From 9fc91817fd1faa7ff9b6ba52278e9cc87cb78040 Mon Sep 17 00:00:00 2001
From: blake <me@blakedheld.xyz>
Date: Sat, 11 Oct 2025 05:02:10 -0500
Subject: [PATCH] 273 current  2025-10-11 04:43:13  25.05.20251006.20c4598 
 6.12.50                          *

---
 flake.nix                                              |  2 +-
 .../homelab/services/smarthome/mosquitto/default.nix   | 10 +++++++---
 .../homelab/services/smarthome/zigbee2mqtt/default.nix |  2 ++
 secrets/secrets.yaml                                   |  7 +++++--
 4 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/flake.nix b/flake.nix
index 9380b15..b06c2ad 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 272 current  2025-10-11 04:36:05  25.05.20251006.20c4598  6.12.50                          *
+# generation: 273 current  2025-10-11 04:43:13  25.05.20251006.20c4598  6.12.50                          *
 {
   description = "blakes nix config";
   inputs = {
diff --git a/modules/homelab/services/smarthome/mosquitto/default.nix b/modules/homelab/services/smarthome/mosquitto/default.nix
index f4a4b4c..e9c6c79 100644
--- a/modules/homelab/services/smarthome/mosquitto/default.nix
+++ b/modules/homelab/services/smarthome/mosquitto/default.nix
@@ -60,9 +60,13 @@ in
       {
         port = 1883;
         address = "0.0.0.0";
-        settings.allow_anonymous = true;
-        acl = [ "pattern readwrite #" ];
-        omitPasswordAuth = true;
+        users.zigbee = {
+          acl = [ "readwrite #" ];
+          hashedPassword = "$7$101$140powz2MtsRawFT$ydndjal9wCAywIWtUEAh/IusdfDFvnHMupTFjdS7Ad/EjsEIbJgHrLY9waCe4Z3142XieuxMrXUDjMTp2qwyiw==";
+        };
+        #settings.allow_anonymous = true;
+        #acl = [ "pattern readwrite #" ];
+        #omitPasswordAuth = true;
       }
     ];
     # override umask to make permissions work out
diff --git a/modules/homelab/services/smarthome/zigbee2mqtt/default.nix b/modules/homelab/services/smarthome/zigbee2mqtt/default.nix
index 4c7e260..b48b5ba 100644
--- a/modules/homelab/services/smarthome/zigbee2mqtt/default.nix
+++ b/modules/homelab/services/smarthome/zigbee2mqtt/default.nix
@@ -63,6 +63,8 @@ in
             base_topic = "zigbee2mqtt";
             client_id = "zigbee2mqtt";
             server = "mqtt://localhost:1883";
+            user = "!/run/secrets/mosquitto_passwd passwd";
+            password = "!/run/secrets/mosquitto_passwd passwd";
             keepalive = 20;
           };
           serial = {
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 410b062..da08265 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -25,6 +25,9 @@ mosquitto_password_file: ENC[AES256_GCM,data:7ifs2hGnFQSgJOAKpN0usfiaqLjj7Rjb7zn
 #ENC[AES256_GCM,data:HJ81OxRD2xtNZKv+8oDqiT8mYpv45JMvjxU5pdmEKzl64SK3lQ==,iv:wStoC6XaZlvRPfbqti2CUbPrOOTt4KktaUp2ecVrggU=,tag:isOwKfNdQZAM+E8YQXBSFA==,type:comment]
 velocity_forwarding: ENC[AES256_GCM,data:MUNhW3q0/klK51k3,iv:dGT5N+IrZfBxMIwa0mUrIKF2HJvx/uZ5o/ps6bgDNOE=,tag:KNY2LKwmmnCdWqRnxSKctw==,type:str]
 minecraft_recpro_db_passwd: ENC[AES256_GCM,data:dPAkdEX0hBigo/lND2r3ShxnS4Jc5wTI2ShcKnvjig==,iv:WjPugYspUvhy6TAh5UF3etvxTZjAPe3bkgFxIkh6FDw=,tag:h9LGoxp2x8PHxcP8fEkSlA==,type:str]
+#ENC[AES256_GCM,data:+I4CVvVah0eHpnVAgLP6,iv:99HpIT/PKboD3vLF/06kAIKuRWJhfCOEVULfD0pO5A8=,tag:cESJHgpK1ocZCNE07YCJ9w==,type:comment]
+mosquitto_hoashed_passwd: ENC[AES256_GCM,data:toqBQ5EP4qTtKtv/O4IRlYqgRwdsaxD+HhPgCp0v8gvWM+ZTp2xMyV3/kqn3Zbvajw70BgaTVuhhyoXJCE2kmsR3GmdZ3cU1HTtIlELTcqoUShaHmUT600yCGwXQVc7ch3k55JFMVr3gjz9Ju0WDbQ==,iv:RcFFQVlICkbrvsIFR+1u1d32aayKV04kM4Ysr+91NTg=,tag:tuwh+vrmsvVFgCbY0STlrA==,type:str]
+mosquitto_passwd: ENC[AES256_GCM,data:FUdcjFRc6C8t7mzrsOVFCFvOagRHjc1sLusRxrvlKB6OdTDU2QCtj+MMLWznwUUuqalpOWFtOApgqjsy/3kbSgpXWgTYvkGSUpZjG67ArJWZXbYqsbcMYA==,iv:lJamk7yVX7cicRfFh9F7X/jc3bCVa5Z2e3KmRTc/VWI=,tag:NsABcMS0F+y54xIaDuX8+w==,type:str]
 sops:
     age:
         - recipient: age14gfh682a7m7jfp3qrulql03x5rs7yedwmxwksxrrmgjsunstyuksqx93pz
@@ -36,7 +39,7 @@ sops:
             U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg
             PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-10T08:43:27Z"
-    mac: ENC[AES256_GCM,data:3mH0+EY8MFLe78x38CFyWY7CzgkRftAAy25y6lWcqeY8U6XT9CCenaL6vsbZO5j1ypXMtYMlJOO2VFgM5SmbdEKY1rzZldNOoyeMpfV/hHRI6Gm1dD9IyXFFISb12MhO3kt/stWRs84ufGkKe/BpjcurnFlbCAy064cQd9Knu1Y=,iv:KZOlNj/WkbhwgY/OvuY+emTtYftaFZWi+CFIZwFfXiw=,tag:adndDqlpqiVx6VYqKLVETQ==,type:str]
+    lastmodified: "2025-10-11T10:01:15Z"
+    mac: ENC[AES256_GCM,data:iDK3n4bPsvVneMV5kwwZcGwvVKpTVkYUdGjrYewqUKUB7PUCQnUfdRteFLLlzuCMSjwIcsg5KugdIGjrOMvPTSxrbKSc4EJ2dJpQeObd/NUA1vhecKf/0zK6QOhhfmM4IMiY7vGuzBWNELoVRHjnhUOHYY8nqsccmtoeaC8S7v4=,iv:N9PfshlrrDp0LZzaPwo8PPggnCh2EL4uIEYiJvStaUc=,tag:Xl6T6hbmiqR8vjqF7jZLMA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0