I managed to install the MQTT broker on my Synology NAS. I run LetsEncrypt for a valid certificate. For those that like to know: Control Panel -> Security -> Go to certificate tab -> add the letsencrypt certificate for your public hostname that is pointing to your NAS. That certificate can be used in the mosquitto configuration as well. For those trying to figure that out, the relevant settings are:
You also need to add read rights to these files (chmod a+r fullchain.pem privkey.pem). I can live with the fact that this means my private certificate is readable for everyone with an account on this NAS. A more elegant way would be to add access to just the mosquitto daemon.
The documentation is stressing left and right to set “use_identity_as_username false”, but you don’t want that for a situation where you have a valid certificate. It is intended for a situation where you have a manually installed certificate on your phone that is also providing ‘credentials’, i.e.: having (and using) that particular certificate allows a valid TLS-encrypted login. If you make the mistake of setting this use_identity_as_username to false, you will get CONNACK errors telling you your username or password is not correct. Which is a valid error message, albeit not very helpful in remedying the error.
My only worry is that my Synology auto-updates the certificate every 3 months so I keep a valid short-lived LetsEncrypt certificate. I reckon I will run into problems since I expect the broker will not pick up on the on-the-fly updates to that certificate. So, I think I need to work out a script that restarts the mosquitto service after an automated certificate update.
My next step would be to actually use the owntrack updates in flows. I disallowed the homey app access to Location data on my phone (and save battery that way) but I obviously would like to update the presence awareness in the Homey sphere (pun intended). What would be an appropriate way to do that? Should I update the status of the already available (but flaky) Presence facility from homey with ‘mark user as away’ leaving a geofence, or should I run flows with a dedicated variable ignoring this built-in facility?
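The renewal problem described above (mosquitto keeps the old certificate in memory until it is restarted) can be handled by a small scheduled script that restarts the broker only when the certificate file on disk has actually changed. The script below is an added example, not code from the post or from mosquitto; the certificate directory, the state-file location and the restart command are placeholders to be replaced with the values for your NAS. It also includes a check for the world-readable private key the post mentions, so the same job can warn when `privkey.pem` is readable by every account on the NAS.

```shell
#!/bin/sh
# cert-watch.sh (hypothetical): restart mosquitto when the LetsEncrypt
# certificate changes, and warn if the private key is world-readable.
# All three paths/commands below are assumptions; adjust for your NAS.
CERT_DIR="${CERT_DIR:-/path/to/synology/certificate}"     # placeholder
STATE_FILE="${STATE_FILE:-/var/tmp/mosquitto-cert.cksum}"  # placeholder
RESTART_CMD="${RESTART_CMD:-echo RESTART_CMD not set: put the mosquitto restart command here}"

# cert_fingerprint FILE: print "checksum:size" of the file (POSIX cksum, so
# it works without openssl; a sha256 would be equally fine where available).
cert_fingerprint() {
    cksum "$1" | awk '{print $1 ":" $2}'
}

# cert_changed CERT STATE: return 0 (true) when CERT's fingerprint differs
# from the one recorded in STATE (or STATE does not exist yet), and record
# the new fingerprint; return 1 when nothing changed.
cert_changed() {
    cert="$1"
    state="$2"
    new=$(cert_fingerprint "$cert")
    old=""
    if [ -f "$state" ]; then
        old=$(cat "$state")
    fi
    if [ "$new" = "$old" ]; then
        return 1
    fi
    printf '%s\n' "$new" > "$state"
    return 0
}

# key_is_world_readable FILE: return 0 when the "other" read bit is set,
# i.e. the effect of the chmod a+r from the post. Uses the ls -l mode string
# (8th character) so it is portable across BSD and GNU userlands.
key_is_world_readable() {
    other_read=$(ls -l "$1" | cut -c8)
    [ "$other_read" = "r" ]
}

main() {
    if key_is_world_readable "$CERT_DIR/privkey.pem"; then
        echo "warning: $CERT_DIR/privkey.pem is readable by every account on this NAS" >&2
    fi
    if cert_changed "$CERT_DIR/fullchain.pem" "$STATE_FILE"; then
        echo "certificate changed, restarting mosquitto"
        sh -c "$RESTART_CMD"
    else
        echo "certificate unchanged, nothing to do"
    fi
}

# Run only when invoked as a job (CERT_WATCH_RUN=1), so the functions can be
# sourced and checked without touching a real broker.
if [ "${CERT_WATCH_RUN:-0}" = "1" ]; then
    main
fi
```

Schedule it with `CERT_WATCH_RUN=1 sh cert-watch.sh` from the NAS task scheduler shortly after the renewal window; because the fingerprint is stored between runs, the broker is only restarted on a real renewal rather than on every invocation.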