-rw-r--r-- | chaos-at-home/ch-iot.yml | 3 | ||||
-rw-r--r-- | chaos-at-home/host_vars/ch-iot.yml | 9 | ||||
-rw-r--r-- | inventory/host_vars/ch-iot.yml | 62 |
3 files changed, 74 insertions, 0 deletions
diff --git a/chaos-at-home/ch-iot.yml b/chaos-at-home/ch-iot.yml
index a849939e..1cc18e76 100644
--- a/chaos-at-home/ch-iot.yml
+++ b/chaos-at-home/ch-iot.yml
@@ -12,5 +12,8 @@
 hosts: ch-iot
 roles:
 - role: apt-repo/spreadspace
+ - role: x509/managed-ca/base
+ - role: x509/managed-ca/ca
+ - role: mosquitto/broker
 - role: nginx/base
 - role: monitoring/prometheus/exporter
diff --git a/chaos-at-home/host_vars/ch-iot.yml b/chaos-at-home/host_vars/ch-iot.yml
new file mode 100644
index 00000000..c5573943
--- /dev/null
+++ b/chaos-at-home/host_vars/ch-iot.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.2;AES256;chaos-at-home
+63633063396137353238336164383530323265383661353137366661343534386334396530336536
+3662343662396531336539373234663866326466303262300a363432323366343231333264306233
+65643966303335643137653036343838366361646437613566356130323965303566646539616236
+3539343636303362640a303330343861356461326139373163323134653161636237316436373037
+65393339346533373065316162383664626231346462353933343931616231373938633162393535
+33313230306661663764336130663064333134386432656535666131623635353639636634383961
+64323638343231616138373031663363623333333962363464653938396534303166633536333539
+64633962363338636337
diff --git a/inventory/host_vars/ch-iot.yml b/inventory/host_vars/ch-iot.yml
index 85d3d3ec..1fb732d4 100644
--- a/inventory/host_vars/ch-iot.yml
+++ b/inventory/host_vars/ch-iot.yml
@@ -55,3 +55,65 @@ spreadspace_apt_repo_components:
 prometheus_exporters_extra:
 - chrony
+# - mosquitto
+
+
+managed_ca_authorities:
+ mqtt:
+ key:
+ type: RSA
+ size: 4096
+ cert:
+ common_name: chaos-at-home CA for mqtt
+ not_before: +0h
+ not_after: +2080w # ~40 years
+
+
+mosquitto_broker_global_config_options:
+ per_listener_settings: "true"
+
+mosquitto_broker_listeners:
+ iot:
+ bind: "1883 {{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ options:
+ allow_anonymous: "false"
+ acl_file: /etc/mosquitto/iot.acl
+ password_file: /etc/mosquitto/iot.passwd
+ svc:
+ bind: "1883 {{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ hostnames:
+ - mqtt.chaos-at-home.org
+ tls:
+ certificate_provider: managed-ca
+ certificate_config:
+ ca:
+ host: ch-iot
+ name: mqtt
+ cert:
+ san_extra:
+ - "IP:{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
+ create_subject_key_identifier: yes
+ not_after: +100w
+ options:
+ allow_anonymous: "false"
+ require_certificate: "true"
+ cafile: /etc/mosquitto/ca_certificates/svc-ca-crt.pem
+ use_identity_as_username: "true"
+ # acl_file: /etc/mosquitto/svc.acl
+
+mosquitto_broker_prometheus_listener: true
+
+mosquitto_broker_acl_files:
+ iot: |
+ user test
+ topic write test/+
+ # svc: |
+ # user nodered
+ # topic read test/+
+
+mosquitto_broker_password_files:
+ iot: |
+ test:{{ vault_mosquitto_broker_passwords.iot.test | mosquitto_passwd_hash('admin@mqtt.example.com') }} |
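Review bot: The `svc` listener authenticates clients by certificate (`require_certificate: "true"`, `use_identity_as_username: "true"`) but its `acl_file` line is commented out, so every client whose certificate chains to `svc-ca-crt.pem` gets unrestricted publish and subscribe on that listener; if that is intentional for now, a comment such as `# NOTE: no ACL yet — every svc-CA client is unrestricted on this listener` next to the commented `acl_file` would make the gap explicit. The `iot` listener pairs `password_file` authentication with no `tls:` block, so those credentials cross the iot zone in clear text, which is only acceptable if that zone is treated as trusted — something this hunk cannot show. `extended_key_usage_critical: yes` and `create_subject_key_identifier: yes` should be written `true` to match `mosquitto_broker_prometheus_listener: true` in the same hunk and to avoid YAML 1.1 truthy ambiguity. The `mqtt` CA is created with `not_after: +2080w`, roughly 40 years, which is far longer than the `+100w` server certificate it signs; either shorten it or replace the `# ~40 years` remark with a comment stating why a CA of that lifetime is wanted.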