diff --git a/hosts/freun-dev/services.nix b/hosts/freun-dev/services.nix
index f989b6d..feaef52 100644
--- a/hosts/freun-dev/services.nix
+++ b/hosts/freun-dev/services.nix
@@ -247,7 +247,25 @@ in
   mosquitto = {
     enable = true;
+    subdomain = "mqtt";
     listeners = [
+      {
+        users = {
+          homie = {
+            acl = [
+              "readwrite homie/#"
+            ];
+            hashedPasswordFile = secrets."mosquitto/homie".path;
+          };
+        };
+        port = 8084;
+        settings = {
+          protocol = "websockets";
+          cafile = "/run/credentials/mosquitto.service/fullchain.pem";
+          certfile = "/run/credentials/mosquitto.service/fullchain.pem";
+          keyfile = "/run/credentials/mosquitto.service/key.pem";
+        };
+      }
       {
         users = {
           homie = {
diff --git a/modules/services/mosquitto.nix b/modules/services/mosquitto.nix
index fc1600a..b68f627 100644
--- a/modules/services/mosquitto.nix
+++ b/modules/services/mosquitto.nix
@@ -1,14 +1,39 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  ...
+}:
 let
   cfg = config.services.mosquitto;
+  fqdn = "${cfg.subdomain}.${config.networking.domain}";
+  acme = config.security.acme;
 in
 {
   options = {
     services.mosquitto = {
       openFirewall = lib.mkEnableOption "Open firewall port for Mosquitto";
+      subdomain = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+      };
     };
   };
-  config = lib.mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = map ({ port, ... }: port) cfg.listeners;
-  };
+  config = lib.mkIf cfg.enable (
+    lib.mkMerge [
+      { networking.firewall.allowedTCPPorts = map ({ port, ... }: port) cfg.listeners; }
+      (lib.mkIf (cfg.subdomain != null) {
+        security.acme.certs.${fqdn}.postRun = ''
+          systemctl restart mosquitto
+        '';
+
+        systemd.services.mosquitto = {
+          requires = [ "acme-${fqdn}.service" ];
+          serviceConfig.LoadCredential = [
+            "fullchain.pem:${acme.certs.${fqdn}.directory}/fullchain.pem"
+            "key.pem:${acme.certs.${fqdn}.directory}/key.pem"
+          ];
+        };
+      })
+    ]
+  );
 }
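Review bot: In the new websockets listener, `cafile` and `certfile` both point at the server's own `fullchain.pem`, and the intent is not stated: in mosquitto, `cafile` names the CAs trusted for *client* certificates, not the chain the server presents, so this presumably only satisfies the broker's expectation that a CA file accompanies `certfile`/`keyfile` (worth confirming against the mosquitto version in use). A one-line why-comment would prevent a later reader from assuming client-certificate auth is configured: `# cafile is not used for client auth here (no require_certificate); it points at our own chain only so mosquitto accepts the TLS listener config`. The `mosquitto = {` attribute set and its `listeners` list continue outside the hunk, and the `/run/credentials/mosquitto.service/` paths only exist because `subdomain` is set, which is not obvious from this file alone and could also be noted next to `subdomain = "mqtt";`.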
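Review bot: `systemd.services.mosquitto.requires = [ "acme-${fqdn}.service" ]` pulls the ACME unit in but does not order against it, so on a fresh host mosquitto can be started before the certificate exists and `LoadCredential` will fail on the missing `fullchain.pem`/`key.pem`; add `after = [ "acme-${fqdn}.service" ];` beside `requires`. The `postRun` restart deserves a why-comment, since a reader may reach for a reload: `# restart, not reload: LoadCredential copies the files at service start, so a renewed cert is only picked up by a fresh start`. The new `subdomain` option has no `description`; something like `description = "Subdomain under networking.domain to obtain an ACME certificate for; null disables TLS credential wiring."` would document what enabling it does. Note that `fqdn` interpolates `cfg.subdomain` unconditionally at the top of the `let`; it is only safe because nothing forces it when the `mkIf (cfg.subdomain != null)` branch is off, which is worth a short comment so the laziness is not broken by a later refactor.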