6tables -w -F ${forwardIngressChain}
              ip6tables -w -X ${forwardIngressChain}
          fi

          ipset_destroy_if_exist otbr-ingress-deny-src
          ipset_destroy_if_exist otbr-ingress-deny-src-swap
          ipset_destroy_if_exist otbr-ingress-allow-dst
          ipset_destroy_if_exist otbr-ingress-allow-dst-swap
        '';
        # Ingress filter for traffic forwarded onto the Thread interface:
        # drop unicast that came in from the Thread side, drop denied sources, accept
        # explicitly allowed destinations, drop all other unicast, accept the rest (multicast).
        preStart = ''
          ipset create -exist otbr-ingress-deny-src hash:net family inet6
          ipset create -exist otbr-ingress-deny-src-swap hash:net family inet6
          ipset create -exist otbr-ingress-allow-dst hash:net family inet6
          ipset create -exist otbr-ingress-allow-dst-swap hash:net family inet6

          ip6tables -N ${forwardIngressChain}
          ip6tables -I FORWARD 1 -o ${threadInterface} -j ${forwardIngressChain}

          ip6tables -A ${forwardIngressChain} -m pkttype --pkt-type unicast -i ${threadInterface} -j DROP
          ip6tables -A ${forwardIngressChain} -m set --match-set otbr-ingress-deny-src src -j DROP
          ip6tables -A ${forwardIngressChain} -m set --match-set otbr-ingress-allow-dst dst -j ACCEPT
          ip6tables -A ${forwardIngressChain} -m pkttype --pkt-type unicast -j DROP
          ip6tables -A ${forwardIngressChain} -j ACCEPT
        '';
      };
    };
}

04:45:59
@xenos76:matrix.org xenos76 joined the room.  19:55:44
@ethan:roo.kee ethan joined the room.  22:51:10
3 Dec 2024
@spacekitteh:matrix.org spacekitteh: Ooh actually I need to add some assertions to it to check that avahi is enabled and configured correctly  02:21:01
@hexa:lossy.network hexa: the default nixos firewall uses nftables  02:22:11
@hexa:lossy.network hexa: and boy that is a lot of vendor specific lingo  02:22:29
@hexa:lossy.network hexa: * and I don't really understand otbr, so it's hard for me to comment on the rest  02:23:07
@hexa:lossy.network hexa

to unclutter it a bit you could

let
  inherit (lib)
    mkEnableOption
    mkOption
    mkPackageOption
    types
    ;
in
02:23:48
@hexa:lossy.network hexa: you can also put the config let scope outside the module  02:24:27
@hexa:lossy.network hexa: having two let blocks doesn't really have a positive benefit  02:24:37
@hexa:lossy.network hexa: it just creates another scope, which has a cost  02:24:49
@spacekitteh:matrix.org spacekitteh
In reply to @hexa:lossy.network
the default nixos firewall uses nftables
Unfortunately, otbr uses iptables and ipset :(
05:04:39
@spacekitteh:matrix.org spacekitteh
In reply to @hexa:lossy.network
it just creates another scope, which has a cost
Right, I forget it's an interpreted language lol
05:05:14
4 Dec 2024
@mckr:matrix.org mckr joined the room.  05:21:37
@nmrshll:matrix.org nmrshll joined the room.  15:01:00
@hexa:lossy.network hexa: hm great  19:37:19
@hexa:lossy.network hexa: aiohttp is on 3.10.10 on master  19:37:37
@hexa:lossy.network hexa: from october 10th  19:38:18
@hexa:lossy.network hexa: the latest version is 3.11.9 now  19:38:28
@hexa:lossy.network hexa: and home-assistant and a few dependencies want it  19:39:04
@netpleb:matrix.org netpleb

trying to get my zigbee dongle to work with HA...I added

  services.zigbee2mqtt = {
    enable = true;
    settings = {
      homeassistant = config.services.home-assistant.enable;
      permit_join = true;
      serial = {
        port = "/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_06cdf5f0f71bef11930299d94909ffd0-if00-port0";
      };
    };
  };

but I am confused as to whether I also need to add "zha" to services.home-assistant.extraComponents

19:55:35
@crtified:crtified.me CRTified
In reply to @netpleb:matrix.org
That's not needed. zha is an alternative for interfacing zigbee
20:00:54
@crtified:crtified.me CRTified: zigbee2mqtt however requires an additional mqtt broker like mosquitto  20:01:12
@netpleb:matrix.org netpleb
In reply to @crtified:crtified.me
zigbee2mqtt however requires an additional mqtt broker like mosquitto
thanks for your help. I am also now starting to understand that. In my case I already have mosquitto installed and working (used by my HA zwave integration). So do I need to just somehow tell mosquitto about zigbee2mqtt?
20:02:14
@crtified:crtified.me CRTified
In reply to @netpleb:matrix.org
thanks for your help. I am also now starting to understand that. In my case I already have mosquitto installed and working (used by my HA zwave integration). So do I need to just somehow tell mosquitto about zigbee2mqtt?
You rather need to tell zigbee2mqtt about mosquitto. mosquitto is the message broker, and both HA and z2m connect to the broker as clients, listening and sending messages over it
20:03:07
@crtified:crtified.me CRTified: So on the HA side, you'll need the MQTT component in place  20:03:22
@crtified:crtified.me CRTified: and for both, you need some type of credentials  20:03:34
@crtified:crtified.me CRTified: * and for both, you need some type of credentials to connect to mosquitto  20:03:40
@netpleb:matrix.org netpleb
In reply to @crtified:crtified.me
So on the HA side, you'll need the MQTT component in place
Ok, I am starting to finally understand. I do have the MQTT component in place on the HA side. I've (currently) disabled auth with mosquitto just while I try to get things working
20:04:29