Add valetudo to home-assistant

hosts/iron/ports.nix

@@ -9,6 +9,7 @@ custom-utils.validatePortAttrset {
   matrix-synapse.tcp = 8008;
   mautrix-signal.tcp = 29319;
   mautrix-whatsapp.tcp = 29318;
+  mqtt.tcp = 1883;
   navidrome.tcp = 4533;
   nginx-http.tcp = 80;
   nginx-https.tcp = 443;

hosts/iron/secrets.yaml

@@ -11,6 +11,9 @@ synapse-turn-shared-secret: ENC[AES256_GCM,data:Q1XRds3Zud1kYkvD6s9WUzP+kNDNsxB5
 rmfakecloud: ENC[AES256_GCM,data:ktKBKb6cRv1VF8tRvXIpxIy9hPinVPKK05mgvYzz18PEdcrCLpldm5xf7ffHtY5XzDOAMXDCiz6x4xyv7071frrF0spOEPnIzVhxwG8H2Ck=,iv:qJdHjv0RziAs4G9UGeRwGQ4GE5kaObJWpIYWpRKhr9c=,tag:PXgvU1hZK/gvWGyFJaHekg==,type:str]
 esphome: ENC[AES256_GCM,data:QyPrVPhqvaCfx7oRmJ14EFpEIpQRwlLwTABK9qTP/wYcoflFsorNAmIoTiX/4KziQl050ByztnjIhrsxFx2dN6dv+RiLVWP+k0G63rfeS5gxe8QSgzsEtWWaUk3DE87i20DUusj1/B6yUsMApMohjaufuVzReL2MtVSVgtDUS6nVqGnRubrdujAxyRWvjQtamWBa1fjz39U876F10KMUYB+iGtObfNJGH18lAQ1arKEUQQSl8u1vNJuZiKqFhzxcu/IF6AhJgcKmCi2nrcEgbrv4ZwOcJ7+VG29qY7C4LCeAU4wOWJmtnCSf9osSwzR5hFco46L3Y8k0XXEOiEAJl+8ZLNKqQJpShh9wioMrj9XNpX/PvGCpBLTHsXTCGktDdbK/RLEGZnnL0s6If7Qs0XTwWZEe0q4IsltfdWJdZQWbvlY58ooUkK55wml/SlpuHgSdY6pOp/bOnBwvIrh/962DWtSXDxNnvps4Qy0eRUtpS2G6+rLIXXkq7KlSUg/A5XRNWbLGX5u7pJuvJ5xlldFW+tb1rqyrKXGIGra3Y6Ib4Z17znmajMSIeQItChj8UsOqlcHaCI5s8kDFjafJfpTTtAm0mj2cBFYmWHC/WR1YAtd2mrffr258CShtO+eeAqhSSTopIL637udKaY1Vto1dVReTmK24ANopQOaxnTtFjBdQaeluP4PAWrAGADBio1iwjsWIQlr0vnMjSBd0JcnW0Q3i+/5zhQfaEzZ6FQXOs05+l7ryLrGgBbyM2FRLTuAWBsv5yv3lz8FiSGVNaLMW5rofZpFvX0oa7P9HyU/RIpUzx307VBsIJlzrW2NgWvc9iLHLHWJDa7xcemGTvZDp/0BujYHeYYfVViPtVcCicLvDLikgtJRlkdPmyRoMSx0o3taoPsYoVZielo5EZpLiaLwuCNnCk2fRxAgPUa4+zGhZc2Z/BrOvK7sxcyIXEYRrZ8Ti2iNQJthNNb1CzSUXpdpSZtFi1jjiC45V0dlg/lSqrkRjyA9DpGbegt3WpO/6X+uc9vSAgR4f/0xNngTKzCfFV+fyUJXffpje9fQhQnecsTDjjc3aLiESqc3mx8MP6gHI9fS8z8PU72t+4tJxe8hjo7VWlInOVKV9zp9Tn+P4Ez1MebPJRlrwHGSVFsPhKct+CgzE+Q0B3vvcWyQfdJHeFCPWsTWmcCUoJf61fQO/3JwZI8YE3HET+NsRoxVHTl099LzWWCbrfT4uN3+O3VQbceLM+KxKCLVGNEHKlF8NHCIk4KCWhKNwhXvuMjf4GgtYbENFn1QbmiQFpYfIl8FA8PZVk7x+dzuROL4NpIKaBfrg34LQnxFpc2YCBnEsmsJVPybR5ZHC8eDL7JdVSg+FhvOxzBkvCeQjG8746/t0HJYPucisFCmP1isGpcn8Eku+BT/2XocHsUwpyo+RQoruWKwkLtnCHeaGSszqWzugSGXU4b4T2HB2yU9ORpt6uP+wbtc49GeMHrUGiO+w6BQm3TzPEZ0XMh4+8iayGhbd8T213C72sHpo5eCbv7C2zE/3dxHr2/+xtfstQFRuMPhq/r/4aqkeGKTwWEBcOwD1knlnbXo5OZsdvX9SeqF+mno/uDxZW00QqaWiQz89SWLGHtC4gjbE2wU2IpiGZMTOtNieOrjjCfdX3ZkrhA==,iv:Qn0nDrXRCOJaTJJBK6/PEGbhS1pbB0dTZYakgha5wJQ=,tag:8GeYWlsxgAGfFL61V5CwXg==,type:str]
 home-assistant: ENC[AES256_GCM,data:wcFMxDdRCHf/shO9v2WaGgrsa9J2WP62xFs=,iv:9ckeIO62cFZUo8fPyQj445CrJVTooNlwLapM/oTsrkk=,tag:mlfxtXDPsB3T79P9BX9oJQ==,type:str]
+mqtt-users:
+    home-assistant: ENC[AES256_GCM,data:oIjCw7ZnA5iOBmQdW1jcy3QQnpjT32pY,iv:5HFRkXJBdMXQbjk2ubQs3sEy5qEteiqSe2hrNc8+H40=,tag:7B6yI4oCHanE0JE/gHaKnQ==,type:str]
+    valetudo: ENC[AES256_GCM,data:+HRz6X+A5dhmx43G99ka0u9VozuzOFWR,iv:SPw5yoiBqN7sBH5EofevacTtu45jmuTPqToKrar0aJ0=,tag:lf+usB/eNNP1yuWW/QyTqQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -26,8 +29,8 @@ sops:
             SU1USkxFUUY2NVhmUHBhZkdrNDR1Q0kKiXIicInELRjDR3tuyA+lnXeCcd9lYvbV
             GnBRGPM7BNO/6AA7HhAei48Kt+XE6+jQX66yTXyviKhK7Lpjrlb2YQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-14T23:31:19Z"
-    mac: ENC[AES256_GCM,data:0M0g9zxaeHDJS82HB+bUpK1txwf8Eojgg39NAl3phEsyGUalCLr8m/4JfAM58EUFfrmD89CJ5diIl8DGAaF4VSWDDOWDZ7q5Mlz2XDzIS9hM5HWOpSL2ZdhcUm+hu1YYwPrluCP27dEW0OMNxXorRPIVmougSYq0M2sw+xJ5hXE=,iv:9w6ojfH3Nnmg1DRvUjs5cZdcYz2f1uXNFw4FtPY8LtY=,tag:/LeqlUl0pOmwvobO/Cg0qw==,type:str]
+    lastmodified: "2024-11-19T22:31:29Z"
+    mac: ENC[AES256_GCM,data:VEeLfkMhm/JiB+R/mWVHzoX7vtQHT+b+G14kNk0ri8PtJ9WtvaDJFs8zX87gaH/XUorOhR6+2uNyafyoKQGBtKlWFjpaFufTHp2V3pSJ2GF1MLKBR9DvAE6Js/Odpp7u7Gm7AVDP3Q4N1wZ6uhL3Abzedd4/OcYlEvtd1Vod0i0=,iv:dnwOokPPpaNhkmP1S2pZiaAdt6F7unc3ZA0D0zrdhz0=,tag:VTMzfGMpmqO4stnjFVaDUQ==,type:str]
     pgp:
         - created_at: "2024-01-31T01:20:30Z"
           enc: |-

