mosquitto: Configure TLS listener authorization

roles/mosquitto/tasks/main.yml

@@ -35,7 +35,7 @@
     group: _mosquitto
   notify: Restart mosquitto
 
-- name: Copy acl file
+- name: Copy acl file for plaintext server
   ansible.builtin.copy:
     dest: /etc/mosquitto/acl.conf
     src: "{{ ansible_private }}/files/mosquitto/acl.conf"
@@ -44,6 +44,15 @@
     group: _mosquitto
   notify: Restart mosquitto
 
+- name: Copy acl file for tls server
+  ansible.builtin.copy:
+    dest: /etc/mosquitto/acl-tls.conf
+    src: "{{ ansible_private }}/files/mosquitto/acl-tls.conf"
+    mode: "0400"
+    owner: _mosquitto
+    group: _mosquitto
+  notify: Restart mosquitto
+
 - name: Copy passwd file
   ansible.builtin.copy:
     dest: /etc/mosquitto/passwd

roles/mosquitto/templates/mosquitto.conf.j2

@@ -1,18 +1,23 @@
-# authentication
+# use different settings for plaintext and tls listeners
-acl_file /etc/mosquitto/acl.conf
+per_listener_settings true
-password_file /etc/mosquitto/passwd
-allow_anonymous false
 
 # listen to mqtt
 listener 1883
 protocol mqtt
 
+acl_file /etc/mosquitto/acl.conf
+password_file /etc/mosquitto/passwd
+allow_anonymous false
+
 # listen to mqtt over websockets
 listener 8883
 protocol mqtt
 
-# tls options
 certfile {{ tls_certs }}/{{ inventory_hostname }}.crt
 keyfile {{ tls_private }}/{{ inventory_hostname }}.key
 cafile {{ tls_certs }}/ca.crt
 tls_version tlsv1.3
+
+acl_file /etc/mosquitto/acl-tls.conf
+require_certificate true
+use_identity_as_username true