nixos/mosquitto: Add checkPasswords option

Related to https://github.com/NixOS/nixpkgs/issues/27130. Adds an option to NixOS configuration option to have Mosquitto use the password file that it generates. When this option is false the Mosquitto server will accept login attempts with any username and any password. This option defaults to false because this matches the behavior of the service prior to the introduction of this option. When the `services.mosquitto.checkPasswords` is true, the server will only accept valid usernames and passwords.
7 years ago · 66b07e41e6
parent 638b67146d
commit 66b07e41e6
1 changed files with 14 additions and 0 deletions
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@ -12,6 +12,10 @@ let
    keyfile ${cfg.ssl.keyfile}
  '';

+  passwordConf = optionalString cfg.checkPasswords ''
+    password_file ${cfg.dataDir}/passwd
+  '';
+
  mosquittoConf = pkgs.writeText "mosquitto.conf" ''
    pid_file /run/mosquitto/pid
    acl_file ${aclFile}
@ -19,6 +23,7 @@ let
    allow_anonymous ${boolToString cfg.allowAnonymous}
    bind_address ${cfg.host}
    port ${toString cfg.port}
+    ${passwordConf}
    ${listenerConf}
    ${cfg.extraConf}
  '';
@ -153,6 +158,15 @@ in
        '';
      };

+      checkPasswords = mkOption {
+        default = false;
+        example = true;
+        type = types.bool;
+        description = ''
+          Refuse connection when clients provide incorrect passwords.
+        '';
+      };
+
      extraConf = mkOption {
        default = "";
        type = types.lines;