From 85863516060074403e17e81bc7fe91a6bd79cd91 Mon Sep 17 00:00:00 2001
From: Joakim Repomaa <joakim@repomaa.com>
Date: Sun, 30 Mar 2025 20:08:29 +0300
Subject: [PATCH] add mosquitto

---
 hosts/freun-dev/secrets.nix       |   5 ++++
 hosts/freun-dev/services.nix      |  44 ++++++++++++++++++++++++++++++
 modules/services/default.nix      |   1 +
 modules/services/mosquitto.nix    |  14 ++++++++++
 secrets/mosquitto/homie.age       | Bin 0 -> 541 bytes
 secrets/mosquitto/mokkimaatti.age |   9 ++++++
 secrets/mosquitto/openhab.age     |   9 ++++++
 secrets/mosquitto/shelly.age      | Bin 0 -> 541 bytes
 secrets/mosquitto/telegraf.age    |  10 +++++++
 secrets/secrets.nix               |   5 ++++
 10 files changed, 97 insertions(+)
 create mode 100644 modules/services/mosquitto.nix
 create mode 100644 secrets/mosquitto/homie.age
 create mode 100644 secrets/mosquitto/mokkimaatti.age
 create mode 100644 secrets/mosquitto/openhab.age
 create mode 100644 secrets/mosquitto/shelly.age
 create mode 100644 secrets/mosquitto/telegraf.age

diff --git a/hosts/freun-dev/secrets.nix b/hosts/freun-dev/secrets.nix
index 36233fc..e0bb5e4 100644
--- a/hosts/freun-dev/secrets.nix
+++ b/hosts/freun-dev/secrets.nix
@@ -19,6 +19,11 @@
           "dnote"
           "octodns"
           "mealie"
+          "mosquitto/homie"
+          "mosquitto/telegraf"
+          "mosquitto/openhab"
+          "mosquitto/shelly"
+          "mosquitto/mokkimaatti"
           "gitlab-runner/default"
           "gitlab-runner/docker"
         ]
diff --git a/hosts/freun-dev/services.nix b/hosts/freun-dev/services.nix
index 05e15e0..b709575 100644
--- a/hosts/freun-dev/services.nix
+++ b/hosts/freun-dev/services.nix
@@ -231,6 +231,50 @@ in
       };
     };
 
+    mosquitto = {
+      enable = true;
+      listeners = [
+        {
+          users = {
+            homie = {
+              acl = [
+                "readwrite homie/#"
+              ];
+              hashedPasswordFile = secrets."mosquitto/homie".path;
+            };
+            telegraf = {
+              acl = [
+                "read openhab/#"
+                "read homie/#"
+                "read shellies/#"
+                "read mokkimaatti/#"
+              ];
+              hashedPasswordFile = secrets."mosquitto/telegraf".path;
+            };
+            openhab = {
+              acl = [
+                "readwrite openhab/#"
+              ];
+              hashedPasswordFile = secrets."mosquitto/openhab".path;
+            };
+            shelly = {
+              acl = [
+                "readwrite shellies/#"
+              ];
+              hashedPasswordFile = secrets."mosquitto/shelly".path;
+            };
+            mokkimaatti = {
+              acl = [
+                "readwrite mokkimaatti/#"
+              ];
+              hashedPasswordFile = secrets."mosquitto/mokkimaatti".path;
+            };
+          };
+        }
+      ];
+      openFirewall = true;
+    };
+
     gitlab-runner = {
       enable = true;
       services = {
diff --git a/modules/services/default.nix b/modules/services/default.nix
index f6bf436..3c1e44b 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -21,5 +21,6 @@
     ./adguardhome.nix
     ./mealie.nix
     ./uptime-kuma.nix
+    ./mosquitto.nix
   ];
 }
diff --git a/modules/services/mosquitto.nix b/modules/services/mosquitto.nix
new file mode 100644
index 0000000..fc1600a
--- /dev/null
+++ b/modules/services/mosquitto.nix
@@ -0,0 +1,14 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.mosquitto;
+in
+{
+  options = {
+    services.mosquitto = {
+      openFirewall = lib.mkEnableOption "Open firewall port for Mosquitto";
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = map ({ port, ... }: port) cfg.listeners;
+  };
+}
diff --git a/secrets/mosquitto/homie.age b/secrets/mosquitto/homie.age
new file mode 100644
index 0000000000000000000000000000000000000000..3df237067cd624979b2154c54462137a54223f3e
GIT binary patch
literal 541
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7FZOqia#X1FG0Ze9
z$O|oT4-L#Jh)5|h_RZGUw=Bu^GV~29PI68(H7hf=wA9bb4(0MPFz`tUDsnTbN;mZ{
zwXk$dD>V$rGfK}*PPcHfh;R)lNiIwbD-Dk_D@V7@#Vs>GBTym7IZQvvAj7o0%*V(l
zJiN53z^OFLv&_uhE3>LH)UhBdr`)J4%DAfB-GnRA)Vs*nC_5>rvb@63)404O(;__B
zGB?bzyvobpJuEyWB_hit%s)53G#TBtfDrSvv~-0WlL)gcf1|QIe}ka1ymTWM)1VUb
ziYjLxSEC@m6z8%miwqaDyhOuN4_B^ClS-!ycO!#HqwvVg?7Zx>0^`(-(x4m@|I|R^
ztW2+z99Q?K5TCq?+-xpgU0sE=&~$(OjPexEz;K_G;)2qQq~Zv(V7Dj}<C2^RKc`|3
zle|i8Q%k1+?{u#7&*YWQB|C-+J*y~Z_M84|?@_kb8+xu^%=i1$_1{=zNy={X%g>+R
z`J?{!--i6`8PoqQc+V(4L-mufb!d9p<fCrS&mKJeMr_mE6H+YaorA=Vta<LwykC6b
za_;`BT2H<?emj25-)b?7<<ypo4n5Z<ZY|rxdu{vWv@NUa_A>N~-bhd~osr7-WTMs;
K_u1br#{vL?qRc}8

