feat(access): mosquitto

nixos/access/mosquitto.nix

@@ -0,0 +1,73 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+let
+  inherit (inputs.self.lib.lib) mkAlmostOptionDefault;
+  inherit (lib.options) mkOption mkEnableOption;
+  inherit (lib.modules) mkIf mkMerge mkOptionDefault;
+  inherit (config.services) nginx;
+  access = nginx.access.mosquitto;
+  portPlaintext = 1883;
+  portSsl = 8883;
+in {
+  options.services.nginx.access.mosquitto = with lib.types; {
+    enable = mkEnableOption "MQTT proxy";
+    host = mkOption {
+      type = str;
+    };
+    port = mkOption {
+      type = port;
+      default = portPlaintext;
+    };
+    bind = {
+      sslPort = mkOption {
+        type = port;
+        default = portSsl;
+      };
+      port = mkOption {
+        type = port;
+        default = portPlaintext;
+      };
+    };
+  };
+  config = {
+    services.nginx = {
+      stream = {
+        upstreams.mosquitto = {
+          servers.access = {
+            addr = mkAlmostOptionDefault access.host;
+            port = mkOptionDefault access.port;
+          };
+        };
+        servers.mosquitto = {
+          listen = {
+            mqtt.port = portPlaintext;
+            mqtts = {
+              ssl = true;
+              port = portSsl;
+            };
+          };
+          extraConfig = let
+            proxySsl = port: mkIf (port == portSsl) ''
+              proxy_ssl on;
+              proxy_ssl_verify off;
+            '';
+          in mkMerge [
+            "proxy_pass ${nginx.stream.upstreams.mosquitto.name};"
+            (proxySsl access.port)
+          ];
+        };
+      };
+    };
+
+    networking.firewall = {
+      allowedTCPPorts = [
+        access.bind.port
+        (mkIf nginx.stream.servers.mosquitto.listen.mqtts.enable access.bind.sslPort)
+      ];
+    };
+  };
+}

systems/hakurei/nixos.nix

@@ -11,7 +11,7 @@
   tei = access.nixosFor "tei";
   utsuho = access.nixosFor "utsuho";
   inherit (mediabox.services) plex;
-  inherit (tei.services) home-assistant zigbee2mqtt;
+  inherit (tei.services) home-assistant zigbee2mqtt mosquitto;
   inherit (utsuho.services) unifi;
   inherit (config.services) nginx;
   inherit (nginx) virtualHosts;
@@ -34,6 +34,7 @@ in {
     nixos.vouch
     nixos.access.nginx
     nixos.access.global
+    nixos.access.mosquitto
     nixos.access.gensokyo
     nixos.access.keycloak
     nixos.access.vouch
@@ -88,6 +89,15 @@ in {
         (mkIf config.services.tailscale.enable access.hostnameForNetwork.tail)
       ];
     };
+    mosquitto = {
+      inherit (nginx) group;
+      domain = "mqtt.${config.networking.domain}";
+      extraDomainNames = [
+        "mqtt.local.${config.networking.domain}"
+        "mqtt.int.${config.networking.domain}"
+        (mkIf config.services.tailscale.enable "mqtt.tail.${config.networking.domain}")
+      ];
+    };
     sso = {
       inherit (nginx) group;
       domain = virtualHosts.keycloak.serverName;
@@ -206,6 +216,9 @@ in {
     getHostnameFor = config.lib.access.getAddress4For;
   in {
     vouch.enableLocal = false;
+    access.mosquitto = assert mosquitto.enable; {
+      host = getHostnameFor "tei" "lan";
+    };
     access.plex = assert plex.enable; {
       url = "http://${getHostnameFor "mediabox" "lan"}:${toString plex.port}";
       externalPort = 41324;
@@ -220,6 +233,9 @@ in {
     access.kitchencam = {
       streamPort = 41081;
     };
+    stream.servers = {
+      mosquitto.ssl.cert.name = "mosquitto";
+    };
     virtualHosts = {
       fallback.ssl.cert.name = "hakurei";
       gensokyoZone.proxied.enable = "cloudflared";

tf/cloudflare_records.tf

@@ -34,6 +34,7 @@ module "hakurei_system_records" {
     "ldap",
     "pbx",
     "smb",
+    "mqtt",
     "kitchen",
     "yt",
   ]