infra
/
kubernetes
1
0
Fork 0
Code Pull Requests 4 Activity

home-assistant: Deploy Home Assistant 

This commit adds resources for deploying the Home Assistant ecosystem
inside Kubernetes.  Home Assistant itself, as well as Mosquitto, are
just normal Pods, managed by StatefulSets, that can run anywhere.
ZWaveJS2MQTT and Zigbee2MQTT, on the other hand, have to run on a
special node (a Raspberry Pi), where the respective controllers are
attached.

The Home Assistant UI is exposed externally via an Ingress resource.
The MQTT broker is also exposed externally, using the TCP proxy feature
of *ingress-nginx*.  Additionally, the Zigbee2MQTT and ZWaveJS2MQTT
control panels are exposed via Ingress resources, but these are
protected by Authelia.
Dustin 2023-07-24 17:48:38 -05:00
parent 2153097930
commit a7eac14d39
17 changed files with 1870 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
home-assistant/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
mosquitto.passwd

156
home-assistant/README.md Normal file
View File

@ -0,0 +1,156 @@
# Home Assistant
Originally, I tried to keep the Home Assistant ecosystem completely
self-contained. Every component ran on one Raspberry Pi. The thought
was that this would make it more resilient, so that network or infrastructure
problems would be less likely to affect smart home operations. Ultimately, it
turns out this actually made it noticeably *less* resilient, as the Raspberry
Pi became a single point of failure for the whole system.
When we moved to the new house, Home Assistant was unavailable for several
days, as I did not have a way to power and run the Raspberry Pi. Since none of
the smart home devices were installed yet, we initially did not think this was
an issue. We had forgotten to think about the shopping list and the chore
tracker, though, and how much we have come to rely on them.
Given how quickly and seamlessly the applications deployed in Kubernetes came
back online after the move, it suddenly made sense to move Home Assistant there
as well.
## Ecosystem
The Home Assistant ecosystem consists of these components:
* Home Assistant Core (API and Front-end)
* PostgreSQL (State history database)
* Mosquitto (MQTT server)
* Zigbee2MQTT (Zigbee integration)
* ZWaveJS2MQTT (ZWave integration)
Each of these components runs in a container in separate pods within the
*home-assistant* namespace.
![Component Diagram](hass-k8s.svg)
### Home Assistant Core
The core component of the Home Assistant ecosystem is the [Home Assistant]
server itself. Only a single instance of the server can run within a given
ecosystem, as Home Assistant is not cluster-aware. Home Assistant state is
stored on the filesystem, so the server runs in a pod managed by a StatefulSet
with a PersistentVolumeClaim.
The Home Assistant HTTP server, which hosts the UI, WebSocket, and REST API, is
exposed by a Service resource, which in turn is proxied by an Ingress resource.
[Home Assistant]: https://www.home-assistant.io/
### PostgreSQL
Although Home Assistant stores all of its internal state in JSON files on the
filesystem, it uses a relational SQL database for state history. This gives it
the ability to chart historical values for e.g. sensors, as well as provide the
Logbook view. By default, Home Assistant uses a SQLite database file, stored
on the filesystem alongside the other state files, but it also supports other
RDBMS engines, including PostgreSQL. Using PostgreSQL instead of SQLite has
a few advantages:
* More historical values can be retained without introducing performance issues
* Events can be recorded immediately instead of batched
* Backups and recovery are managed externally
PostgreSQL is _not_ managed in directly in this deployment; rather, the
Kustomization file patches the Home Assistant StatefulSet to provide
environment variables pointing at an externally-managed PostgreSQL database.
My Kubernetes cluster has a single PostgreSQL cluster, managed by the [postgres
operator], that hosts databases for several applications.
[postgres operator]: https://github.com/zalando/postgres-operator/
### Mosquitto
Most of my custom integrations, including remote control of the heads-up
displays, the chore list, and the Board Board™, are implemented using MQTT, as
is Frigate. Thus, the Home Assistant ecosystem needs an MQTT message broker.
[Mosquitto] is a lightweight but complete implementation, that works well with
Home Assistant. It is extremely configurable, supporting various
authentication, authorization, and access control mechanisms.
Home Assistant MQTT discovery relies heavily on retained MQTT messages, so
enabling persistence for Mosquitto is very important. Without it, retained
messages would be lost when the broker restarts, and all Home Assistant
entities configured via MQTT discovery would be lost.
Since Mosquitto is not clustered and persists data to the filesystem, it is
deployed as a StatefulSet with a PersistentVolumeClaim.
[Mosquitto]: https://mosquitto.org/
### Zigbee2MQTT
[Zigbee2MQTT] provides a bridge between a Zigbee network and Home Assistant via
MQTT. Zigbee devices communicate with the controller, which is attached to a
server via USB. Messages received from devices are published to the message
queue, and vice versa. Zigbee2MQTT stores its state on the filesystem, so the
StatefulSet needs a PersistentVolumeClaim.
Zigbee2MQTT also exposes a web UI for configuration and administration of the
Zigbee network. This UI is exposed by a Service and an Ingress, and protected
by [Authelia].
[Zigbee2MQTT]: https://zigbee2mqtt.io/
[Authelia]: https://authelia.com/
### ZWaveJS2MQTT
Similar to Zigbee2MQTT, [ZWaveJS2MQTT] provides a bridge between a Z-Wave
network and Home Assistant. While its name suggests it uses MQTT, this can
actually be bypassed and Home Assistant can communicate directly with the
ZWaveJS2MQTT server via a WebSocket connection.
ZWaveJS2MQTT has a web UI, which is exposed by a Service and an Ingress,
protected by Authelia. It stores state on the filesystem, and thus requires a
StatefulSet with a PersistentVolume Claim.
[ZWaveJS2MQTT]: https://github.com/zwave-js/zwavejs2mqtt/
## Raspberry Pi Node
While Home Assistant Core and Mosquitto can run on any node in the Kubernetes
cluster, Zigbee2MQTT and ZWaveJS2MQTT obviously have to run on the node where
their respective devices are attached. Originally, I had intended to run them
as containers on a Raspberry Pi, managed by Podman. While I was setting this
up, though, it occurred to me that that was not even necessary; Kubernetes has
all the necessary functionality to run containers on a specific node and enable
them to communicate with local hardware.
To that end, I have added a Raspberry Pi running [Fedora CoreOS] to the k8s
cluster and attached the Zigbee and Z-Wave radios to it. This node has two
special labels: `node-role.kubernetes.io/zigbee-ctrl` and
`node-role.kubernetes.io/zwave-ctrl`, indicating that it has the Zigbee and
Z-Wave controllers, respectively, attached to it. The Zigbee2MQTT and
ZWaveJS2MQTT pods have node selectors that match these labels, ensuring that
they are only scheduled on the correct node.
Since my Kubernetes cluster uses Longhorn for storage management, which exposes
volumes to pods via iSCSI, no state is actually stored on the Raspberry Pi.
To prevent pods besides Zigbee2MQTT and ZWaveJS2MQTT from being scheduled on
the Raspberry Pi, it has a `du5t1n.me/machine=raspberrypi:NoExecute` [taint].
The Zigbee2MQTT and ZWaveJS2MQTT pods, as well as critical services that are
deployed on every node in the cluster via DaemonSet resources, such as [Calico]
and [Longhorn], are configured with a toleration for this taint. All other
pods, which do not have such a toleration, will never be scheduled on this
node.
[Fedora CoreOS]: https://www.fedoraproject.org/coreos/
[taint]: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
[Calico]: https://www.tigera.io/project-calico/
[Longhorn]: https://longhorn.io

55
home-assistant/hass-k8s.plantuml Normal file
View File

@ -0,0 +1,55 @@
@startuml
person User
collections "Sensors and\nDevices" as sensors
cloud Kubernetes {
component Ingress as ingress {
port HTTPS as ingress_http
port MQTT as ingress_mqtt
}
node "Main Node Cluster" {
[Home Assistant] as hass
queue Mosquitto as mqtt
database PostgreSQL as postgres
}
node "Raspberry Pi Node" as pi {
[ZWaveJS2MQTT] as zwavejs
[Zigbee2MQTT] as z2m
rectangle "Zigbee Controller" as usb_zigbee
rectangle "ZWave Controller" as usb_zwave
z2m-[#red]-> usb_zigbee
zwavejs -[#red]-> usb_zwave
}
User --[#blue]-> ingress_http
sensors --[#purple]-> ingress_mqtt
sensors <-[#lightblue]--- hass
ingress --[#blue]-> hass
ingress ---[#blue]-> zwavejs
ingress ---[#blue]-> z2m
ingress --[#purple]-> mqtt
hass -[#teal]-> postgres
hass -[#orange]-> zwavejs
hass -[#purple]> mqtt
z2m -[#purple]-> mqtt
}
legend right
Legend
|<color:blue><&arrow-right></color> | HTTP |
|<color:purple><&arrow-right></color> | MQTT |
|<color:orange><&arrow-right></color> | WebSocket |
|<color:teal><&arrow-right></color> | PostgreSQL |
|<color:red><&arrow-right></color> | USB |
|<color:lightblue><&arrow-right></color> | ESPHome, etc. |
end legend
@enduml

