# NixOS module: opens TCP 1883 in the firewall and runs a Mosquitto broker
# with password checking and one user limited to the myink/# topic tree.
{ config, pkgs, ... }:

{
  # NOTE(review): 1883 is the conventional unencrypted MQTT port. The ssl
  # block further down is commented out and the broker binds to every
  # interface, so usernames, passwords and payloads presumably cross the
  # network in clear text. Confirm this is intended, or restrict the source
  # addresses / re-enable TLS before exposing it beyond a trusted network.
  networking.firewall.allowedTCPPorts = [ 1883 ];

  # Disabled ACME certificate for the broker, kept for reference.
  # NOTE(review): if this is re-enabled, `chmod g+rw -R` also grants the
  # group write access to the private key; read access is all the broker
  # should need.
  # security.acme.certs."mqtt.stubbe.rocks" = {
  #   email = "mqqt@stubbe.rocks";
  #   webroot = "/var/www/challenges/";
  #   allowKeysForGroup = true;
  #   group = "mosquitto";
  #   postRun = ''
  #     chmod g+rw -R /var/lib/acme/mqtt.stubbe.rocks
  #     chown mosquitto:root -R /var/lib/acme/mqtt.stubbe.rocks
  #   '';
  #   directory = "/var/lib/acme/mqtt.stubbe.rocks";
  # };

  services.mosquitto = {
    enable = true;

    # Disabled TLS settings, kept for reference.
    # NOTE(review): on NixOS ACME, full.pem normally bundles the private key
    # with the certificate chain; verify before using it as `cafile`.
    # ssl = {
    #   enable = true;
    #   cafile = "/var/lib/acme/mqtt.stubbe.rocks/full.pem";
    #   certfile = "/var/lib/acme/mqtt.stubbe.rocks/cert.pem";
    #   keyfile = "/var/lib/acme/mqtt.stubbe.rocks/key.pem";
    # };

    # Listen on all IPv4 interfaces.
    host = "0.0.0.0";

    # Require clients to authenticate against the users declared below.
    checkPasswords = true;

    users = {
      "eeN!ei2eilo1aiT6" = {
        # The only grant: read and write on everything below myink/.
        acl = [ "topic readwrite myink/#" ];

        # NOTE(review): a literal password in a Nix expression is stored in
        # version control and is likely copied into the world-readable
        # /nix/store. Prefer the module's hashedPassword option or a secret
        # provisioned outside the store, and rotate this credential if the
        # file has ever been shared or published.
        password = "AS5hoh5ug(ei8eer";
      };
    };
  };
}