diff --git a/modules/nixos/services/homeassistant/default.nix b/modules/nixos/services/homeassistant/default.nix
index 5d7e7a0..a57d03b 100644
--- a/modules/nixos/services/homeassistant/default.nix
+++ b/modules/nixos/services/homeassistant/default.nix
@@ -33,6 +33,8 @@ in {
       extraComponents = [
         "hue"
         "met"
+        "mqtt"
+        "octoprint"
         "tuya"
         "vizio"
         "zeroconf"
diff --git a/modules/nixos/services/mosquitto/default.nix b/modules/nixos/services/mosquitto/default.nix
new file mode 100644
index 0000000..8ef4232
--- /dev/null
+++ b/modules/nixos/services/mosquitto/default.nix
@@ -0,0 +1,45 @@
+{
+  options,
+  config,
+  lib,
+  pkgs,
+  format,
+  ...
+}:
+with lib; let
+  cfg = config.aa.services.mosquitto;
+  mosquitto_cfg = config.services.mosquitto;
+in {
+  options.aa.services.mosquitto = with types; {
+    enable = mkEnableOption "home assistant";
+  };
+  config = mkIf cfg.enable {
+    age.secrets = {
+      hass_mqtt.file = ../../../../secrets/hass_mqtt.age;
+      theengs_ble_mqtt.file = ../../../../secrets/theengs_ble_mqtt.age;
+    };
+
+    services.mosquitto = {
+      enable = true;
+      listeners = [
+        {
+          users = {
+            hass = {
+              acl = [
+                "read home/#"
+                "readwrite homeassistant/status"
+              ];
+              passwordFile = config.age.secrets.hass_mqtt.path;
+            };
+            theengs_ble_gateway = {
+              acl = ["readwrite home/#"];
+              passwordFile = config.age.secrets.theengs_ble_mqtt.path;
+            };
+          };
+        }
+      ];
+    };
+
+    networking.firewall.allowedTCPPorts = [1883];
+  };
+}
diff --git a/secrets/cf_dns_kilonull.age b/secrets/cf_dns_kilonull.age
index d9d3255..2b90162 100644
--- a/secrets/cf_dns_kilonull.age
+++ b/secrets/cf_dns_kilonull.age
@@ -1,14 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 Yk7ehg NwKwWQiMTehA+gluPXpVyL4zyhGRheQ1hCyyjPyWNlM
-ZTD2ssehxzayPhnW+OVqXzr/fqQ7Hdm711RgZT5R4Pw
--> ssh-ed25519 SYNSNQ oEc4p7cz7u+gEYIJVW7hl+VXwXzPSpRXCL33Ij2ZIkc
-avgbK9ss20KmL1XB9Sg45bwv6BItDcMJj8/e2fXxZOE
--> ssh-ed25519 t5XIGA huqEOk8X1Z4g4pcjAc6griyt3x+hU5NWMfCUL8WoUkI
-yqJxaxWF04PzcmyFN8hq+u9DaQmbI4W3PSDC2+Rxr5I
--> piv-p256 UIEGzg AzYN661WI0nUCA4MHnSqOT0A23jbBl9Dnv5CmmJkvuSk
-BXxeYW5RdiYNwtMG+PHF5b7x2Pu129SNOeqItwfcWTs
--> X{\S-grease <0c[|Bb
-tXXujcfm/3s/TMaX5tM9TamHAEHSUCArwJCDEJ2SFKcL8FSV1N3srp4wNogtF7pO
-PjLeXFHo
---- 1VR3EGzzVvK+pbDlvomJ6cJ9wOrP2LoPsUqmh0c6bVE
-°¸>¦/Éÿ,+ðì®bÇLþjgŽfÏ<9m¿K‰ÙõT¢‚±N3òà¦wÄÍÂ¹1¸(¿&É´D¦Á	7ø2 #­.^"KWì$BªKUknDX¨î­kÂÝ7GRÚ¡d§Ìèœ^9`Ðã©Ñ”yóM-µˆçKvõO#çÑ#¤þ8_—<Êù©âu:;Ø\•A0â¬X5ø³)²Þ
