From aa4b46465c1d93cc598486ab5b7753ccd672216b Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Mon, 23 Dec 2024 09:47:01 +0000
Subject: [PATCH] mosquitto: Configure TLS listener authorization

---
 roles/mosquitto/tasks/main.yml              | 11 ++++++++++-
 roles/mosquitto/templates/mosquitto.conf.j2 | 15 ++++++++++-----
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/roles/mosquitto/tasks/main.yml b/roles/mosquitto/tasks/main.yml
index 2d09f14..6343432 100644
--- a/roles/mosquitto/tasks/main.yml
+++ b/roles/mosquitto/tasks/main.yml
@@ -35,7 +35,7 @@
     group: _mosquitto
   notify: Restart mosquitto
 
-- name: Copy acl file
+- name: Copy acl file for plaintext server
   ansible.builtin.copy:
     dest: /etc/mosquitto/acl.conf
     src: "{{ ansible_private }}/files/mosquitto/acl.conf"
@@ -44,6 +44,15 @@
     group: _mosquitto
   notify: Restart mosquitto
 
+- name: Copy acl file for tls server
+  ansible.builtin.copy:
+    dest: /etc/mosquitto/acl-tls.conf
+    src: "{{ ansible_private }}/files/mosquitto/acl-tls.conf"
+    mode: "0400"
+    owner: _mosquitto
+    group: _mosquitto
+  notify: Restart mosquitto
+
 - name: Copy passwd file
   ansible.builtin.copy:
     dest: /etc/mosquitto/passwd
diff --git a/roles/mosquitto/templates/mosquitto.conf.j2 b/roles/mosquitto/templates/mosquitto.conf.j2
index e228124..ffad7dd 100644
--- a/roles/mosquitto/templates/mosquitto.conf.j2
+++ b/roles/mosquitto/templates/mosquitto.conf.j2
@@ -1,18 +1,23 @@
-# authentication
-acl_file /etc/mosquitto/acl.conf
-password_file /etc/mosquitto/passwd
-allow_anonymous false
+# use different settings for plaintext and tls listeners
+per_listener_settings true
 
 # listen to mqtt
 listener 1883
 protocol mqtt
 
+acl_file /etc/mosquitto/acl.conf
+password_file /etc/mosquitto/passwd
+allow_anonymous false
+
 # listen to mqtt over websockets
 listener 8883
 protocol mqtt
 
-# tls options
 certfile {{ tls_certs }}/{{ inventory_hostname }}.crt
 keyfile {{ tls_private }}/{{ inventory_hostname }}.key
 cafile {{ tls_certs }}/ca.crt
 tls_version tlsv1.3
+
+acl_file /etc/mosquitto/acl-tls.conf
+require_certificate true
+use_identity_as_username true
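Review bot: The 8883 listener block that ends at `use_identity_as_username true` carries no explicit `allow_anonymous false`, whereas the 1883 block now states it; with `per_listener_settings true` each listener holds its own authentication settings, so the TLS listener's posture rests on the broker's per-listener default rather than a declared value — add `allow_anonymous false` next to `acl_file /etc/mosquitto/acl-tls.conf` so both listeners are explicit and a future default change cannot widen access. Dropping `# tls options` leaves that block headed only by the context comment `# listen to mqtt over websockets`, which does not describe a `protocol mqtt` listener authenticated by client certificate; a comment above `listener 8883` such as `# listen to mqtt over tls; the client certificate identity is the ACL username` would document the new split. Because every certificate issued by the `cafile` CA now maps to a username for ACL lookup, it is worth stating whether client-certificate revocation is handled (Mosquitto's `crlfile` option, or elsewhere in the role) — this hunk shows neither. A short note beside the new `acl_file` line that the usernames in acl-tls.conf must match the identity derived by `use_identity_as_username` would also save the next maintainer a trip to the broker documentation.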