From 0af904a9f25ebc1937327853ef62afe42118563b Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Sat, 30 Mar 2024 18:52:19 -0700
Subject: [PATCH] feat(access): mosquitto
---
 nixos/access/mosquitto.nix | 73 ++++++++++++++++++++++++++++++++++++++
 systems/hakurei/nixos.nix | 18 +++++++++-
 tf/cloudflare_records.tf | 1 +
 3 files changed, 91 insertions(+), 1 deletion(-)
 create mode 100644 nixos/access/mosquitto.nix
diff --git a/nixos/access/mosquitto.nix b/nixos/access/mosquitto.nix
new file mode 100644
index 00000000..0a2f3339
--- /dev/null
+++ b/nixos/access/mosquitto.nix
@@ -0,0 +1,73 @@
+{
+ config,
+ lib,
+ inputs,
+ ...
+}:
+let
+ inherit (inputs.self.lib.lib) mkAlmostOptionDefault;
+ inherit (lib.options) mkOption mkEnableOption;
+ inherit (lib.modules) mkIf mkMerge mkOptionDefault;
+ inherit (config.services) nginx;
+ access = nginx.access.mosquitto;
+ portPlaintext = 1883;
+ portSsl = 8883;
+in {
+ options.services.nginx.access.mosquitto = with lib.types; {
+ enable = mkEnableOption "MQTT proxy";
+ host = mkOption {
+ type = str;
+ };
+ port = mkOption {
+ type = port;
+ default = portPlaintext;
+ };
+ bind = {
+ sslPort = mkOption {
+ type = port;
+ default = portSsl;
+ };
+ port = mkOption {
+ type = port;
+ default = portPlaintext;
+ };
+ };
+ };
+ config = {
+ services.nginx = {
+ stream = {
+ upstreams.mosquitto = {
+ servers.access = {
+ addr = mkAlmostOptionDefault access.host;
+ port = mkOptionDefault access.port;
+ };
+ };
+ servers.mosquitto = {
+ listen = {
+ mqtt.port = portPlaintext;
+ mqtts = {
+ ssl = true;
+ port = portSsl;
+ };
+ };
+ extraConfig = let
+ proxySsl = port: mkIf (port == portSsl) ''
+ proxy_ssl on;
+ proxy_ssl_verify off;
+ '';
+ in mkMerge [
+ "proxy_pass ${nginx.stream.upstreams.mosquitto.name};"
+ (proxySsl access.port)
+ ];
+ };
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [
+ access.bind.port
+ (mkIf nginx.stream.servers.mosquitto.listen.mqtts.enable access.bind.sslPort)
+ ];
+ };
+ };
+}
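Review bot: `proxy_ssl_verify off;` in the `proxySsl` helper disables certificate verification on the upstream TLS connection, so when `access.port` is 8883 the proxy accepts whatever certificate is presented on the path to `access.host`; prefer `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate <path-to-broker-CA-bundle>;` (and `proxy_ssl_name` when the upstream is addressed by IP), or add a comment stating why verification is intentionally skipped. Separately, `listen.mqtt.port` and `listen.mqtts.port` are taken from the `portPlaintext`/`portSsl` constants while `networking.firewall.allowedTCPPorts` opens `access.bind.port`/`access.bind.sslPort`, so overriding either `bind` option changes the firewall rule but not what nginx actually listens on; `mqtt.port = access.bind.port;` and `port = access.bind.sslPort;` keep the two in step. Note also that the `config` attrset is not gated on `access.enable`, so the listeners, the upstream and the firewall openings (including plaintext 1883) apply wherever the module is imported regardless of the `enable` option; wrapping it in `mkIf access.enable { ... }` would give the option its effect.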
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index c1c22846..f3cb8b7a 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -11,7 +11,7 @@
 tei = access.nixosFor "tei";
 utsuho = access.nixosFor "utsuho";
 inherit (mediabox.services) plex;
- inherit (tei.services) home-assistant zigbee2mqtt;
+ inherit (tei.services) home-assistant zigbee2mqtt mosquitto;
 inherit (utsuho.services) unifi;
 inherit (config.services) nginx;
 inherit (nginx) virtualHosts;
@@ -34,6 +34,7 @@ in {
 nixos.vouch
 nixos.access.nginx
 nixos.access.global
+ nixos.access.mosquitto
 nixos.access.gensokyo
 nixos.access.keycloak
 nixos.access.vouch
@@ -88,6 +89,15 @@ in {
 (mkIf config.services.tailscale.enable access.hostnameForNetwork.tail)
 ];
 };
+ mosquitto = {
+ inherit (nginx) group;
+ domain = "mqtt.${config.networking.domain}";
+ extraDomainNames = [
+ "mqtt.local.${config.networking.domain}"
+ "mqtt.int.${config.networking.domain}"
+ (mkIf config.services.tailscale.enable "mqtt.tail.${config.networking.domain}")
+ ];
+ };
 sso = {
 inherit (nginx) group;
 domain = virtualHosts.keycloak.serverName;
@@ -206,6 +216,9 @@ in {
 getHostnameFor = config.lib.access.getAddress4For;
 in {
 vouch.enableLocal = false;
+ access.mosquitto = assert mosquitto.enable; {
+ host = getHostnameFor "tei" "lan";
+ };
 access.plex = assert plex.enable; {
 url = "http://${getHostnameFor "mediabox" "lan"}:${toString plex.port}";
 externalPort = 41324;
@@ -220,6 +233,9 @@ in {
 access.kitchencam = {
 streamPort = 41081;
 };
+ stream.servers = {
+ mosquitto.ssl.cert.name = "mosquitto";
+ };
 virtualHosts = {
 fallback.ssl.cert.name = "hakurei";
 gensokyoZone.proxied.enable = "cloudflared";
diff --git a/tf/cloudflare_records.tf b/tf/cloudflare_records.tf
index 024c9855..790412a2 100644
--- a/tf/cloudflare_records.tf
+++ b/tf/cloudflare_records.tf
@@ -34,6 +34,7 @@ module "hakurei_system_records" {
 "ldap",
 "pbx",
 "smb",
+ "mqtt",
 "kitchen",
 "yt",
 ]
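Review bot: `access.mosquitto` in the `@@ -206,6 +216,9 @@` hunk sets only `host`, so `port` falls back to the module default of 1883 and the nginx stream proxy forwards broker traffic to tei in cleartext over the LAN, including sessions that arrived on the TLS listener terminated by the `mosquitto` certificate configured in the `@@ -220,6 +233,9 @@` hunk. If tei's broker exposes a TLS listener, `port = 8883;` here selects the module's `proxy_ssl` branch so the hop stays encrypted; otherwise a short comment recording that the backend hop is intentionally plaintext on the LAN would help the next reader. Also note that `assert mosquitto.enable` checks tei's `services.mosquitto.enable` rather than the proxy's own `access.mosquitto.enable`, which this patch never sets to true; adding `enable = true;` to this attrset makes the intent explicit. The enclosing `in {` attrset starts before the hunk.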