mosquitto: Configure TLS listener authorization

roles/mosquitto/templates/mosquitto.conf.j2

@@ -1,18 +1,23 @@
-# authentication
-acl_file /etc/mosquitto/acl.conf
-password_file /etc/mosquitto/passwd
-allow_anonymous false
+# use different settings for plaintext and tls listeners
+per_listener_settings true
 
 # listen to mqtt
 listener 1883
 protocol mqtt
 
+acl_file /etc/mosquitto/acl.conf
+password_file /etc/mosquitto/passwd
+allow_anonymous false
+
 # listen to mqtt over websockets
 listener 8883
 protocol mqtt
 
-# tls options
 certfile {{ tls_certs }}/{{ inventory_hostname }}.crt
 keyfile {{ tls_private }}/{{ inventory_hostname }}.key
 cafile {{ tls_certs }}/ca.crt
 tls_version tlsv1.3
+
+acl_file /etc/mosquitto/acl-tls.conf
+require_certificate true
+use_identity_as_username true