# NixOS module for the "broker" MicroVM: a Mosquitto MQTT broker whose three
# password-authenticated users get their credentials from sops-nix secrets.
{ config, pkgs, lib, zentralwerk, ... }:

let
  # MQTT user name -> topic ACL. This table is the single source for both the
  # listener's user entries and the sops secrets declared further down, so a
  # user can never be defined without its secret (or the reverse).
  #
  # NOTE(review): every ACL uses the multi-level wildcard "#". The two
  # publishers may write to any topic and "consumer" may read any topic;
  # narrow these to per-service topic prefixes if the topic layout allows it.
  brokerUsers = {
    "zentralwerk-network" = [ "write #" ];
    "services" = [ "write #" ];
    "consumer" = [ "read #" ];
  };

  # Name of the sops secret that holds the password of a given MQTT user.
  secretName = user: "mosquitto/users/${user}";

  # serviceConfig of the mosquitto systemd unit; its User/Group become the
  # owner and group of the decrypted secret files.
  mosquittoUnit = config.systemd.services.mosquitto.serviceConfig;
in
{
  # Project-specific deployment options (host server and persistent mounts).
  # NOTE(review): semantics are defined by the c3d2 module, not visible here.
  c3d2.deployment = {
    server = "server10";
    mounts = [ "etc" "var" ];
  };

  microvm.mem = 1024;

  networking.hostName = "broker";

  # 1883 is the conventional unencrypted MQTT port. No TLS settings are
  # configured on the listener below, so MQTT usernames and passwords cross
  # the network in cleartext; keep this port reachable from trusted networks
  # only, or add a TLS listener.
  networking.firewall.allowedTCPPorts = [ 1883 ];

  services.openssh.enable = true;

  services.mosquitto = {
    enable = true;
    listeners = [
      {
        # Binds on all IPv4 interfaces; the port is left at the module default.
        address = "0.0.0.0";
        users = lib.mapAttrs
          (user: acl: {
            # NOTE(review): passwordFile is read as a clear-text password by
            # the NixOS mosquitto module; hashedPasswordFile is the variant
            # for pre-hashed credentials -- confirm which one is intended.
            passwordFile = config.sops.secrets.${secretName user}.path;
            inherit acl;
          })
          brokerUsers;
      }
    ];
  };

  sops = {
    # The host's SSH ed25519 key doubles as the age identity used to decrypt
    # secrets, so anyone who can read this key can decrypt them as well.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    # One secret per MQTT user, readable by the mosquitto user and group
    # only (mode 0440: no write bit, no access for others).
    secrets = lib.mapAttrs'
      (user: _acl: lib.nameValuePair (secretName user) {
        owner = mosquittoUnit.User;
        group = mosquittoUnit.Group;
        mode = "0440";
      })
      brokerUsers;
  };

  # MQTT terminal client, installed for debugging on the host.
  environment.systemPackages = [ pkgs.mqttui ];

  system.stateVersion = "22.05";
}