nixos-config/services/mosquitto.nix

{ config, pkgs, ... }:

with pkgs;

let
  port = 1883;
  wsPort = 9001;

  mkSecret = file: {
    inherit file;
    owner = "mosquitto";
    group = "mosquitto";
  };
in {
  age.secrets = {
    mqtt-felix = mkSecret ../secrets/mqtt/felix.age;
    mqtt-birgit = mkSecret ../secrets/mqtt/birgit.age;
    mqtt-hass = mkSecret ../secrets/mqtt/hass.age;
    mqtt-tasmota = mkSecret ../secrets/mqtt/tasmota.age;
    mqtt-owntracks = mkSecret ../secrets/mqtt/owntracks.age;
    mqtt-owntracks-plain = mkSecret ../secrets/mqtt/owntracks-plain.age;
  };

  services.nginx = {
    virtualHosts."mqtt.felschr.com" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:${toString wsPort}";
        proxyWebsockets = true;
      };
    };
  };

  networking.firewall.allowedTCPPorts = [ port ];

  services.mosquitto = {
    enable = true;
    listeners = [
      {
        port = port;
        users = {
          "hass" = {
            acl = [
              "readwrite homeassistant/#"
              "readwrite tasmota/#"
              "readwrite owntracks/#"
            ];
            hashedPasswordFile = config.age.secrets.mqtt-hass.path;
          };
          "tasmota" = {
            acl = [ "readwrite tasmota/#" "readwrite homeassistant/#" ];
            hashedPasswordFile = config.age.secrets.mqtt-tasmota.path;
          };
          "owntracks" = {
            acl = [ "readwrite owntracks/#" ];
            hashedPasswordFile = config.age.secrets.mqtt-owntracks.path;
          };
        };
      }
      {
        port = wsPort;
        settings.protocol = "websockets";
        users = {
          "felix" = {
            acl = [ "read owntracks/#" "readwrite owntracks/felix/#" ];
            hashedPasswordFile = config.age.secrets.mqtt-felix.path;
          };
          "birgit" = {
            acl = [ "read owntracks/#" "readwrite owntracks/birgit/#" ];
            hashedPasswordFile = config.age.secrets.mqtt-birgit.path;
          };
        };
      }
    ];
  };
}
refactor(mosquitto): split mosquitto out of home-assistant config 2021-12-12 19:20:31 +01:00			`{ config, pkgs, ... }:`

			`with pkgs;`

			`let`
			`port = 1883;`
			`wsPort = 9001;`
fix(secrets): fix permissions Also moves key references into respective configs where they are used. 2022-05-06 03:16:17 +02:00
			`mkSecret = file: {`
			`inherit file;`
			`owner = "mosquitto";`
			`group = "mosquitto";`
			`};`
refactor(mosquitto): split mosquitto out of home-assistant config 2021-12-12 19:20:31 +01:00			`in {`
fix(secrets): fix permissions Also moves key references into respective configs where they are used. 2022-05-06 03:16:17 +02:00			`age.secrets = {`
			`mqtt-felix = mkSecret ../secrets/mqtt/felix.age;`
			`mqtt-birgit = mkSecret ../secrets/mqtt/birgit.age;`
			`mqtt-hass = mkSecret ../secrets/mqtt/hass.age;`
			`mqtt-tasmota = mkSecret ../secrets/mqtt/tasmota.age;`
			`mqtt-owntracks = mkSecret ../secrets/mqtt/owntracks.age;`
			`mqtt-owntracks-plain = mkSecret ../secrets/mqtt/owntracks-plain.age;`
			`};`

refactor(mosquitto): split mosquitto out of home-assistant config 2021-12-12 19:20:31 +01:00			`services.nginx = {`
fix(mosquitto): fix broken host 2021-12-12 19:23:38 +01:00			`virtualHosts."mqtt.felschr.com" = {`
refactor(mosquitto): split mosquitto out of home-assistant config 2021-12-12 19:20:31 +01:00			`enableACME = true;`
			`forceSSL = true;`
			`locations."/" = {`
			`proxyPass = "http://localhost:${toString wsPort}";`
			`proxyWebsockets = true;`
			`};`
			`};`
			`};`

			`networking.firewall.allowedTCPPorts = [ port ];`

			`services.mosquitto = {`
			`enable = true;`
			`listeners = [`
			`{`
			`port = port;`
			`users = {`
			`"hass" = {`
			`acl = [`
			`"readwrite homeassistant/#"`
			`"readwrite tasmota/#"`
			`"readwrite owntracks/#"`
			`];`
feat: set up agenix secrets management 2022-05-04 03:02:47 +02:00			`hashedPasswordFile = config.age.secrets.mqtt-hass.path;`
refactor(mosquitto): split mosquitto out of home-assistant config 2021-12-12 19:20:31 +01:00			`};`
			`"tasmota" = {`
			`acl = [ "readwrite tasmota/#" "readwrite homeassistant/#" ];`
feat: set up agenix secrets management 2022-05-04 03:02:47 +02:00			`hashedPasswordFile = config.age.secrets.mqtt-tasmota.path;`
refactor(mosquitto): split mosquitto out of home-assistant config 2021-12-12 19:20:31 +01:00			`};`
			`"owntracks" = {`
			`acl = [ "readwrite owntracks/#" ];`
feat: set up agenix secrets management 2022-05-04 03:02:47 +02:00			`hashedPasswordFile = config.age.secrets.mqtt-owntracks.path;`
refactor(mosquitto): split mosquitto out of home-assistant config 2021-12-12 19:20:31 +01:00			`};`
			`};`
			`}`
			`{`
			`port = wsPort;`
			`settings.protocol = "websockets";`
			`users = {`
			`"felix" = {`
			`acl = [ "read owntracks/#" "readwrite owntracks/felix/#" ];`
feat: set up agenix secrets management 2022-05-04 03:02:47 +02:00			`hashedPasswordFile = config.age.secrets.mqtt-felix.path;`
refactor(mosquitto): split mosquitto out of home-assistant config 2021-12-12 19:20:31 +01:00			`};`
			`"birgit" = {`
			`acl = [ "read owntracks/#" "readwrite owntracks/birgit/#" ];`
feat: set up agenix secrets management 2022-05-04 03:02:47 +02:00			`hashedPasswordFile = config.age.secrets.mqtt-birgit.path;`
refactor(mosquitto): split mosquitto out of home-assistant config 2021-12-12 19:20:31 +01:00			`};`
			`};`
			`}`
			`];`
			`};`
			`}`