{ sops, config, ...}: {

  sops.secrets."home-assistant/mosquitto/hass" = {};

  services.mosquitto = {
    enable = true;
    listeners = [
      {
        address = "192.168.178.111";
        port = 1883;
        users.hass = {
          acl = [ "readwrite #" ];
          hashedPasswordFile = config.sops.secrets."home-assistant/mosquitto/hass".path;
        };
      }
    ];
  };

  networking.firewall.allowedTCPPorts = [ 1883 ];
}