Set up MQTT broker

configuration.nix

@@ -151,6 +151,16 @@ with pkgs;
       owner = "matrix-as-telegram";
       group = "matrix-as-telegram";
     };
+    secrets.mqtt-sender = {
+      file = secrets/mqtt-sender.age;
+      owner = "mosquitto";
+      group = "mosquitto";
+    };
+    secrets.mqtt-receiver = {
+      file = secrets/mqtt-receiver.age;
+      owner = "mosquitto";
+      group = "mosquitto";
+    };
     identityPaths = [ "/etc/ssh/id_ed25519" ];
   };
 

modules/communication.nix

@@ -127,4 +127,22 @@ in {
   # Enable voice messages for facebook
   systemd.services.matrix-as-facebook.path = [ ffmpeg ];
 
+  # MQTT configuration
+  services.mosquitto = {
+    enable = true;
+    dataDir = "/vault/mosquitto";
+    logType = [ "websockets" "error" "warning" "notice" "information" ];
+    logDest = [ "syslog" ];
+    listeners = [{
+      users.homeostasis = {
+        acl = [ "write #" ];
+        hashedPasswordFile = config.age.secrets.mqtt-sender.path;
+      };
+      users.prometheus = {
+        acl = [ "read #" ];
+        hashedPasswordFile = config.age.secrets.mqtt-receiver.path;
+      };
+    }];
+  };
+
 }

modules/hardware-configuration.nix

@@ -4,89 +4,98 @@
 { config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
   boot.initrd.availableKernelModules = [ "xhci_pci" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
-      fsType = "ext4";
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+    fsType = "ext4";
+  };
 
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/2178-694E";
-      fsType = "vfat";
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/2178-694E";
+    fsType = "vfat";
+  };
 
-  fileSystems."/var/lib/matrix-as-facebook" =
-    { device = "vault/state_directories/matrix-as-facebook";
-      fsType = "zfs";
-    };
+  fileSystems."/var/lib/gitea" = {
+    device = "vault/state_directories/gitea";
+    fsType = "zfs";
+  };
 
-  fileSystems."/var/lib/matrix-as-signal" =
-    { device = "vault/state_directories/matrix-as-signal";
-      fsType = "zfs";
-    };
+  fileSystems."/var/lib/wallabag" = {
+    device = "vault/state_directories/wallabag";
+    fsType = "zfs";
+  };
 
-  fileSystems."/var/lib/signald" =
-    { device = "vault/state_directories/signald";
-      fsType = "zfs";
-    };
+  fileSystems."/var/lib/matrix-as-facebook" = {
+    device = "vault/state_directories/matrix-as-facebook";
+    fsType = "zfs";
+  };
 
-  fileSystems."/var/lib/gitea" =
-    { device = "vault/state_directories/gitea";
-      fsType = "zfs";
-    };
+  fileSystems."/var/lib/signald" = {
+    device = "vault/state_directories/signald";
+    fsType = "zfs";
+  };
 
-  fileSystems."/var/lib/matrix-as-telegram" =
-    { device = "vault/state_directories/matrix-as-telegram";
-      fsType = "zfs";
-    };
+  fileSystems."/var/lib/matrix-as-signal" = {
+    device = "vault/state_directories/matrix-as-signal";
+    fsType = "zfs";
+  };
 
-  fileSystems."/vault" =
-    { device = "vault";
-      fsType = "zfs";
-    };
+  fileSystems."/vault" = {
+    device = "vault";
+    fsType = "zfs";
+  };
 
-  fileSystems."/var/lib/wallabag" =
-    { device = "vault/state_directories/wallabag";
-      fsType = "zfs";
-    };
+  fileSystems."/vault/backups" = {
+    device = "vault/backups";
+    fsType = "zfs";
+  };
 
-  fileSystems."/vault/git" =
-    { device = "vault/git";
-      fsType = "zfs";
-    };
+  fileSystems."/vault/git" = {
+    device = "vault/git";
+    fsType = "zfs";
+  };
 