\ No newline at end of file
+-> ssh-ed25519 Yk7ehg YW+VO4Mb5SxfM9mxXRvYKC2kJVZeULkllzvUbo0VShM
+yOts+jZvdreDDC13fT/4BdF7d/B03RaGlDzSwBGa6Q8
+-> ssh-ed25519 SYNSNQ tdbAwQABaA+r2Kkm7d9UIsVC7J/LtmlI1rnbQOlkYQU
+sJfnI9RdEoYaI7+rlrG+N4cTxdWRX2XDDzjuql5CYhI
+-> ssh-ed25519 t5XIGA 61XjTYo7NAeORxGErzRef/qluiux1GiOKbTUoetarzE
+JZYJQRs6jDPubIVAxbvDK3wGUcydLs8mbj+s/gYannk
+-> piv-p256 UIEGzg A+RKB16kMJniwsfCfG5apfAXcoYFyo+7NAIp0PRcEyeZ
+aWL7CzAm9iEFyoeaK7fWSiV8zVYv9FZr0JV5sgD1r/k
+-> X-:^I-grease )G"sj("
+jVX1VFRb4ltX1a+uPuXUtXycWEMUY0RRqC9IRJ7KDMQk39Rt
+--- gT6dA9SwnjRXm0xmHuVZcjmPyk4Awg7EOJGEsiVRbjQ
+ÚPˆTŸ¬é›pô¡E«[T`˜Ã­›ê|³¯<èGCû‹ï#´šŸH‡9ª‹^ÀÞ›¡#3!åÕ'Ú£Æ&è¦›hó”pZøŽcKÀ3À4S0‡”€g@,æZúÌ†òyÇï¨i ©8I"{€&áèö‡TÞÇÐ‰l#PKœoyÔh8Ù]êi²Ø	äøÛ7¼~Ú|Ògz¤Â‘~6
\ No newline at end of file
diff --git a/secrets/hass_mqtt.age b/secrets/hass_mqtt.age
new file mode 100644
index 0000000..7777288
Binary files /dev/null and b/secrets/hass_mqtt.age differ
diff --git a/secrets/nextcloud_admin.age b/secrets/nextcloud_admin.age
index d1ee0db..c418050 100644
Binary files a/secrets/nextcloud_admin.age and b/secrets/nextcloud_admin.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 79edeb1..70bbea6 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -10,4 +10,6 @@ let
 in {
   "cf_dns_kilonull.age".publicKeys = [users.me machines.node machines.gospel machines.pi4];
   "nextcloud_admin.age".publicKeys = [users.me machines.node];
+  "theengs_ble_mqtt.age".publicKeys = [users.me machines.pi4];
+  "hass_mqtt.age".publicKeys = [users.me machines.pi4 machines.node];
 }
diff --git a/secrets/theengs_ble_mqtt.age b/secrets/theengs_ble_mqtt.age
new file mode 100644
index 0000000..0f59fc6
--- /dev/null
+++ b/secrets/theengs_ble_mqtt.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 t5XIGA VI8M2lKHFTlmy8SztjfCE5sGTZEtk11OvYKOHVsYbFM
+BKBGSSpbl0D64mtyfKBkapjyn3G4U7DLPDu0Xb7T0sM
+-> piv-p256 UIEGzg A4nB8kjBm06K2nVBkHANTzBZcflssYIyA4fKgxtNmnMF
+8dFmHQjiJ9bDDC7zcVjoiDtv8aHLZUdYZwp/YCL6Lmo
+-> "DI?cD^G-grease sK5f 3_ <Zq
+lPu7GtAC0D0wNw0lBLB9MTpMFnU
+--- a3oVDb9D/2tKnYpZ0HIrTPdOJsHKudZEOkmSqD5l05E
+|ï½îsˆÈ%7‘RWÇêÉ9ÊÈgY:ä/R9Ü¤ÁMƒT· £Z‚Ú5.TîkËßçèüË“¨E:
\ No newline at end of file
diff --git a/systems/aarch64-linux/pi4/default.nix b/systems/aarch64-linux/pi4/default.nix
index 77f1330..d0f0e3d 100644
--- a/systems/aarch64-linux/pi4/default.nix
+++ b/systems/aarch64-linux/pi4/default.nix
@@ -43,6 +43,7 @@
     };
     services.prometheus.enable = true;
     services.promtail.enable = true;
+    services.mosquitto.enable = true;
 
     security.acme = {
       enable = true;