nix-config/hosts/broker/default.nix

{ config, pkgs, ... }:

let
  mymqttui = pkgs.writeScriptBin "mqttui" ''
    export MQTTUI_USERNAME=consumer
    export MQTTUI_PASSWORD=`cat ${(builtins.head config.services.mosquitto.listeners).users.consumer.passwordFile}`
    exec ${pkgs.mqttui}/bin/mqttui
  '';

  fqdn = "broker.serv.zentralwerk.org";

  mqttWebsocketPort = 9001;
in
{
  c3d2.deployment.server = "server10";

  microvm.mem = 1024;

  networking = {
    hostName = "broker";
    firewall.allowedTCPPorts = [
      # nginx
      80 443
      # mosquitto
      1883 8883
    ];
  };

  services.openssh.enable = true;

  # runs mainly to obtain a TLS certificate
  services.nginx = {
    enable = true;
    virtualHosts.${fqdn} = {
      default = true;
      enableACME = true;
      forceSSL = true;
      locations."/mqtt" = {
        proxyPass = "http://localhost:${toString mqttWebsocketPort}/";
        proxyWebsockets = true;
      };
    };
  };

  services.mosquitto = {
    enable = true;
    listeners =
      let
        users = {
          "zentralwerk-network" = {
            passwordFile = config.sops.secrets."mosquitto/users/zentralwerk-network".path;
            acl = [
              "write #"
            ];
          };
          "services" = {
            passwordFile = config.sops.secrets."mosquitto/users/services".path;
            acl = [
              "write #"
            ];
          };
          "consumer" = {
            passwordFile = config.sops.secrets."mosquitto/users/consumer".path;
            acl = [
              "read #"
            ];
          };
          "sensors" = {
            passwordFile = config.sops.secrets."mosquitto/users/sensors".path;
            acl = [
              "write esp-sdk/#"
              "write esp-proc/#"
            ];
          };
        };
      in [ {
        address = "0.0.0.0";
        port = 1883;
        inherit users;
      } {
        address = "::";
        port = 1883;
        inherit users;
      } {
        address = "0.0.0.0";
        port = 8883;
        settings = {
          certfile = "/run/credentials/mosquitto.service/cert.pem";
          keyfile = "/run/credentials/mosquitto.service/key.pem";
        };
        inherit users;
      } {
        address = "::";
        port = 8883;
        settings = {
          certfile = "/run/credentials/mosquitto.service/cert.pem";
          keyfile = "/run/credentials/mosquitto.service/key.pem";
        };
        inherit users;
      } {
        settings.protocol = "websockets";
        address = "::";
        port = mqttWebsocketPort;
        inherit users;
      } ];
  };
  systemd.services.mosquitto = {
    requires = [ "acme-finished-${fqdn}.target" ];
    serviceConfig.LoadCredential =
      let
        certDir = config.security.acme.certs.${fqdn}.directory;
      in [
        "cert.pem:${certDir}/fullchain.pem"
        "key.pem:${certDir}/key.pem"
      ];
  };
  security.acme.certs.${fqdn}.postRun = ''
    systemctl restart mosquitto
  '';

  sops = {
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    defaultSopsFile = ./secrets.yaml;
    secrets = let
      perms = {
        owner = config.systemd.services.mosquitto.serviceConfig.User;
        group = config.systemd.services.mosquitto.serviceConfig.Group;
        mode = "0440";
      };
    in
    {
      "mosquitto/users/zentralwerk-network" = perms;
      "mosquitto/users/services" = perms;
      "mosquitto/users/consumer" = perms;
      "mosquitto/users/sensors" = perms;
    };
  };

  environment.systemPackages = with pkgs; [
    mymqttui
  ];

  users.motd = ''
    C3D2 MQTT Broker
    ================

    Use `mqttui` to inspect the data in mosquitto.

  '';

  system.stateVersion = "22.05";
}
Deadnix, statix, other cleanups 2022-12-04 08:53:28 +01:00			`{ config, pkgs, ... }:`
mosquitto: works 2022-07-16 02:03:47 +02:00
broker: customize mqttui with username/password 2022-07-16 03:11:06 +02:00			`let`
			`mymqttui = pkgs.writeScriptBin "mqttui" ''`
			`export MQTTUI_USERNAME=consumer`
			export MQTTUI_PASSWORD=`cat ${(builtins.head config.services.mosquitto.listeners).users.consumer.passwordFile}`
			`exec ${pkgs.mqttui}/bin/mqttui`
			`'';`
broker: enable mqtt+tls 2022-07-17 01:48:16 +02:00
			`fqdn = "broker.serv.zentralwerk.org";`
broker: enable websockets 2022-07-19 18:25:28 +02:00
			`mqttWebsocketPort = 9001;`
broker: customize mqttui with username/password 2022-07-16 03:11:06 +02:00			`in`
mosquitto: works 2022-07-16 02:03:47 +02:00			`{`
Default microvm mounts to etc, home, var; random cleanups 2022-12-18 22:16:29 +01:00			`c3d2.deployment.server = "server10";`
mosquitto: works 2022-07-16 02:03:47 +02:00
			`microvm.mem = 1024;`

			`networking = {`
			`hostName = "broker";`
broker: enable mqtt+tls 2022-07-17 01:48:16 +02:00			`firewall.allowedTCPPorts = [`
			`# nginx`
			`80 443`
			`# mosquitto`
			`1883 8883`
			`];`
mosquitto: works 2022-07-16 02:03:47 +02:00			`};`

