mosquitto: Refactor mqtt infra

2024-12-27 15:10:40 +00:00 · 2024-12-27 15:10:40 +00:00 · 7ee2572e04
commit 7ee2572e04
parent a8841252d1
6 changed files with 99 additions and 31 deletions
--- a/roles/mosquitto/files/mosquitto_tls.ksh
+++ b/roles/mosquitto/files/mosquitto_tls.ksh
@ -0,0 +1,10 @@
+#!/bin/ksh
+
+# shellcheck disable=SC2034
+daemon="/usr/local/sbin/mosquitto -d"
+daemon_flags="-c /etc/mosquitto-tls/mosquitto.conf"
+
+# shellcheck source=/dev/null
+. /etc/rc.d/rc.subr
+
+rc_cmd "$1"
--- a/roles/mosquitto/handlers/main.yml
+++ b/roles/mosquitto/handlers/main.yml
@ -3,3 +3,8 @@
  ansible.builtin.service:
    name: mosquitto
    state: restarted
+
+- name: Restart mosquitto-tls
+  ansible.builtin.service:
+    name: mosquitto_tls
+    state: restarted
--- a/roles/mosquitto/tasks/main.yml
+++ b/roles/mosquitto/tasks/main.yml
@ -9,15 +9,21 @@
    name: _mosquitto
    groups: hostkey
    append: true
-  notify: Restart mosquitto
+  notify:
+    - Restart mosquitto
+    - Restart mosquitto-tls

- name: Create include directory for config
+- name: Create config directories
  ansible.builtin.file:
-    path: /etc/mosquitto/conf.d
+    path: "{{ item }}"
    state: directory
    mode: "0750"
    owner: root
    group: _mosquitto
+  with_items:
+    - /etc/mosquitto/conf.d
+    - /etc/mosquitto-tls
+    - /etc/mosquitto-tls/conf.d

 - name: Include extra configs
  ansible.builtin.lineinfile:
@ -26,7 +32,7 @@
    regexp: "^#?include_dir( .*)?$"
  notify: Restart mosquitto

- name: Create custom config
+- name: Create custom config for plaintext server
  ansible.builtin.template:
    dest: /etc/mosquitto/conf.d/local.conf
    src: mosquitto.conf.j2
@ -44,16 +50,7 @@
    group: _mosquitto
  notify: Restart mosquitto

- name: Copy acl file for tls server
-  ansible.builtin.copy:
-    dest: /etc/mosquitto/acl-tls.conf
-    src: acl-tls.conf
-    mode: "0400"
-    owner: _mosquitto
-    group: _mosquitto
-  notify: Restart mosquitto
-
- name: Copy passwd file
+- name: Copy passwd file for plaintext server
  ansible.builtin.copy:
    dest: /etc/mosquitto/passwd
    src: "{{ ansible_private }}/files/mosquitto/passwd"
@ -62,8 +59,57 @@
    group: _mosquitto
  notify: Restart mosquitto

- name: Enable service
+- name: Create default config for tls server
+  ansible.builtin.command:
+    argv:
+      - sed
+      - "s|^include_dir .*|include_dir /etc/mosquitto-tls/conf.d|"
+      - /etc/mosquitto/mosquitto.conf
+  changed_when: false
+  register: result
+
+- name: Write default config for tls server
+  ansible.builtin.copy:
+    dest: /etc/mosquitto-tls/mosquitto.conf
+    content: "{{ result.stdout }}\n"
+    mode: "0640"
+    owner: root
+    group: _mosquitto
+    remote_src: true
+  notify: Restart mosquitto-tls
+
+- name: Create custom config for tls server
+  ansible.builtin.template:
+    dest: /etc/mosquitto-tls/conf.d/local.conf
+    src: mosquitto-tls.conf.j2
+    mode: "0640"
+    owner: root
+    group: _mosquitto
+  notify: Restart mosquitto-tls
+
+- name: Create acl file for tls server
+  ansible.builtin.template:
+    dest: /etc/mosquitto-tls/acl.conf
+    src: acl-tls.conf.j2
+    mode: "0400"
+    owner: _mosquitto
+    group: _mosquitto
+  notify: Restart mosquitto-tls
+
+- name: Create mosquitto-tls control script
+  ansible.builtin.copy:
+    dest: /etc/rc.d/mosquitto_tls
+    src: mosquitto_tls.ksh
+    mode: "0755"
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: Restart mosquitto-tls
+
+- name: Enable services
  ansible.builtin.service:
-    name: mosquitto
+    name: "{{ item }}"
    enabled: true
    state: started
+  with_items:
+    - mosquitto
+    - mosquitto_tls
--- a/roles/mosquitto/templates/acl-tls.conf.j2
+++ b/roles/mosquitto/templates/acl-tls.conf.j2
@ -1,4 +1,7 @@
 pattern read #

+user {{ inventory_hostname }}
+topic readwrite #
+
 user frigate*.home.foo.sh
 pattern readwrite frigate/%u/#
--- a/roles/mosquitto/templates/mosquitto-tls.conf.j2
+++ b/roles/mosquitto/templates/mosquitto-tls.conf.j2
@ -0,0 +1,11 @@
+listener 8883
+protocol mqtt
+
+certfile {{ tls_certs }}/{{ inventory_hostname }}.crt
+keyfile {{ tls_private }}/{{ inventory_hostname }}.key
+cafile {{ tls_certs }}/ca.crt
+tls_version tlsv1.3
+
+acl_file /etc/mosquitto-tls/acl.conf
+require_certificate true
+use_identity_as_username true
--- a/roles/mosquitto/templates/mosquitto.conf.j2
+++ b/roles/mosquitto/templates/mosquitto.conf.j2
@ -1,7 +1,3 @@
-# use different settings for plaintext and tls listeners
-per_listener_settings true
-
-# listen to mqtt
 listener 1883
 protocol mqtt

@ -9,15 +5,12 @@ acl_file /etc/mosquitto/acl.conf
 password_file /etc/mosquitto/passwd
 allow_anonymous false

-# listen to mqtt over websockets
-listener 8883
-protocol mqtt
+connection tls-bridge
+address {{ inventory_hostname }}:8883
+bridge_cafile {{ tls_certs }}/ca.crt
+bridge_certfile {{ tls_certs }}/{{ inventory_hostname }}.crt
+bridge_keyfile {{ tls_private }}/{{ inventory_hostname }}.key

-certfile {{ tls_certs }}/{{ inventory_hostname }}.crt
-keyfile {{ tls_private }}/{{ inventory_hostname }}.key
-cafile {{ tls_certs }}/ca.crt
-tls_version tlsv1.3
-
-acl_file /etc/mosquitto/acl-tls.conf
-require_certificate true
-use_identity_as_username true
+{% for shelly in shellies %}
+topic # out 0 shellies/{{ shelly['name'] }}/ home/{{ shelly['room'] }}/{{ shelly['device'] }}/
+{% endfor %}