91
home-assistant/hass-k8s.svg Normal file
View File

@ -0,0 +1,91 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" contentStyleType="text/css" height="904px" preserveAspectRatio="none" style="width:806px;height:904px;background:#FFFFFF;" version="1.1" viewBox="0 0 806 904" width="806px" zoomAndPan="magnify"><defs/><g><!--MD5=[30afa6242ed7a9da9c35c8eba5ba651d]
cluster Kubernetes--><g id="cluster_Kubernetes"><path d="M57.2464,148.1425 C72.8123,128.8286 92.214,128.189 104.1087,152.1208 C115.7855,125.9835 142.1581,124.0586 157.8015,147.8557 C174.7207,126.4009 190.4163,119.4539 208.8861,146.2129 C220.4319,124.7817 239.8038,123.3179 252.18,145.3865 C265.4054,116.8808 289.5264,121.9115 303.9488,144.1658 C316.042,121.3276 334.8681,116.5609 352.2244,138.4902 C371.1235,111.7039 392.4528,111.3115 407.4913,142.1903 C420.044,120.2913 443.4672,114.165 457.8072,140.3187 C475.5697,123.8482 490.7774,125.5852 502.6847,147.2153 C515.9414,119.7659 535.6072,120.5546 551.3573,144.8709 C568.6659,115.679 585.6118,116.5042 603.991,143.8748 C622.3743,123.9819 638.1705,121.9282 651.2182,149.2157 C668.9889,127.8663 690.3538,124.3244 703.8279,153.6742 C721.8845,128.2877 739.4773,127.8107 758.1615,153 C760.0939,150.3048 762.8554,150.9003 763.9312,153.8722 C795.2957,169.872 793.7945,199.6149 762.9268,214.5852 C783.9446,231.9871 786.6811,250.7977 762.0782,267.4676 C785.2304,280.2895 788.4834,303.7953 766.3992,320.3157 C796.7514,338.2627 799.0321,359.3501 768.0422,379.0141 C790.7218,397.2949 797.683,414.2817 768.8201,433.301 C793.1584,449.9711 788.9279,476.6614 762.3823,487.2607 C785.2615,500.8452 786.708,522.4744 765.7714,538.9327 C789.6793,556.8885 785.0589,581.9199 760.3164,595.1555 C785.0846,612.1021 786.9606,631.045 759.6634,647.3401 C788.6784,670.296 784.2483,691.2011 751.1615,705 C753.9105,703.3567 756.1792,704.5693 755.8395,707.9031 C743.9935,728.3559 722.1519,734.9088 707.1417,711.409 C692.7617,732.9379 675.0014,731.0549 660.1188,711.9912 C641.6745,730.9877 623.0641,735.4859 609.2687,707.0115 C592.7529,735.5083 572.2415,734.797 554.0718,708.6831 C540.9951,733.4752 524.5135,735.8995 507.5171,712.4671 C493.8927,733.4646 473.514,735.0527 458.7675,713.7606 C442.071,736.9118 422.5399,737.7854 406.0193,713.5648 C391.6064,737.1455 374.3008,734.3677 359.0107,714.5142 C341.5876,738.6061 317.2427,736.8273 303.8695,710.1183 C292.1007,729.1648 270.8352,734.5268 257.7185,711.6005 C240.2799,735.3634 215.9742,735.6205 200.6439,709.2026 C186.8379,729.7348 164.7386,733.5557 152.7342,707.3555 C137.7461,731.2365 115.5488,735.2576 100.3711,707.5479 C78.5434,733.8745 55.2045,730.3017 43.1615,698 C46.1117,695.1937 47.9891,696.1241 49.7114,699.3364 C21.8893,684.4856 21.8099,665.8628 44.2392,645.8691 C19.3074,629.8246 20.8732,613.8603 44.3479,597.9256 C12.5741,581.7396 11.1125,564.5247 38.7887,542.3879 C14.4088,525.3824 11.611,498.4657 42.0357,484.5361 C17.8014,474.6108 14.5005,451.4402 32.8469,433.8027 C6,410.069 12.1165,390.9244 41.619,375.6978 C12.902,361.9919 12.2401,343.0865 36.137,323.8207 C13.1544,303.9336 9.9996,273.8305 44.8475,262.1057 C17.4969,249.3735 18.0006,229.7354 41.4737,213.4772 C9.8735,187.859 12.1311,162.6532 50.1615,146 C52.9857,143.1926 56.3201,144.6737 57.2464,148.1425 " fill="none" style="stroke:#181818;stroke-width:1.0;"/><text fill="#000000" font-family="sans-serif" font-size="14" font-weight="bold" lengthAdjust="spacing" textLength="93" x="354.1615" y="163.9951">Kubernetes</text></g><!--MD5=[e096f79fa97ccfd89068ba218504e485]
cluster ingress--><g id="cluster_ingress"><rect fill="none" height="121" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:1.0;" width="125" x="288.1615" y="207"/><rect fill="none" height="10" style="stroke:#181818;stroke-width:1.0;" width="15" x="393.1615" y="212"/><rect fill="none" height="2" style="stroke:#181818;stroke-width:1.0;" width="4" x="391.1615" y="214"/><rect fill="none" height="2" style="stroke:#181818;stroke-width:1.0;" width="4" x="391.1615" y="218"/><text fill="#000000" font-family="sans-serif" font-size="14" font-weight="bold" lengthAdjust="spacing" textLength="59" x="321.1615" y="232.9951">Ingress</text></g><!--MD5=[9132304c441034c2c431848372ce2d71]
cluster Main Node Cluster--><g id="cluster_Main Node Cluster"><polygon fill="none" points="59.1615,395,69.1615,385,363.1615,385,363.1615,582.5,353.1615,592.5,59.1615,592.5,59.1615,395" style="stroke:#181818;stroke-width:1.0;"/><line style="stroke:#181818;stroke-width:1.0;" x1="353.1615" x2="363.1615" y1="395" y2="385"/><line style="stroke:#181818;stroke-width:1.0;" x1="59.1615" x2="353.1615" y1="395" y2="395"/><line style="stroke:#181818;stroke-width:1.0;" x1="353.1615" x2="353.1615" y1="395" y2="592.5"/><text fill="#000000" font-family="sans-serif" font-size="14" font-weight="bold" lengthAdjust="spacing" textLength="144" x="135.1615" y="410.9951">Main Node Cluster</text></g><!--MD5=[b6b7207982b68db46f560888ead706d9]
cluster pi--><g id="cluster_pi"><polygon fill="none" points="387.1615,501,397.1615,491,742.1615,491,742.1615,679,732.1615,689,387.1615,689,387.1615,501" style="stroke:#181818;stroke-width:1.0;"/><line style="stroke:#181818;stroke-width:1.0;" x1="732.1615" x2="742.1615" y1="501" y2="491"/><line style="stroke:#181818;stroke-width:1.0;" x1="387.1615" x2="732.1615" y1="501" y2="501"/><line style="stroke:#181818;stroke-width:1.0;" x1="732.1615" x2="732.1615" y1="501" y2="689"/><text fill="#000000" font-family="sans-serif" font-size="14" font-weight="bold" lengthAdjust="spacing" textLength="146" x="487.6615" y="516.9951">Raspberry Pi Node</text></g><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="46" x="283.1615" y="185.6982">HTTPS</text><rect fill="#F1F1F1" height="12" style="stroke:#181818;stroke-width:1.5;" width="12" x="300.1615" y="201"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="41" x="374.6615" y="185.6982">MQTT</text><rect fill="#F1F1F1" height="12" style="stroke:#181818;stroke-width:1.5;" width="12" x="389.1615" y="201"/><!--MD5=[6f6ee88b903e9122fbf4126c002fb2d0]
entity hass--><g id="elem_hass"><rect fill="#F1F1F1" height="46.2969" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="148" x="75.1615" y="425"/><rect fill="#F1F1F1" height="10" style="stroke:#181818;stroke-width:0.5;" width="15" x="203.1615" y="430"/><rect fill="#F1F1F1" height="2" style="stroke:#181818;stroke-width:0.5;" width="4" x="201.1615" y="432"/><rect fill="#F1F1F1" height="2" style="stroke:#181818;stroke-width:0.5;" width="4" x="201.1615" y="436"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="108" x="90.1615" y="457.9951">Home Assistant</text></g><!--MD5=[e6d32054fcb97c68952b5c4281bf48c7]
entity mqtt--><g id="elem_mqtt"><path d="M263.6615,435 L342.6615,435 C347.6615,435 347.6615,448.1484 347.6615,448.1484 C347.6615,448.1484 347.6615,461.2969 342.6615,461.2969 L263.6615,461.2969 C258.6615,461.2969 258.6615,448.1484 258.6615,448.1484 C258.6615,448.1484 258.6615,435 263.6615,435 " fill="#F1F1F1" style="stroke:#181818;stroke-width:0.5;"/><path d="M342.6615,435 C337.6615,435 337.6615,448.1484 337.6615,448.1484 C337.6615,461.2969 342.6615,461.2969 342.6615,461.2969 " fill="none" style="stroke:#181818;stroke-width:0.5;"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="69" x="263.6615" y="452.9951">Mosquitto</text></g><!--MD5=[0e1fecc31e3549f2a1667c6349b56d9e]
entity postgres--><g id="elem_postgres"><path d="M98.6615,541.5 C98.6615,531.5 149.1615,531.5 149.1615,531.5 C149.1615,531.5 199.6615,531.5 199.6615,541.5 L199.6615,566.7969 C199.6615,576.7969 149.1615,576.7969 149.1615,576.7969 C149.1615,576.7969 98.6615,576.7969 98.6615,566.7969 L98.6615,541.5 " fill="#F1F1F1" style="stroke:#181818;stroke-width:0.5;"/><path d="M98.6615,541.5 C98.6615,551.5 149.1615,551.5 149.1615,551.5 C149.1615,551.5 199.6615,551.5 199.6615,541.5 " fill="none" style="stroke:#181818;stroke-width:0.5;"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="81" x="108.6615" y="568.4951">PostgreSQL</text></g><!--MD5=[4827c2927b443a06e6266dac7d086993]
entity zwavejs--><g id="elem_zwavejs"><rect fill="#F1F1F1" height="46.2969" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="149" x="402.6615" y="531"/><rect fill="#F1F1F1" height="10" style="stroke:#181818;stroke-width:0.5;" width="15" x="531.6615" y="536"/><rect fill="#F1F1F1" height="2" style="stroke:#181818;stroke-width:0.5;" width="4" x="529.6615" y="538"/><rect fill="#F1F1F1" height="2" style="stroke:#181818;stroke-width:0.5;" width="4" x="529.6615" y="542"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="109" x="417.6615" y="563.9951">ZWaveJS2MQTT</text></g><!--MD5=[38f3d938844eb67d5d82edb8cfb99459]
entity z2m--><g id="elem_z2m"><rect fill="#F1F1F1" height="46.2969" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="139" x="586.6615" y="531"/><rect fill="#F1F1F1" height="10" style="stroke:#181818;stroke-width:0.5;" width="15" x="705.6615" y="536"/><rect fill="#F1F1F1" height="2" style="stroke:#181818;stroke-width:0.5;" width="4" x="703.6615" y="538"/><rect fill="#F1F1F1" height="2" style="stroke:#181818;stroke-width:0.5;" width="4" x="703.6615" y="542"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="99" x="601.6615" y="563.9951">Zigbee2MQTT</text></g><!--MD5=[70ade6f0fe8f2173fde4b774eb8b51f5]
entity usb_zigbee--><g id="elem_usb_zigbee"><rect fill="#F1F1F1" height="36.2969" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="140" x="586.1615" y="637"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="120" x="596.1615" y="659.9951">Zigbee Controller</text></g><!--MD5=[fcc4016428805e8cb4a49050bce51a85]
entity usb_zwave--><g id="elem_usb_zwave"><rect fill="#F1F1F1" height="36.2969" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="138" x="408.1615" y="637"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="118" x="418.1615" y="659.9951">ZWave Controller</text></g><!--MD5=[fee662a292a0353a69bd162820bae93b]
entity User--><g id="elem_User"><ellipse cx="306.1615" cy="15.1234" fill="#F1F1F1" rx="9.1234" ry="9.1234" style="stroke:#181818;stroke-width:0.5;"/><rect fill="#F1F1F1" height="36.2969" rx="9.1234" ry="9.1234" style="stroke:#181818;stroke-width:0.5;" width="52" x="280.1615" y="24.2468"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="32" x="290.1615" y="47.2419">User</text></g><!--MD5=[6584cfc8ea64c302810bc960f7c86144]
entity sensors--><g id="elem_sensors"><rect fill="#F1F1F1" height="48.5938" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="103" x="398.6615" y="11"/><rect fill="#F1F1F1" height="48.5938" rx="2.5" ry="2.5" style="stroke:#181818;stroke-width:0.5;" width="103" x="394.6615" y="7"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="87" x="402.6615" y="27.9951">Sensors and</text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="55" x="402.6615" y="44.292">Devices</text></g><!--MD5=[7ca76e0ce9ba69a42f83c7ba68d1c9e0]
link z2m to usb_zigbee--><g id="link_z2m_usb_zigbee"><path d="M656.1615,577.46 C656.1615,593.66 656.1615,615.43 656.1615,631.61 " fill="none" id="z2m-to-usb_zigbee" style="stroke:#FF0000;stroke-width:1.0;"/><polygon fill="#FF0000" points="656.1615,636.87,660.1872,627.8815,656.1758,631.87,652.1872,627.8586,656.1615,636.87" style="stroke:#FF0000;stroke-width:1.0;"/></g><!--MD5=[c45abf488a30494e870fcd568001ab7f]