literal 0
HcmV?d00001

diff --git a/secrets/mosquitto/mokkimaatti.age b/secrets/mosquitto/mokkimaatti.age
new file mode 100644
index 0000000..d7d3d43
--- /dev/null
+++ b/secrets/mosquitto/mokkimaatti.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 osOCZA eWLRpIyRno4qtjjwpXxlwsW4I5a59h+c8W4mJpb7rmg
+i1LmqRoWZ8wB1EYxNvtqoMSr1lqGbcHHqyAPK1Ldy3Y
+-> ssh-ed25519 DFiohQ Wn2NMzQBdv6KsZnBUj82FGo3FdOcyZqd1A+KkQy5G1w
+ZCrFCEeikNUmG1pO/f0wy7GzTzwCYoNhQBTeofmo98g
+-> ssh-ed25519 PT7ffg RnEdUTw4G7dVL/YWr5vls5IEf1BbrdBCjgk+ZTABlQo
+G2PEFcmClmcd8Ap6L4VEipULRZuGj3izzeB0l/cI6FU
+--- +Jmqn5CDZN3jaexEWZzZvuKvxjZfXfEdyUW3cQIIsnQ
+�`�������Ŭ8\�R�Yo�"���2�/�<[�>�u�y��W��ލ�`Ǯ <��V��-��d�B�*��)n�(�oB7s��s—����)aE)�Ѕ4����(��mQ�Fy�xj'�:��wX,Q�V����
\ No newline at end of file
diff --git a/secrets/mosquitto/openhab.age b/secrets/mosquitto/openhab.age
new file mode 100644
index 0000000..4b78e8b
--- /dev/null
+++ b/secrets/mosquitto/openhab.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 osOCZA dkgMfjgrKalX7uGrncrep3rtVZFXUHeqwbPix7ngyFY
+a9jzF29C7Ltg7tn7Rcoi95847kRhWePylmMU7PGOkdo
+-> ssh-ed25519 DFiohQ CeZgWwo/TDb89fUVx2ueTArKGPuBjdp2sklqTpkgoj4
+7/H9QMGzIBXcSYTnzXfJwlvlKLI4B1miPU+LXzmiHtE
+-> ssh-ed25519 PT7ffg 456boso/C85lpir1PYUYD1pzb70vQvTrAN3gKy15s1s
+Sv2hsM/Yx1hUeGWih5zMYXzJaapm767IDzC/4wmKulU
+--- /iFmcxXywCLhEOLKLjzrKx/QW93++yzI7tXvn/asMUQ
+�`���:�*�ޥ���')�{;tɤ`E�`����♇������U��::���h��<A�ɢ�%�ZgsE�ol
��c���j���u�����B�-��"{i���Iп�e8N��6��V��S�F�$m�ƥ漖o�
\ No newline at end of file
diff --git a/secrets/mosquitto/shelly.age b/secrets/mosquitto/shelly.age
new file mode 100644
index 0000000000000000000000000000000000000000..3de83fc317d7e54220d2cdd798218f1ab3856663
GIT binary patch
literal 541
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7FZOqia#W}+FwZS5
z@+x*U@G;0uEOzn8b2p3d)erUe%`OTLa4t#I&I>4xDo6|nP3CgUF)VlYFE!1zG|I|L
zbvMk)$POwtbuMu?Ff>Z@3NVXGDay(#cJV3>N=LWN#Vs>GBT%8DvM?ng-_55?yWG#v
z)hHs{r6f12+|we{zp64I*)Pk<-@U*jKPcBDH<T;a%gNKAFv`iq$E3*B&(tK;+%wz7
zAj>B(B`Mt4xiH(*!l1asJv`mr#1q}NfDrSvv~-2!piI9qmvY013iEP{G>gd8D37ob
z6H|jgr^MuPpECW(6rZ4SeN+7~XJ0Puj0*P%|FYox(zMJH@5JITXTPvy3ordjUmq7E
z@ANW%uS^%Of^=8k6i+T)U0sEA^NQeNN8j>n?_^`MWN()W_l!)VZ1d3IC|8d}^9=t|
z{}5v{7dPKTM*}YN+s(g=x=#MgKhoWNzj?z$vwjh^)Q<r<HSC;?={d@OQq1-CT%Osq
zNS1g1!JkdF5-ep78*NtPC#Bu{D*L~o=tGOrf>|q;{@?fOja=Y|v#WdV$j22-Z?%Y6
zP+OQCCc3;*S%-gr(B*eeuJX^izrOhBnG3nI!j<bDERSLQDJXqmaUes;Ob@oFx%-a#
IiKgBM0DTh2k^lez

