dots/modules/hosts/nixos/hetznix01/post-install/mosquitto.nix
2025-06-11 21:53:31 -04:00


# NixOS module: Mosquitto broker carrying Meshtastic (msh/...) traffic.
# It declares three outbound bridges and two password-authenticated listeners,
# with listener password hashes supplied through sops-managed secret files.
{ config, ... }:
let
  # Settings every bridge below has in common.
  commonBridgeSettings = {
    cleansession = true;
    keepalive_interval = 160;
    notifications = false;
    start_type = "automatic";
  };

  # Build one bridge entry from its remote host, credentials and topic rules.
  #
  # NOTE(review): every bridge connects on port 1883 and no bridge TLS setting
  # (e.g. bridge_cafile) is set anywhere in this file, so the MQTT session,
  # including remote_username/remote_password, is presumably sent without TLS
  # unless the network path itself encrypts it. Confirm per remote.
  #
  # NOTE(review): remote_password is a literal in this file. Unlike the
  # listener accounts (hashedPasswordFile via sops), it is therefore stored in
  # the repository and presumably rendered into the generated mosquitto
  # configuration in the Nix store. Confirm which of these are intentionally
  # public credentials and which should be handled as secrets.
  mkBridge = { host, username, password, topics }: {
    addresses = [
      {
        address = host;
        port = 1883;
      }
    ];
    inherit topics;
    settings = commonBridgeSettings // {
      remote_username = username;
      remote_password = password;
    };
  };

  # Mosquitto bridge topic rule: pattern, direction "out" (local -> remote),
  # QoS 1, and an empty local prefix.
  allMeshTopics = [
    "msh/# out 1 \"\""
  ];

  # Build one listener account. Both accounts get read/write on the whole
  # msh/ tree; the password hash is read from the given sops secret's path.
  mkAccount = secret: {
    acl = [
      "readwrite msh/#"
    ];
    hashedPasswordFile = secret.path;
  };

  # Accounts shared by both listeners.
  brokerAccounts = {
    genebean = mkAccount config.sops.secrets.mosquitto_genebean;
    mountain_mesh = mkAccount config.sops.secrets.mosquitto_mountain_mesh;
  };

  # Directory holding the ACME-issued certificate used by the TLS listener.
  certDir = config.security.acme.certs."mqtt.technicalissues.us".directory;

  # Name of the account that owns the secret files below.
  brokerUser = config.users.users.mosquitto.name;
in
{
  services.mosquitto = {
    enable = true;

    bridges = {
      liamcottle = mkBridge {
        host = "mqtt.meshtastic.liamcottle.net";
        username = "uplink";
        password = "uplink";
        topics = allMeshTopics;
      };

      # A bridge_protocol_version override was tried here and is left disabled:
      #bridge_protocol_version = "mqttv311";
      meshtastic = mkBridge {
        host = "mqtt.meshtastic.org";
        username = "meshdev";
        password = "large4cats";
        topics = allMeshTopics;
      };

      # Only four specific node topics are forwarded to this remote.
      # NOTE(review): the host name is spelled "homeasistant" (single "s");
      # confirm it matches the actual machine name on the tailnet.
      homeassistant = mkBridge {
        host = "homeasistant-lc.atlas-snares.ts.net";
        username = "meshtastic_user";
        password = "meshtastic_user";
        topics = [
          "msh/US/2/e/LongFast/!a386c80 out 1 \"\""
          "msh/US/2/e/LongFast/!b03bcb24 out 1 \"\""
          "msh/US/2/e/LongFast/!b03dbe58 out 1 \"\""
          "msh/US/2/e/LongFast/!4370b0c6 out 1 \"\""
        ];
      };
    };

    listeners = [
      # First listener: no port and no keyfile/certfile are set, so it uses
      # the module's default port (presumably 1883 - confirm) without TLS.
      # Anonymous access is off, which means client passwords cross this
      # listener unencrypted; whether it is reachable from outside depends on
      # firewall configuration that is not part of this file.
      {
        users = brokerAccounts;
        settings.allow_anonymous = false;
      }

      # TLS listener on 8883 using the ACME certificate for
      # mqtt.technicalissues.us; same accounts, anonymous access off.
      {
        port = 8883;
        users = brokerAccounts;
        settings = {
          allow_anonymous = false;
          keyfile = certDir + "/key.pem";
          certfile = certDir + "/cert.pem";
          cafile = certDir + "/chain.pem";
        };
      }
    ];
  };

  # The password-hash files must be owned by the mosquitto account.
  sops.secrets = {
    mosquitto_genebean.owner = brokerUser;
    mosquitto_mountain_mesh.owner = brokerUser;
  };

  # NOTE(review): presumably grants mosquitto read access to the ACME
  # certificate files via the nginx group - confirm against the ACME cert's
  # group setting, since this also exposes anything else that group can read.
  users.users.mosquitto.extraGroups = [ "nginx" ];
}