link zwavejs to usb_zwave--><g id="link_zwavejs_usb_zwave"><path d="M477.1615,577.46 C477.1615,593.66 477.1615,615.43 477.1615,631.61 " fill="none" id="zwavejs-to-usb_zwave" style="stroke:#FF0000;stroke-width:1.0;"/><polygon fill="#FF0000" points="477.1615,636.87,481.1872,627.8815,477.1758,631.87,473.1872,627.8586,477.1615,636.87" style="stroke:#FF0000;stroke-width:1.0;"/></g><!--MD5=[2eaeac1b6463e8a58895c359d8ccf3ef]
link User to ingress_http--><g id="link_User_ingress_http"><path d="M306.1615,61.3 C306.1615,100.01 306.1615,169.79 306.1615,195.83 " fill="none" id="User-to-ingress_http" style="stroke:#0000FF;stroke-width:1.0;"/><polygon fill="#0000FF" points="306.1615,200.96,310.1615,191.96,306.1615,195.96,302.1615,191.96,306.1615,200.96" style="stroke:#0000FF;stroke-width:1.0;"/></g><!--MD5=[f4055cfd7d04694c3222861b21d1c5fb]
link sensors to ingress_mqtt--><g id="link_sensors_ingress_mqtt"><path d="M440.2315,60.18 C428.3115,98.73 406.3315,169.86 398.2515,196.01 " fill="none" id="sensors-to-ingress_mqtt" style="stroke:#800080;stroke-width:1.0;"/><polygon fill="#800080" points="396.7415,200.88,403.2161,193.4584,398.2149,196.102,395.5713,191.1009,396.7415,200.88" style="stroke:#800080;stroke-width:1.0;"/></g><!--MD5=[640d58796ac87721643faad5c0527562]
reverse link sensors to hass--><g id="link_sensors_hass"><path d="M456.0115,65.45 C463.9915,99.61 475.1615,156.36 475.1615,206 C475.1615,206 475.1615,206 475.1615,295.5 C475.1615,359.35 349.8715,326.27 241.1615,377 C215.3315,389.05 189.8515,409.27 172.2815,424.89 " fill="none" id="sensors-backto-hass" style="stroke:#ADD8E6;stroke-width:1.0;"/><polygon fill="#ADD8E6" points="454.7615,60.16,452.9497,69.8408,455.917,65.0246,460.7332,67.9919,454.7615,60.16" style="stroke:#ADD8E6;stroke-width:1.0;"/></g><!--MD5=[5cf90139667a1e51a2d38d4c52eb965b]
link ingress to hass--><g id="link_ingress_hass"><path d="M315.6766,328.1603 C315.525,328.2552 315.3732,328.3503 315.2213,328.4454 C314.0057,329.2068 312.779,329.9765 311.5423,330.7539 C309.0689,332.3086 306.5554,333.8942 304.0102,335.5063 C283.649,348.4025 261.2615,362.99 241.1615,377 C220.8215,391.18 198.6915,407.97 181.2315,421.56 " fill="none" id="ingress-to-hass" style="stroke:#0000FF;stroke-width:1.0;"/><polygon fill="#0000FF" points="176.9015,424.94,186.4596,422.5648,180.8459,421.8673,181.5434,416.2536,176.9015,424.94" style="stroke:#0000FF;stroke-width:1.0;"/></g><!--MD5=[0ffb3635875a9fa0acc167011742fe21]
link ingress to zwavejs--><g id="link_ingress_zwavejs"><path d="M372.9106,328.199 C372.936,328.38 372.9617,328.5615 372.9874,328.7435 C373.1937,330.2001 373.4097,331.6934 373.6359,333.2213 C375.4452,345.4438 377.904,359.8725 381.1865,375.33 C387.7515,406.245 397.6115,441.275 412.1615,471 C422.2515,491.61 438.2015,511.84 451.7815,527.05 " fill="none" id="ingress-to-zwavejs" style="stroke:#0000FF;stroke-width:1.0;"/><polygon fill="#0000FF" points="455.1815,530.81,452.1141,521.451,451.8288,527.1006,446.1791,526.8153,455.1815,530.81" style="stroke:#0000FF;stroke-width:1.0;"/></g><!--MD5=[5130fa1120dc4fbbc9c93a42cfa7cd2b]
link ingress to z2m--><g id="link_ingress_z2m"><path d="M405.7064,328.2904 C406.2465,328.775 406.7913,329.2639 407.3407,329.7568 C408.4395,330.7426 409.5567,331.745 410.6914,332.7631 C415.2304,336.8355 420.0509,341.1605 425.1062,345.6961 C445.3271,363.8384 469.3027,385.3494 494.029,407.5338 C543.4815,451.9025 595.9365,498.965 627.3615,527.16 " fill="none" id="ingress-to-z2m" style="stroke:#0000FF;stroke-width:1.0;"/><polygon fill="#0000FF" points="631.3815,530.77,627.3677,521.7761,627.665,527.4252,622.016,527.7225,631.3815,530.77" style="stroke:#0000FF;stroke-width:1.0;"/></g><!--MD5=[1015ab4ec28bfa1bb9d7cd52675e4533]
link ingress to mqtt--><g id="link_ingress_mqtt"><path d="M354.7994,328.4617 C354.6589,328.7842 354.5178,329.1081 354.376,329.4336 C349.8387,339.8484 344.6321,351.7994 339.3152,364.0038 C328.6815,388.4125 317.6065,413.835 310.5615,430.01 " fill="none" id="ingress-to-mqtt" style="stroke:#800080;stroke-width:1.0;"/><polygon fill="#800080" points="308.4515,434.87,315.7159,428.2195,310.4503,430.2869,308.383,425.0214,308.4515,434.87" style="stroke:#800080;stroke-width:1.0;"/></g><!--MD5=[9daf2f7d234cf58b6b300dbd08850eb7]
link hass to postgres--><g id="link_hass_postgres"><path d="M149.1615,471.06 C149.1615,487.16 149.1615,509.07 149.1615,526.19 " fill="none" id="hass-to-postgres" style="stroke:#008080;stroke-width:1.0;"/><polygon fill="#008080" points="149.1615,531.33,153.1615,522.33,149.1615,526.33,145.1615,522.33,149.1615,531.33" style="stroke:#008080;stroke-width:1.0;"/></g><!--MD5=[e530c0b8fd179adb0629d520b2a9c8ce]
link hass to zwavejs--><g id="link_hass_zwavejs"><path d="M223.3015,467.65 C229.3215,468.88 235.3315,470.02 241.1615,471 C294.8915,480.02 311.5215,465.64 363.1615,483 C393.0915,493.06 423.3715,512.18 445.2015,527.89 " fill="none" id="hass-to-zwavejs" style="stroke:#FFA500;stroke-width:1.0;"/><polygon fill="#FFA500" points="449.4515,530.99,444.5291,522.4594,445.409,528.0474,439.821,528.9274,449.4515,530.99" style="stroke:#FFA500;stroke-width:1.0;"/></g><!--MD5=[44532c20c1898bf5b8490e04284282e7]
link hass to mqtt--><g id="link_hass_mqtt"><path d="M223.4515,448 C233.4415,448 243.4315,448 253.4115,448 " fill="none" id="hass-to-mqtt" style="stroke:#800080;stroke-width:1.0;"/><polygon fill="#800080" points="258.6415,448,249.6415,444,253.6415,448,249.6415,452,258.6415,448" style="stroke:#800080;stroke-width:1.0;"/></g><!--MD5=[750a72ec489501e1e5fee7612d1663b0]
link z2m to mqtt--><g id="link_z2m_mqtt"><path d="M636.0215,530.77 C619.7415,514.43 595.3015,493.35 569.1615,483 C536.6315,470.12 446.8215,475.8 412.1615,471 C392.6715,468.3 371.4215,464.26 352.9115,460.38 " fill="none" id="z2m-to-mqtt" style="stroke:#800080;stroke-width:1.0;"/><polygon fill="#800080" points="347.7615,459.29,355.7478,465.0536,352.6548,460.3172,357.3913,457.2242,347.7615,459.29" style="stroke:#800080;stroke-width:1.0;"/></g><rect fill="#DDDDDD" height="128.0781" id="_legend" rx="7.5" ry="7.5" style="stroke:#000000;stroke-width:1.0;" width="135.3333" x="644.6988" y="756.6061"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="52" x="649.6988" y="774.6012">Legend</text><path d="M656.5321,783.3665 L656.5321,785.6998 L650.6988,785.6998 L650.6988,786.8665 L656.5321,786.8665 L656.5321,789.1998 L660.0321,786.2482 L656.5321,783.3665 " fill="#0000FF" style="stroke:;stroke-width:0.0;stroke-dasharray:;"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="4" x="661.0321" y="792.8981"> </text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="37" x="669.0321" y="792.8981">HTTP</text><path d="M656.5321,799.6634 L656.5321,801.9967 L650.6988,801.9967 L650.6988,803.1634 L656.5321,803.1634 L656.5321,805.4967 L660.0321,802.545 L656.5321,799.6634 " fill="#800080" style="stroke:;stroke-width:0.0;stroke-dasharray:;"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="4" x="661.0321" y="809.1949"> </text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="41" x="669.0321" y="809.1949">MQTT</text><path d="M656.5321,815.9602 L656.5321,818.2936 L650.6988,818.2936 L650.6988,819.4602 L656.5321,819.4602 L656.5321,821.7936 L660.0321,818.8419 L656.5321,815.9602 " fill="#FFA500" style="stroke:;stroke-width:0.0;stroke-dasharray:;"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="4" x="661.0321" y="825.4918"> </text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="79" x="669.0321" y="825.4918">WebSocket</text><path d="M656.5321,832.2571 L656.5321,834.5904 L650.6988,834.5904 L650.6988,835.7571 L656.5321,835.7571 L656.5321,838.0904 L660.0321,835.1388 L656.5321,832.2571 " fill="#008080" style="stroke:;stroke-width:0.0;stroke-dasharray:;"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="4" x="661.0321" y="841.7887"> </text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="81" x="669.0321" y="841.7887">PostgreSQL</text><path d="M656.5321,848.554 L656.5321,850.8873 L650.6988,850.8873 L650.6988,852.054 L656.5321,852.054 L656.5321,854.3873 L660.0321,851.4357 L656.5321,848.554 " fill="#FF0000" style="stroke:;stroke-width:0.0;stroke-dasharray:;"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="4" x="661.0321" y="858.0856"> </text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="29" x="669.0321" y="858.0856">USB</text><path d="M656.5321,864.8509 L656.5321,867.1842 L650.6988,867.1842 L650.6988,868.3509 L656.5321,868.3509 L656.5321,870.6842 L660.0321,867.7325 L656.5321,864.8509 " fill="#ADD8E6" style="stroke:;stroke-width:0.0;stroke-dasharray:;"/><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="4" x="661.0321" y="874.3824"> </text><text fill="#000000" font-family="sans-serif" font-size="14" lengthAdjust="spacing" textLength="102" x="669.0321" y="874.3824">ESPHome, etc.</text><line style="stroke:#000000;stroke-width:1.0;" x1="649.6988" x2="775.0321" y1="779.9029" y2="779.9029"/><line style="stroke:#000000;stroke-width:1.0;" x1="649.6988" x2="775.0321" y1="796.1998" y2="796.1998"/><line style="stroke:#000000;stroke-width:1.0;" x1="649.6988" x2="775.0321" y1="812.4967" y2="812.4967"/><line style="stroke:#000000;stroke-width:1.0;" x1="649.6988" x2="775.0321" y1="828.7936" y2="828.7936"/><line style="stroke:#000000;stroke-width:1.0;" x1="649.6988" x2="775.0321" y1="845.0904" y2="845.0904"/><line style="stroke:#000000;stroke-width:1.0;" x1="649.6988" x2="775.0321" y1="861.3873" y2="861.3873"/><line style="stroke:#000000;stroke-width:1.0;" x1="649.6988" x2="775.0321" y1="877.6842" y2="877.6842"/><line style="stroke:#000000;stroke-width:1.0;" x1="649.6988" x2="649.6988" y1="779.9029" y2="877.6842"/><line style="stroke:#000000;stroke-width:1.0;" x1="665.0321" x2="665.0321" y1="779.9029" y2="877.6842"/><line style="stroke:#000000;stroke-width:1.0;" x1="775.0321" x2="775.0321" y1="779.9029" y2="877.6842"/><!--MD5=[8c0c21c8b43cccde4ab6dc47d49e42a1]
@startuml
person User
collections "Sensors and\nDevices" as sensors
cloud Kubernetes {
component Ingress as ingress {
port HTTPS as ingress_http
port MQTT as ingress_mqtt
}
node "Main Node Cluster" {
[Home Assistant] as hass
queue Mosquitto as mqtt
database PostgreSQL as postgres
}
node "Raspberry Pi Node" as pi {
[ZWaveJS2MQTT] as zwavejs
[Zigbee2MQTT] as z2m
rectangle "Zigbee Controller" as usb_zigbee
rectangle "ZWave Controller" as usb_zwave
z2m-[#red]-> usb_zigbee
zwavejs -[#red]-> usb_zwave
}
User - -[#blue]-> ingress_http
sensors - -[#purple]-> ingress_mqtt
sensors <-[#lightblue]- - - hass
ingress - -[#blue]-> hass
ingress - - -[#blue]-> zwavejs
ingress - - -[#blue]-> z2m
ingress - -[#purple]-> mqtt
hass -[#teal]-> postgres
hass -[#orange]-> zwavejs
hass -[#purple]> mqtt
z2m -[#purple]-> mqtt
}
legend right
Legend
|<color:blue><&arrow-right></color> | HTTP |
|<color:purple><&arrow-right></color> | MQTT |
|<color:orange><&arrow-right></color> | WebSocket |
|<color:teal><&arrow-right></color> | PostgreSQL |
|<color:red><&arrow-right></color> | USB |
|<color:lightblue><&arrow-right></color> | ESPHome, etc. |
end legend
@enduml
PlantUML version 1.2022.12(Sun Oct 23 18:12:26 UTC 2022)
(GPL source distribution)
Java Runtime: OpenJDK Runtime Environment
JVM: OpenJDK 64-Bit Server VM
Default Encoding: UTF-8
Language: en
Country: null
--></g></svg>
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

