broker: enable mqtt+tls
parent
6fed0e0bf9
commit
bd0479c4b5
|
@ -6,6 +6,8 @@ let
|
|||
export MQTTUI_PASSWORD=`cat ${(builtins.head config.services.mosquitto.listeners).users.consumer.passwordFile}`
|
||||
exec ${pkgs.mqttui}/bin/mqttui
|
||||
'';
|
||||
|
||||
fqdn = "broker.serv.zentralwerk.org";
|
||||
in
|
||||
{
|
||||
c3d2 = {
|
||||
|
@ -19,36 +21,79 @@ in
|
|||
|
||||
networking = {
|
||||
hostName = "broker";
|
||||
firewall.allowedTCPPorts = [ 1883 ];
|
||||
firewall.allowedTCPPorts = [
|
||||
# nginx
|
||||
80 443
|
||||
# mosquitto
|
||||
1883 8883
|
||||
];
|
||||
};
|
||||
|
||||
services.openssh.enable = true;
|
||||
|
||||
# runs mainly to obtain a TLS certificate
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts.${fqdn} = {
|
||||
default = true;
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
# TODO: provide websocket
|
||||
};
|
||||
};
|
||||
|
||||
services.mosquitto = {
|
||||
enable = true;
|
||||
listeners = [
|
||||
{
|
||||
address = "0.0.0.0";
|
||||
users."zentralwerk-network" = {
|
||||
passwordFile = config.sops.secrets."mosquitto/users/zentralwerk-network".path;
|
||||
acl = [
|
||||
"write #"
|
||||
];
|
||||
listeners =
|
||||
let
|
||||
users = {
|
||||
"zentralwerk-network" = {
|
||||
passwordFile = config.sops.secrets."mosquitto/users/zentralwerk-network".path;
|
||||
acl = [
|
||||
"write #"
|
||||
];
|
||||
};
|
||||
"services" = {
|
||||
passwordFile = config.sops.secrets."mosquitto/users/services".path;
|
||||
acl = [
|
||||
"write #"
|
||||
];
|
||||
};
|
||||
"consumer" = {
|
||||
passwordFile = config.sops.secrets."mosquitto/users/consumer".path;
|
||||
acl = [
|
||||
"read #"
|
||||
];
|
||||
};
|
||||
};
|
||||
users."services" = {
|
||||
passwordFile = config.sops.secrets."mosquitto/users/services".path;
|
||||
acl = [
|
||||
"write #"
|
||||
];
|
||||
in
|
||||
[ {
|
||||
address = "::";
|
||||
port = 1883;
|
||||
inherit users;
|
||||
} {
|
||||
address = "::";
|
||||
port = 8883;
|
||||
settings = {
|
||||
certfile = "/run/credentials/mosquitto.service/cert.pem";
|
||||
keyfile = "/run/credentials/mosquitto.service/key.pem";
|
||||
};
|
||||
users."consumer" = {
|
||||
passwordFile = config.sops.secrets."mosquitto/users/consumer".path;
|
||||
acl = [
|
||||
"read #"
|
||||
];
|
||||
};
|
||||
}
|
||||
];
|
||||
inherit users;
|
||||
} ];
|
||||
};
|
||||
systemd.services.mosquitto = {
|
||||
requires = [ "acme-finished-${fqdn}.target" ];
|
||||
serviceConfig.LoadCredential =
|
||||
let
|
||||
certDir = config.security.acme.certs.${fqdn}.directory;
|
||||
in [
|
||||
"cert.pem:${certDir}/fullchain.pem"
|
||||
"key.pem:${certDir}/key.pem"
|
||||
];
|
||||
};
|
||||
security.acme.certs.${fqdn}.postRun = ''
|
||||
systemctl restart mosquitto
|
||||
'';
|
||||
|
||||
sops = {
|
||||
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||
|
|
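Review bot: The plaintext listener on port 1883 is kept alongside the new TLS listener on 8883, both bound to `address = "::"` and both opened in `firewall.allowedTCPPorts`, so the same password-authenticated users can still connect with credentials and payloads crossing the wire unencrypted; enabling TLS does not reduce exposure unless the plaintext path is restricted or retired. If 1883 must stay for legacy clients, I would at least annotate it, e.g. `# plaintext listener kept for legacy clients; credentials are sent in clear — restrict to trusted networks`, and consider scoping its firewall rule to a trusted interface (NixOS offers `networking.firewall.interfaces.<name>.allowedTCPPorts` for this) rather than the global list. The TLS listener pins only `certfile`/`keyfile`; whether a minimum TLS version applies is not visible here and may be worth stating explicitly in `settings`. The surrounding attribute set continues outside the hunk, so I cannot tell whether any other listener hardening is configured elsewhere.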