literal 0
HcmV?d00001

diff --git a/secrets/mosquitto/telegraf.age b/secrets/mosquitto/telegraf.age
new file mode 100644
index 0000000..1784941
--- /dev/null
+++ b/secrets/mosquitto/telegraf.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 osOCZA mY+/XDi0aUXqyjMUtw3loj34odb0pTPOXpP3xMaGTy4
+bpSIdOmSeIvdO4Aw+hpBuNTlZRNYDk8GdbCVfAoJSIc
+-> ssh-ed25519 DFiohQ Dju2lm9o2KhU965PEAqGt9LI9BtNsV2bldkPbOC9WzE
+v+8qH52YoNUwrSbvlaN0H7VET9UfEecXwoMaLPXQEiw
+-> ssh-ed25519 PT7ffg AFg8dFq8hX/RrrjDLYEpBcrIy630iRRYAkLvag4DF0E
+Moh8lmYzweMiGLrdBd7kqi13/7vxscNEa15/IRfbCOA
+--- 6Wnopn2zv15ph9bi31fUEafeKzVTZEp2igI8nVW4P84
+'��Q�����FbNJ�i��۲��olk�*_'w��
+����5�.��>�\�%(�ElſPܞ"�(�b�N��/m��	��\J���x����6"jַd%8
������	b�����P ��#0���k]s�v�.�
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 683084f..93dfb23 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -29,6 +29,11 @@ in
   "octodns.age".publicKeys = users ++ [ freun-dev ];
   "mealie.age".publicKeys = users ++ [ freun-dev ];
   "borgbackup-radish.age".publicKeys = users ++ [ radish ];
+  "mosquitto/homie.age".publicKeys = users ++ [ freun-dev ];
+  "mosquitto/telegraf.age".publicKeys = users ++ [ freun-dev ];
+  "mosquitto/openhab.age".publicKeys = users ++ [ freun-dev ];
+  "mosquitto/shelly.age".publicKeys = users ++ [ freun-dev ];
+  "mosquitto/mokkimaatti.age".publicKeys = users ++ [ freun-dev ];
   "gitlab-runner/default.age".publicKeys = users ++ [ freun-dev ];
   "gitlab-runner/docker.age".publicKeys = users ++ [ freun-dev ];
 }