95
home-assistant/home-assistant.yaml Normal file
View File

@ -0,0 +1,95 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: home-assistant
app.kubernetes.io/instance: home-assistant
app.kubernetes.io/name: home-assistant
app.kubernetes.io/part-of: home-assistant
name: home-assistant
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 60Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: home-assistant
app.kubernetes.io/instance: home-assistant
app.kubernetes.io/name: home-assistant
app.kubernetes.io/part-of: home-assistant
name: home-assistant
spec:
ports:
- port: 8123
name: http
selector:
app.kubernetes.io/component: home-assistant
app.kubernetes.io/instance: home-assistant
app.kubernetes.io/name: home-assistant
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
app.kubernetes.io/component: home-assistant
app.kubernetes.io/instance: home-assistant
app.kubernetes.io/name: home-assistant
app.kubernetes.io/part-of: home-assistant
name: home-assistant
spec:
serviceName: home-assistant
selector:
matchLabels:
app.kubernetes.io/component: home-assistant
app.kubernetes.io/instance: home-assistant
app.kubernetes.io/name: home-assistant
template:
metadata:
labels:
app.kubernetes.io/component: home-assistant
app.kubernetes.io/instance: home-assistant
app.kubernetes.io/name: home-assistant
app.kubernetes.io/part-of: home-assistant
spec:
containers:
- name: home-assistant
image: ghcr.io/home-assistant/home-assistant:stable
env:
- name: TZ
value: America/Chicago
ports:
- containerPort: 8123
name: http
readinessProbe: &probe
httpGet:
port: 8123
path: /
failureThreshold: 3
periodSeconds: 60
successThreshold: 1
timeoutSeconds: 1
startupProbe:
<<: *probe
failureThreshold: 30
periodSeconds: 3
initialDelaySeconds: 3
securityContext:
runAsUser: 300
runAsGroup: 300
volumeMounts:
- name: home-assistant-data
mountPath: /config
subPath: data
securityContext:
fsGroup: 300
volumes:
- name: home-assistant-data
persistentVolumeClaim:
claimName: home-assistant

91
home-assistant/ingress.yaml Normal file
View File

@ -0,0 +1,91 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: home-assistant
labels:
app.kubernetes.io/name: home-assistant
app.kubernetes.io/component: home-assistant
app.kubernetes.io/instance: home-assistant
app.kubernetes.io/part-of: home-assistant
spec:
ingressClassName: nginx
rules:
- host: homeassistant.pyrocufflink.blue
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: home-assistant
port:
name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: zigbee2mqtt
labels:
app.kubernetes.io/name: zigbee2mqtt
app.kubernetes.io/component: zigbee2mqtt
app.kubernetes.io/instance: zigbee2mqtt
app.kubernetes.io/part-of: home-assistant
annotations:
nginx.ingress.kubernetes.io/auth-method: GET
nginx.ingress.kubernetes.io/auth-url: http://authelia.authelia.svc.cluster.local:9091/api/verify
nginx.ingress.kubernetes.io/auth-signin: https://auth.pyrocufflink.blue/?rm=$request_method
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Method $request_method;
nginx.ingress.kubernetes.io/use-regex: 'true'
nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
ingressClassName: nginx
rules:
- host: homeassistant.pyrocufflink.blue
http:
paths:
- path: /zigbee/(.*)
pathType: Prefix
backend:
service:
name: zigbee2mqtt
port:
name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: zwavejs2mqtt
labels:
app.kubernetes.io/name: zwavejs2mqtt
app.kubernetes.io/component: zwavejs2mqtt
app.kubernetes.io/instance: zwavejs2mqtt
app.kubernetes.io/part-of: home-assistant
annotations:
nginx.ingress.kubernetes.io/auth-method: GET
nginx.ingress.kubernetes.io/auth-url: http://authelia.authelia.svc.cluster.local:9091/api/verify
nginx.ingress.kubernetes.io/auth-signin: https://auth.pyrocufflink.blue/?rm=$request_method
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Method $request_method;
nginx.ingress.kubernetes.io/use-regex: 'true'
nginx.ingress.kubernetes.io/rewrite-target: /$1
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header X-External-Path /zwave;
spec:
ingressClassName: nginx
rules:
- host: homeassistant.pyrocufflink.blue
http:
paths:
- path: /zwave/(.*)
pathType: Prefix
backend:
service:
name: zwavejs2mqtt
port:
name: http

48
home-assistant/kustomization.yaml Normal file
View File

@ -0,0 +1,48 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: home-assistant
resources:
- namespace.yaml
- home-assistant.yaml
- mosquitto-cert.yaml
- mosquitto.yaml
- zigbee2mqtt.yaml
- zwavejs2mqtt.yaml
- ingress.yaml
configMapGenerator:
- name: mosquitto
files:
- mosquitto.conf
secretGenerator:
- name: mosquitto
files:
- passwd=mosquitto.passwd
patches:
- patch: |-
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: home-assistant
spec:
template:
spec:
containers:
- name: home-assistant
env:
- name: RECORDER_DB_PASSWORD
valueFrom:
secretKeyRef:
name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
key: password
- name: RECORDER_DB_USERNAME
valueFrom:
secretKeyRef:
name: home-assistant.homeassistant.default.credentials.postgresql.acid.zalan.do
key: username
- name: RECORDER_DB_URL
value: postgresql://$(RECORDER_DB_USERNAME):$(RECORDER_DB_PASSWORD)@default.postgresql/homeassistant

