hivemq setup
This commit is contained in:
@@ -17,6 +17,45 @@ let
|
||||
];
|
||||
ingesterKeys = [ "ingester_postgres_password" ];
|
||||
postgresAdminKeys = [ "postgres_admin_password" ];
|
||||
hivemqKeys = [ "hivemq_ingester_password" "hivemq_admin_password" ];
|
||||
|
||||
# HiveMQ file-RBAC credentials.xml. Only the passwords are secret; the role/
|
||||
# topic policy is structural. `ingester` may subscribe to the whole telemetry
|
||||
# tree (t/<tenant>/d/<device>/<metric>); `admin` is an operational superuser.
|
||||
hivemqCredentialsXml = ingesterPassword: adminPassword: ''
|
||||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
||||
<file-rbac>
|
||||
<users>
|
||||
<user>
|
||||
<name>ingester</name>
|
||||
<password>${ingesterPassword}</password>
|
||||
<roles><id>ingest</id></roles>
|
||||
</user>
|
||||
<user>
|
||||
<name>admin</name>
|
||||
<password>${adminPassword}</password>
|
||||
<roles><id>superuser</id></roles>
|
||||
</user>
|
||||
</users>
|
||||
<roles>
|
||||
<role>
|
||||
<id>ingest</id>
|
||||
<permissions>
|
||||
<permission>
|
||||
<topic>t/#</topic>
|
||||
<activity>SUBSCRIBE</activity>
|
||||
</permission>
|
||||
</permissions>
|
||||
</role>
|
||||
<role>
|
||||
<id>superuser</id>
|
||||
<permissions>
|
||||
<permission><topic>#</topic></permission>
|
||||
</permissions>
|
||||
</role>
|
||||
</roles>
|
||||
</file-rbac>
|
||||
'';
|
||||
|
||||
# Render an env file body from a list of (key, envVarName) pairs.
|
||||
envBody = pairs: lib.concatStringsSep "\n" (map
|
||||
@@ -41,7 +80,8 @@ let
|
||||
enabledKeys =
|
||||
lib.optionals cfg.supabase supabaseKeys
|
||||
++ lib.optionals cfg.ingester ingesterKeys
|
||||
++ lib.optionals cfg.postgresAdmin postgresAdminKeys;
|
||||
++ lib.optionals cfg.postgresAdmin postgresAdminKeys
|
||||
++ lib.optionals cfg.hivemq hivemqKeys;
|
||||
in
|
||||
{
|
||||
options.services.gebos.secrets = {
|
||||
@@ -55,6 +95,26 @@ in
|
||||
postgresAdmin = lib.mkEnableOption ''
|
||||
Postgres bootstrap admin password applied via a one-shot ALTER ROLE unit.'';
|
||||
|
||||
hivemq = lib.mkEnableOption ''
|
||||
HiveMQ file-RBAC credentials.xml (ingester + admin MQTT users), rendered
|
||||
0400/gebos-hivemq for the broker's file-RBAC extension.'';
|
||||
|
||||
hivemqCredentialsFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
readOnly = true;
|
||||
description = ''
|
||||
Path of the rendered HiveMQ file-RBAC credentials.xml consumed by the
|
||||
gebos-hivemq broker. Resolves to the sops-templated secret when sops
|
||||
material is present and the hivemq toggle is on, else to a baked-in
|
||||
dev-defaults file (so first-boot eval and local VMs work).
|
||||
'';
|
||||
default =
|
||||
if hasSecrets && cfg.hivemq
|
||||
then config.sops.templates."hivemq-credentials".path
|
||||
else "${pkgs.writeText "hivemq-credentials-dev.xml"
|
||||
(hivemqCredentialsXml "dev-ingester" "dev-admin")}";
|
||||
};
|
||||
|
||||
envFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
readOnly = true;
|
||||
@@ -90,6 +150,17 @@ in
|
||||
mode = "0400";
|
||||
owner = "root";
|
||||
};
|
||||
|
||||
# Rendered as a standalone file (not env) — the file-RBAC extension reads
|
||||
# credentials.xml directly. Owned by the broker user so preStart can link
|
||||
# it into the extension's conf/ dir.
|
||||
templates."hivemq-credentials" = lib.mkIf cfg.hivemq {
|
||||
content = hivemqCredentialsXml
|
||||
config.sops.placeholder.hivemq_ingester_password
|
||||
config.sops.placeholder.hivemq_admin_password;
|
||||
mode = "0400";
|
||||
owner = "gebos-hivemq";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user