mosquitto: works

2022-07-16 02:03:47 +02:00 · 2022-07-16 02:03:47 +02:00 · 7b5f6b388e
parent 993881325f
commit 7b5f6b388e
3 changed files with 81 additions and 4 deletions
--- a/flake.lock
+++ b/flake.lock
@ -525,11 +525,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1656440118,
-        "narHash": "sha256-nmms19tpuGqjKZBYLUpuZj3Uy6mgtxA4ynSHoX8OzlI=",
+        "lastModified": 1657928876,
+        "narHash": "sha256-vK8OIjiD3XpzTH6uv358IU71Jwvu5o2+q8ISg+Vg+tU=",
        "ref": "refs/heads/master",
-        "rev": "7b5db509271e9fbf9d722cf22a08e3658c7b8c82",
-        "revCount": 136,
+        "rev": "ce0f7c9f962851cdead48cf8dd3ee088aa00efed",
+        "revCount": 143,
        "type": "git",
        "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
      },
--- a/flake.nix
+++ b/flake.nix
@ -428,6 +428,16 @@
          };
      in {

+        broker = nixosSystem' {
+          modules = [
+            self.nixosModules.microvm
+            ./hosts/containers/broker
+            {
+              sops.defaultSopsFile = "${secrets}/hosts/broker/secrets.yaml";
+            }
+          ];
+        };
+
        freifunk = nixosSystem' {
          modules = [
            self.nixosModules.microvm
--- a/hosts/containers/broker/default.nix
+++ b/hosts/containers/broker/default.nix
@ -0,0 +1,67 @@
+{ config, pkgs, lib, zentralwerk, ... }:
+
+{
+  c3d2 = {
+    deployment = {
+      server = "server10";
+      mounts = [ "etc" "var"];
+    };
+  };
+
+  microvm.mem = 1024;
+
+  networking = {
+    hostName = "broker";
+    firewall.allowedTCPPorts = [ 1883 ];
+  };
+
+  services.openssh.enable = true;
+  services.mosquitto = {
+    enable = true;
+    listeners = [
+      {
+        address = "0.0.0.0";
+        users."zentralwerk-network" = {
+          passwordFile = config.sops.secrets."mosquitto/users/zentralwerk-network".path;
+          acl = [
+            "write #"
+          ];
+        };
+        users."services" = {
+          passwordFile = config.sops.secrets."mosquitto/users/services".path;
+          acl = [
+            "write #"
+          ];
+        };
+        users."consumer" = {
+          passwordFile = config.sops.secrets."mosquitto/users/consumer".path;
+          acl = [
+            "read #"
+          ];
+        };
+      }
+    ];
+  };
+
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    secrets = let
+      perms = {
+        owner = config.systemd.services.mosquitto.serviceConfig.User;
+        group = config.systemd.services.mosquitto.serviceConfig.Group;
+        mode = "0440";
+      };
+    in
+    {
+      "mosquitto/users/zentralwerk-network" = perms;
+      "mosquitto/users/services" = perms;
+      "mosquitto/users/consumer" = perms;
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    mqttui
+  ];
+
+  system.stateVersion = "22.05";
+}