91
home-assistant/migrate.yaml Normal file
View File

@ -0,0 +1,91 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: migrate
data:
migrate-hass.sh: |-
#!/bin/sh
dnf install -y rsync openssh-clients
rsync -ai dustin@rosalina.pyrocufflink.blue:/var/tmp/hass2-restore/var/lib/homeassistant/ /config/
chown -R 300:300 /config/
sed -i \
-e /server_host/d \
-e 's/::1/172.30.0.160/28/' \
/config/http.yaml
migrate-mosquitto.sh: |-
#!/bin/sh
dnf install -y rsync openssh-clients
rsync -ai dustin@rosalina.pyrocufflink.blue:/var/tmp/hass2-restore/var/lib/mosquitto/ /mosquitto/data/
chown -R 300:300 /mosquitto/data
migrate-zigbee2mqtt.sh: |-
#!/bin/sh
dnf install -y rsync openssh-clients
rsync -ai dustin@rosalina.pyrocufflink.blue:/var/tmp/hass2-restore/var/lib/zigbee2mqtt/ /app/data/
chown -R 302:302 /app/data/
sed -i \
-e 's@^ server: .*@ server: mqtts://mqtt.pyrocufflink.blue:30783@' \
/app/data/configuration.yaml
migrate-zwavejs2mqtt.sh: |-
#!/bin/sh
dnf install -y rsync openssh-clients
rsync -ai dustin@rosalina.pyrocufflink.blue:/var/tmp/hass2-restore/var/lib/zwavejs/ /usr/src/app/store/
chown -R 303:303 /usr/src/app/store/
---
apiVersion: v1
kind: Pod
metadata:
name: home-assistant-migrate
spec:
containers:
- image: registry.fedoraproject.org/fedora
name: migrate
command:
- python3
- -c
- 'from signal import *;signal(SIGTERM, lambda x, y: None);pause()'
volumeMounts:
#- mountPath: /config
# name: home-assistant-data
# subPath: data
#- mountPath: /mosquitto/data
# name: mosquitto-data
# subPath: data
#- mountPath: /app/data
# name: zigbee2mqtt-data
# subPath: data
- mountPath: /usr/src/app/store
name: zwavejs2mqtt-data
subPath: data
- mountPath: /run/migrate.sh
name: migrate-script
#subPath: migrate-hass.sh
#subPath: migrate-mosquitto.sh
#subPath: migrate-zigbee2mqtt.sh
subPath: migrate-zwavejs2mqtt.sh
volumes:
#- name: home-assistant-data
# persistentVolumeClaim:
# claimName: home-assistant
#- name: mosquitto-data
# persistentVolumeClaim:
# claimName: mosquitto
#- name: zigbee2mqtt-data
# persistentVolumeClaim:
# claimName: zigbee2mqtt
- name: zwavejs2mqtt-data
persistentVolumeClaim:
claimName: zwavejs2mqtt
- name: migrate-script
configMap:
name: migrate
defaultMode: 0755

15
home-assistant/mosquitto-cert.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: mosquitto
spec:
secretName: mosquitto-cert
dnsNames:
- mqtt.pyrocufflink.blue
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: zerossl
privateKey:
algorithm: ECDSA
rotationPolicy: Always

