-rw-r--r--chaos-at-home/ch-iot.yml3
-rw-r--r--chaos-at-home/host_vars/ch-iot.yml9
-rw-r--r--inventory/host_vars/ch-iot.yml62
3 files changed, 74 insertions, 0 deletions
diff --git a/chaos-at-home/ch-iot.yml b/chaos-at-home/ch-iot.yml
index a849939e..1cc18e76 100644
--- a/chaos-at-home/ch-iot.yml
+++ b/chaos-at-home/ch-iot.yml
@@ -12,5 +12,8 @@
hosts: ch-iot
roles:
- role: apt-repo/spreadspace
+ - role: x509/managed-ca/base
+ - role: x509/managed-ca/ca
+ - role: mosquitto/broker
- role: nginx/base
- role: monitoring/prometheus/exporter
diff --git a/chaos-at-home/host_vars/ch-iot.yml b/chaos-at-home/host_vars/ch-iot.yml
new file mode 100644
index 00000000..c5573943
--- /dev/null
+++ b/chaos-at-home/host_vars/ch-iot.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.2;AES256;chaos-at-home
+63633063396137353238336164383530323265383661353137366661343534386334396530336536
+3662343662396531336539373234663866326466303262300a363432323366343231333264306233
+65643966303335643137653036343838366361646437613566356130323965303566646539616236
+3539343636303362640a303330343861356461326139373163323134653161636237316436373037
+65393339346533373065316162383664626231346462353933343931616231373938633162393535
+33313230306661663764336130663064333134386432656535666131623635353639636634383961
+64323638343231616138373031663363623333333962363464653938396534303166633536333539
+64633962363338636337
diff --git a/inventory/host_vars/ch-iot.yml b/inventory/host_vars/ch-iot.yml
index 85d3d3ec..1fb732d4 100644
--- a/inventory/host_vars/ch-iot.yml
+++ b/inventory/host_vars/ch-iot.yml
@@ -55,3 +55,65 @@ spreadspace_apt_repo_components:
prometheus_exporters_extra:
- chrony
+# - mosquitto
+
+
+managed_ca_authorities:
+ mqtt:
+ key:
+ type: RSA
+ size: 4096
+ cert:
+ common_name: chaos-at-home CA for mqtt
+ not_before: +0h
+ not_after: +2080w # ~40 years
+
+
+mosquitto_broker_global_config_options:
+ per_listener_settings: "true"
+
+mosquitto_broker_listeners:
+ iot:
+ bind: "1883 {{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ options:
+ allow_anonymous: "false"
+ acl_file: /etc/mosquitto/iot.acl
+ password_file: /etc/mosquitto/iot.passwd
+ svc:
+ bind: "1883 {{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ hostnames:
+ - mqtt.chaos-at-home.org
+ tls:
+ certificate_provider: managed-ca
+ certificate_config:
+ ca:
+ host: ch-iot
+ name: mqtt
+ cert:
+ san_extra:
+ - "IP:{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}"
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
+ create_subject_key_identifier: yes
+ not_after: +100w
+ options:
+ allow_anonymous: "false"
+ require_certificate: "true"
+ cafile: /etc/mosquitto/ca_certificates/svc-ca-crt.pem
+ use_identity_as_username: "true"
+ # acl_file: /etc/mosquitto/svc.acl
+
+mosquitto_broker_prometheus_listener: true
+
+mosquitto_broker_acl_files:
+ iot: |
+ user test
+ topic write test/+
+ # svc: |
+ # user nodered
+ # topic read test/+
+
+mosquitto_broker_password_files:
+ iot: |
+ test:{{ vault_mosquitto_broker_passwords.iot.test | mosquitto_passwd_hash('admin@mqtt.example.com') }}
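Review bot: The svc listener requires a client certificate and maps its identity to the username (`require_certificate: "true"`, `use_identity_as_username: "true"`), but its `acl_file` is commented out and so is the matching `svc` entry in `mosquitto_broker_acl_files`; without an ACL file mosquitto applies no topic restrictions, so every certificate issued by the CA in `svc-ca-crt.pem` gets full read/write on all topics, which presumably is a stop-gap rather than the intent. If that is deliberate for now, a comment such as `# no ACL yet: every svc-CA client has full topic access` next to the commented `acl_file` line would record it; otherwise the `svc` ACL should be enabled together with the per-user rules. Separately, `extended_key_usage_critical: yes` and `create_subject_key_identifier: yes` use YAML 1.1 truthy values while `mosquitto_broker_prometheus_listener: true` in the same hunk uses the canonical form; `extended_key_usage_critical: true` and `create_subject_key_identifier: true` would keep the file consistent and parser-independent. The iot listener has no `tls` block, so its password authentication travels in the clear on that zone; if that is accepted for constrained devices, a one-line comment on the listener saying so would help the next reader.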