mosquitto: Configure TLS listener authorization

2024-12-23 09:47:01 +00:00 · 2024-12-23 09:47:01 +00:00 · aa4b46465c
commit aa4b46465c
parent 0adad8fa18
2 changed files with 20 additions and 6 deletions
--- a/roles/mosquitto/tasks/main.yml
+++ b/roles/mosquitto/tasks/main.yml
@ -35,7 +35,7 @@
    group: _mosquitto
  notify: Restart mosquitto

- name: Copy acl file
+- name: Copy acl file for plaintext server
  ansible.builtin.copy:
    dest: /etc/mosquitto/acl.conf
    src: "{{ ansible_private }}/files/mosquitto/acl.conf"
@ -44,6 +44,15 @@
    group: _mosquitto
  notify: Restart mosquitto

+- name: Copy acl file for tls server
+  ansible.builtin.copy:
+    dest: /etc/mosquitto/acl-tls.conf
+    src: "{{ ansible_private }}/files/mosquitto/acl-tls.conf"
+    mode: "0400"
+    owner: _mosquitto
+    group: _mosquitto
+  notify: Restart mosquitto
+
 - name: Copy passwd file
  ansible.builtin.copy:
    dest: /etc/mosquitto/passwd
--- a/roles/mosquitto/templates/mosquitto.conf.j2
+++ b/roles/mosquitto/templates/mosquitto.conf.j2
@ -1,18 +1,23 @@
-# authentication
-acl_file /etc/mosquitto/acl.conf
-password_file /etc/mosquitto/passwd
-allow_anonymous false
+# use different settings for plaintext and tls listeners
+per_listener_settings true

 # listen to mqtt
 listener 1883
 protocol mqtt

+acl_file /etc/mosquitto/acl.conf
+password_file /etc/mosquitto/passwd
+allow_anonymous false
+
 # listen to mqtt over websockets
 listener 8883
 protocol mqtt

-# tls options
 certfile {{ tls_certs }}/{{ inventory_hostname }}.crt
 keyfile {{ tls_private }}/{{ inventory_hostname }}.key
 cafile {{ tls_certs }}/ca.crt
 tls_version tlsv1.3
+
+acl_file /etc/mosquitto/acl-tls.conf
+require_certificate true
+use_identity_as_username true