874
home-assistant/mosquitto.conf Normal file
View File

@ -0,0 +1,874 @@
# Config file for mosquitto
#
# See mosquitto.conf(5) for more information.
#
# Default values are shown, uncomment to change.
#
# Use the # character to indicate a comment, but only if it is the
# very first character on the line.
# =================================================================
# General configuration
# =================================================================
# Use per listener security settings.
#
# It is recommended this option be set before any other options.
#
# If this option is set to true, then all authentication and access control
# options are controlled on a per listener basis. The following options are
# affected:
#
# password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous
# auto_id_prefix allow_zero_length_clientid
#
# Note that if set to true, then a durable client (i.e. with clean session set
# to false) that has disconnected will use the ACL settings defined for the
# listener that it was most recently connected to.
#
# The default behaviour is for this to be set to false, which maintains the
# setting behaviour from previous versions of mosquitto.
#per_listener_settings false
# This option controls whether a client is allowed to connect with a zero
# length client id or not. This option only affects clients using MQTT v3.1.1
# and later. If set to false, clients connecting with a zero length client id
# are disconnected. If set to true, clients will be allocated a client id by
# the broker. This means it is only useful for clients with clean session set
# to true.
#allow_zero_length_clientid true
# If allow_zero_length_clientid is true, this option allows you to set a prefix
# to automatically generated client ids to aid visibility in logs.
# Defaults to 'auto-'
#auto_id_prefix auto-
# This option affects the scenario when a client subscribes to a topic that has
# retained messages. It is possible that the client that published the retained
# message to the topic had access at the time they published, but that access
# has been subsequently removed. If check_retain_source is set to true, the
# default, the source of a retained message will be checked for access rights
# before it is republished. When set to false, no check will be made and the
# retained message will always be published. This affects all listeners.
#check_retain_source true
# QoS 1 and 2 messages will be allowed inflight per client until this limit
# is exceeded. Defaults to 0. (No maximum)
# See also max_inflight_messages
#max_inflight_bytes 0
# The maximum number of QoS 1 and 2 messages currently inflight per
# client.
# This includes messages that are partway through handshakes and
# those that are being retried. Defaults to 20. Set to 0 for no
# maximum. Setting to 1 will guarantee in-order delivery of QoS 1
# and 2 messages.
#max_inflight_messages 20
# For MQTT v5 clients, it is possible to have the server send a "server
# keepalive" value that will override the keepalive value set by the client.
# This is intended to be used as a mechanism to say that the server will
# disconnect the client earlier than it anticipated, and that the client should
# use the new keepalive value. The max_keepalive option allows you to specify
# that clients may only connect with keepalive less than or equal to this
# value, otherwise they will be sent a server keepalive telling them to use
# max_keepalive. This only applies to MQTT v5 clients. The maximum value
# allowable is 65535. Do not set below 10.
#max_keepalive 65535
# For MQTT v5 clients, it is possible to have the server send a "maximum packet
# size" value that will instruct the client it will not accept MQTT packets
# with size greater than max_packet_size bytes. This applies to the full MQTT
# packet, not just the payload. Setting this option to a positive value will
# set the maximum packet size to that number of bytes. If a client sends a
# packet which is larger than this value, it will be disconnected. This applies
# to all clients regardless of the protocol version they are using, but v3.1.1
# and earlier clients will of course not have received the maximum packet size
# information. Defaults to no limit. Setting below 20 bytes is forbidden
# because it is likely to interfere with ordinary client operation, even with
# very small payloads.
#max_packet_size 0
# QoS 1 and 2 messages above those currently in-flight will be queued per
# client until this limit is exceeded. Defaults to 0. (No maximum)
# See also max_queued_messages.
# If both max_queued_messages and max_queued_bytes are specified, packets will
# be queued until the first limit is reached.
#max_queued_bytes 0
# Set the maximum QoS supported. Clients publishing at a QoS higher than
# specified here will be disconnected.
#max_qos 2
# The maximum number of QoS 1 and 2 messages to hold in a queue per client
# above those that are currently in-flight. Defaults to 1000. Set
# to 0 for no maximum (not recommended).
# See also queue_qos0_messages.
# See also max_queued_bytes.
#max_queued_messages 1000
#
# This option sets the maximum number of heap memory bytes that the broker will
# allocate, and hence sets a hard limit on memory use by the broker. Memory
# requests that exceed this value will be denied. The effect will vary
# depending on what has been denied. If an incoming message is being processed,
# then the message will be dropped and the publishing client will be
# disconnected. If an outgoing message is being sent, then the individual
# message will be dropped and the receiving client will be disconnected.
# Defaults to no limit.
#memory_limit 0
# This option sets the maximum publish payload size that the broker will allow.
# Received messages that exceed this size will not be accepted by the broker.
# The default value is 0, which means that all valid MQTT messages are
# accepted. MQTT imposes a maximum payload size of 268435455 bytes.
#message_size_limit 0
# This option allows persistent clients (those with clean session set to false)
# to be removed if they do not reconnect within a certain time frame.
#
# This is a non-standard option in MQTT V3.1 but allowed in MQTT v3.1.1.
#
# Badly designed clients may set clean session to false whilst using a randomly
# generated client id. This leads to persistent clients that will never
# reconnect. This option allows these clients to be removed.
#
# The expiration period should be an integer followed by one of h d w m y for
# hour, day, week, month and year respectively. For example
#
# persistent_client_expiration 2m
# persistent_client_expiration 14d
# persistent_client_expiration 1y
#
# The default if not set is to never expire persistent clients.
#persistent_client_expiration
# Write process id to a file. Default is a blank string which means
# a pid file shouldn't be written.
# This should be set to /var/run/mosquitto/mosquitto.pid if mosquitto is
# being run automatically on boot with an init script and
# start-stop-daemon or similar.
#pid_file
# Set to true to queue messages with QoS 0 when a persistent client is
# disconnected. These messages are included in the limit imposed by
# max_queued_messages and max_queued_bytes
# Defaults to false.
# This is a non-standard option for the MQTT v3.1 spec but is allowed in
# v3.1.1.
#queue_qos0_messages false
# Set to false to disable retained message support. If a client publishes a
# message with the retain bit set, it will be disconnected if this is set to
# false.
#retain_available true
# Disable Nagle's algorithm on client sockets. This has the effect of reducing
# latency of individual messages at the potential cost of increasing the number
# of packets being sent.
#set_tcp_nodelay false
# Time in seconds between updates of the $SYS tree.
# Set to 0 to disable the publishing of the $SYS tree.
#sys_interval 10
# The MQTT specification requires that the QoS of a message delivered to a
# subscriber is never upgraded to match the QoS of the subscription. Enabling
# this option changes this behaviour. If upgrade_outgoing_qos is set true,
# messages sent to a subscriber will always match the QoS of its subscription.
# This is a non-standard option explicitly disallowed by the spec.
#upgrade_outgoing_qos false
# When run as root, drop privileges to this user and its primary
# group.
# Set to root to stay as root, but this is not recommended.
# If set to "mosquitto", or left unset, and the "mosquitto" user does not exist
# then it will drop privileges to the "nobody" user instead.
# If run as a non-root user, this setting has no effect.
# Note that on Windows this has no effect and so mosquitto should be started by
# the user you wish it to run as.
#user mosquitto
# =================================================================
# Listeners
# =================================================================
# Listen on a port/ip address combination. By using this variable
# multiple times, mosquitto can listen on more than one port. If
# this variable is used and neither bind_address nor port given,
# then the default listener will not be started.
# The port number to listen on must be given. Optionally, an ip
# address or host name may be supplied as a second argument. In
# this case, mosquitto will attempt to bind the listener to that
# address and so restrict access to the associated network and
# interface. By default, mosquitto will listen on all interfaces.
# Note that for a websockets listener it is not possible to bind to a host
# name.
#
# On systems that support Unix Domain Sockets, it is also possible
# to create a # Unix socket rather than opening a TCP socket. In
# this case, the port number should be set to 0 and a unix socket
# path must be provided, e.g.
# listener 0 /tmp/mosquitto.sock
#
# listener port-number [ip address/host name/unix socket path]
listener 8883
# By default, a listener will attempt to listen on all supported IP protocol
# versions. If you do not have an IPv4 or IPv6 interface you may wish to
# disable support for either of those protocol versions. In particular, note
# that due to the limitations of the websockets library, it will only ever
# attempt to open IPv6 sockets if IPv6 support is compiled in, and so will fail
# if IPv6 is not available.
#
# Set to `ipv4` to force the listener to only use IPv4, or set to `ipv6` to
# force the listener to only use IPv6. If you want support for both IPv4 and
# IPv6, then do not use the socket_domain option.
#
#socket_domain
# Bind the listener to a specific interface. This is similar to
# the [ip address/host name] part of the listener definition, but is useful
# when an interface has multiple addresses or the address may change. If used
# with the [ip address/host name] part of the listener definition, then the
# bind_interface option will take priority.
# Not available on Windows.
#
# Example: bind_interface eth0
#bind_interface
# When a listener is using the websockets protocol, it is possible to serve
# http data as well. Set http_dir to a directory which contains the files you
# wish to serve. If this option is not specified, then no normal http
# connections will be possible.
#http_dir
# The maximum number of client connections to allow. This is
# a per listener setting.
# Default is -1, which means unlimited connections.
# Note that other process limits mean that unlimited connections
# are not really possible. Typically the default maximum number of
# connections possible is around 1024.
#max_connections -1
# The listener can be restricted to operating within a topic hierarchy using
# the mount_point option. This is achieved be prefixing the mount_point string
# to all topics for any clients connected to this listener. This prefixing only
# happens internally to the broker; the client will not see the prefix.
#mount_point
# Choose the protocol to use when listening.
# This can be either mqtt or websockets.
# Certificate based TLS may be used with websockets, except that only the
# cafile, certfile, keyfile, ciphers, and ciphers_tls13 options are supported.
#protocol mqtt
# Set use_username_as_clientid to true to replace the clientid that a client
# connected with with its username. This allows authentication to be tied to
# the clientid, which means that it is possible to prevent one client
# disconnecting another by using the same clientid.
# If a client connects with no username it will be disconnected as not
# authorised when this option is set to true.
# Do not use in conjunction with clientid_prefixes.
# See also use_identity_as_username.
#use_username_as_clientid
# Change the websockets headers size. This is a global option, it is not
# possible to set per listener. This option sets the size of the buffer used in
# the libwebsockets library when reading HTTP headers. If you are passing large
# header data such as cookies then you may need to increase this value. If left
# unset, or set to 0, then the default of 1024 bytes will be used.
#websockets_headers_size
# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable certificate based SSL/TLS support
# for this listener. Note that the recommended port for MQTT over TLS is 8883,
# but this must be set manually.
#
# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.
# Both of certfile and keyfile must be defined to enable certificate based
# TLS encryption.
# Path to the PEM encoded server certificate.
certfile /run/secrets/mosquitto/tls.crt
# Path to the PEM encoded keyfile.
keyfile /run/secrets/mosquitto/tls.key
# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be optained using the "openssl
# ciphers" command and should be provided in the same format as the output of
# that command. This applies to TLS 1.2 and earlier versions only. Use
# ciphers_tls1.3 for TLS v1.3.
#ciphers
# Choose which TLS v1.3 ciphersuites are used for this listener.
# Defaults to "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
#ciphers_tls1.3
# If you have require_certificate set to true, you can create a certificate
# revocation list file to revoke access to particular client certificates. If
# you have done this, use crlfile to point to the PEM encoded revocation file.
#crlfile
# To allow the use of ephemeral DH key exchange, which provides forward
# security, the listener must load DH parameters. This can be specified with
# the dhparamfile option. The dhparamfile can be generated with the command
# e.g. "openssl dhparam -out dhparam.pem 2048"
#dhparamfile
# By default an TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a CA
# and the client will verify that it is a trusted certificate. The overall aim
# is encryption of the network traffic. By setting require_certificate to true,
# the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.
#require_certificate false
# cafile and capath define methods of accessing the PEM encoded
# Certificate Authority certificates that will be considered trusted when
# checking incoming client certificates.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "openssl rehash <path to capath>" each time you add/remove a certificate.
#cafile
#capath
# If require_certificate is true, you may set use_identity_as_username to true
# to use the CN value from the client certificate as a username. If this is
# true, the password_file option will not be used for this listener.
#use_identity_as_username false
# -----------------------------------------------------------------
# Pre-shared-key based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable PSK based SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS is 8883, but
# this must be set manually.
#
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.
# The psk_hint option enables pre-shared-key support for this listener and also
# acts as an identifier for this listener. The hint is sent to clients and may
# be used locally to aid authentication. The hint is a free form string that
# doesn't have much meaning in itself, so feel free to be creative.
# If this option is provided, see psk_file to define the pre-shared keys to be
# used or create a security plugin to handle them.
#psk_hint
# When using PSK, the encryption ciphers used will be chosen from the list of
# available PSK ciphers. If you want to control which ciphers are available,
# use the "ciphers" option. The list of available ciphers can be optained
# using the "openssl ciphers" command and should be provided in the same format
# as the output of that command.
#ciphers
# Set use_identity_as_username to have the psk identity sent by the client used
# as its username. Authentication will be carried out using the PSK rather than
# the MQTT username/password and so password_file will not be used for this
# listener.
#use_identity_as_username false
# =================================================================
# Persistence
# =================================================================
# If persistence is enabled, save the in-memory database to disk
# every autosave_interval seconds. If set to 0, the persistence
# database will only be written when mosquitto exits. See also
# autosave_on_changes.
# Note that writing of the persistence database can be forced by
# sending mosquitto a SIGUSR1 signal.
autosave_interval 1800
# If true, mosquitto will count the number of subscription changes, retained
# messages received and queued messages and if the total exceeds
# autosave_interval then the in-memory database will be saved to disk.
# If false, mosquitto will save the in-memory database to disk by treating
# autosave_interval as a time in seconds.
#autosave_on_changes false
# Save persistent message data to disk (true/false).
# This saves information about all messages, including
# subscriptions, currently in-flight messages and retained
# messages.
# retained_persistence is a synonym for this option.
persistence true
# The filename to use for the persistent database, not including
# the path.
#persistence_file mosquitto.db
# Location for persistent database.
# Default is an empty string (current directory).
# Set to e.g. /var/lib/mosquitto if running as a proper service on Linux or
# similar.
persistence_location /mosquitto/data
# =================================================================
# Logging
# =================================================================
# Places to log to. Use multiple log_dest lines for multiple
# logging destinations.
# Possible destinations are: stdout stderr syslog topic file dlt
#
# stdout and stderr log to the console on the named output.
#
# syslog uses the userspace syslog facility which usually ends up
# in /var/log/messages or similar.
#
# topic logs to the broker topic '$SYS/broker/log/<severity>',
# where severity is one of D, E, W, N, I, M which are debug, error,
# warning, notice, information and message. Message type severity is used by
# the subscribe/unsubscribe log_types and publishes log messages to
# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe.
