commit 0b4d2c664ed5db78f1cfa5b6ca5bab4be7b2f810
parent e96e036c4d3eaf9c4bd4081572ac2aca5a5e1620
Author: Katja (ctucx) <git@ctu.cx>
Date: Sun, 9 Mar 2025 13:28:21 +0100
parent e96e036c4d3eaf9c4bd4081572ac2aca5a5e1620
Author: Katja (ctucx) <git@ctu.cx>
Date: Sun, 9 Mar 2025 13:28:21 +0100
configurations/nixos/configure/smarthome/zigbee2mqtt: use client-cert auth
3 files changed, 7 insertions(+), 27 deletions(-)
diff --git a/configurations/nixos/configure/smarthome/zigbee2mqtt.nix b/configurations/nixos/configure/smarthome/zigbee2mqtt.nix
@@ -4,15 +4,9 @@
 dns.zones."ctu.cx".subdomains."zigbee2mqtt.home".AAAA = [ config.networking.primaryIP ];
- age.secrets = {
- "zigbee2mqtt-htpasswd" = {
- file = ./. + "/../../../../secrets/${config.networking.hostName}/zigbee2mqtt/htpasswd.age";
- owner = "nginx";
- };
- "zigbee2mqtt-secrets.yaml" = {
- file = ./. + "/../../../../secrets/${config.networking.hostName}/zigbee2mqtt/secrets.age";
- owner = "zigbee2mqtt";
- };
+ age.secrets."zigbee2mqtt-secrets.yaml" = {
+ file = ./. + "/../../../../secrets/${config.networking.hostName}/zigbee2mqtt/secrets.age";
+ owner = "zigbee2mqtt";
 };
 systemd.services.zigbee2mqtt = {
@@ -38,13 +32,13 @@
 useACMEHost = "${config.networking.fqdn}";
 forceSSL = true;
 kTLS = true;
+ extraConfig = ''
+ ssl_client_certificate ${../../../../secrets/certs/root_ca.crt};
+ ssl_verify_client on;
+ '';
 locations."/" = {
 proxyPass = "http://[::1]:${toString config.services.zigbee2mqtt.settings.frontend.port}";
 proxyWebsockets = true;
- extraConfig = ''
- auth_basic Auth;
- auth_basic_user_file ${config.age.secrets.zigbee2mqtt-htpasswd.path};
- '';
 };
 };
 };
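Review bot: The new `ssl_verify_client on;` block in the second hunk has no revocation path: every client certificate issued under root_ca.crt stays accepted until it expires, so a lost or compromised device certificate can only be locked out by rotating the root CA and reissuing all client certs. Consider adding `ssl_crl ${<path-to-crl.pem>};` next to `ssl_client_certificate`, or at least a comment stating that revocation is handled by CA rotation. Nginx's default `ssl_verify_depth` of 1 only accepts certificates signed directly by the configured CA, so if client certs are ever issued from an intermediate this will start rejecting them; a one-line comment such as `# client certs must be signed directly by root_ca.crt (ssl_verify_depth defaults to 1)` would make that explicit. The virtualHost attribute set this hunk edits begins and ends outside the hunk.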
diff --git a/secrets/briefkasten/zigbee2mqtt/htpasswd.age b/secrets/briefkasten/zigbee2mqtt/htpasswd.age @@ -1,13 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4YTVkTlNTYTk0aGo5RmFD -RUtJUnNGdW5CTlpNUXV6OHduS1FPYnViYnl3Cmg2MXBqN0ttYU0vR3kvR1RBdHhx -QkNqTG4zS0N3MXFHNzBlRnBEOUxoOEEKLT4gc3NoLWVkMjU1MTkgNGhLQ013IFhR -TC9jUTJOWjdTVUs1WXlDT3Boc0prT2xYM1RXVUhKZ0JBSHJTcURIakUKakhSV0h4 -c2V1a092d1VWeWtkb1dubHNCbFpMdlpqMlVLaXM1aVIwY2R5MAotPiArTl1XLC1n -cmVhc2UgT0knIHBSalNXIFEgSFBCJnYKeUZaa0dudkI4R0o4OXMrZDhjaCsyQ2dM -TjRLN1FObGd2TGlxQjNmRGNjUTRGalhlbk9ieXo1dWpPd2ZpMTFsNQoySUx4RVJu -NDl5aUdBTThGaERZUXBaOWNqRXpqTVRJSlZkL0hTWVcvbWlYU2VFSnAKLS0tIHg3 -WisrQ01KV01wNjJrT2VWSXFmYVNKcUEzcFI1ZEMwaGxjelkyNHMrOUEKucFYEJvB -44wbdpOq5qEXGg1TTABI0WTf5tRmuAnsrc13YiqONQj/5iAY5nOzDPfYhQ/AYJ8p -7SGQvJc/QfA5v+ezC/o8 ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -55,7 +55,6 @@ let
 "telegraf/secrets.env.age"
 "zigbee2mqtt/secrets.age"
- "zigbee2mqtt/htpasswd.age"
 "syncthing/key.age"
 "syncthing/cert.age"