hswaw/sound: add password file to mosquitto
Change-Id: Ifda90bb0fb6be681a04381335d18d19ffab81298
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1448
Reviewed-by: vuko <vuko@hackerspace.pl>
diff --git a/hswaw/machines/sound.waw.hackerspace.pl/configuration.nix b/hswaw/machines/sound.waw.hackerspace.pl/configuration.nix
index 8397cae..12ecc83 100644
--- a/hswaw/machines/sound.waw.hackerspace.pl/configuration.nix
+++ b/hswaw/machines/sound.waw.hackerspace.pl/configuration.nix
@@ -68,13 +68,41 @@
services.acpid.enable = true;
- # TODO copy acls and paswords from old sound
+ # nixos mosquitto service adds psk_file to its namespace mounts. Using separate service and directory other than
+ # /run/mosuitto/ seems like most reliable.
+ systemd.services."mosquitto-secrets" = pkgs.lib.mkIf config.services.mosquitto.enable (
+ let
+ user = config.systemd.services.mosquitto.serviceConfig.User;
+ in {
+ description = "Mosquitto secrets";
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "mosquitto.service" ];
+ before = [ "mosquitto.service" ];
+
+ serviceConfig.Type = "oneshot";
+ serviceConfig.RemainAfterExit = "yes";
+ serviceConfig.ExecStart = [
+ ''${pkgs.coreutils}/bin/install "--owner=${user}" --mode=500 --directory /run/mosquitto-secrets''
+ ''${pkgs.coreutils}/bin/install "--owner=${user}" /root/secrets/mosquitto-pwfile /run/mosquitto-secrets/pwfile''
+ ];
+ serviceConfig.ExecStop = [
+ ''${pkgs.coreutils}/bin/rm -rf /run/mosquitto-secrets''
+ ];
+ }
+ );
+
services.mosquitto.enable = true;
services.mosquitto.listeners = [
{
settings.allow_anonymous = true;
+ settings.psk_file = "/run/mosquitto-secrets/pwfile";
+ acl = [
+ "topic read $SYS/#"
+ "topic #"
+ ];
}
];
+ services.mosquitto.logType = ["all"];
services.home-assistant = {
enable = true;
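Review bot: Anonymous clients keep full access after this change, because the listener still has `settings.allow_anonymous = true` and the new `acl` entry `topic #` carries no access type, which mosquitto treats as read/write. The credentials file therefore does not restrict who can publish or subscribe; if that is a transitional state a comment saying so would help, otherwise `settings.allow_anonymous = false;` is the line to change once clients have credentials. The commit title says password file, but the option set is `psk_file`, which mosquitto reads as TLS-PSK identity:key pairs. If `/root/secrets/mosquitto-pwfile` is in mosquitto_passwd format it will presumably not be used for username/password authentication, so this is worth confirming. The second `install` call also omits `--mode`, so the copy gets install's default 0755 and is protected only by the 0500 directory; adding `--mode=400` there would keep the file itself private.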