diff --git a/modules/hosts/nixos/default.nix b/modules/hosts/nixos/default.nix
index 8f30cff..3ce89b9 100644
--- a/modules/hosts/nixos/default.nix
+++ b/modules/hosts/nixos/default.nix
@@ -12,6 +12,7 @@
 iftop
 inetutils
 iotop
+ mosquitto
 neofetch
 python3
 smartmontools
diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix
index e47546e..3e073d8 100644
--- a/modules/hosts/nixos/hetznix01/default.nix
+++ b/modules/hosts/nixos/hetznix01/default.nix
@@ -31,8 +31,10 @@
 465 # SMTP with TLS
 587 # SMTP with STARTTLS
 993 # imaps
+ 1883 # mqtt
 8333 # Bitcoin Core
 8448 # Matrix Synapse
+ 8883 # mqtt over tls
 9735 # LND
 ];
 # firewall.allowedUDPPorts = [ ... ];
diff --git a/modules/hosts/nixos/hetznix01/post-install/default.nix b/modules/hosts/nixos/hetznix01/post-install/default.nix
index 8039499..0164d74 100644
--- a/modules/hosts/nixos/hetznix01/post-install/default.nix
+++ b/modules/hosts/nixos/hetznix01/post-install/default.nix
@@ -5,6 +5,7 @@ in {
 ../../../common/linux/lets-encrypt.nix
 ../../../common/linux/restic.nix
 ./matrix-synapse.nix
+ ./mosquitto.nix
 ./nginx.nix
 ];
@@ -76,7 +77,7 @@ in {
 extraApps = with config.services.nextcloud.package.packages.apps; {
 # List of apps we want to install and are already packaged in
 # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
- inherit
+ inherit
 richdocuments # Collabora Online for Nextcloud - https://apps.nextcloud.com/apps/richdocuments
 ;
 };
diff --git a/modules/hosts/nixos/hetznix01/post-install/mosquitto.nix b/modules/hosts/nixos/hetznix01/post-install/mosquitto.nix
new file mode 100644
index 0000000..6aa8c5a
--- /dev/null
+++ b/modules/hosts/nixos/hetznix01/post-install/mosquitto.nix
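Review bot: Opening `1883 # mqtt` on the host firewall exposes a plaintext MQTT listener on what appears to be an internet-facing machine, so the per-user passwords that mosquitto.nix is careful to keep in sops-managed `hashedPasswordFile`s will still cross the wire in the clear for any client that connects on 1883. The TLS listener on 8883 (opened in the same hunk) serves the same `mqtt_users`, and the three bridges in mosquitto.nix are outbound connections that need no inbound port, so I would drop the `1883 # mqtt` line; if a local client genuinely needs plaintext, the first listener in mosquitto.nix — which, if I read the module defaults right, currently binds 1883 on all interfaces — should be given a non-public `address` there instead of being opened to the world. The `allowedTCPPorts` list this hunk edits opens before the hunk.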
@@ -0,0 +1,102 @@
+{ config, ... }: {
+ services.mosquitto = {
+ enable = true;
+ bridges = {
+ liamcottle = {
+ addresses = [{
+ address = "mqtt.meshtastic.liamcottle.net";
+ port = 1883;
+ }];
+ topics = [
+ "msh/# out 1 \"\""
+ ];
+ settings = {
+ remote_username = "uplink";
+ remote_password = "uplink";
+ cleansession = true;
+ keepalive_interval = 160;
+ notifications = false;
+ start_type = "automatic";
+ };
+ };
+ meshtastic = {
+ addresses = [{
+ address = "mqtt.meshtastic.org";
+ port = 1883;
+ }];
+ topics = [
+ "msh/# out 1 \"\""
+ ];
+ settings = {
+ remote_username = "meshdev";
+ remote_password = "large4cats";
+ #bridge_protocol_version = "mqttv311";
+ cleansession = true;
+ keepalive_interval = 160;
+ notifications = false;
+ start_type = "automatic";
+ };
+ };
+ homeassistant = {
+ addresses = [{
+ address = "homeasistant-lc.atlas-snares.ts.net";
+ port = 1883;
+ }];
+ topics = [
+ "msh/US/2/e/LongFast/!a386c80 out 1 \"\""
+ "msh/US/2/e/LongFast/!b03bcb24 out 1 \"\""
+ "msh/US/2/e/LongFast/!b03dbe58 out 1 \"\""
+ "msh/US/2/e/LongFast/!4370b0c6 out 1 \"\""
+ ];
+ settings = {
+ remote_username = "meshtastic_user";
+ remote_password = "meshtastic_user";
+ cleansession = true;
+ keepalive_interval = 160;
+ notifications = false;
+ start_type = "automatic";
+ };
+ };
+ };
+ listeners = let
+ mqtt_users = {
+ genebean = {
+ acl = [
+ "readwrite msh/#"
+ ];
+ hashedPasswordFile = config.sops.secrets.mosquitto_genebean.path;
+ };
+ mountain_mesh = {
+ acl = [
+ "readwrite msh/#"
+ ];
+ hashedPasswordFile = config.sops.secrets.mosquitto_mountain_mesh.path;
+ };
+ };
+ in [
+ {
+ users = mqtt_users;
+ settings.allow_anonymous = false;
+ }
+ {
+ port = 8883;
+ users = mqtt_users;
+ settings = let
+ certDir = config.security.acme.certs."mqtt.technicalissues.us".directory;
+ in {
+ allow_anonymous = false;
+ keyfile = certDir + "/key.pem";
+ certfile = certDir + "/cert.pem";
+ cafile = certDir + "/chain.pem";
+ };
+ }
+ ];
+ };
+
+ sops.secrets = {
+
mosquitto_genebean.owner = config.users.users.mosquitto.name;
+ mosquitto_mountain_mesh.owner = config.users.users.mosquitto.name;
+ };
+
+ users.users.mosquitto.extraGroups = [ "nginx" ];
+}
diff --git a/modules/hosts/nixos/hetznix01/post-install/nginx.nix b/modules/hosts/nixos/hetznix01/post-install/nginx.nix
index c1ff83e..6116c40 100644
--- a/modules/hosts/nixos/hetznix01/post-install/nginx.nix
+++ b/modules/hosts/nixos/hetznix01/post-install/nginx.nix
@@ -152,6 +152,12 @@ in {
 "/_synapse/client".proxyPass = "http://[::1]:8008";
 };
 };
+ "mqtt.${domain}" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".return = "301 https://beanbag.technicalissues.us";
+ };
 "ot.${domain}" = {
 enableACME = true;
 acmeRoot = null;
diff --git a/modules/hosts/nixos/hetznix01/secrets.yaml b/modules/hosts/nixos/hetznix01/secrets.yaml
index a640089..e82940e 100644
--- a/modules/hosts/nixos/hetznix01/secrets.yaml
+++ b/modules/hosts/nixos/hetznix01/secrets.yaml
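Review bot: The three bridges carry their remote credentials as plain `remote_password` strings in this file, while the local users a few lines further down already go through sops-managed `hashedPasswordFile`s, so secret handling is inconsistent within the same module. The `meshdev`/`large4cats` pair is the publicly documented credential for mqtt.meshtastic.org, but the `uplink` and `meshtastic_user` passwords look site-specific and would be better kept out of the repo, for example in a sops-rendered config fragment pulled in through the module's `includeDirs` option if this nixpkgs provides it. The homeassistant bridge address `homeasistant-lc.atlas-snares.ts.net` spells "assistant" with a single s; if the tailnet machine name really is spelled that way this is fine, otherwise that bridge will never connect and mosquitto will only log reconnect attempts. Adding the mosquitto user to the `nginx` group grants it everything that group can read — presumably every ACME certificate issued for an nginx vhost, not just `mqtt.technicalissues.us` — so a narrower option is to give that one certificate a group mosquitto belongs to, or at least record the intent with `# nginx group membership is only for reading the ACME cert directory used by the 8883 listener`.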
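Review bot: The `mqtt.${domain}` vhost answers every request with a redirect, so its real purpose — presumably obtaining the ACME certificate that mosquitto.nix's 8883 listener reads from `config.security.acme.certs."mqtt.technicalissues.us".directory` — is not visible from this file. A one-line comment above the block would spare the next reader the detour: `# Exists only to provision the ACME cert consumed by mosquitto's TLS listener; web traffic is bounced to beanbag`. The enclosing attribute set (the nginx `virtualHosts`, presumably) starts and ends outside the hunk.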
@@ -2,9 +2,14 @@ local_git_config: ENC[AES256_GCM,data:BulcGoJ85+BA3maqbMewUdaNOl3feaJMq/4yZL8Y8S
 local_private_env: ENC[AES256_GCM,data:OFcCaE9/hpd6JIoUTTxg0pEFL3rkUE3G+JzP/wjFXpa/AJa2Rr0Kv42Pu+iwgPMWgcpp50ChjVxGvbceNQ==,iv:I2LyWwvdMdE4wKLb3udLVMu3jFsvYR1ruZvaVt9GG7c=,tag:tBPmlNr0iNdLRU1GIRV2mg==,type:str]
 matrix_secrets_yaml: ENC[AES256_GCM,data:6DLtAZIYBlL7iQVS/FBeUEhHyAOFZ5JRNqFBqi59GVh7cP0Hp8RBWxKpWAH2eUPYqUqUGCKrSSH3sJqzV+vasSR62tcltV7+13+q+rZVCZNCEf21EwQ5aaxgR3yG4n3YUPqLsCQB6UnWn0tF5HO0ofjYkya0pQ/nX9TBiiqIcPcd4NovbTtf+S0G0VptqyXAuRvJoKCx42ft9IBfV9tF1QsXLemKYlI10hN5l/MgJHwVbwH5xXR2kLKvnlpAyIoST/uJhswQV9DyK9cnl09ZM9ztcXhveBzv6uDW+pme8lFL99SMtMJcbSzxYW/pt+GJgYd1NiaoPbayWM72jdpH0hf2zWchxnIJIyL3H6EzIjD8BE9GnMP7ujQwBZGNZITRSg==,iv:cDtuOhv2v6CZcwiMM3oqjmajIl7D8Im+LkfarcjTM/w=,tag:e7zRQBYslJqESOGN3c4/aw==,type:str]
 matrix_homeserver_signing_key: ENC[AES256_GCM,data:+RflNxFfS2w9LbavT7YnCQIhJWI49kN7pOa9/dH0BpDWxKQaLE4ZYBYq0ikAgcHaF3+rBL3f6KxUacw=,iv:6+nZzuxBUwjM74XHCD89YWfyuMRcoIwQlHLiNN4NWdc=,tag:91yigynRz6QdEd4rF7d/9g==,type:str]
+mosquitto_mountain_mesh: ENC[AES256_GCM,data:LczPsPtAgkTTGcG3KYXMkfeA67e81Q5zJ5Nb8JcSosvvUwJRUi6yDcV/0wsYbMxeWDMrE/p+2KFRI48BVcUbY/LXqyFu5iNbX5IJXxzrexXXSTnOLa2PEamESzQlWI0ZS+K0Q48/5v9ekNVOkPgNQQ==,iv:jfa0QKOp8fyieUYTbMnBJ18VZwPO2CVnYQECHLNCyPI=,tag:9YZU82XQUmLJAFK+AiZ/Vw==,type:str]
+mosquitto_genebean: ENC[AES256_GCM,data:QzLpyXST+hlmCq7SIpkxra5jiA3JTWPgGV/NPBoeC+yESpiXQOnWzzSiNS09l3xGmjvTLR4dGUeTD1CUl4FwUsMT15MWjWHYNAfuoywy50i7xCCKPwERDxniar7Ykq7o0rz2UkNlW0X7uLQar+rn6g==,iv:ECt5oAh2R1a+RFEk5lEsDFEj2+4Z/D4Q7ezK1iTsS6k=,tag:4tLFjqezUFW8hA8udyPkiw==,type:str]
 mqtt_recorder_pass: ENC[AES256_GCM,data:N44nv2mk5zguWXNHdKsxhoKUjiduD1hzsAb6,iv:aLudKuUBTPXgtAF33exELH/PESD0CqoDaydeqdhcmbA=,tag:3lhrqO8jxJiRHWZjWSRa0g==,type:str]
 nextcloud_admin_pass: ENC[AES256_GCM,data:dite1z9lAQg4geuoDvXnveJP0iI/ouEe,iv:VT17WjQdS8T1qIxwyjdLy2VNpP5tv7KXhY+twpotiaQ=,tag:5DQLvRI87BamUutSUnvncA==,type:str]
 owntracks_basic_auth:
ENC[AES256_GCM,data:GX1U1uf7+erE+g9GzhXK5ED2QicfcbpRCwpJDw6Zr9X2FtdMYleH5mhLxw==,iv:PflRq+P50+oFf4wv5wwlY6V9bApGuJ3tlYTvJZ5mg0E=,tag:VHBY5qv7rX74DGURsYaWpw==,type:str]
+pack1828_gene_liverman_pass: ENC[AES256_GCM,data:f1sO6ZKbg6wsPtAE0X5g0vqvEToBG4Ps+f0GiAK7ThDHna4UDHc0MlEbLsRb+C/WtKfDMFm2EfbfFIks,iv:jy7gt4mGXjsUXbuW8ml/tkc6AEOnkfflP7rtD6pU4JU=,tag:ccS0VfRd5yT/i+ic/N2Suw==,type:str]
+pack1828_dawn_liverman_pass: ENC[AES256_GCM,data:reJDYGed0VBGoZ48FMPhWFBn7zM42uFcMaBy2569JS4kKZ9AqFFVJKstmyj3U81hE7aG2hxaLOT0sGQA,iv:tfXu7jCuuAcR7kxVb8Lfj/tKhwpZ/gTY9xwmWOy/kPA=,tag:qHOdjvz8yGChumP5D7q25w==,type:str]
+pack1828_steve_mclendon_pass: ENC[AES256_GCM,data:js6im7Uobhgh8TM/R6pAQeBOWbqMmmVu+y+0yG/W0QRAtjxqy2gwYdtu0PBf7ZbXoDvqLWBj9tYiH5T2,iv:dmGmkNrkcWfGv/bgpf/TowDVb7sG3Oqq26iJqfMfE74=,tag:W7TmUvOM+ApkJ4EXDqmRLw==,type:str]
 plausible_admin_pass: ENC[AES256_GCM,data:nMGHMTp3YsDGP3YA9qmZqRCBA5BonS7SaLo=,iv:gN9qu+35DHiJVKh8vHF6KAwrFqgfdNNCC0+q3L/mBGg=,tag:XKlzT4Bp9IIKTSAmjDhd1Q==,type:str]
 plausible_secret_key_base: ENC[AES256_GCM,data:6Co3VO9Ocmd6cppRpm763jjpRE9yCb75FnrrvCD5XtQPoq6c7ZnCPfSPzWF7jOv6e0g+ghao015myEe3pmNlPcx55KE4LpPwNGHdGbFHmNsGiIDrDUC3Hw==,iv:0FXSF//7FAGrQKiMOfHFoWE539MzCnz7xUTHxxatTCI=,tag:cKMFwyLYScKVM3v+6hvwzg==,type:str]
 tailscale_key: ENC[AES256_GCM,data:Bl00WuIrLvxmt7aNsoXC6G7XFls7waZMzdfo/MsEOZl/i3wHwrjrmgwd3V4GkaJ42UjrC1OLobrkuLves4w=,iv:tlCu0EWgvhvs1ANdtQr7KWHJ2RjpHniUm/rFC4L/MHs=,tag:+8eov9w+SPGZPnjMdrN8gA==,type:str]
@@ -23,8 +28,8 @@ sops:
 WkI4ejBaODI0d0tjWHpTT3VWTXNyaXcKMDtvHN4gcZqBNslyC+NwYW05zgs8QuPV
 W6EktAz+xu6kx5BJbli5GkUFmj52AtEGIqZ1Sr4a0pKQACC87XcTQA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-05-21T02:47:26Z"
- mac: ENC[AES256_GCM,data:j8SrPIwZCVS+YrJOZt/S/UfiYKMFEYdjy5aNlJbmq+wK6OBoyRnOsuIbD+lSERhru47k4sSd+3g6r+ygSuF9vXz+sqvuizkqLM39k0+zz771UaBiYTy/06mwIBsHVh99TskWH2ByKSQ47vyzkLPi26YAUmom6omX4Asplizhu9w=,iv:6ryKJnRJXlW6cyBj+Aseno636dAWESG8ImFL3KwKApM=,tag:KymKRDQv0kfzJdv/0xvDHQ==,type:str]
+ lastmodified: "2025-06-09T00:02:18Z"
+ mac: ENC[AES256_GCM,data:/gbUCnVDQ9FSpm/nwqM/b9DfQ5hCcsTG5DEHF9dKYRQq64rOrCTfusrbCj89WAbabJVHWijDWrI/al5ZtHz1q/i3QXSP81cjabugtGcwdtrl6vpQn+K/Uf6t8N65fIvJG1JcepR4CgguVdTmVU5aOCWnB+Ai9PlbPa6p2OE32k8=,iv:E2YXecvKQ6qsezSyKi4771UqqVsQ2buN+4wzT2hAyO8=,tag:ajCENU3pJEmWa7k93vixvQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.4