1{
 2  libx,
 3  globals,
 4  config,
 5  ...
 6}:
 7{
 8  imports = [
 9    ../common/services/bind.nix
10    ../common/services/prometheus-exporters-node.nix
11    ../common/services/prometheus-exporters-bind.nix
12  ];
13
14  networking.firewall.enable = false;
15
16  # TODO make it an option ? (otherwise I'll add it for all)
17  users.users.vincent.linger = true;
18  services = {
19    mosquitto = {
20      enable = true;
21      listeners = [
22        {
23          address = "0.0.0.0";
24          port = 1883;
25          omitPasswordAuth = false;
26          settings = {
27            allow_anonymous = false;
28          };
29          acl = [ "topic readwrite #" ];
30          users = {
31            homeassistant = {
32              acl = [ "readwrite #" ];
33              hashedPasswordFile = config.age.secrets."mosquitto-homeassistant-password".path;
34            };
35          };
36        }
37      ];
38    };
39
40    wireguard = {
41      enable = true;
42      ips = libx.wg-ips globals.machines.demeter.net.vpn.ips;
43      endpoint = "${globals.net.vpn.endpoint}";
44      endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
45    };
46  };
47
48  age.secrets."mosquitto-homeassistant-password" = {
49    file = ../../secrets/demeter/mosquitto-homeassistant-password.age;
50    mode = "400";
51    owner = "mosquitto";
52    group = "mosquitto";
53  };
54}