Mosquitto bridge config

Hello Nixers,
I’m trying to configure a simple bridge from an MQTT broker (embedded in a Victron GX device) to a NixOS home server, since Home Assistant supports only a single configured MQTT broker and I need another one to manage some Shelly Flood devices (where the HA integration fails to remain connected), merging the topics of the Victron broker and mine with the Shellys’.

From the wiki I see how to configure the broker/listener part, and nixos-rebuild succeeds, but I can’t understand how to configure the bridge. In mosquitto terms the config is a very simple

connection bridge-hsrv-victron
address 192.168.1.50:1883
topic # both 0

but I fail to understand how to write the same thing in the Nix language. From the NixOS options, mosquitto.bridges is an attribute set of (submodule), so I understand it should be declared like

mosquitto = {
  bridges = {
  };  # bridges
}; # mosquitto

then I need a bridge <name> so I suppose something like

bridges = {
  "bridge-hsrv-victron" = ...
};  # bridges

or

bridges.bridge-hsrv-victron = {
};  # bridges.bridge-hsrv-victron

imagining it maps to the connection mosquitto config directive, but I can’t understand the meaning of addresses.*.address. I know I can have many bridges, but if I declare one, everything should be in that scope, so I’ve blindly tried

addresses.victron = [
  address = "192.168.1.101";
  port = "1883";
]; # addresses

but nixos-rebuild fails with error: syntax error, unexpected '=' on

address = "192.168.1.101";
              ^

And… Well… I can’t understand the logic. Can anyone address me?
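The mosquitto.conf fragment from the question, written out as the equivalent NixOS module options. This is an added example, not code from either poster: the listener address, the homeassistant user and its passwordFile path, and the Shelly/Victron topic prefixes are assumptions, included to show where access control on the local side goes once the bridge copies every topic in both directions.

```nix
# Added example (not from either poster): the questioner's mosquitto.conf
# bridge, expressed as NixOS options.
#
#   connection bridge-hsrv-victron
#   address 192.168.1.50:1883
#   topic # both 0
#
# Assumptions: the Victron GX broker at 192.168.1.50 speaks plaintext MQTT on
# the LAN, Home Assistant connects as user "homeassistant", and the Shelly and
# Victron topic prefixes are "shellies/#" and "N/#", "R/#", "W/#".
{ ... }:
{
  services.mosquitto = {
    enable = true;

    listeners = [{
      address = "0.0.0.0";   # assumption: LAN-facing plaintext listener for Home Assistant
      port = 1883;
      # false is already the module default; stated so the intent is visible.
      # With "topic # both 0" below, anyone who can publish here can publish
      # into the Victron broker as well, so do not leave the listener anonymous.
      settings.allow_anonymous = false;
      users.homeassistant = {
        # assumption: secret deployed outside the Nix store, e.g. by sops-nix/agenix
        passwordFile = "/run/secrets/mosquitto-homeassistant";
        acl = [
          "readwrite shellies/#"   # assumed Shelly topic prefix
          "read N/#"               # assumed Victron notification prefix
          "read R/#"
          "write W/#"              # assumed Victron write prefix
        ];
      };
    }];

    # The bridge name becomes "connection bridge-hsrv-victron" in mosquitto.conf.
    bridges.bridge-hsrv-victron = {
      # addresses is a list because mosquitto accepts several fallback brokers;
      # one entry is the common case.
      addresses = [{
        address = "192.168.1.50";
        port = 1883;
      }];
      # Each string is emitted verbatim after "topic ", so this is exactly
      # "topic # both 0": every topic, both directions, QoS 0.
      topics = [ "# both 0" ];
      # Narrower mappings limit what a compromised client on either side can
      # reach, e.g. [ "N/# in 0" "W/# out 0" ] instead of "# both 0".
      settings = {
        # A fixed client id lets the remote broker resume the same session
        # after a restart instead of treating every reconnect as a new client.
        remote_clientid = "nixos-homeserver";
        cleansession = false;
        start_type = "automatic";
      };
    };
  };

  # Home Assistant and the Shelly devices connect to the local listener.
  networking.firewall.allowedTCPPorts = [ 1883 ];
}
```

The mosquitto module writes each `bridges.<name>` as a `connection <name>` block, each `addresses` entry as an `address host:port` line and each `topics` entry as a `topic` line, so the three lines from the question map one-to-one onto the three attributes above; the listener ACL is the only part that has no counterpart in the original fragment.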

I know it’s been a while, so maybe you’ve gotten this, but in case not, or if others find this: I too struggled to get this working, but now have a working configuration I can share.

The format of the addresses bit is similar to how you can configure one or more addresses on a system network interface (see Networking - NixOS Wiki), so we can use a block like this:

    bridges."bridge_connection_name" = {
      addresses = [{
        address = "remote-mqtt-broker.example.com";
        port = 1883;
      }];
    };

For me, I needed a local MQTT broker that listened over plaintext MQTT and bridged to an AWS IoT Core MQTT broker using Mutual TLS. In case it’s helpful to you or others, here’s my full (with creds/endpoints redacted) service configuration:

  # Local plaintext MQTT Broker + Bridge to AWS IoT over TLS
  services.mosquitto = {
    enable = true;
    logType = [ "all" ];
    listeners = [{
      address = "192.168.0.1";
      port = 1883;
      users.iotdevice = {
        acl = [
          "read IoT/device/action"
          "write IoT/device/observations"
          "write IoT/device/LW"
        ];
        password = "mysweetpassword-or-use-hashedPassword";
      };
      settings = {
        bind_interface = "eth0";
      };
    }];
    bridges."aws_iot_core" = {
      addresses = [{
        address = "foobar.iot.us-west-2.amazonaws.com";
        port = 8883;
      }];
      topics = [
        "IoT/device/action in 1 \"\""
        "IoT/device/observations out 1 \"\""
        "IoT/device/LW out 0 \"\""
      ];
      settings = {
        local_clientid = "iotdevice-pi";
        remote_clientid = "IoT-Mosquitto";
        cleansession = true;
        notifications = false;
        start_type = "automatic";
        bridge_protocol_version = "mqttv311";
        bridge_outgoing_retain = false;
        bridge_insecure = false;
        bridge_cafile = "/persist/etc/mosquitto/AmazonRootCA1-RSA.pem";
        bridge_certfile = "/persist/etc/mosquitto/client.pem";
        bridge_keyfile = "/persist/etc/mosquitto/c_key.pem";
      };
    };
  };
Remember to open up any firewall ports you need for the listener, e.g. for my example above TCP port 1883.

And here’s a bunch of resources that I used in making it (in no particular order, just a dump of my open tabs):