From 66b07e41e633bb6df1f1a57aa46856e7248da0da Mon Sep 17 00:00:00 2001 From: Richard Larocque Date: Sun, 6 Aug 2017 15:21:01 -0700 Subject: nixos/mosquitto: Add checkPasswords option Related to https://github.com/NixOS/nixpkgs/issues/27130. Adds an option to NixOS configuration option to have Mosquitto use the password file that it generates. When this option is false the Mosquitto server will accept login attempts with any username and any password. This option defaults to false because this matches the behavior of the service prior to the introduction of this option. When the `services.mosquitto.checkPasswords` is true, the server will only accept valid usernames and passwords.
---
 nixos/modules/services/networking/mosquitto.nix | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'nixos/modules/services/networking/mosquitto.nix')
diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix
index 5451500b56f..9aef726b268 100644
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@@ -12,6 +12,10 @@ let
 keyfile ${cfg.ssl.keyfile}
 '';
+ passwordConf = optionalString cfg.checkPasswords ''
+ password_file ${cfg.dataDir}/passwd
+ '';
+
 mosquittoConf = pkgs.writeText "mosquitto.conf" ''
 pid_file /run/mosquitto/pid
 acl_file ${aclFile}
@@ -19,6 +23,7 @@ let
 allow_anonymous ${boolToString cfg.allowAnonymous}
 bind_address ${cfg.host}
 port ${toString cfg.port}
+ ${passwordConf}
 ${listenerConf}
 ${cfg.extraConf}
 '';
@@ -153,6 +158,15 @@ in
 '';
 };
+ checkPasswords = mkOption {
+ default = false;
+ example = true;
+ type = types.bool;
+ description = ''
+ Refuse connection when clients provide incorrect passwords.
+ '';
+ };
+
 extraConf = mkOption {
 default = "";
 type = types.lines;
-- cgit 1.4.1
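Review bot: `password_file ${cfg.dataDir}/passwd` in the first hunk spells out the path of the generated password file as a literal, while the code that writes that file is outside the hunk. If the two ever drift apart, the broker would presumably be pointed at a missing or stale file whenever `checkPasswords` is on. Binding the path once in the `let` block, e.g. `passwordFile = "${cfg.dataDir}/passwd";`, and using that name in both places would keep them in step. The `let` block itself starts and ends outside the hunk.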
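Review bot: The `description` of `checkPasswords` in the last hunk does not say what `false` means, although `false` is the default. Per the commit message the broker then accepts any username with any password, so any per-user rules in the `acl_file` would be matched against names nobody has verified. I would state that in the option text, e.g. `When false (the default), the generated password file is not consulted and any username/password pair is accepted.` The text should also say how this combines with `allowAnonymous`, since clients that send no credentials are presumably governed by that option rather than this one. Keeping `false` preserves the old behaviour, but a warning when users are configured and `checkPasswords` is off would make the unauthenticated state visible at evaluation time.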