
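{ config, pkgs, lib, zentralwerk, ... }:
let
  # Path of the sops-managed password file of the read-only "consumer" user,
  # taken from the first (and only) mosquitto listener declared below.
  consumerPasswordFile =
    (builtins.head config.services.mosquitto.listeners).users.consumer.passwordFile;

  # Wrapper around mqttui that logs in as "consumer".
  # writeShellScriptBin prepends a shebang (writeScriptBin does not), so the
  # wrapper also runs when invoked via exec()/subprocess and not only from an
  # interactive shell that falls back to interpreting it itself.
  # The password is read at invocation time; with the 0440 mode set under
  # `sops.secrets` the caller must be root or in the service's group. A failed
  # read aborts (set -e on the assignment) instead of connecting with an empty
  # password. The credentials reach mqttui through its environment, which is
  # readable by the invoking user and root via /proc — assumed acceptable for a
  # read-only account; confirm if the account ever gains write ACLs.
  mymqttui = pkgs.writeShellScriptBin "mqttui" ''
    set -eu
    MQTTUI_PASSWORD=$(cat ${consumerPasswordFile})
    export MQTTUI_USERNAME=consumer
    export MQTTUI_PASSWORD
    # Forward the caller's arguments so mqttui sub-commands and flags keep working.
    exec ${pkgs.mqttui}/bin/mqttui "$@"
  '';
in
{
  # Deployment target and the directories persisted for this container.
  c3d2 = {
    deployment = {
      server = "server10";
      mounts = [ "etc" "var" ];
    };
  };

  microvm.mem = 1024;

  networking = {
    hostName = "broker";
    # Plain MQTT; no TLS listener is configured in this file, so traffic to
    # the broker (including the passwords above) is unencrypted on the wire.
    firewall.allowedTCPPorts = [ 1883 ];
  };

  services.openssh.enable = true;

  services.mosquitto = {
    enable = true;
    listeners = [
      {
        # Bind on all IPv4 interfaces; reachability is limited only by the
        # firewall rule above and the surrounding network.
        address = "0.0.0.0";
        # Producers may publish anywhere; "consumer" may only subscribe.
        users."zentralwerk-network" = {
          passwordFile = config.sops.secrets."mosquitto/users/zentralwerk-network".path;
          acl = [
            "write #"
          ];
        };
        users."services" = {
          passwordFile = config.sops.secrets."mosquitto/users/services".path;
          acl = [
            "write #"
          ];
        };
        users."consumer" = {
          passwordFile = config.sops.secrets."mosquitto/users/consumer".path;
          acl = [
            "read #"
          ];
        };
      }
    ];
  };

  sops = {
    # Secrets are decrypted with the host's SSH host key.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    secrets = let
      # All password files are readable by the mosquitto service user/group only.
      perms = {
        owner = config.systemd.services.mosquitto.serviceConfig.User;
        group = config.systemd.services.mosquitto.serviceConfig.Group;
        mode = "0440";
      };
    in
    {
      "mosquitto/users/zentralwerk-network" = perms;
      "mosquitto/users/services" = perms;
      "mosquitto/users/consumer" = perms;
    };
  };

  environment.systemPackages = with pkgs; [
    mymqttui
  ];

  users.motd = ''
    C3D2 MQTT Broker
    ================
    Use `mqttui` to inspect the data in mosquitto.
  '';

  system.stateVersion = "22.05";
}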