# NixOS module: Mosquitto MQTT broker with two listeners (MQTT on 1883,
# MQTT-over-WebSockets on 9001) and the Prometheus MQTT exporter on 9000.
{ pkgs, config, tools, ... }:

let
  # Broker accounts that get a password entry on every listener.
  brokerAccounts = [ "mqtt" "ha" "z2m" "frigate" ];

  # One `passwordFile` per account, read from config.age.secrets (presumably
  # agenix-managed, which would keep the passwords out of the world-readable
  # Nix store -- confirm).
  passwordUsers = builtins.listToAttrs (map (account: {
    name = account;
    value.passwordFile = config.age.secrets."mqtt-password-${account}".path;
  }) brokerAccounts);

  # Authentication settings shared by both listeners.
  # NOTE(review): require_certificate and use_identity_as_username are
  # mosquitto's TLS client-certificate options, but no cafile/certfile/keyfile
  # is set anywhere in this file. Unless they are supplied elsewhere, confirm
  # that these listeners really speak TLS; otherwise traffic (passwords
  # included) is presumably sent in clear text and these two options have no
  # effect.
  # NOTE(review): per mosquitto.conf, when use_identity_as_username is in
  # effect the certificate CN becomes the username and the password file is not
  # used for that listener, so the password users above and the certificate
  # identity overlap. Confirm which mechanism is intended.
  authSettings = {
    allow_anonymous = false;
    require_certificate = true;
    use_identity_as_username = true;
  };

  # Build one listener; `extraSettings` carries per-listener options such as
  # the protocol.
  mkListener = port: extraSettings: {
    inherit port;
    # NOTE(review): a `pattern` ACL applies to every authenticated client, so
    # each account can read and write all topics matched by `#`. For least
    # privilege, consider per-user `acl` entries scoped to the topics each
    # service needs.
    acl = [ "pattern readwrite #" ];
    omitPasswordAuth = false;
    users = passwordUsers;
    settings = extraSettings // authSettings;
  };
in
{
  services.mosquitto = {
    enable = true;
    logType = [ "error" "warning" "subscribe" "unsubscribe" "websockets" ];

    # Global broker settings: left empty (the original carried a "???"
    # placeholder here).
    settings = { };

    listeners = [
      (mkListener 1883 { })
      (mkListener 9001 { protocol = "websockets"; })
    ];
  };

  services.prometheus.exporters.mqtt = {
    enable = true;
    mqttUsername = "mqtt";
    # Remaining exporter configuration comes from this secret environment file
    # (presumably including the MQTT password -- confirm).
    environmentFile = config.age.secrets.mqtt-exporter-environment.path;
    # NOTE(review): this opens the exporter port in the host firewall, so the
    # metrics endpoint is reachable from every network the firewall faces.
    # Confirm that is intended, or restrict access to the Prometheus scraper.
    openFirewall = true;
    port = 9000;
    zigbee2MqttAvailability = true;
  };
}