nixos-config/config/service/tattler.nix


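# Snooper & Tattler notification wiring.
#
# When enabled, this module:
#   * on the host named by `snooper-host`: installs the snooper MQTT password
#     as a host secret, enables the MQTT service with a private and a public
#     listener, and enables the snooper service, which reads from the private
#     listener and publishes to the public one;
#   * on hosts with `enable-notifications` set: enables the tattler client,
#     pointed at the public listener.
{ config, lib, pkgs, ... }:

with lib;
let
  cfg = config.fudo.services.tattler;

  hostname = config.instance.hostname;

  # True only on the single host designated to run snooper and the broker.
  isSnooper = hostname == cfg.snooper-host;

  domain-name = config.fudo.host."${hostname}".domain;

  # Password file for the "snooper" MQTT user, generated from the build seed.
  # NOTE(review): the helper name suggests the value is reproducible from
  # `build-seed`; if so, the seed must be protected like the password itself.
  # Confirm against the helper's implementation.
  snooper-mqtt-passwd =
    pkgs.lib.passwd.stablerandom-passwd-file "snooper-mqtt"
    config.instance.build-seed;

in {
  options.fudo.services.tattler = with types; {
    enable = mkEnableOption "Enable Snooper & Tattler notification system.";

    verbose = mkEnableOption "Enable verbose output and logging.";

    enable-notifications =
      mkEnableOption "Enable tattler notifications on the local host.";

    event-topics = mkOption {
      type = listOf str;
      description = "List of MQTT topics on which to listen for motion events.";
    };

    notification-topic = mkOption {
      type = str;
      description = "MQTT topic on which to publish notifications.";
      default = "fudo/notifications/objects";
    };

    snooper-host = mkOption {
      type = str;
      description = "Host on which to run the snooper service.";
    };
  };

  config = mkIf cfg.enable {
    fudo = {
      # Deliver the password to the snooper host only.
      # NOTE(review): ownership and mode of the target file are decided by the
      # host-secrets module, not here; verify that only the snooper service
      # account can read /run/snooper/mqtt.passwd.
      secrets.host-secrets."${hostname}" = {
        snooper-passwd = mkIf isSnooper {
          source-file = snooper-mqtt-passwd;
          target-file = "/run/snooper/mqtt.passwd";
        };
      };

      services.mqtt = mkIf isSnooper {
        enable = true;

        # Private listener: the snooper user may only read the event topics.
        private = {
          enable = true;
          users.snooper = {
            password-file = snooper-mqtt-passwd;
            acl = map (topic: "read ${topic}") cfg.event-topics;
          };
        };

        # Public listener: the listener-level ACL grants read on the
        # notification topic; only the snooper user may also write to it.
        # NOTE(review): the same password file backs the snooper user on both
        # listeners, so exposure of that one credential covers read access to
        # events and write access to notifications. Separate credentials per
        # listener would limit that; confirm whether sharing is intended.
        public = {
          enable = true;
          acl = [ "read ${cfg.notification-topic}" ];
          users.snooper = {
            password-file = snooper-mqtt-passwd;
            acl = [ "readwrite ${cfg.notification-topic}" ];
          };
        };
      };
    };

    services = {
      snooper = mkIf isSnooper {
        enable = true;
        # Follow the module's own `verbose` option. This was hard-coded to
        # true, which left the declared option without effect and kept
        # verbose logging on regardless of the operator's setting.
        verbose = cfg.verbose;
        event-topics = cfg.event-topics;
        notification-topic = cfg.notification-topic;
        mqtt =
          let host-secrets = config.fudo.secrets.host-secrets."${hostname}";
          in {
            # Events are consumed from the private listener.
            incoming = {
              port = config.fudo.services.mqtt.private.port;
              host = config.fudo.services.mqtt.mqtt-hostname;
              username = "snooper";
              password-file = host-secrets.snooper-passwd.target-file;
            };
            # Notifications are published on the public listener.
            outgoing = {
              port = config.fudo.services.mqtt.public.port;
              host = config.fudo.services.mqtt.mqtt-hostname;
              username = "snooper";
              password-file = host-secrets.snooper-passwd.target-file;
            };
          };
      };

      # Notification client. No username or password is configured here, so it
      # presumably connects under the public listener's listener-level ACL
      # (read-only on the notification topic). Confirm against the mqtt module.
      tattler = mkIf cfg.enable-notifications {
        enable = true;
        # Same fix as for snooper: respect the `verbose` option.
        verbose = cfg.verbose;
        notification-topic = cfg.notification-topic;
        mqtt = {
          inherit (config.fudo.services.mqtt.public) port;
          host = config.fudo.services.mqtt.mqtt-hostname;
        };
      };
    };
  };
}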