CrOS/modules/services/mqtt/default.nix

{ inputs, config, ... }:
let
  sopsFolder = inputs.nix-secrets + "/sops";
in
{
  sops.secrets."frigate/mqtt/pass" = {
    sopsFile = "${sopsFolder}/services.yaml";
  };
  services.mosquitto = {
    enable = true;
    listeners = [
      {
        port = 1883;
        users = {
          frigate = {
            passwordFile = config.sops.secrets."frigate/mqtt/pass".path;
            acl = [
              "readwrite frigate/#"
            ];
          };
        };
      }
    ];
  };

  networking.firewall.allowedTCPPorts = [ 1883 ];
}