authorChristian Pointner <equinox@spreadspace.org>2023-12-20 16:26:28 +0100
committerChristian Pointner <equinox@spreadspace.org>2023-12-20 16:26:28 +0100
commitbc001d962bccf2faff6eecfbbace44cc6d6e7a27 (patch)
tree3e6b8484493df8d62ad4785da3e629a838086707 /inventory
parentx509: make ca-certificates accessable for role users (diff)
mosqitto: rename to mosquitto/broker and add mosquitto/client
Diffstat (limited to 'inventory')
-rw-r--r--inventory/host_vars/ch-testvm-phoebe.yml38
-rw-r--r--inventory/host_vars/ch-testvm-prometheus.yml29
2 files changed, 55 insertions, 12 deletions
diff --git a/inventory/host_vars/ch-testvm-phoebe.yml b/inventory/host_vars/ch-testvm-phoebe.yml
index d15e4142..7eae49e7 100644
--- a/inventory/host_vars/ch-testvm-phoebe.yml
+++ b/inventory/host_vars/ch-testvm-phoebe.yml
@@ -39,3 +39,41 @@ network:
address: "{{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) }}"
ntp_variant: systemd-timesyncd
+
+
+###
+mosquitto_client_tls:
+ foo-consumer:
+ certificate_provider: managed-ca
+ certificate_config:
+ ca:
+ host: ch-testvm-prometheus
+ name: foo
+ cert:
+ common_name: consumer
+ organization_name: "spreadspace"
+ organizational_unit_name: "ansible"
+ san_extra:
+ - "IP:192.168.32.43"
+ extended_key_usage:
+ - clientAuth
+ extended_key_usage_critical: yes
+ create_subject_key_identifier: yes
+ not_after: +100w
+ foo-producer:
+ certificate_provider: managed-ca
+ certificate_config:
+ ca:
+ host: ch-testvm-prometheus
+ name: foo
+ cert:
+ common_name: producer
+ organization_name: "spreadspace"
+ organizational_unit_name: "ansible"
+ san_extra:
+ - "IP:192.168.32.43"
+ extended_key_usage:
+ - clientAuth
+ extended_key_usage_critical: yes
+ create_subject_key_identifier: yes
+ not_after: +100w
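Review bot: The `###` line that opens the added block is an empty heading; a comment saying what these certificates are for would help a reader who lands here from the broker side, e.g. `### mosquitto client TLS: per-client certificates for the "foo" broker listener, issued by the managed CA "foo" on ch-testvm-prometheus`. The `foo-consumer` and `foo-producer` entries are identical except for `common_name`, which a reviewer can only confirm by diffing the two blocks by eye; if the x509 role tolerates YAML anchors the shared `ca:` and `cert:` defaults could be written once, otherwise a one-line comment per entry naming the intended difference (`# same as foo-consumer, CN "producer"`) is enough. `extended_key_usage_critical: yes` and `create_subject_key_identifier: yes` are YAML 1.1 booleans that Ansible reads as intended, but `true` is the form yamllint's truthy rule accepts and it avoids the question for other tooling that parses these host_vars.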
diff --git a/inventory/host_vars/ch-testvm-prometheus.yml b/inventory/host_vars/ch-testvm-prometheus.yml
index de31921f..ff36f733 100644
--- a/inventory/host_vars/ch-testvm-prometheus.yml
+++ b/inventory/host_vars/ch-testvm-prometheus.yml
@@ -55,11 +55,17 @@ managed_ca_authorities:
not_after: +520w
-mosquitto_global_config_options:
+mosquitto_broker_global_config_options:
per_listener_settings: "true"
-mosquitto_listeners:
+mosquitto_broker_listeners:
example:
+ bind: 1883
+ options:
+ allow_anonymous: "false"
+ acl_file: /etc/mosquitto/example.acl
+ password_file: /etc/mosquitto/example.passwd
+ foo:
bind: 1884 192.168.32.42
hostnames:
- mqtt.example.com
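Review bot: The re-added `example` listener has `bind: 1883` with no address, so with `per_listener_settings: "true"` it is a cleartext MQTT listener on every interface whose only protection is `password_file`, while the `foo` listener beside it is pinned to `192.168.32.42`; if `example` is only meant for local or test clients, `bind: 1883 127.0.0.1` (in the `port address` form used for `foo`) would keep the passwords from `example.passwd` off the network. The old `foo` listener this block replaces had the same settings, so the exposure is not introduced by this commit, but the rename is the moment to state the intent in a comment, e.g. `# plaintext listener, password auth only - local/test clients`. The `mosquitto_broker_listeners` mapping continues in the next hunk.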
@@ -74,22 +80,21 @@ mosquitto_listeners:
organizational_unit_name: "ansible"
san_extra:
- "IP:192.168.32.42"
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
create_subject_key_identifier: yes
not_after: +100w
options:
- allow_anonymous: "true"
+ allow_anonymous: "false"
require_certificate: "true"
+ cafile: /etc/mosquitto/ca_certificates/foo-ca-crt.pem
+ use_identity_as_username: "true"
acl_file: /etc/mosquitto/foo.acl
- foo:
- bind: 1883
- options:
- allow_anonymous: "false"
- acl_file: /etc/mosquitto/example.acl
- password_file: /etc/mosquitto/example.passwd
-mosquitto_prometheus_listener: true
+mosquitto_broker_prometheus_listener: true
-mosquitto_acl_files:
+mosquitto_broker_acl_files:
example: |
user admin
topic read test/+
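Review bot: The `foo` listener now authenticates by client certificate (`require_certificate: "true"`, `use_identity_as_username: "true"`, `cafile: /etc/mosquitto/ca_certificates/foo-ca-crt.pem`) but sets no `crlfile`, so a certificate issued by the foo CA stays accepted until its own `not_after` (100 weeks for the phoebe clients in the other file) even after it is revoked; if the managed-ca role publishes a CRL, `crlfile:` next to `cafile:` closes that gap, and if it does not, a comment saying that revocation means re-issuing the CA is worth having. `use_identity_as_username` makes the certificate CN the username the ACL matches, so the `consumer`/`producer` names in `foo.acl` are coupled to `mosquitto_client_tls` on ch-testvm-phoebe; a line such as `# username = client cert CN, see mosquitto_client_tls in ch-testvm-phoebe.yml` above `acl_file:` would document that. The `cafile` path is hard-coded while the CA itself is defined under `managed_ca_authorities` earlier in this file; presumably the x509 role installs the CA certificate at that path, but this hunk does not show it.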
@@ -101,7 +106,7 @@ mosquitto_acl_files:
user producer
topic write foo/+
-mosquitto_password_files:
+mosquitto_broker_password_files:
example: |
admin:{{ 'admin' | mosquitto_passwd_hash('admin@mqtt.example.com') }}
equinox:{{ 'secret' | mosquitto_passwd_hash('equinox@mqtt.example.com') }}