diff --git a/roles/mosquitto/files/mosquitto_tls.ksh b/roles/mosquitto/files/mosquitto_tls.ksh
new file mode 100644
index 0000000..9481c35
--- /dev/null
+++ b/roles/mosquitto/files/mosquitto_tls.ksh
@@ -0,0 +1,10 @@
+#!/bin/ksh
+
+# shellcheck disable=SC2034
+daemon="/usr/local/sbin/mosquitto -d"
+daemon_flags="-c /etc/mosquitto-tls/mosquitto.conf"
+
+# shellcheck source=/dev/null
+. /etc/rc.d/rc.subr
+
+rc_cmd "$1"
diff --git a/roles/mosquitto/handlers/main.yml b/roles/mosquitto/handlers/main.yml
index 7e1bb2c..268abc3 100644
--- a/roles/mosquitto/handlers/main.yml
+++ b/roles/mosquitto/handlers/main.yml
@@ -3,3 +3,8 @@
   ansible.builtin.service:
     name: mosquitto
     state: restarted
+
+- name: Restart mosquitto-tls
+  ansible.builtin.service:
+    name: mosquitto_tls
+    state: restarted
diff --git a/roles/mosquitto/tasks/main.yml b/roles/mosquitto/tasks/main.yml
index a4bbc4f..d405371 100644
--- a/roles/mosquitto/tasks/main.yml
+++ b/roles/mosquitto/tasks/main.yml
@@ -9,15 +9,21 @@
     name: _mosquitto
     groups: hostkey
     append: true
-  notify: Restart mosquitto
+  notify:
+    - Restart mosquitto
+    - Restart mosquitto-tls
 
-- name: Create include directory for config
+- name: Create config directories
   ansible.builtin.file:
-    path: /etc/mosquitto/conf.d
+    path: "{{ item }}"
     state: directory
     mode: "0750"
     owner: root
     group: _mosquitto
+  with_items:
+    - /etc/mosquitto/conf.d
+    - /etc/mosquitto-tls
+    - /etc/mosquitto-tls/conf.d
 
 - name: Include extra configs
   ansible.builtin.lineinfile:
@@ -26,7 +32,7 @@
     regexp: "^#?include_dir( .*)?$"
   notify: Restart mosquitto
 
-- name: Create custom config
+- name: Create custom config for plaintext server
   ansible.builtin.template:
     dest: /etc/mosquitto/conf.d/local.conf
     src: mosquitto.conf.j2
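Review bot: The `-c /etc/mosquitto-tls/mosquitto.conf` path is only a default, because rc.subr takes `daemon_flags` as the fallback for a `mosquitto_tls_flags` setting in rc.conf.local and an override replaces the whole string, so an operator adding a flag there would start this instance without its config file at all. The script also has no comment saying why a second rc script exists; a header like `# second mosquitto instance serving the TLS listener; keep -c in any mosquitto_tls_flags override` above `daemon` would carry that. Keeping `-d` inside `daemon` rather than in the flags is right for the same reason, since it cannot be overridden away.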
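Review bot: `with_items` on the new `Create config directories` task is the legacy loop form; current Ansible idiom is `loop:` with the same list, and the same applies to the `Enable services` task added further down in this file. The user task that now notifies both handlers begins outside the hunk.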
@@ -44,16 +50,7 @@
     group: _mosquitto
   notify: Restart mosquitto
 
-- name: Copy acl file for tls server
-  ansible.builtin.copy:
-    dest: /etc/mosquitto/acl-tls.conf
-    src: acl-tls.conf
-    mode: "0400"
-    owner: _mosquitto
-    group: _mosquitto
-  notify: Restart mosquitto
-
-- name: Copy passwd file
+- name: Copy passwd file for plaintext server
   ansible.builtin.copy:
     dest: /etc/mosquitto/passwd
     src: "{{ ansible_private }}/files/mosquitto/passwd"
@@ -62,8 +59,57 @@
     group: _mosquitto
   notify: Restart mosquitto
 
-- name: Enable service
+- name: Create default config for tls server
+  ansible.builtin.command:
+    argv:
+      - sed
+      - "s|^include_dir .*|include_dir /etc/mosquitto-tls/conf.d|"
+      - /etc/mosquitto/mosquitto.conf
+  changed_when: false
+  register: result
+
+- name: Write default config for tls server
+  ansible.builtin.copy:
+    dest: /etc/mosquitto-tls/mosquitto.conf
+    content: "{{ result.stdout }}\n"
+    mode: "0640"
+    owner: root
+    group: _mosquitto
+    remote_src: true
+  notify: Restart mosquitto-tls
+
+- name: Create custom config for tls server
+  ansible.builtin.template:
+    dest: /etc/mosquitto-tls/conf.d/local.conf
+    src: mosquitto-tls.conf.j2
+    mode: "0640"
+    owner: root
+    group: _mosquitto
+  notify: Restart mosquitto-tls
+
+- name: Create acl file for tls server
+  ansible.builtin.template:
+    dest: /etc/mosquitto-tls/acl.conf
+    src: acl-tls.conf.j2
+    mode: "0400"
+    owner: _mosquitto
+    group: _mosquitto
+  notify: Restart mosquitto-tls
+
+- name: Create mosquitto-tls control script
+  ansible.builtin.copy:
+    dest: /etc/rc.d/mosquitto_tls
+    src: mosquitto_tls.ksh
+    mode: "0755"
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: Restart mosquitto-tls
+
+- name: Enable services
   ansible.builtin.service:
-    name: mosquitto
+    name: "{{ item }}"
     enabled: true
     state: started
+  with_items:
+    - mosquitto
+    - mosquitto_tls
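Review bot: Dropping the `Copy acl file for tls server` task leaves the previously deployed `/etc/mosquitto/acl-tls.conf` in place on hosts that already ran the role, since nothing removes it; the plaintext config stops referencing it in this commit, but a stale 0400 ACL file is misleading to the next person reading that directory. A cleanup task such as `- name: Remove old tls acl file` / `ansible.builtin.file:` / `path: /etc/mosquitto/acl-tls.conf` with `state: absent` would retire it. The `Copy passwd file` task continues outside the hunk.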
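Review bot: The `Create default config for tls server` command task is skipped in check mode, so the following `Write default config for tls server` task then dereferences an undefined `result.stdout` and the play fails under `--check`; since the sed invocation only reads `/etc/mosquitto/mosquitto.conf`, adding `check_mode: false` next to `changed_when: false` makes the pair check-mode safe. `remote_src: true` on that copy task has no effect when `content:` is used instead of `src:` and can be dropped. Deriving the second config from the whole base file also carries over every other directive in it — if the base sets a `pid_file` or `persistence_location`, both instances would share them, which I cannot confirm from the hunk. A comment on the command task saying that the TLS instance reuses the base config with only `include_dir` rewritten would help the next reader.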
diff --git a/roles/mosquitto/files/acl-tls.conf b/roles/mosquitto/templates/acl-tls.conf.j2
similarity index 59%
rename from roles/mosquitto/files/acl-tls.conf
rename to roles/mosquitto/templates/acl-tls.conf.j2
index b41e9b2..b7eed5c 100644
--- a/roles/mosquitto/files/acl-tls.conf
+++ b/roles/mosquitto/templates/acl-tls.conf.j2
@@ -1,4 +1,7 @@
 pattern read #
 
+user {{ inventory_hostname }}
+topic readwrite #
+
 user frigate*.home.foo.sh
 pattern readwrite frigate/%u/#
diff --git a/roles/mosquitto/templates/mosquitto-tls.conf.j2 b/roles/mosquitto/templates/mosquitto-tls.conf.j2
new file mode 100644
index 0000000..7cf1712
--- /dev/null
+++ b/roles/mosquitto/templates/mosquitto-tls.conf.j2
@@ -0,0 +1,11 @@
+listener 8883
+protocol mqtt
+
+certfile {{ tls_certs }}/{{ inventory_hostname }}.crt
+keyfile {{ tls_private }}/{{ inventory_hostname }}.key
+cafile {{ tls_certs }}/ca.crt
+tls_version tlsv1.3
+
+acl_file /etc/mosquitto-tls/acl.conf
+require_certificate true
+use_identity_as_username true
diff --git a/roles/mosquitto/templates/mosquitto.conf.j2 b/roles/mosquitto/templates/mosquitto.conf.j2
index ffad7dd..917467e 100644
--- a/roles/mosquitto/templates/mosquitto.conf.j2
+++ b/roles/mosquitto/templates/mosquitto.conf.j2
@@ -1,7 +1,3 @@
-# use different settings for plaintext and tls listeners
-per_listener_settings true
-
-# listen to mqtt
 listener 1883
 protocol mqtt
 
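Review bot: `user {{ inventory_hostname }}` followed by `topic readwrite #` gives the broker's own bridge identity read and write on every topic of the TLS instance, assuming the host certificate's CN is the inventory hostname as `use_identity_as_username` would map it. The bridge defined in mosquitto.conf.j2 is out-only and publishes under `home/`, so it only needs `topic write home/#` (plus `$SYS/broker/connection/+/state` for bridge connection notifications, unless those are disabled) and no read at all; the existing `pattern read #` line above already grants read to every CA-issued identity, so this line mainly adds write. Narrowing it keeps the plaintext broker from being able to publish on arbitrary topics of the TLS side if it is ever misconfigured or compromised.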
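Review bot: The new listener authenticates solely by client certificate: `require_certificate true` with `use_identity_as_username true` turns any certificate issued by the CA in `cafile` into a broker user, and nothing here handles revocation; if that CA publishes a CRL, a `crlfile {{ tls_certs }}/<CRL-FILE-PLACEHOLDER>` line would let the listener reject withdrawn host certificates. Writing `allow_anonymous false` explicitly would also document the intent rather than relying on the broker default. A header comment naming this as the TLS-only instance started by `/etc/rc.d/mosquitto_tls` would tie the template to the tasks that deploy it.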
@@ -9,15 +5,12 @@
 acl_file /etc/mosquitto/acl.conf
 password_file /etc/mosquitto/passwd
 allow_anonymous false
-# listen to mqtt over websockets
-listener 8883
-protocol mqtt
+connection tls-bridge
+address {{ inventory_hostname }}:8883
+bridge_cafile {{ tls_certs }}/ca.crt
+bridge_certfile {{ tls_certs }}/{{ inventory_hostname }}.crt
+bridge_keyfile {{ tls_private }}/{{ inventory_hostname }}.key
 
-certfile {{ tls_certs }}/{{ inventory_hostname }}.crt
-keyfile {{ tls_private }}/{{ inventory_hostname }}.key
-cafile {{ tls_certs }}/ca.crt
-tls_version tlsv1.3
-
-acl_file /etc/mosquitto/acl-tls.conf
-require_certificate true
-use_identity_as_username true
+{% for shelly in shellies %}
+topic # out 0 shellies/{{ shelly['name'] }}/ home/{{ shelly['room'] }}/{{ shelly['device'] }}/
+{% endfor %}
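Review bot: The bridge block replaces the deleted section comments with none of its own; a comment such as `# out-only bridge to the local TLS instance; shelly topics are re-published under home/<room>/<device>/` above `connection tls-bridge` would explain the `topic # out 0 ...` remap to the next reader. `address {{ inventory_hostname }}:8883` means the bridge verifies the server certificate against that host name, since no `bridge_insecure` line relaxes it, so the host certificate must carry the name — which I cannot confirm from here. The template also assumes `shellies` is always defined; `{% for shelly in shellies | default([]) %}` keeps it renderable on a host with none.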