hswaw/sound: add password file to mosquitto

Change-Id: Ifda90bb0fb6be681a04381335d18d19ffab81298 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1448 Reviewed-by: vuko <vuko@hackerspace.pl>
2022-12-20 00:00:59 +01:00 · 2022-12-20 00:00:59 +01:00 · 142c8e6504
commit 142c8e6504
parent 6204ccdf92
1 changed files with 29 additions and 1 deletions
--- a/hswaw/machines/sound.waw.hackerspace.pl/configuration.nix
+++ b/hswaw/machines/sound.waw.hackerspace.pl/configuration.nix
@ -68,13 +68,41 @@ in {

  services.acpid.enable = true;

-  # TODO copy acls and paswords from old sound
+  # nixos mosquitto service adds psk_file to its namespace mounts. Using separate service and directory other than
+  # /run/mosuitto/ seems like most reliable.
+  systemd.services."mosquitto-secrets" = pkgs.lib.mkIf config.services.mosquitto.enable (
+    let
+      user = config.systemd.services.mosquitto.serviceConfig.User;
+    in {
+      description = "Mosquitto secrets";
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "mosquitto.service" ];
+      before = [ "mosquitto.service" ];
+
+      serviceConfig.Type = "oneshot";
+      serviceConfig.RemainAfterExit = "yes";
+      serviceConfig.ExecStart = [
+        ''${pkgs.coreutils}/bin/install "--owner=${user}" --mode=500 --directory /run/mosquitto-secrets''
+        ''${pkgs.coreutils}/bin/install "--owner=${user}" /root/secrets/mosquitto-pwfile /run/mosquitto-secrets/pwfile''
+      ];
+      serviceConfig.ExecStop = [
+        ''${pkgs.coreutils}/bin/rm -rf /run/mosquitto-secrets''
+      ];
+    }
+  );
+
  services.mosquitto.enable = true;
  services.mosquitto.listeners = [
    {
      settings.allow_anonymous = true;
+      settings.psk_file = "/run/mosquitto-secrets/pwfile";
+      acl = [
+        "topic read $SYS/#"
+        "topic #"
+      ];
    }
  ];
+  services.mosquitto.logType = ["all"];

  services.home-assistant = {
    enable = true;