From bd0479c4b5724497df9ab9c40d86608d28f328e6 Mon Sep 17 00:00:00 2001
From: Astro
Date: Sun, 17 Jul 2022 01:48:16 +0200
Subject: [PATCH] broker: enable mqtt+tls

---
 hosts/containers/broker/default.nix | 89 ++++++++++++++++++++++-------
 1 file changed, 67 insertions(+), 22 deletions(-)

diff --git a/hosts/containers/broker/default.nix b/hosts/containers/broker/default.nix
index 74a29ee6..e1f88b34 100644
--- a/hosts/containers/broker/default.nix
+++ b/hosts/containers/broker/default.nix
@@ -6,6 +6,8 @@ let
     export MQTTUI_PASSWORD=`cat ${(builtins.head config.services.mosquitto.listeners).users.consumer.passwordFile}`
     exec ${pkgs.mqttui}/bin/mqttui
   '';
+
+  fqdn = "broker.serv.zentralwerk.org";
 in {
   c3d2 = {
@@ -19,36 +21,79 @@ in
 
   networking = {
     hostName = "broker";
-    firewall.allowedTCPPorts = [ 1883 ];
+    firewall.allowedTCPPorts = [
+      # nginx
+      80 443
+      # mosquitto
+      1883 8883
+    ];
   };
 
   services.openssh.enable = true;
+
+  # runs mainly to obtain a TLS certificate
+  services.nginx = {
+    enable = true;
+    virtualHosts.${fqdn} = {
+      default = true;
+      enableACME = true;
+      forceSSL = true;
+      # TODO: provide websocket
+    };
+  };
+
   services.mosquitto = {
     enable = true;
-    listeners = [
-      {
-        address = "0.0.0.0";
-        users."zentralwerk-network" = {
-          passwordFile = config.sops.secrets."mosquitto/users/zentralwerk-network".path;
-          acl = [
-            "write #"
-          ];
+    listeners =
+      let
+        users = {
+          "zentralwerk-network" = {
+            passwordFile = config.sops.secrets."mosquitto/users/zentralwerk-network".path;
+            acl = [
+              "write #"
+            ];
+          };
+          "services" = {
+            passwordFile = config.sops.secrets."mosquitto/users/services".path;
+            acl = [
+              "write #"
+            ];
+          };
+          "consumer" = {
+            passwordFile = config.sops.secrets."mosquitto/users/consumer".path;
+            acl = [
+              "read #"
+            ];
+          };
         };
-        users."services" = {
-          passwordFile = config.sops.secrets."mosquitto/users/services".path;
-          acl = [
-            "write #"
-          ];
+      in
+      [ {
+        address = "::";
+        port = 1883;
+        inherit users;
+      } {
+        address = "::";
+        port = 8883;
+        settings = {
+          certfile = "/run/credentials/mosquitto.service/cert.pem";
+          keyfile = "/run/credentials/mosquitto.service/key.pem";
         };
-        users."consumer" = {
-          passwordFile = config.sops.secrets."mosquitto/users/consumer".path;
-          acl = [
-            "read #"
-          ];
-        };
-      }
-    ];
+        inherit users;
+      } ];
   };
+  systemd.services.mosquitto = {
+    requires = [ "acme-finished-${fqdn}.target" ];
+    serviceConfig.LoadCredential =
+      let
+        certDir = config.security.acme.certs.${fqdn}.directory;
+      in [
+        "cert.pem:${certDir}/fullchain.pem"
+        "key.pem:${certDir}/key.pem"
+      ];
+  };
+  security.acme.certs.${fqdn}.postRun = '' systemctl restart mosquitto '';
 
   sops = {
     age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
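Review bot: The new `systemd.services.mosquitto` block declares `requires = [ "acme-finished-${fqdn}.target" ];` but no `after`, so nothing orders mosquitto behind certificate issuance; on a fresh deploy the unit can be started while `${certDir}/fullchain.pem` and `key.pem` do not exist yet, and `LoadCredential` on a missing file should then fail the unit rather than bring up the 8883 listener. Adding `after = [ "acme-finished-${fqdn}.target" ];` next to `requires` fixes the ordering (the `postRun` restart already covers renewals, since `LoadCredential` is only read at unit start). Separately, the plaintext listener on 1883 keeps `address = "::"` and stays in `allowedTCPPorts`, so the same password-authenticated `write #` users remain reachable without TLS from anywhere the container is routable; if that is intended for internal clients only, a comment such as `# plaintext listener: internal clients only, TLS is on 8883` on that listener would document it, otherwise 1883 should be dropped from the firewall once clients have moved to 8883. The enclosing module attribute set starts before this hunk.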