-  fileSystems."/vault/backups" =
-    { device = "vault/backups";
-      fsType = "zfs";
-    };
+  fileSystems."/vault/syncthing" = {
+    device = "vault/syncthing";
+    fsType = "zfs";
+  };
 
-  fileSystems."/vault/radicale" =
-    { device = "vault/radicale";
-      fsType = "zfs";
-    };
+  fileSystems."/vault/backups/zion" = {
+    device = "vault/backups/zion";
+    fsType = "zfs";
+  };
 
-  fileSystems."/vault/backups/zion" =
-    { device = "vault/backups/zion";
-      fsType = "zfs";
-    };
+  fileSystems."/vault/radicale" = {
+    device = "vault/radicale";
+    fsType = "zfs";
+  };
 
-  fileSystems."/vault/syncthing" =
-    { device = "vault/syncthing";
-      fsType = "zfs";
-    };
+  fileSystems."/vault/backups/monolith" = {
+    device = "vault/backups/monolith";
+    fsType = "zfs";
+  };
 
-  fileSystems."/vault/backups/monolith" =
-    { device = "vault/backups/monolith";
-      fsType = "zfs";
-    };
+  fileSystems."/var/lib/matrix-as-telegram" = {
+    device = "vault/state_directories/matrix-as-telegram";
+    fsType = "zfs";
+  };
+
+  fileSystems."/var/lib/containers/storage/overlay" = {
+    device = "/var/lib/containers/storage/overlay";
+    fsType = "none";
+    options = [ "bind" ];
+  };
+
+  fileSystems."/vault/mosquitto" = {
+    device = "vault/mosquitto";
+    fsType = "zfs";
+  };
 
   swapDevices = [ ];
 
@@ -95,7 +104,9 @@
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.cni-podman0.useDHCP = lib.mkDefault true;
   # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.veth2e6ad4e4.useDHCP = lib.mkDefault true;
   # networking.interfaces.wg0.useDHCP = lib.mkDefault true;
   # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
 

modules/networking.nix

@@ -50,6 +50,7 @@ in {
       443 # HTTPS
       53 # DNS
       8448 # Matrix
+      1883 # MQTT
     ];
     allowedUDPPorts = [
       wireguard_port # Wireguard

scripts/motd.sh

@@ -33,6 +33,7 @@ services=(
 	"nginx.service"
 	"dnsmasq.service"
 	"podman-openbooks.service"
+	"mosquitto.service"
 )
 
 for var in "${services[@]}"; do

secrets/mqtt-receiver.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg JT+as1Cl66qOy5yY3WJNs0bh51DWaCe/+XZLR8m1L0A
+/6CyRX6Ks7Wr/ySlJhdfkabcy4N5rQ0VzGtlbxL8RCs
+-> L$l;-grease uU_g`a
+N00Z5C8AKzdnGZuFUHqY6uZBiMryyT3IXkdNlYW2fVJLOSfkfFdXssIK9hcMObyi
+sQENGphUf1Sk16Vo9p4emOL5mtzU
+--- flb9q0/Q608TJ6K9fsGULVwi2Pk860Cz750d5DBSfMM
+1é%ÐÃ=ÍLÚ®¶‡sôc/ˆIy“ñoT!¤Ú<C2A4>´&X×ÄÑWÕ’ZÌ‹¿<E280B9> 8Zö‡¹¢¡Ã¦¦­¯ô¯	—±tw€'ç² i‰eÂ’Ž_Õ}-ÒVÛ$ºS¶¯<C2B6>õîØ®AëÞîh¦è®¡²!‡¯9ZîÉå¥hqÑ–Ia¡ô,
§•p0}g	³:D

secrets/secrets.nix

@@ -12,4 +12,6 @@ in {
   "dendrite.age".publicKeys = [ zion ];
   "dendrite-postgres.age".publicKeys = [ zion ];
   "telegram.age".publicKeys = [ zion ];
+  "mqtt-sender.age".publicKeys = [ zion ];
+  "mqtt-receiver.age".publicKeys = [ zion ];
 }