oitc/acs.relay-control-service

By oitc

Updated 3 months ago

OITC Access Control System: service that controls the door relays.

Image
Security
Message queues
0

320

oitc/acs.relay-control-service repository overview

OITC Access Control System: Relay control service

Quick reference

Maintained by: Michael Oberdorf IT-Consulting

Source code: GitHub

Container image: DockerHub

Access Control System documentation: ACS Documentation

github-action-test-shield github-action-release-shield github-release-shield github-releasedate-shield github-stars-shield github-forks-shield github-issues-shield github-license-shield

docker-release-shield docker-pulls-shield docker-stars-shield docker-size-shield

Description

This service is part of the Michael Oberdorf IT-Consulting (OITC) Access Control System (ACS).

On accessing entry points, this information is available in the internal bus system. This service listens on these events and triggers the relay to unlock the associated door.

This service is NO standalone service. It requires an OITC ACS system to be running.

Configuration

Container configuration

The container get's the configuration from environment variables.

Variable nameDescriptionRequiredDefault value
MQTT_SERVERThe MQTT server hostname or IP address.OPTIONALlocalhost
MQTT_PORTThe TCP port of the MQTT server.OPTIONAL1883
MQTT_TLSShould SSL communication be enabled (true) or not (false).OPTIONALfalse
MQTT_CACERT_FILEIf TLS is enabled, the path to the CA certificate file to validate the MQTT server certificate.OPTIONAL/etc/ssl/certs/ca-certificates.crt
MQTT_TLS_INSECUREIf TLS is enabled, skip the hostname validation of the TLS certificate.OPTIONALfalse
MQTT_CLIENT_IDThe MQTT client id to use for the MQTT connection.OPTIONAL
MQTT_USERNAMEThe MQTT username for MQTT authentication.OPTIONAL
MQTT_PASSWORDThe MQTT password for MQTT authentication.OPTIONAL
MQTT_PASSWORD_FILEThe filepath where the MQTT password is stored for MQTT authentication.OPTIONAL
MQTT_TOPIC_DOOR_ACCESSThe MQTT topic to subscribe that contains the door access information.MANDATORY
LDAP_SERVERThe LDAP server that has the relay configuration.OPTIONALlocalhost
LDAP_PORTThe LDAP server TCP port.OPIONAL389
LDAP_TLSShould SSL communication be enabled (true) or not (false).OPTIONALfalse
LDAP_USERDNThe LDAP user DN for LDAP authentication.OPTIONAL
LDAP_PASSWORDThe LDAP password for LDAP authentication.OPTIONAL
LDAP_PASSWORD_FILEThe filepath where the LDAP password is stored for LDAP authentication.OPTIONAL
LDAP_BASEDNThe search base DN where the relay configuration can be found.MANDATORY
LDAP_FILTERThe LDAP filter to search for the relay configuration.OPTIONAL(&(objectclass=ipHost)(objectclass=oitcACSAccessPointExtension)(ipHostNumber={entrypoint_ip}))
PROMETHEUS_LISTENER_ADDRThe listener address to expose the prometheus exporter.OPTIONAL0.0.0.0
PROMETHEUS_LISTENER_PORTThe TCP listener port to expose the prometheus exporter.OPTIONAL8080
TZTimezoneOPTIONALUTC

HINT:

  • MQTT_PASSWORD_FILE will be priorized before MQTT_PASSWORD
  • LDAP_PASSWORD_FILE will be priorized before LDAP_PASSWORD

Docker compose configuration

services:
  smtp-bridge-service:
    restart: always
    user: 2200:2200
    image: oitc/acs.relay-control-service:latest
    environment:
      MQTT_SERVER: test.mosquitto.org
      MQTT_PORT: 1883
      MQTT_PROTOCOL_VERSION: 3
      MQTT_TOPIC_ACS_STATUS: location/oitc-acs/general/status
      MQTT_TOPIC_DOOR_ACCESS: location/oitc-acs/entrypoints/+/access
      LDAP_BASEDN: uid=ACS Relay Control Service,ou=Technical Accounts,dc=example,dc=org

A bigger example can be found here: docker-compose.yaml

MQTT message formats

Please have a look to the main documentation: MQTT message reference

Local Relay Board integration

This tool currently support only the MCP2200 chip based USB Relay Board USB Relay Module 4 Channels, for Home Automation - v2 from Denkovi Assembly Electronics LTD.

Further relay type implementations are under development.

To run the container service in a secure way you:

  1. need to allow writes in the container to allow a write to the udev device (read_only: false)
  2. The udev system needs to be configured for the relay to allow writes from non root. See the udev rule example: 53-mcp2200.rules
  3. When using Linux Kernel 6.8, you need to disable the kernel module hid_mcp2200. See the modprobe blacklist example: blacklist_mcp2200.conf

Donate

I would appreciate a small donation to support the further development of my open source projects.

Donate with PayPal

License

Apache License Version 2.0

Tag summary

Content type

Image

Digest

sha256:ed4251fd8

Size

94.2 MB

Last updated

3 months ago

docker pull oitc/acs.relay-control-service