diff --git a/hosts/freun-dev/secrets.nix b/hosts/freun-dev/secrets.nix
index 36233fc..e0bb5e4 100644
--- a/hosts/freun-dev/secrets.nix
+++ b/hosts/freun-dev/secrets.nix
@@ -19,6 +19,11 @@
 "dnote"
 "octodns"
 "mealie"
+ "mosquitto/homie"
+ "mosquitto/telegraf"
+ "mosquitto/openhab"
+ "mosquitto/shelly"
+ "mosquitto/mokkimaatti"
 "gitlab-runner/default"
 "gitlab-runner/docker"
 ]
diff --git a/hosts/freun-dev/services.nix b/hosts/freun-dev/services.nix
index 05e15e0..b709575 100644
--- a/hosts/freun-dev/services.nix
+++ b/hosts/freun-dev/services.nix
@@ -231,6 +231,50 @@ in
 };
 };
+ mosquitto = {
+ enable = true;
+ listeners = [
+ {
+ users = {
+ homie = {
+ acl = [
+ "readwrite homie/#"
+ ];
+ hashedPasswordFile = secrets."mosquitto/homie".path;
+ };
+ telegraf = {
+ acl = [
+ "read openhab/#"
+ "read homie/#"
+ "read shellies/#"
+ "read mokkimaatti/#"
+ ];
+ hashedPasswordFile = secrets."mosquitto/telegraf".path;
+ };
+ openhab = {
+ acl = [
+ "readwrite openhab/#"
+ ];
+ hashedPasswordFile = secrets."mosquitto/openhab".path;
+ };
+ shelly = {
+ acl = [
+ "readwrite shellies/#"
+ ];
+ hashedPasswordFile = secrets."mosquitto/shelly".path;
+ };
+ mokkimaatti = {
+ acl = [
+ "readwrite mokkimaatti/#"
+ ];
+ hashedPasswordFile = secrets."mosquitto/mokkimaatti".path;
+ };
+ };
+ }
+ ];
+ openFirewall = true;
+ };
+
 gitlab-runner = {
 enable = true;
 services = {
diff --git a/modules/services/default.nix b/modules/services/default.nix
index f6bf436..3c1e44b 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -21,5 +21,6 @@
 ./adguardhome.nix
 ./mealie.nix
 ./uptime-kuma.nix
+ ./mosquitto.nix
 ];
 }
diff --git a/modules/services/mosquitto.nix b/modules/services/mosquitto.nix
new file mode 100644
index 0000000..fc1600a
--- /dev/null
+++ b/modules/services/mosquitto.nix
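Review bot: The new `mosquitto` listener in hosts/freun-dev/services.nix sets `openFirewall = true` but gives the listener no `address`, `port` or TLS settings, so the broker is exposed on the module's defaults (presumably the standard MQTT port on all interfaces) and the per-user passwords travel in cleartext on every connect; the `hashedPasswordFile` entries only protect the hash at rest. If the broker is meant for the local network only, pin `address` on the listener to that interface's IP; if it must face a wider network, configure the listener's TLS `settings` (certfile/keyfile) before opening the port. The ACLs themselves look consistent: each device user is confined to its own topic tree and `telegraf` is read-only across all of them.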
@@ -0,0 +1,14 @@
+{ config, lib, ... }:
+let
+ cfg = config.services.mosquitto;
+in
+{
+ options = {
+ services.mosquitto = {
+ openFirewall = lib.mkEnableOption "Open firewall port for Mosquitto";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = map ({ port, ... }: port) cfg.listeners;
+ };
+}
diff --git a/secrets/mosquitto/homie.age b/secrets/mosquitto/homie.age
new file mode 100644
index 0000000..3df2370
Binary files /dev/null and b/secrets/mosquitto/homie.age differ
diff --git a/secrets/mosquitto/mokkimaatti.age b/secrets/mosquitto/mokkimaatti.age
new file mode 100644
index 0000000..d7d3d43
--- /dev/null
+++ b/secrets/mosquitto/mokkimaatti.age
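Review bot: The `openFirewall` option declared under `options.services.mosquitto` in modules/services/mosquitto.nix is never read: `config = lib.mkIf cfg.enable { ... }` adds every listener port to `networking.firewall.allowedTCPPorts` as soon as `services.mosquitto.enable` is set, so a host that leaves `openFirewall` at its `mkEnableOption` default of false still gets the ports opened. Change the condition to `config = lib.mkIf (cfg.enable && cfg.openFirewall) {`. Note the rule also opens ports for listeners bound to loopback, since it maps over all of `cfg.listeners` without looking at `address`; whether that matters cannot be told from this diff, but a doc comment above `openFirewall` stating that it opens the port of every configured listener would make the behaviour explicit.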
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 osOCZA eWLRpIyRno4qtjjwpXxlwsW4I5a59h+c8W4mJpb7rmg +i1LmqRoWZ8wB1EYxNvtqoMSr1lqGbcHHqyAPK1Ldy3Y +-> ssh-ed25519 DFiohQ Wn2NMzQBdv6KsZnBUj82FGo3FdOcyZqd1A+KkQy5G1w +ZCrFCEeikNUmG1pO/f0wy7GzTzwCYoNhQBTeofmo98g +-> ssh-ed25519 PT7ffg RnEdUTw4G7dVL/YWr5vls5IEf1BbrdBCjgk+ZTABlQo +G2PEFcmClmcd8Ap6L4VEipULRZuGj3izzeB0l/cI6FU +--- +Jmqn5CDZN3jaexEWZzZvuKvxjZfXfEdyUW3cQIIsnQ +`Ŭ8\R Yo"2/<[>uyWލ`Ǯ ssh-ed25519 osOCZA dkgMfjgrKalX7uGrncrep3rtVZFXUHeqwbPix7ngyFY +a9jzF29C7Ltg7tn7Rcoi95847kRhWePylmMU7PGOkdo +-> ssh-ed25519 DFiohQ CeZgWwo/TDb89fUVx2ueTArKGPuBjdp2sklqTpkgoj4 +7/H9QMGzIBXcSYTnzXfJwlvlKLI4B1miPU+LXzmiHtE +-> ssh-ed25519 PT7ffg 456boso/C85lpir1PYUYD1pzb70vQvTrAN3gKy15s1s +Sv2hsM/Yx1hUeGWih5zMYXzJaapm767IDzC/4wmKulU +--- /iFmcxXywCLhEOLKLjzrKx/QW93++yzI7tXvn/asMUQ +`:*ޥ'){;tɤ`E`♇ U::h ssh-ed25519 osOCZA mY+/XDi0aUXqyjMUtw3loj34odb0pTPOXpP3xMaGTy4 +bpSIdOmSeIvdO4Aw+hpBuNTlZRNYDk8GdbCVfAoJSIc +-> ssh-ed25519 DFiohQ Dju2lm9o2KhU965PEAqGt9LI9BtNsV2bldkPbOC9WzE +v+8qH52YoNUwrSbvlaN0H7VET9UfEecXwoMaLPXQEiw +-> ssh-ed25519 PT7ffg AFg8dFq8hX/RrrjDLYEpBcrIy630iRRYAkLvag4DF0E +Moh8lmYzweMiGLrdBd7kqi13/7vxscNEa15/IRfbCOA +--- 6Wnopn2zv15ph9bi31fUEafeKzVTZEp2igI8nVW4P84 +'QFbNJi۲olk*_'w +5 .>\%(ElſPܞ"(bN /m \Jx6"jַd%8 bP #0k]s v. \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 683084f..93dfb23 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -29,6 +29,11 @@ in
 "octodns.age".publicKeys = users ++ [ freun-dev ];
 "mealie.age".publicKeys = users ++ [ freun-dev ];
 "borgbackup-radish.age".publicKeys = users ++ [ radish ];
+ "mosquitto/homie.age".publicKeys = users ++ [ freun-dev ];
+ "mosquitto/telegraf.age".publicKeys = users ++ [ freun-dev ];
+ "mosquitto/openhab.age".publicKeys = users ++ [ freun-dev ];
+ "mosquitto/shelly.age".publicKeys = users ++ [ freun-dev ];
+ "mosquitto/mokkimaatti.age".publicKeys = users ++ [ freun-dev ];
 "gitlab-runner/default.age".publicKeys = users ++ [ freun-dev ];
 "gitlab-runner/docker.age".publicKeys = users ++ [ freun-dev ];
 }