foo.sh/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

mosquitto: Refactor mqtt infra

Browse source
This commit is contained in:
Timo Makinen 2024-12-27 15:10:40 +00:00
parent a8841252d1
commit 7ee2572e04
6 changed files with 99 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
roles/mosquitto/files/mosquitto_tls.ksh Normal file
View file

@ -0,0 +1,10 @@
#!/bin/ksh
# shellcheck disable=SC2034
daemon="/usr/local/sbin/mosquitto -d"
daemon_flags="-c /etc/mosquitto-tls/mosquitto.conf"
# shellcheck source=/dev/null
. /etc/rc.d/rc.subr
rc_cmd "$1"

5
roles/mosquitto/handlers/main.yml
View file

@ -3,3 +3,8 @@
ansible.builtin.service: ansible.builtin.service:
name: mosquitto name: mosquitto
state: restarted state: restarted
- name: Restart mosquitto-tls
ansible.builtin.service:
name: mosquitto_tls
state: restarted

78
roles/mosquitto/tasks/main.yml
View file

@ -9,15 +9,21 @@
name: _mosquitto name: _mosquitto
groups: hostkey groups: hostkey
append: true append: true
notify: Restart mosquitto notify:
- Restart mosquitto
- Restart mosquitto-tls
- name: Create include directory for config - name: Create config directories
ansible.builtin.file: ansible.builtin.file:
path: /etc/mosquitto/conf.d path: "{{ item }}"
state: directory state: directory
mode: "0750" mode: "0750"
owner: root owner: root
group: _mosquitto group: _mosquitto
with_items:
- /etc/mosquitto/conf.d
- /etc/mosquitto-tls
- /etc/mosquitto-tls/conf.d
- name: Include extra configs - name: Include extra configs
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@ -26,7 +32,7 @@
regexp: "^#?include_dir( .*)?$" regexp: "^#?include_dir( .*)?$"
notify: Restart mosquitto notify: Restart mosquitto
- name: Create custom config - name: Create custom config for plaintext server
ansible.builtin.template: ansible.builtin.template:
dest: /etc/mosquitto/conf.d/local.conf dest: /etc/mosquitto/conf.d/local.conf
src: mosquitto.conf.j2 src: mosquitto.conf.j2
@ -44,16 +50,7 @@
group: _mosquitto group: _mosquitto
notify: Restart mosquitto notify: Restart mosquitto
- name: Copy acl file for tls server - name: Copy passwd file for plaintext server
ansible.builtin.copy:
dest: /etc/mosquitto/acl-tls.conf
src: acl-tls.conf
mode: "0400"
owner: _mosquitto
group: _mosquitto
notify: Restart mosquitto
- name: Copy passwd file
ansible.builtin.copy: ansible.builtin.copy:
dest: /etc/mosquitto/passwd dest: /etc/mosquitto/passwd
src: "{{ ansible_private }}/files/mosquitto/passwd" src: "{{ ansible_private }}/files/mosquitto/passwd"
@ -62,8 +59,57 @@
group: _mosquitto group: _mosquitto
notify: Restart mosquitto notify: Restart mosquitto
- name: Enable service - name: Create default config for tls server
ansible.builtin.command:
argv:
- sed
- "s|^include_dir .*|include_dir /etc/mosquitto-tls/conf.d|"
- /etc/mosquitto/mosquitto.conf
changed_when: false
register: result
- name: Write default config for tls server
ansible.builtin.copy:
dest: /etc/mosquitto-tls/mosquitto.conf
content: "{{ result.stdout }}\n"
mode: "0640"
owner: root
group: _mosquitto
remote_src: true
notify: Restart mosquitto-tls
- name: Create custom config for tls server
ansible.builtin.template:
dest: /etc/mosquitto-tls/conf.d/local.conf
src: mosquitto-tls.conf.j2
mode: "0640"
owner: root
group: _mosquitto
notify: Restart mosquitto-tls
- name: Create acl file for tls server
ansible.builtin.template:
dest: /etc/mosquitto-tls/acl.conf
src: acl-tls.conf.j2
mode: "0400"
owner: _mosquitto
group: _mosquitto
notify: Restart mosquitto-tls
- name: Create mosquitto-tls control script
ansible.builtin.copy:
dest: /etc/rc.d/mosquitto_tls
src: mosquitto_tls.ksh
mode: "0755"
owner: root
group: "{{ ansible_wheel }}"
notify: Restart mosquitto-tls
- name: Enable services
ansible.builtin.service: ansible.builtin.service:
name: mosquitto name: "{{ item }}"
enabled: true enabled: true
state: started state: started
with_items:
- mosquitto
- mosquitto_tls

3
roles/mosquitto/files/acl-tls.conf → roles/mosquitto/templates/acl-tls.conf.j2
View file

@ -1,4 +1,7 @@
pattern read # pattern read #
user {{ inventory_hostname }}
topic readwrite #
user frigate*.home.foo.sh user frigate*.home.foo.sh
pattern readwrite frigate/%u/# pattern readwrite frigate/%u/#

11
roles/mosquitto/templates/mosquitto-tls.conf.j2 Normal file
View file

@ -0,0 +1,11 @@
listener 8883
protocol mqtt
certfile {{ tls_certs }}/{{ inventory_hostname }}.crt
keyfile {{ tls_private }}/{{ inventory_hostname }}.key
cafile {{ tls_certs }}/ca.crt
tls_version tlsv1.3
acl_file /etc/mosquitto-tls/acl.conf
require_certificate true
use_identity_as_username true

23
roles/mosquitto/templates/mosquitto.conf.j2
View file

@ -1,7 +1,3 @@
# use different settings for plaintext and tls listeners
per_listener_settings true
# listen to mqtt
listener 1883 listener 1883
protocol mqtt protocol mqtt
@ -9,15 +5,12 @@ acl_file /etc/mosquitto/acl.conf
password_file /etc/mosquitto/passwd password_file /etc/mosquitto/passwd
allow_anonymous false allow_anonymous false
# listen to mqtt over websockets connection tls-bridge
listener 8883 address {{ inventory_hostname }}:8883
protocol mqtt bridge_cafile {{ tls_certs }}/ca.crt
bridge_certfile {{ tls_certs }}/{{ inventory_hostname }}.crt
bridge_keyfile {{ tls_private }}/{{ inventory_hostname }}.key
certfile {{ tls_certs }}/{{ inventory_hostname }}.crt {% for shelly in shellies %}
keyfile {{ tls_private }}/{{ inventory_hostname }}.key topic # out 0 shellies/{{ shelly['name'] }}/ home/{{ shelly['room'] }}/{{ shelly['device'] }}/
cafile {{ tls_certs }}/ca.crt {% endfor %}
tls_version tlsv1.3
acl_file /etc/mosquitto/acl-tls.conf
require_certificate true
use_identity_as_username true