From 7b5f6b388ed5b5b910bd3414a5026b9a7bb1be81 Mon Sep 17 00:00:00 2001
From: polygon
Date: Sat, 16 Jul 2022 02:03:47 +0200
Subject: [PATCH] mosquitto: works

---
 flake.lock | 8 ++--
 flake.nix | 10 +++++
 hosts/containers/broker/default.nix | 67 +++++++++++++++++++++++++++++
 3 files changed, 81 insertions(+), 4 deletions(-)
 create mode 100644 hosts/containers/broker/default.nix

diff --git a/flake.lock b/flake.lock
index df1ce91d..f7a50ad8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -525,11 +525,11 @@
 ]
 },
 "locked": {
- "lastModified": 1656440118,
- "narHash": "sha256-nmms19tpuGqjKZBYLUpuZj3Uy6mgtxA4ynSHoX8OzlI=",
+ "lastModified": 1657928876,
+ "narHash": "sha256-vK8OIjiD3XpzTH6uv358IU71Jwvu5o2+q8ISg+Vg+tU=",
 "ref": "refs/heads/master",
- "rev": "7b5db509271e9fbf9d722cf22a08e3658c7b8c82",
- "revCount": 136,
+ "rev": "ce0f7c9f962851cdead48cf8dd3ee088aa00efed",
+ "revCount": 143,
 "type": "git",
 "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
 },
diff --git a/flake.nix b/flake.nix
index 406924b3..3015989c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -428,6 +428,16 @@
 };
 in {
+ broker = nixosSystem' {
+ modules = [
+ self.nixosModules.microvm
+ ./hosts/containers/broker
+ {
+ sops.defaultSopsFile = "${secrets}/hosts/broker/secrets.yaml";
+ }
+ ];
+ };
+
 freifunk = nixosSystem' {
 modules = [
 self.nixosModules.microvm
diff --git a/hosts/containers/broker/default.nix b/hosts/containers/broker/default.nix
new file mode 100644
index 00000000..58eeed0f
--- /dev/null
+++ b/hosts/containers/broker/default.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, lib, zentralwerk, ... }:
+
+{
+ c3d2 = {
+ deployment = {
+ server = "server10";
+ mounts = [ "etc" "var"];
+ };
+ };
+
+ microvm.mem = 1024;
+
+ networking = {
+ hostName = "broker";
+ firewall.allowedTCPPorts = [ 1883 ];
+ };
+
+ services.openssh.enable = true;
+ services.mosquitto = {
+ enable = true;
+ listeners = [
+ {
+ address = "0.0.0.0";
+ users."zentralwerk-network" = {
+ passwordFile = config.sops.secrets."mosquitto/users/zentralwerk-network".path;
+ acl = [
+ "write #"
+ ];
+ };
+ users."services" = {
+ passwordFile = config.sops.secrets."mosquitto/users/services".path;
+ acl = [
+ "write #"
+ ];
+ };
+ users."consumer" = {
+ passwordFile = config.sops.secrets."mosquitto/users/consumer".path;
+ acl = [
+ "read #"
+ ];
+ };
+ }
+ ];
+ };
+
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ secrets = let
+ perms = {
+ owner = config.systemd.services.mosquitto.serviceConfig.User;
+ group = config.systemd.services.mosquitto.serviceConfig.Group;
+ mode = "0440";
+ };
+ in
+ {
+ "mosquitto/users/zentralwerk-network" = perms;
+ "mosquitto/users/services" = perms;
+ "mosquitto/users/consumer" = perms;
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ mqttui
+ ];
+
+ system.stateVersion = "22.05";
+}
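Review bot: The listener at `address = "0.0.0.0"` is plain MQTT on 1883 with password authentication and no TLS-related settings, and `firewall.allowedTCPPorts = [ 1883 ];` opens that port on every interface, so the per-user passwords from the sops secrets and all published payloads cross the network in cleartext. If the broker is only meant to be reached from the Zentralwerk network, bind the listener to that interface's address or scope the firewall rule with `networking.firewall.interfaces.<iface>.allowedTCPPorts` instead of the global list; otherwise a TLS listener (certfile/keyfile through the listener's `settings`, if that is how this module version exposes them) is the usual fix. The `"write #"` ACLs hand both publishing users the entire topic tree, so a comment stating why that breadth is intended, or narrowing each to the prefixes it actually publishes, would help the next reader. Minor style points: `mounts = [ "etc" "var"];` is missing the space before `]`, and `lib` and `zentralwerk` in the module arguments are unused.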