From 8fad8eacb967088d9840d6466e81abcdb414d086 Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Mon, 29 Sep 2025 20:06:31 -0400
Subject: [PATCH 1/2] Switch to EMQX
This is needed so that I can remap topics
---
 .../post-install/containers/emqx.nix | 36 +++++++++++++++++++
 .../nixos/hetznix01/post-install/default.nix | 3 +-
 modules/hosts/nixos/hetznix01/secrets.yaml | 12 +++----
 3 files changed, 42 insertions(+), 9 deletions(-)
 create mode 100644 modules/hosts/nixos/hetznix01/post-install/containers/emqx.nix
diff --git a/modules/hosts/nixos/hetznix01/post-install/containers/emqx.nix b/modules/hosts/nixos/hetznix01/post-install/containers/emqx.nix
new file mode 100644
index 0000000..33188e9
--- /dev/null
+++ b/modules/hosts/nixos/hetznix01/post-install/containers/emqx.nix
@@ -0,0 +1,36 @@
+{ config, username, ... }: let
+ volume_base = "/var/lib/emqx";
+in {
+ # Based on docs at https://docs.emqx.com/en/emqx/latest/deploy/install-docker.html
+ virtualisation.oci-containers.containers = {
+ "emqx" = {
+ autoStart = true;
+ image = "docker.io/emqx/emqx-enterprise:5.10.0";
+ environment = {
+ EMQX_NODE_NAME = "emqx@emqx1.hetznix01.technicalissues.us";
+ };
+ environmentFiles = [
+ "${volume_base}/.env"
+ ];
+ hostname = "emqx1.hetznix01.technicalissues.us";
+ ports = [
+ "1883:1883"
+ #"8083:8083"
+ #"8084:8084"
+ "18083:18083"
+ ];
+ volumes = [
+ "${volume_base}/data:/opt/emqx/data"
+ "${volume_base}/log:/opt/emqx/log"
+ ];
+ };
+ };
+
+ services.restic.backups.daily.paths = [ "${volume_base}/data" ];
+
+ sops.secrets.emqx_env = {
+ path = "${volume_base}/.env";
+ owner = username;
+ restartUnits = [ "${config.virtualisation.oci-containers.containers.emqx.serviceName}" ];
+ };
+}
diff --git a/modules/hosts/nixos/hetznix01/post-install/default.nix b/modules/hosts/nixos/hetznix01/post-install/default.nix
index eff2077..144c024 100644
--- a/modules/hosts/nixos/hetznix01/post-install/default.nix
+++ b/modules/hosts/nixos/hetznix01/post-install/default.nix
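Review bot: The `ports` entries `"1883:1883"` and `"18083:18083"` carry no host address, so the plaintext MQTT listener and the EMQX dashboard are published on every interface of the host; PATCH 2/2 terminates TLS in nginx and proxies to loopback, so nothing off-host should need 1883, and the dashboard (which ships with a well-known default login unless the encrypted `.env` overrides it) should not be reachable from the network at all. Depending on the container backend, published ports are also wired up by the runtime's own netfilter rules, so the NixOS firewall is not necessarily in front of them. Bind both to loopback — `"127.0.0.1:1883:1883"` and `"127.0.0.1:18083:18083"` — and reach the dashboard through an SSH tunnel or the Tailscale interface (a `tailscale_key` secret exists on this host, so that path presumably does). Since `image` is a mutable tag, consider pinning `5.10.0` by digest as well so a re-pushed tag cannot change what gets deployed.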
@@ -5,8 +5,9 @@ in {
 imports = [
 ../../../common/linux/lets-encrypt.nix
 ../../../common/linux/restic.nix
+ ./containers/emqx.nix
 ./matrix-synapse.nix
- ./mosquitto.nix
+ #./mosquitto.nix
 ./nginx.nix
 ];
diff --git a/modules/hosts/nixos/hetznix01/secrets.yaml b/modules/hosts/nixos/hetznix01/secrets.yaml
index e82940e..e1117b6 100644
--- a/modules/hosts/nixos/hetznix01/secrets.yaml
+++ b/modules/hosts/nixos/hetznix01/secrets.yaml
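Review bot: `#./mosquitto.nix` leaves a commented-out import in the list rather than removing it; if the Mosquitto module is retired, delete the line (git history keeps it) so readers are not left wondering whether it is meant to come back. It is also worth checking what else `mosquitto.nix` carried besides the broker — for example any firewall opening for 1883 or the consumer of the `mosquitto_mountain_mesh` secret that is still present in secrets.yaml — because disabling the import drops all of it at once and the new EMQX module configures none of that explicitly.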
@@ -1,5 +1,6 @@
 local_git_config: ENC[AES256_GCM,data:BulcGoJ85+BA3maqbMewUdaNOl3feaJMq/4yZL8Y8SLOHqzmA/DUO7k=,iv:V7wpSiEQpt7AhKd+MUyGqTsO6YZovpkj+AaqpLnfRM0=,tag:7f3fFzQX3bpjokVPnUKDPQ==,type:str]
 local_private_env: ENC[AES256_GCM,data:OFcCaE9/hpd6JIoUTTxg0pEFL3rkUE3G+JzP/wjFXpa/AJa2Rr0Kv42Pu+iwgPMWgcpp50ChjVxGvbceNQ==,iv:I2LyWwvdMdE4wKLb3udLVMu3jFsvYR1ruZvaVt9GG7c=,tag:tBPmlNr0iNdLRU1GIRV2mg==,type:str]
+emqx_env: ENC[AES256_GCM,data:NGGMGAtY1s8ojVjMYahS80ichwBFGWrQI3qn2zc3bKr3wdQrcx5p9O0fMPqff6rH3w==,iv:OFEkDybGFnUQXzVJAJ3tTAShfeUvzwE4bLecUQ/YPjQ=,tag:XynNkgXxdga8DmiXZ7Sy9Q==,type:str]
 matrix_secrets_yaml: ENC[AES256_GCM,data:6DLtAZIYBlL7iQVS/FBeUEhHyAOFZ5JRNqFBqi59GVh7cP0Hp8RBWxKpWAH2eUPYqUqUGCKrSSH3sJqzV+vasSR62tcltV7+13+q+rZVCZNCEf21EwQ5aaxgR3yG4n3YUPqLsCQB6UnWn0tF5HO0ofjYkya0pQ/nX9TBiiqIcPcd4NovbTtf+S0G0VptqyXAuRvJoKCx42ft9IBfV9tF1QsXLemKYlI10hN5l/MgJHwVbwH5xXR2kLKvnlpAyIoST/uJhswQV9DyK9cnl09ZM9ztcXhveBzv6uDW+pme8lFL99SMtMJcbSzxYW/pt+GJgYd1NiaoPbayWM72jdpH0hf2zWchxnIJIyL3H6EzIjD8BE9GnMP7ujQwBZGNZITRSg==,iv:cDtuOhv2v6CZcwiMM3oqjmajIl7D8Im+LkfarcjTM/w=,tag:e7zRQBYslJqESOGN3c4/aw==,type:str]
 matrix_homeserver_signing_key: ENC[AES256_GCM,data:+RflNxFfS2w9LbavT7YnCQIhJWI49kN7pOa9/dH0BpDWxKQaLE4ZYBYq0ikAgcHaF3+rBL3f6KxUacw=,iv:6+nZzuxBUwjM74XHCD89YWfyuMRcoIwQlHLiNN4NWdc=,tag:91yigynRz6QdEd4rF7d/9g==,type:str]
 mosquitto_mountain_mesh: ENC[AES256_GCM,data:LczPsPtAgkTTGcG3KYXMkfeA67e81Q5zJ5Nb8JcSosvvUwJRUi6yDcV/0wsYbMxeWDMrE/p+2KFRI48BVcUbY/LXqyFu5iNbX5IJXxzrexXXSTnOLa2PEamESzQlWI0ZS+K0Q48/5v9ekNVOkPgNQQ==,iv:jfa0QKOp8fyieUYTbMnBJ18VZwPO2CVnYQECHLNCyPI=,tag:9YZU82XQUmLJAFK+AiZ/Vw==,type:str]
@@ -14,10 +15,6 @@ plausible_admin_pass: ENC[AES256_GCM,data:nMGHMTp3YsDGP3YA9qmZqRCBA5BonS7SaLo=,i
 plausible_secret_key_base: ENC[AES256_GCM,data:6Co3VO9Ocmd6cppRpm763jjpRE9yCb75FnrrvCD5XtQPoq6c7ZnCPfSPzWF7jOv6e0g+ghao015myEe3pmNlPcx55KE4LpPwNGHdGbFHmNsGiIDrDUC3Hw==,iv:0FXSF//7FAGrQKiMOfHFoWE539MzCnz7xUTHxxatTCI=,tag:cKMFwyLYScKVM3v+6hvwzg==,type:str]
 tailscale_key: ENC[AES256_GCM,data:Bl00WuIrLvxmt7aNsoXC6G7XFls7waZMzdfo/MsEOZl/i3wHwrjrmgwd3V4GkaJ42UjrC1OLobrkuLves4w=,iv:tlCu0EWgvhvs1ANdtQr7KWHJ2RjpHniUm/rFC4L/MHs=,tag:+8eov9w+SPGZPnjMdrN8gA==,type:str]
 sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
 age:
 - recipient: age1rd55wsu0hhvxk25tm69d9h57z0z0u6556x4ypg09muj3vh4yqs5qaw23nu
 enc: |
@@ -28,8 +25,7 @@ sops:
 WkI4ejBaODI0d0tjWHpTT3VWTXNyaXcKMDtvHN4gcZqBNslyC+NwYW05zgs8QuPV
 W6EktAz+xu6kx5BJbli5GkUFmj52AtEGIqZ1Sr4a0pKQACC87XcTQA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-06-09T00:02:18Z"
- mac: ENC[AES256_GCM,data:/gbUCnVDQ9FSpm/nwqM/b9DfQ5hCcsTG5DEHF9dKYRQq64rOrCTfusrbCj89WAbabJVHWijDWrI/al5ZtHz1q/i3QXSP81cjabugtGcwdtrl6vpQn+K/Uf6t8N65fIvJG1JcepR4CgguVdTmVU5aOCWnB+Ai9PlbPa6p2OE32k8=,iv:E2YXecvKQ6qsezSyKi4771UqqVsQ2buN+4wzT2hAyO8=,tag:ajCENU3pJEmWa7k93vixvQ==,type:str]
- pgp: []
+ lastmodified: "2025-09-30T01:05:21Z"
+ mac: ENC[AES256_GCM,data:JqLWrABSqRI5c2h0IE8G5+w7qBBOMflE2zVkcxPaZ8HgtjcStJFtrJu4p4PDkro/PCZ5fh1CgWteRw225xlTIGH9IN7Y+PV4tkgRM1r33ZolnFIfZZEKnEN1+Fyb6F70tfWgsj6lhxZvPUfoVHIOGXGYGTMEncT1VtH9mRghCRA=,iv:MbLd64qHie/8c5h03s3PPVLhJTpP3ZToRGxgsxErPOk=,tag:29oL10fXCvrUl7Myd48diA==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.9.4
+ version: 3.10.2
From a8a508bc8a0fef0264ece28800ba0d96dd399dff Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Thu, 9 Oct 2025 17:16:09 -0400
Subject: [PATCH 2/2] Setup TLS
---
 .../nixos/hetznix01/post-install/nginx.nix | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/modules/hosts/nixos/hetznix01/post-install/nginx.nix b/modules/hosts/nixos/hetznix01/post-install/nginx.nix
index 83e2b6a..3927f29 100644
--- a/modules/hosts/nixos/hetznix01/post-install/nginx.nix
+++ b/modules/hosts/nixos/hetznix01/post-install/nginx.nix
@@ -21,6 +21,23 @@ in {
 add_header Strict-Transport-Security $hsts_header;
 '';
 streamConfig = ''
+ server {
+ # https://docs.emqx.com/en/emqx/latest/deploy/cluster/lb-nginx.html
+ listen 8883 ssl;
+ ssl_session_timeout 10m;
+ ssl_certificate ${config.security.acme.certs."mqtt.${domain}".directory}/fullchain.pem;
+ ssl_certificate_key ${config.security.acme.certs."mqtt.${domain}".directory}/key.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ proxy_pass 127.0.0.0:1883;
+ proxy_protocol on;
+ proxy_connect_timeout 10s;
+ # Default keep-alive time is 10 minutes
+ proxy_timeout 1800s;
+ proxy_buffer_size 3M;
+ tcp_nodelay on;
+ }
+
 server {
 listen 0.0.0.0:8333;
 listen 0.0.0.0:9333;
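Review bot: `proxy_pass 127.0.0.0:1883;` targets the loopback network address rather than a host; Linux treats all of 127/8 as local so it may connect today, but it is almost certainly a typo for `proxy_pass 127.0.0.1:1883;` and will fail outright if the EMQX port is ever published on 127.0.0.1 only. `proxy_protocol on;` makes nginx prepend a PROXY header to every stream, so the EMQX 1883 listener must be told to expect it (in EMQX 5 that is `listeners.tcp.default.proxy_protocol = true`, or `EMQX_LISTENERS__TCP__DEFAULT__PROXY_PROTOCOL=true` in the container environment); nothing in this series sets it unless it is inside the encrypted `.env`, and without it every TLS client will be rejected as malformed MQTT. The `ssl_ciphers` list includes `DHE-*` suites but the server block sets no `ssl_dhparam`, so nginx silently never offers them — drop them or add the parameter file. The enclosing `streamConfig` string and `services.nginx` attribute set begin and end outside this hunk, and the `mqtt.${domain}` ACME certificate is defined outside it too; confirm the nginx user can read that certificate `directory`, since the stream listener has no vhost-level ACME wiring to grant it access.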