#
# The file destination requires an additional parameter which is the file to be
# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be
# closed and reopened when the broker receives a HUP signal. Only a single file
# destination may be configured.
#
# The dlt destination is for the automotive `Diagnostic Log and Trace` tool.
# This requires that Mosquitto has been compiled with DLT support.
#
# Note that if the broker is running as a Windows service it will default to
# "log_dest none" and neither stdout nor stderr logging is available.
# Use "log_dest none" if you wish to disable logging.
#log_dest stderr
# Types of messages to log. Use multiple log_type lines for logging
# multiple types of messages.
# Possible types are: debug, error, warning, notice, information,
# none, subscribe, unsubscribe, websockets, all.
# Note that debug type messages are for decoding the incoming/outgoing
# network packets. They are not logged in "topics".
#log_type error
#log_type warning
#log_type notice
#log_type information
# If set to true, client connection and disconnection messages will be included
# in the log.
#connection_messages true
# If using syslog logging (not on Windows), messages will be logged to the
# "daemon" facility by default. Use the log_facility option to choose which of
# local0 to local7 to log to instead. The option value should be an integer
# value, e.g. "log_facility 5" to use local5.
#log_facility
# If set to true, add a timestamp value to each log message.
#log_timestamp true
# Set the format of the log timestamp. If left unset, this is the number of
# seconds since the Unix epoch.
# This is a free text string which will be passed to the strftime function. To
# get an ISO 8601 datetime, for example:
# log_timestamp_format %Y-%m-%dT%H:%M:%S
#log_timestamp_format
# Change the websockets logging level. This is a global option, it is not
# possible to set per listener. This is an integer that is interpreted by
# libwebsockets as a bit mask for its lws_log_levels enum. See the
# libwebsockets documentation for more details. "log_type websockets" must also
# be enabled.
#websockets_log_level 0
# =================================================================
# Security
# =================================================================
# If set, only clients that have a matching prefix on their
# clientid will be allowed to connect to the broker. By default,
# all clients may connect.
# For example, setting "secure-" here would mean a client "secure-
# client" could connect but another with clientid "mqtt" couldn't.
#clientid_prefixes
# Boolean value that determines whether clients that connect
# without providing a username are allowed to connect. If set to
# false then a password file should be created (see the
# password_file option) to control authenticated client access.
#
# Defaults to false, unless there are no listeners defined in the configuration
# file, in which case it is set to true, but connections are only allowed from
# the local machine.
allow_anonymous false
# -----------------------------------------------------------------
# Default authentication and topic access control
# -----------------------------------------------------------------
# Control access to the broker using a password file. This file can be
# generated using the mosquitto_passwd utility. If TLS support is not compiled
# into mosquitto (it is recommended that TLS support should be included) then
# plain text passwords are used, in which case the file should be a text file
# with lines in the format:
# username:password
# The password (and colon) may be omitted if desired, although this
# offers very little in the way of security.
#
# See the TLS client require_certificate and use_identity_as_username options
# for alternative authentication options. If an auth_plugin is used as well as
# password_file, the auth_plugin check will be made first.
password_file /mosquitto/config/passwd
# Access may also be controlled using a pre-shared-key file. This requires
# TLS-PSK support and a listener configured to use it. The file should be text
# lines in the format:
# identity:key
# The key should be in hexadecimal format without a leading "0x".
# If an auth_plugin is used as well, the auth_plugin check will be made first.
#psk_file
# Control access to topics on the broker using an access control list
# file. If this parameter is defined then only the topics listed will
# have access.
# If the first character of a line of the ACL file is a # it is treated as a
# comment.
# Topic access is added with lines of the format:
#
# topic [read|write|readwrite|deny] <topic>
#
# The access type is controlled using "read", "write", "readwrite" or "deny".
# This parameter is optional (unless <topic> contains a space character) - if
# not given then the access is read/write. <topic> can contain the + or #
# wildcards as in subscriptions.
#
# The "deny" option can used to explicity deny access to a topic that would
# otherwise be granted by a broader read/write/readwrite statement. Any "deny"
# topics are handled before topics that grant read/write access.
#
# The first set of topics are applied to anonymous clients, assuming
# allow_anonymous is true. User specific topic ACLs are added after a
# user line as follows:
#
# user <username>
#
# The username referred to here is the same as in password_file. It is
# not the clientid.
#
#
# If is also possible to define ACLs based on pattern substitution within the
# topic. The patterns available for substition are:
#
# %c to match the client id of the client
# %u to match the username of the client
#
# The substitution pattern must be the only text for that level of hierarchy.
#
# The form is the same as for the topic keyword, but using pattern as the
# keyword.
# Pattern ACLs apply to all users even if the "user" keyword has previously
# been given.
#
# If using bridges with usernames and ACLs, connection messages can be allowed
# with the following pattern:
# pattern write $SYS/broker/connection/%c/state
#
# pattern [read|write|readwrite] <topic>
#
# Example:
#
# pattern write sensor/%u/data
#
# If an auth_plugin is used as well as acl_file, the auth_plugin check will be
# made first.
#acl_file
# -----------------------------------------------------------------
# External authentication and topic access plugin options
# -----------------------------------------------------------------
# External authentication and access control can be supported with the
# auth_plugin option. This is a path to a loadable plugin. See also the
# auth_opt_* options described below.
#
# The auth_plugin option can be specified multiple times to load multiple
# plugins. The plugins will be processed in the order that they are specified
# here. If the auth_plugin option is specified alongside either of
# password_file or acl_file then the plugin checks will be made first.
#
#auth_plugin
# If the auth_plugin option above is used, define options to pass to the
# plugin here as described by the plugin instructions. All options named
# using the format auth_opt_* will be passed to the plugin, for example:
#
# auth_opt_db_host
# auth_opt_db_port
# auth_opt_db_username
# auth_opt_db_password
# =================================================================
# Bridges
# =================================================================
# A bridge is a way of connecting multiple MQTT brokers together.
# Create a new bridge using the "connection" option as described below. Set
# options for the bridges using the remaining parameters. You must specify the
# address and at least one topic to subscribe to.
#
# Each connection must have a unique name.
#
# The address line may have multiple host address and ports specified. See
# below in the round_robin description for more details on bridge behaviour if
# multiple addresses are used. Note that if you use an IPv6 address, then you
# are required to specify a port.
#
# The direction that the topic will be shared can be chosen by
# specifying out, in or both, where the default value is out.
# The QoS level of the bridged communication can be specified with the next
# topic option. The default QoS level is 0, to change the QoS the topic
# direction must also be given.
#
# The local and remote prefix options allow a topic to be remapped when it is
# bridged to/from the remote broker. This provides the ability to place a topic
# tree in an appropriate location.
#
# For more details see the mosquitto.conf man page.
#
# Multiple topics can be specified per connection, but be careful
# not to create any loops.
#
# If you are using bridges with cleansession set to false (the default), then
# you may get unexpected behaviour from incoming topics if you change what
# topics you are subscribing to. This is because the remote broker keeps the
# subscription for the old topic. If you have this problem, connect your bridge
# with cleansession set to true, then reconnect with cleansession set to false
# as normal.
#connection <name>
#address <host>[:<port>] [<host>[:<port>]]
#topic <topic> [[[out | in | both] qos-level] local-prefix remote-prefix]
# If you need to have the bridge connect over a particular network interface,
# use bridge_bind_address to tell the bridge which local IP address the socket
# should bind to, e.g. `bridge_bind_address 192.168.1.10`
#bridge_bind_address
# If a bridge has topics that have "out" direction, the default behaviour is to
# send an unsubscribe request to the remote broker on that topic. This means
# that changing a topic direction from "in" to "out" will not keep receiving
# incoming messages. Sending these unsubscribe requests is not always
# desirable, setting bridge_attempt_unsubscribe to false will disable sending
# the unsubscribe request.
#bridge_attempt_unsubscribe true
# Set the version of the MQTT protocol to use with for this bridge. Can be one
# of mqttv50, mqttv311 or mqttv31. Defaults to mqttv311.
#bridge_protocol_version mqttv311
# Set the clean session variable for this bridge.
# When set to true, when the bridge disconnects for any reason, all
# messages and subscriptions will be cleaned up on the remote
# broker. Note that with cleansession set to true, there may be a
# significant amount of retained messages sent when the bridge
# reconnects after losing its connection.
# When set to false, the subscriptions and messages are kept on the
# remote broker, and delivered when the bridge reconnects.
#cleansession false
# Set the amount of time a bridge using the lazy start type must be idle before
# it will be stopped. Defaults to 60 seconds.
#idle_timeout 60
# Set the keepalive interval for this bridge connection, in
# seconds.
#keepalive_interval 60
# Set the clientid to use on the local broker. If not defined, this defaults to
# 'local.<clientid>'. If you are bridging a broker to itself, it is important
# that local_clientid and clientid do not match.
#local_clientid
# If set to true, publish notification messages to the local and remote brokers
# giving information about the state of the bridge connection. Retained
# messages are published to the topic $SYS/broker/connection/<clientid>/state
# unless the notification_topic option is used.
# If the message is 1 then the connection is active, or 0 if the connection has
# failed.
# This uses the last will and testament feature.
#notifications true
# Choose the topic on which notification messages for this bridge are
# published. If not set, messages are published on the topic
# $SYS/broker/connection/<clientid>/state
#notification_topic
# Set the client id to use on the remote end of this bridge connection. If not
# defined, this defaults to 'name.hostname' where name is the connection name
# and hostname is the hostname of this computer.
# This replaces the old "clientid" option to avoid confusion. "clientid"
# remains valid for the time being.
#remote_clientid
# Set the password to use when connecting to a broker that requires
# authentication. This option is only used if remote_username is also set.
# This replaces the old "password" option to avoid confusion. "password"
# remains valid for the time being.
#remote_password
# Set the username to use when connecting to a broker that requires
# authentication.
# This replaces the old "username" option to avoid confusion. "username"
# remains valid for the time being.
#remote_username
# Set the amount of time a bridge using the automatic start type will wait
# until attempting to reconnect.
# This option can be configured to use a constant delay time in seconds, or to
# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree
# of randomness to when the restart occurs.
#
# Set a constant timeout of 20 seconds:
# restart_timeout 20
#
# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of
# 60 seconds:
# restart_timeout 10 30
#
# Defaults to jitter with a base of 5 and cap of 30
#restart_timeout 5 30
# If the bridge has more than one address given in the address/addresses
# configuration, the round_robin option defines the behaviour of the bridge on
# a failure of the bridge connection. If round_robin is false, the default
# value, then the first address is treated as the main bridge connection. If
# the connection fails, the other secondary addresses will be attempted in
# turn. Whilst connected to a secondary bridge, the bridge will periodically
# attempt to reconnect to the main bridge until successful.
# If round_robin is true, then all addresses are treated as equals. If a
# connection fails, the next address will be tried and if successful will
# remain connected until it fails
#round_robin false
# Set the start type of the bridge. This controls how the bridge starts and
# can be one of three types: automatic, lazy and once. Note that RSMB provides
# a fourth start type "manual" which isn't currently supported by mosquitto.
#
# "automatic" is the default start type and means that the bridge connection
# will be started automatically when the broker starts and also restarted
# after a short delay (30 seconds) if the connection fails.
#
# Bridges using the "lazy" start type will be started automatically when the
# number of queued messages exceeds the number set with the "threshold"
# parameter. It will be stopped automatically after the time set by the
# "idle_timeout" parameter. Use this start type if you wish the connection to
# only be active when it is needed.
#
# A bridge using the "once" start type will be started automatically when the
# broker starts but will not be restarted if the connection fails.
#start_type automatic
# Set the number of messages that need to be queued for a bridge with lazy
# start type to be restarted. Defaults to 10 messages.
# Must be less than max_queued_messages.
#threshold 10
# If try_private is set to true, the bridge will attempt to indicate to the
# remote broker that it is a bridge not an ordinary client. If successful, this
# means that loop detection will be more effective and that retained messages
# will be propagated correctly. Not all brokers support this feature so it may
# be necessary to set try_private to false if your bridge does not connect
# properly.
#try_private true
# Some MQTT brokers do not allow retained messages. MQTT v5 gives a mechanism
# for brokers to tell clients that they do not support retained messages, but
# this is not possible for MQTT v3.1.1 or v3.1. If you need to bridge to a
# v3.1.1 or v3.1 broker that does not support retained messages, set the
# bridge_outgoing_retain option to false. This will remove the retain bit on
# all outgoing messages to that bridge, regardless of any other setting.
#bridge_outgoing_retain true
# If you wish to restrict the size of messages sent to a remote bridge, use the
# bridge_max_packet_size option. This sets the maximum number of bytes for
# the total message, including headers and payload.
# Note that MQTT v5 brokers may provide their own maximum-packet-size property.
# In this case, the smaller of the two limits will be used.
# Set to 0 for "unlimited".
#bridge_max_packet_size 0
# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
# Either bridge_cafile or bridge_capath must be defined to enable TLS support
# for this bridge.
# bridge_cafile defines the path to a file containing the
# Certificate Authority certificates that have signed the remote broker
# certificate.
# bridge_capath defines a directory that will be searched for files containing
# the CA certificates. For bridge_capath to work correctly, the certificate
# files must have ".crt" as the file ending and you must run "openssl rehash
# <path to capath>" each time you add/remove a certificate.
#bridge_cafile
#bridge_capath
# If the remote broker has more than one protocol available on its port, e.g.
# MQTT and WebSockets, then use bridge_alpn to configure which protocol is
# requested. Note that WebSockets support for bridges is not yet available.
#bridge_alpn
# When using certificate based encryption, bridge_insecure disables
# verification of the server hostname in the server certificate. This can be
# useful when testing initial server configurations, but makes it possible for
# a malicious third party to impersonate your server through DNS spoofing, for
# example. Use this option in testing only. If you need to resort to using this
# option in a production environment, your setup is at fault and there is no
# point using encryption.
#bridge_insecure false
# Path to the PEM encoded client certificate, if required by the remote broker.
#bridge_certfile
# Path to the PEM encoded client private key, if required by the remote broker.
#bridge_keyfile
# -----------------------------------------------------------------
# PSK based SSL/TLS support
# -----------------------------------------------------------------
# Pre-shared-key encryption provides an alternative to certificate based
# encryption. A bridge can be configured to use PSK with the bridge_identity
# and bridge_psk options. These are the client PSK identity, and pre-shared-key
# in hexadecimal format with no "0x". Only one of certificate and PSK based
# encryption can be used on one
# bridge at once.
#bridge_identity
#bridge_psk
# =================================================================
# External config files
# =================================================================
# External configuration files may be included by using the
# include_dir option. This defines a directory that will be searched
# for config files. All files that end in '.conf' will be loaded as
# a configuration file. It is best to have this as the last option
# in the main file. This option will only be processed from the main
# configuration file. The directory specified must not contain the
# main configuration file.
# Files within include_dir will be loaded sorted in case-sensitive
# alphabetical order, with capital letters ordered first. If this option is
# given multiple times, all of the files from the first instance will be
# processed before the next instance. See the man page for examples.
#include_dir

