broker: enable mqtt+tls

2022-07-17 01:48:16 +02:00 · 2022-07-17 01:48:16 +02:00 · bd0479c4b5
parent 6fed0e0bf9
commit bd0479c4b5
1 changed files with 67 additions and 22 deletions
--- a/hosts/containers/broker/default.nix
+++ b/hosts/containers/broker/default.nix
@ -6,6 +6,8 @@ let
    export MQTTUI_PASSWORD=`cat ${(builtins.head config.services.mosquitto.listeners).users.consumer.passwordFile}`
    exec ${pkgs.mqttui}/bin/mqttui
  '';
+
+  fqdn = "broker.serv.zentralwerk.org";
 in
 {
  c3d2 = {
@ -19,36 +21,79 @@ in

  networking = {
    hostName = "broker";
-    firewall.allowedTCPPorts = [ 1883 ];
+    firewall.allowedTCPPorts = [
+      # nginx
+      80 443
+      # mosquitto
+      1883 8883
+    ];
  };

  services.openssh.enable = true;
+
+  # runs mainly to obtain a TLS certificate
+  services.nginx = {
+    enable = true;
+    virtualHosts.${fqdn} = {
+      default = true;
+      enableACME = true;
+      forceSSL = true;
+      # TODO: provide websocket
+    };
+  };
+
  services.mosquitto = {
    enable = true;
-    listeners = [
-      {
-        address = "0.0.0.0";
-        users."zentralwerk-network" = {
-          passwordFile = config.sops.secrets."mosquitto/users/zentralwerk-network".path;
-          acl = [
-            "write #"
-          ];
+    listeners =
+      let
+        users = {
+          "zentralwerk-network" = {
+            passwordFile = config.sops.secrets."mosquitto/users/zentralwerk-network".path;
+            acl = [
+              "write #"
+            ];
+          };
+          "services" = {
+            passwordFile = config.sops.secrets."mosquitto/users/services".path;
+            acl = [
+              "write #"
+            ];
+          };
+          "consumer" = {
+            passwordFile = config.sops.secrets."mosquitto/users/consumer".path;
+            acl = [
+              "read #"
+            ];
+          };
        };
-        users."services" = {
-          passwordFile = config.sops.secrets."mosquitto/users/services".path;
-          acl = [
-            "write #"
-          ];
+      in
+      [ {
+        address = "::";
+        port = 1883;
+        inherit users;
+      } {
+        address = "::";
+        port = 8883;
+        settings = {
+          certfile = "/run/credentials/mosquitto.service/cert.pem";
+          keyfile = "/run/credentials/mosquitto.service/key.pem";
        };
-        users."consumer" = {
-          passwordFile = config.sops.secrets."mosquitto/users/consumer".path;
-          acl = [
-            "read #"
-          ];
-        };
-      }
-    ];
+        inherit users;
+      } ];
  };
+  systemd.services.mosquitto = {
+    requires = [ "acme-finished-${fqdn}.target" ];
+    serviceConfig.LoadCredential =
+      let
+        certDir = config.security.acme.certs.${fqdn}.directory;
+      in [
+        "cert.pem:${certDir}/fullchain.pem"
+        "key.pem:${certDir}/key.pem"
+      ];
+  };
+  security.acme.certs.${fqdn}.postRun = ''
+    systemctl restart mosquitto
+  '';

  sops = {
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];