hosts/iron/services/home-assistant.nix

@@ -1,6 +1,7 @@
 args@{ lib, pkgs, config, custom-utils, ... }:
 let
   ports = import ../ports.nix args;
+  interfaces = import ../interfaces.nix;
 in
 {
   sops.secrets.home-assistant = {
@@ -9,6 +10,12 @@ in
     group = "hass";
     mode = "0640";
   };
+  sops.secrets."mqtt-users/home-assistant" = {
+    sopsFile = ../secrets.yaml;
+  };
+  sops.secrets."mqtt-users/valetudo" = {
+    sopsFile = ../secrets.yaml;
+  };
   services.home-assistant = {
     enable = true;
     lovelaceConfig = {
@@ -61,6 +68,9 @@ in
     customComponents = with pkgs.home-assistant-custom-components; [
       adaptive_lighting
     ];
+    customLovelaceModules = with pkgs.home-assistant-custom-lovelace-modules; [
+      valetudo-map-card
+    ];
     lovelaceConfigWritable = false;
     configWritable = false;
     config = {
@@ -150,9 +160,35 @@ in
           url = "https://cal.jalr.de/radicale";
         }
       ];
+      mqtt = { };
     };
   };
 
+  services.mosquitto = {
+    enable = true;
+    persistence = true;
+    listeners = [
+      {
+        port = ports.mqtt.tcp;
+        users = {
+          valetudo = {
+            passwordFile = config.sops.secrets."mqtt-users/valetudo".path;
+            acl = [
+              "readwrite homeassistant/+/donald/#"
+              "readwrite valetudo/donald/#"
+            ];
+          };
+          home-assistant = {
+            passwordFile = config.sops.secrets."mqtt-users/home-assistant".path;
+            acl = [ "readwrite #" ];
+          };
+        };
+      }
+    ];
+  };
+  networking.firewall.interfaces."${interfaces.lan}".allowedTCPPorts = [ ports.mqtt.tcp ];
+  networking.firewall.interfaces.iot.allowedTCPPorts = [ ports.mqtt.tcp ];
+
   systemd.services.home-assistant.serviceConfig.ExecStartPre = [
     (
       pkgs.writeShellScript "home-assistant-secrets" ''