114
home-assistant/mosquitto.yaml Normal file
View File

@ -0,0 +1,114 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: mosquitto
app.kubernetes.io/instance: mosquitto
app.kubernetes.io/name: mosquitto
app.kubernetes.io/part-of: home-assistant
name: mosquitto
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 6Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: mosquitto
app.kubernetes.io/instance: mosquitto
app.kubernetes.io/name: mosquitto
app.kubernetes.io/part-of: home-assistant
name: mosquitto
spec:
ports:
- port: 8883
name: mqtt
nodePort: 30783
selector:
app.kubernetes.io/component: mosquitto
app.kubernetes.io/instance: mosquitto
app.kubernetes.io/name: mosquitto
type: NodePort
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
app.kubernetes.io/component: mosquitto
app.kubernetes.io/instance: mosquitto
app.kubernetes.io/name: mosquitto
app.kubernetes.io/part-of: home-assistant
name: mosquitto
spec:
serviceName: mosquitto
selector:
matchLabels:
app.kubernetes.io/component: mosquitto
app.kubernetes.io/instance: mosquitto
app.kubernetes.io/name: mosquitto
template:
metadata:
labels:
app.kubernetes.io/component: mosquitto
app.kubernetes.io/instance: mosquitto
app.kubernetes.io/name: mosquitto
app.kubernetes.io/part-of: home-assistant
spec:
containers:
- name: mosquitto
image: docker.io/library/eclipse-mosquitto:2.0.15
ports:
- containerPort: 8883
name: mqtt
readinessProbe: &probe
tcpSocket:
port: 8883
failureThreshold: 3
periodSeconds: 60
successThreshold: 1
timeoutSeconds: 1
startupProbe:
<<: *probe
failureThreshold: 30
periodSeconds: 1
securityContext:
runAsUser: 300
runAsGroup: 300
volumeMounts:
- mountPath: /mosquitto/config/mosquitto.conf
name: mosquitto-config
subPath: mosquitto.conf
- mountPath: /mosquitto/config/passwd
name: mosquitto-passwd
subPath: passwd
- mountPath: /mosquitto/data
name: mosquitto-data
subPath: data
- mountPath: /mosquitto/log
name: mosquitto-log
subPath: log
- mountPath: /run/secrets/mosquitto
name: mosquitto-cert
securityContext:
fsGroup: 300
volumes:
- name: mosquitto-cert
secret:
secretName: mosquitto-cert
- name: mosquitto-config
configMap:
name: mosquitto
- name: mosquitto-data
persistentVolumeClaim:
claimName: mosquitto
- name: mosquitto-log
emptyDir: {}
- name: mosquitto-passwd
secret:
secretName: mosquitto

4
home-assistant/namespace.yaml Normal file
View File

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: home-assistant

105
home-assistant/zigbee2mqtt.yaml Normal file
View File

@ -0,0 +1,105 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: zigbee2mqtt
app.kubernetes.io/instance: zigbee2mqtt
app.kubernetes.io/name: zigbee2mqtt
app.kubernetes.io/part-of: home-assistant
name: zigbee2mqtt
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: zigbee2mqtt
app.kubernetes.io/instance: zigbee2mqtt
app.kubernetes.io/name: zigbee2mqtt
app.kubernetes.io/part-of: home-assistant
name: zigbee2mqtt
spec:
ports:
- port: 8080
name: http
selector:
app.kubernetes.io/component: zigbee2mqtt
app.kubernetes.io/instance: zigbee2mqtt
app.kubernetes.io/name: zigbee2mqtt
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
app.kubernetes.io/component: zigbee2mqtt
app.kubernetes.io/instance: zigbee2mqtt
app.kubernetes.io/name: zigbee2mqtt
app.kubernetes.io/part-of: home-assistant
name: zigbee2mqtt
spec:
serviceName: zigbee2mqtt
selector:
matchLabels:
app.kubernetes.io/component: zigbee2mqtt
app.kubernetes.io/instance: zigbee2mqtt
app.kubernetes.io/name: zigbee2mqtt
template:
metadata:
labels:
app.kubernetes.io/component: zigbee2mqtt
app.kubernetes.io/instance: zigbee2mqtt
app.kubernetes.io/name: zigbee2mqtt
app.kubernetes.io/part-of: home-assistant
spec:
nodeSelector:
node-role.kubernetes.io/zigbee-ctrl: ''
tolerations:
- key: du5t1n.me/machine
value: raspberrypi
effect: NoExecute
containers:
- name: zigbee2mqtt
image: docker.io/koenkk/zigbee2mqtt:1.32.1
ports:
- containerPort: 8080
name: http
readinessProbe: &probe
httpGet:
port: 8080
path: /
failureThreshold: 3
periodSeconds: 60
successThreshold: 1
timeoutSeconds: 1
startupProbe:
<<: *probe
failureThreshold: 30
periodSeconds: 3
initialDelaySeconds: 3
securityContext:
runAsUser: 302
runAsGroup: 302
privileged: true
volumeMounts:
- mountPath: /app/data
name: zigbee2mqtt-data
subPath: data
- mountPath: /dev/ttyACM0
name: zigbee-device
securityContext:
fsGroup: 302
volumes:
- name: zigbee2mqtt-data
persistentVolumeClaim:
claimName: zigbee2mqtt
- name: zigbee-device
hostPath:
path: /dev/serial/by-id/usb-dresden_elektronik_ingenieurtechnik_GmbH_ConBee_II_DE2433174-if00
type: CharDevice

110
home-assistant/zwavejs2mqtt.yaml Normal file
View File

@ -0,0 +1,110 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: zwavejs2mqtt
app.kubernetes.io/instance: zwavejs2mqtt
app.kubernetes.io/name: zwavejs2mqtt
app.kubernetes.io/part-of: home-assistant
name: zwavejs2mqtt
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: zwavejs2mqtt
app.kubernetes.io/instance: zwavejs2mqtt
app.kubernetes.io/name: zwavejs2mqtt
app.kubernetes.io/part-of: home-assistant
name: zwavejs2mqtt
spec:
ports:
- port: 8091
name: http
- port: 3000
name: ws
selector:
app.kubernetes.io/component: zwavejs2mqtt
app.kubernetes.io/instance: zwavejs2mqtt
app.kubernetes.io/name: zwavejs2mqtt
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
app.kubernetes.io/component: zwavejs2mqtt
app.kubernetes.io/instance: zwavejs2mqtt
app.kubernetes.io/name: zwavejs2mqtt
app.kubernetes.io/part-of: home-assistant
name: zwavejs2mqtt
spec:
serviceName: zwavejs2mqtt
selector:
matchLabels:
app.kubernetes.io/component: zwavejs2mqtt
app.kubernetes.io/instance: zwavejs2mqtt
app.kubernetes.io/name: zwavejs2mqtt
template:
metadata:
labels:
app.kubernetes.io/component: zwavejs2mqtt
app.kubernetes.io/instance: zwavejs2mqtt
app.kubernetes.io/name: zwavejs2mqtt
app.kubernetes.io/part-of: home-assistant
spec:
nodeSelector:
node-role.kubernetes.io/zwave-ctrl: ''
tolerations:
- key: du5t1n.me/machine
value: raspberrypi
effect: NoExecute
containers:
- name: zwavejs2mqtt
image: docker.io/zwavejs/zwavejs2mqtt:8.20.0
ports:
- containerPort: 8091
name: http
- containerPort: 3000
name: ws
readinessProbe: &probe
httpGet:
port: 8091
path: /health/zwave
failureThreshold: 3
periodSeconds: 60
successThreshold: 1
timeoutSeconds: 1
startupProbe:
<<: *probe
failureThreshold: 30
periodSeconds: 3
initialDelaySeconds: 3
securityContext:
privileged: true
readOnlyRootFilesystem: true
runAsGroup: 303
runAsUser: 303
volumeMounts:
- mountPath: /usr/src/app/store
name: zwavejs2mqtt-data
subPath: data
- mountPath: /dev/ttyUSB0
name: zwave-device
securityContext:
fsGroup: 303
volumes:
- name: zwavejs2mqtt-data
persistentVolumeClaim:
claimName: zwavejs2mqtt
- name: zwave-device
hostPath:
path: /dev/serial/by-id/usb-Silicon_Labs_CP2102N_USB_to_UART_Bridge_Controller_98c39ad72c45eb1193dfa552b003b68c-if00-port0
type: CharDevice

10
ingress/ingress-nginx.yaml
View File

@ -31,6 +31,15 @@ metadata:
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: v1
kind: ConfigMap
metadata:
name: tcp-services
namespace: ingress-nginx
data:
8883: home-assistant/mosquitto:8883
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@ -430,6 +439,7 @@ spec:
# Publish the node's IP address as the ingress External IP
- --report-node-internal-ip-address
- --default-ssl-certificate=default/pyrocufflink-cert
- --tcp-services-configmap=ingress-nginx/tcp-services
env:
- name: POD_NAME
valueFrom:

6
storage/longhorn-settings.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: longhorn.io/v1beta2
kind: Setting
metadata:
name: taint-toleration
namespace: longhorn-system
value: du5t1n.me/machine=raspberrypi:NoExecute

4
storage/longhorn.yaml
View File

@ -3873,6 +3873,10 @@ spec:
app.kubernetes.io/version: v1.4.1
app: longhorn-manager
spec:
tolerations:
- key: du5t1n.me/machine
operator: Exists
effect: NoExecute
initContainers:
- name: wait-longhorn-admission-webhook
image: longhornio/longhorn-manager:v1.4.1