{
  sops,
  lib,
  config,
  ...
}:
{
  config = lib.mkIf config.server.home-assistant.enable {

    sops.secrets."home-assistant/mosquitto/hass" = {
      sopsFile = ./hosts/lilith-lab/secrets/default.yaml;
    };

    services.mosquitto = {
      enable = true;
      listeners = [
        {
          address = "192.168.178.111";
          port = 1883;
          users.hass = {
            acl = [ "readwrite #" ];
            hashedPasswordFile = config.sops.secrets."home-assistant/mosquitto/hass".path;
          };
        }
      ];
    };

    networking.firewall.allowedTCPPorts = [ 1883 ];
  };
}