			`services.openssh.enable = true;`
broker: enable mqtt+tls 2022-07-17 01:48:16 +02:00
			`# runs mainly to obtain a TLS certificate`
			`services.nginx = {`
			`enable = true;`
			`virtualHosts.${fqdn} = {`
			`default = true;`
			`enableACME = true;`
			`forceSSL = true;`
broker: enable websockets 2022-07-19 18:25:28 +02:00			`locations."/mqtt" = {`
			`proxyPass = "http://localhost:${toString mqttWebsocketPort}/";`
			`proxyWebsockets = true;`
			`};`
broker: enable mqtt+tls 2022-07-17 01:48:16 +02:00			`};`
			`};`

mosquitto: works 2022-07-16 02:03:47 +02:00			`services.mosquitto = {`
			`enable = true;`
broker: enable mqtt+tls 2022-07-17 01:48:16 +02:00			`listeners =`
			`let`
			`users = {`
			`"zentralwerk-network" = {`
			`passwordFile = config.sops.secrets."mosquitto/users/zentralwerk-network".path;`
			`acl = [`
			`"write #"`
			`];`
			`};`
			`"services" = {`
			`passwordFile = config.sops.secrets."mosquitto/users/services".path;`
			`acl = [`
			`"write #"`
			`];`
			`};`
			`"consumer" = {`
			`passwordFile = config.sops.secrets."mosquitto/users/consumer".path;`
			`acl = [`
			`"read #"`
			`];`
			`};`
broker: add sensors account 2022-09-05 23:26:08 +02:00			`"sensors" = {`
			`passwordFile = config.sops.secrets."mosquitto/users/sensors".path;`
			`acl = [`
			`"write esp-sdk/#"`
			`"write esp-proc/#"`
			`];`
			`};`
mosquitto: works 2022-07-16 02:03:47 +02:00			`};`
broker: enable websockets 2022-07-19 18:25:28 +02:00			`in [ {`
broker: listen on both ipv4 and ipv6 though sysctl net.ipv6.bindv6only is already at 0 2022-07-17 02:00:55 +02:00			`address = "0.0.0.0";`
			`port = 1883;`
			`inherit users;`
			`} {`
broker: enable mqtt+tls 2022-07-17 01:48:16 +02:00			`address = "::";`
			`port = 1883;`
			`inherit users;`
broker: listen on both ipv4 and ipv6 though sysctl net.ipv6.bindv6only is already at 0 2022-07-17 02:00:55 +02:00			`} {`
			`address = "0.0.0.0";`
			`port = 8883;`
			`settings = {`
			`certfile = "/run/credentials/mosquitto.service/cert.pem";`
			`keyfile = "/run/credentials/mosquitto.service/key.pem";`
			`};`
			`inherit users;`
broker: enable mqtt+tls 2022-07-17 01:48:16 +02:00			`} {`
			`address = "::";`
			`port = 8883;`
			`settings = {`
			`certfile = "/run/credentials/mosquitto.service/cert.pem";`
			`keyfile = "/run/credentials/mosquitto.service/key.pem";`
mosquitto: works 2022-07-16 02:03:47 +02:00			`};`
broker: enable mqtt+tls 2022-07-17 01:48:16 +02:00			`inherit users;`
broker: enable websockets 2022-07-19 18:25:28 +02:00			`} {`
			`settings.protocol = "websockets";`
			`address = "::";`
			`port = mqttWebsocketPort;`
			`inherit users;`
broker: enable mqtt+tls 2022-07-17 01:48:16 +02:00			`} ];`
mosquitto: works 2022-07-16 02:03:47 +02:00			`};`
broker: enable mqtt+tls 2022-07-17 01:48:16 +02:00			`systemd.services.mosquitto = {`
			`requires = [ "acme-finished-${fqdn}.target" ];`
			`serviceConfig.LoadCredential =`
			`let`
			`certDir = config.security.acme.certs.${fqdn}.directory;`
			`in [`
			`"cert.pem:${certDir}/fullchain.pem"`
			`"key.pem:${certDir}/key.pem"`
			`];`
			`};`
			`security.acme.certs.${fqdn}.postRun = ''`
			`systemctl restart mosquitto`
			`'';`
mosquitto: works 2022-07-16 02:03:47 +02:00
			`sops = {`
			`age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`
Move sopsDefaultFile into hosts 2022-07-31 18:13:03 +02:00			`defaultSopsFile = ./secrets.yaml;`
mosquitto: works 2022-07-16 02:03:47 +02:00			`secrets = let`
			`perms = {`
			`owner = config.systemd.services.mosquitto.serviceConfig.User;`
			`group = config.systemd.services.mosquitto.serviceConfig.Group;`
			`mode = "0440";`
			`};`
			`in`
			`{`
			`"mosquitto/users/zentralwerk-network" = perms;`
			`"mosquitto/users/services" = perms;`
			`"mosquitto/users/consumer" = perms;`
broker: add sensors account 2022-09-05 23:26:08 +02:00			`"mosquitto/users/sensors" = perms;`
mosquitto: works 2022-07-16 02:03:47 +02:00			`};`
			`};`

			`environment.systemPackages = with pkgs; [`
broker: customize mqttui with username/password 2022-07-16 03:11:06 +02:00			`mymqttui`
mosquitto: works 2022-07-16 02:03:47 +02:00			`];`

broker: customize mqttui with username/password 2022-07-16 03:11:06 +02:00			`users.motd = ''`
			`C3D2 MQTT Broker`
			`================`

			Use `mqttui` to inspect the data in mosquitto.

			`'';`

mosquitto: works 2022-07-16 02:03:47 +02:00			`system.stateVersion = "22.05";`
			`}`