Personal Nix setup
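{ lib, config, ... }:

with lib;
let
  cfg = config.modules.automation;
in {
  # Mosquitto MQTT broker module. The single listener is TLS-only and
  # authenticates clients by X.509 client certificate (see the
  # require_certificate / allow_anonymous pair below), not by password.
  options.modules.automation.mqtt = {
    enable = mkOption {
      # Follows the parent automation module's enable switch unless overridden.
      default = cfg.enable;
      example = true;
      description = "Whether to enable the MQTT Mosquitto broker.";
      type = types.bool;
    };

    port = mkOption {
      default = 1883;
      example = 1883;
      description = "The port to start Mosquitto on.";
      type = types.port;
    };

    cafile = mkOption {
      default = ../base/certs/ca.crt;
      type = types.path;
      description = "CA certificate used to verify client certificates; any client certificate issued by this CA is accepted by the listener.";
    };

    certfile = mkOption {
      # Agenix-managed secret; the path only resolves when the
      # `age.secrets."mqtt.crt"` entry below is defined, i.e. when mqtt.enable is set.
      default = config.age.secrets."mqtt.crt".path;
      type = types.path;
      description = "Path to the broker's TLS server certificate.";
    };

    keyfile = mkOption {
      default = config.age.secrets."mqtt.key".path;
      type = types.path;
      description = "Path to the broker's TLS private key (agenix-managed secret).";
    };
  };

  config = mkIf cfg.mqtt.enable {
    # Decrypted secrets are readable only by the mosquitto user/group (0440),
    # so the private key is never world-readable on the host.
    age.secrets = let
      owner = config.users.users.mosquitto.name;
      group = config.users.users.mosquitto.group;
      mode = "0440";
    in {
      "mqtt.crt" = {
        inherit owner group mode;
        file = ./certs/mqtt.crt.age;
      };
      "mqtt.key" = {
        inherit owner group mode;
        file = ./certs/mqtt.key.age;
      };
    };

    services.mosquitto = {
      enable = true;
      listeners = [
        {
          # NOTE(review): this grants every client that presents a valid
          # certificate read/write on all topics; narrow the pattern if
          # clients should be confined to their own topic trees.
          acl = [ "pattern readwrite #" ];
          port = cfg.mqtt.port;
          # No password file is generated: the client certificate is the credential.
          omitPasswordAuth = true;
          settings = {
            cafile = cfg.mqtt.cafile;
            certfile = cfg.mqtt.certfile;
            keyfile = cfg.mqtt.keyfile;
            # Mutual TLS: connections without a client certificate signed by
            # `cafile` are rejected, so `allow_anonymous` here only means
            # "no MQTT username/password required", not open access.
            require_certificate = true;
            allow_anonymous = true;
          };
        }
      ];
    };
  };
}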