Configuration method / logic for mosquitto mqtt broker

I am curious as to how others are configuring Mosquitto for mqtt?

I have installed it onto my Pi (the same Pi running home assistant) and am undecided as to how I should set it up?
More specifically on users and .conf files.

Is it ‘OK’ to use the main .conf file in /etc/mosquitto/mosquitto.conf or is it better practice to use individual .conf files in /etc/mosquitto/conf.d?

If I undetrstand correct, I would set one .conf file per broker user inside the conf.d folder?
so for example:
/etc/mosquitto/conf.d/home-assistant.conf
/etc/mosquitto/conf.d/another-user.conf
But I think im a little lost at this point…why would one have multiple users?

The main .conf file tends to be updated by the installation process, so it is generally best left alone if you can. Any other organisation is entirely up to you.

This is usually to be able to restrict certain topics to certain logins. For instance, you can restrict Owntracks to only send messages specific to owntracks.

hmm, ok.
So I went ahead and created /etc/mosquito/conf.d/home-assistant.conf in a very barebones manor:

user home-assistant
listener 1883
allow_anonymous false
password_file /etc/mosquitto/passwd

I created a password using sudo mosquitto_passwd -c /etc/mosquito/passwd home-assistant
It seems to work as it should from some very quick tests using mosquito_pub and mosquito_sub

Im still unsure as to why / if I’ll ever need to create additional users.
I know im being dumb here, but I cannot get my head around it…
I have other Pis on my network running python scripts that send some basic data via mqtt, e.g. temperatures…would this be a usage case?

Not really, unless you feel those might suddenly be controlled by a party that you don’t trust. I don’t have any users or password configured, but then I don’t have access from outside my network, so it is unnecessary.

I have access into my network via PiVpn running on a separate pi (pi-hole+openvpn)

I guess it’s not necessary, more out of intrigue now!

I originally set up multiple users because I read somewhere that two clients publishing/subscribing to messages at the same time with the same credentials can cause “problems”. No idea whether this is actually true or not. However, mainly due to laziness, I now have most of my clients using the same login, and I’ve not had any problems.

Not quite right.

2 or more clients with the same client_id. Not the same user/pass

It’s good to set up different users and passwords if you have, say, multiple owntracks tracking or something similar. At some point you may have one of those devices compromised (lost/stolen) and you want to remove/change a user’s access/password

hmm, interesting.
I don’t use owntracks.

In fact, all I use MQTT for is the ‘Bruh Multisensor’ (two of them) and I run a python program I wrote as a service on some other Pis which publish basic data (memory info, cpu temp etc.) via mqtt.