 1{
 2  libx,
 3  globals,
 4  config,
 5  ...
 6}:
 7{
 8  imports = [
 9    ../common/services/bind.nix
10    ../common/services/prometheus-exporters-node.nix
11    ../common/services/prometheus-exporters-bind.nix
12  ];
13
14  networking.firewall.enable = false;
15
16  # TODO make it an option ? (otherwise I'll add it for all)
17  users.users.vincent.linger = true;
18  services = {
19    mosquitto = {
20      enable = true;
21      listeners = [
22        {
23          address = "0.0.0.0";
24          port = 1883;
25          omitPasswordAuth = false;
26          settings = {
27            allow_anonymous = false;
28          };
29          acl = [ "topic readwrite #" ];
30          users = {
31            homeassistant = {
32              acl = [ "readwrite #" ];
33              hashedPasswordFile = config.age.secrets."mosquitto-homeassistant-password".path;
34            };
35          };
36        }
37      ];
38    };
39
40    # MQTT exporter disabled due to broken package in nixpkgs
41    # ImportError: cannot import name 'main' from 'mqtt_exporter.main'
42    # prometheus.exporters.mqtt = {
43    #   enable = true;
44    #   port = 9234;
45    #   mqttAddress = "127.0.0.1";
46    #   mqttPort = 1883;
47    #   mqttTopic = "#"; # Subscribe to all topics
48    #   mqttUsername = "homeassistant";
49    #   environmentFile = config.age.secrets."mosquitto-homeassistant-password".path;
50    #   logLevel = "INFO";
51    # };
52
53    wireguard = {
54      enable = true;
55      ips = libx.wg-ips globals.machines.demeter.net.vpn.ips;
56      endpoint = "${globals.net.vpn.endpoint}";
57      endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
58    };
59  };
60
61  age.secrets."mosquitto-homeassistant-password" = {
62    file = ../../secrets/demeter/mosquitto-homeassistant-password.age;
63    mode = "400";
64    owner = "mosquitto";
65    group = "mosquitto";
66  };
67}