-rw-r--r--chaos-at-home/ch-testvm-phoebe.yml5
-rw-r--r--chaos-at-home/ch-testvm-prometheus.yml2
-rw-r--r--inventory/host_vars/ch-testvm-phoebe.yml38
-rw-r--r--inventory/host_vars/ch-testvm-prometheus.yml29
-rw-r--r--roles/mosquitto/broker/defaults/main.yml (renamed from roles/mosquitto/defaults/main.yml)10
-rw-r--r--roles/mosquitto/broker/handlers/main.yml (renamed from roles/mosquitto/handlers/main.yml)0
-rw-r--r--roles/mosquitto/broker/tasks/main.yml (renamed from roles/mosquitto/tasks/main.yml)10
-rw-r--r--roles/mosquitto/broker/templates/config.j2 (renamed from roles/mosquitto/templates/config.j2)8
-rw-r--r--roles/mosquitto/client/defaults/main.yml5
-rw-r--r--roles/mosquitto/client/tasks/main.yml17
10 files changed, 94 insertions, 30 deletions
diff --git a/chaos-at-home/ch-testvm-phoebe.yml b/chaos-at-home/ch-testvm-phoebe.yml
index 29b260c0..ee1145f5 100644
--- a/chaos-at-home/ch-testvm-phoebe.yml
+++ b/chaos-at-home/ch-testvm-phoebe.yml
@@ -11,6 +11,5 @@
- name: Payload Setup
hosts: ch-testvm-phoebe
roles:
- - role: apt-repo/spreadspace
- - role: nginx/base
- - role: monitoring/prometheus/exporter
+ - role: x509/managed-ca/base
+ - role: mosquitto/client
diff --git a/chaos-at-home/ch-testvm-prometheus.yml b/chaos-at-home/ch-testvm-prometheus.yml
index 0be8e001..aaae91d1 100644
--- a/chaos-at-home/ch-testvm-prometheus.yml
+++ b/chaos-at-home/ch-testvm-prometheus.yml
@@ -13,4 +13,4 @@
roles:
- role: x509/managed-ca/base
- role: x509/managed-ca/ca
- - role: mosquitto
+ - role: mosquitto/broker
diff --git a/inventory/host_vars/ch-testvm-phoebe.yml b/inventory/host_vars/ch-testvm-phoebe.yml
index d15e4142..7eae49e7 100644
--- a/inventory/host_vars/ch-testvm-phoebe.yml
+++ b/inventory/host_vars/ch-testvm-phoebe.yml
@@ -39,3 +39,41 @@ network:
address: "{{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) }}"
ntp_variant: systemd-timesyncd
+
+
+###
+mosquitto_client_tls:
+ foo-consumer:
+ certificate_provider: managed-ca
+ certificate_config:
+ ca:
+ host: ch-testvm-prometheus
+ name: foo
+ cert:
+ common_name: consumer
+ organization_name: "spreadspace"
+ organizational_unit_name: "ansible"
+ san_extra:
+ - "IP:192.168.32.43"
+ extended_key_usage:
+ - clientAuth
+ extended_key_usage_critical: yes
+ create_subject_key_identifier: yes
+ not_after: +100w
+ foo-producer:
+ certificate_provider: managed-ca
+ certificate_config:
+ ca:
+ host: ch-testvm-prometheus
+ name: foo
+ cert:
+ common_name: producer
+ organization_name: "spreadspace"
+ organizational_unit_name: "ansible"
+ san_extra:
+ - "IP:192.168.32.43"
+ extended_key_usage:
+ - clientAuth
+ extended_key_usage_critical: yes
+ create_subject_key_identifier: yes
+ not_after: +100w
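Review bot: `extended_key_usage_critical: yes` and `create_subject_key_identifier: yes` in both new entries (and the same `extended_key_usage_critical: yes` added to the broker's foo listener in inventory/host_vars/ch-testvm-prometheus.yml) use the YAML 1.1 `yes` spelling; Ansible's loader accepts it, but yamllint's `truthy` rule and any YAML 1.2 tooling will not, so write `extended_key_usage_critical: true` and `create_subject_key_identifier: true`. Note also that the `common_name` values `consumer` and `producer` are not cosmetic here: the broker's foo listener sets `use_identity_as_username: "true"` in this same commit, so the CN is the MQTT username matched against foo.acl (`user producer`, `user consumer`), and any rename on one side silently breaks authorization on the other. A short comment above `mosquitto_client_tls:` saying that the CN must match a `user` line in the broker's ACL would make that coupling visible.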
diff --git a/inventory/host_vars/ch-testvm-prometheus.yml b/inventory/host_vars/ch-testvm-prometheus.yml
index de31921f..ff36f733 100644
--- a/inventory/host_vars/ch-testvm-prometheus.yml
+++ b/inventory/host_vars/ch-testvm-prometheus.yml
@@ -55,11 +55,17 @@ managed_ca_authorities:
not_after: +520w
-mosquitto_global_config_options:
+mosquitto_broker_global_config_options:
per_listener_settings: "true"
-mosquitto_listeners:
+mosquitto_broker_listeners:
example:
+ bind: 1883
+ options:
+ allow_anonymous: "false"
+ acl_file: /etc/mosquitto/example.acl
+ password_file: /etc/mosquitto/example.passwd
+ foo:
bind: 1884 192.168.32.42
hostnames:
- mqtt.example.com
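Review bot: The new `example` listener (`bind: 1883` with `password_file`) has no bind address, so unlike the TLS listener pinned to `192.168.32.42` it accepts connections on every interface, and the username/password pairs from the `example` password file are sent unencrypted over it. If this listener only exists for local testing, pin it with `bind: 1883 127.0.0.1`; if it is meant to be reachable from the network, it should be moved behind TLS like the foo listener. The enclosing `mosquitto_broker_listeners` mapping continues past this hunk.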
@@ -74,22 +80,21 @@ mosquitto_listeners:
organizational_unit_name: "ansible"
san_extra:
- "IP:192.168.32.42"
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
create_subject_key_identifier: yes
not_after: +100w
options:
- allow_anonymous: "true"
+ allow_anonymous: "false"
require_certificate: "true"
+ cafile: /etc/mosquitto/ca_certificates/foo-ca-crt.pem
+ use_identity_as_username: "true"
acl_file: /etc/mosquitto/foo.acl
- foo:
- bind: 1883
- options:
- allow_anonymous: "false"
- acl_file: /etc/mosquitto/example.acl
- password_file: /etc/mosquitto/example.passwd
-mosquitto_prometheus_listener: true
+mosquitto_broker_prometheus_listener: true
-mosquitto_acl_files:
+mosquitto_broker_acl_files:
example: |
user admin
topic read test/+
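Review bot: The added `cafile: /etc/mosquitto/ca_certificates/foo-ca-crt.pem` is what gives `require_certificate: "true"` and `use_identity_as_username: "true"` their meaning, but nothing in this diff writes a file to that path; if none of the x509 roles installs the CA certificate there, mosquitto will fail on the reload triggered by the config change, so that dependency is worth a comment next to the option. With only `cafile` set, a client certificate that has to be pulled (lost device, leaked key) stays accepted until its `not_after: +100w` elapses — if the managed CA publishes a CRL, add `crlfile:` next to `cafile:`; otherwise consider a shorter client lifetime. The `allow_anonymous: "true"` → `"false"` flip on this listener is correct and makes the ACL `user` lines the only path in.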
@@ -101,7 +106,7 @@ mosquitto_acl_files:
user producer
topic write foo/+
-mosquitto_password_files:
+mosquitto_broker_password_files:
example: |
admin:{{ 'admin' | mosquitto_passwd_hash('admin@mqtt.example.com') }}
equinox:{{ 'secret' | mosquitto_passwd_hash('equinox@mqtt.example.com') }}
diff --git a/roles/mosquitto/defaults/main.yml b/roles/mosquitto/broker/defaults/main.yml
index 32199a50..bd509f9c 100644
--- a/roles/mosquitto/defaults/main.yml
+++ b/roles/mosquitto/broker/defaults/main.yml
@@ -1,8 +1,8 @@
---
-# mosquitto_global_config_options:
+# mosquitto_broker_global_config_options:
# per_listener_settings: "true"
-mosquitto_listeners: {}
+mosquitto_broker_listeners: {}
# example:
# bind: 1883 192.0.2.1
# hostnames:
@@ -19,13 +19,13 @@ mosquitto_listeners: {}
# acl_file: /etc/mosquitto/example.acl
# password_file: /etc/mosquitto/example.passwd
-mosquitto_prometheus_listener: false
+mosquitto_broker_prometheus_listener: false
-mosquitto_acl_files: {}
+mosquitto_broker_acl_files: {}
# example: |
# user somebody
# topic read example/+/foo
-mosquitto_password_files: {}
+mosquitto_broker_password_files: {}
# example: |
# somebody:{{ 'secret' | mosquitto_passwd_hash('somebody@mqtt.example.com') }}
diff --git a/roles/mosquitto/handlers/main.yml b/roles/mosquitto/broker/handlers/main.yml
index c188764d..c188764d 100644
--- a/roles/mosquitto/handlers/main.yml
+++ b/roles/mosquitto/broker/handlers/main.yml
diff --git a/roles/mosquitto/tasks/main.yml b/roles/mosquitto/broker/tasks/main.yml
index 41b7dc7a..3afffd71 100644
--- a/roles/mosquitto/tasks/main.yml
+++ b/roles/mosquitto/broker/tasks/main.yml
@@ -7,7 +7,7 @@
state: present
- name: install mosquitto acl files
- loop: "{{ mosquitto_acl_files | dict2items }}"
+ loop: "{{ mosquitto_broker_acl_files | dict2items }}"
loop_control:
label: "{{ item.key }}"
copy:
@@ -18,7 +18,7 @@
notify: reload mosquitto
- name: install mosquitto password files
- loop: "{{ mosquitto_password_files | dict2items }}"
+ loop: "{{ mosquitto_broker_password_files | dict2items }}"
loop_control:
label: "{{ item.key }}"
copy:
@@ -31,18 +31,18 @@
notify: reload mosquitto
- name: generate Diffie-Hellman parameters
- when: (mosquitto_listeners | dict2items | selectattr('value.tls', 'defined') | length) > 0
+ when: (mosquitto_broker_listeners | dict2items | selectattr('value.tls', 'defined') | length) > 0
openssl_dhparam:
path: /etc/mosquitto/certs/dhparams.pem
size: 2048
notify: reload mosquitto
- name: generate/install/fetch TLS certificate
- loop: "{{ mosquitto_listeners | dict2items | selectattr('value.tls', 'defined') }}"
+ loop: "{{ mosquitto_broker_listeners | dict2items | selectattr('value.tls', 'defined') }}"
loop_control:
label: "{{ item.key }}"
vars:
- x509_certificate_name: "mosquitto-{{ item.key }}"
+ x509_certificate_name: "mosquitto-broker-{{ item.key }}"
x509_certificate_hostnames: "{{ item.value.hostnames }}"
x509_certificate_config: "{{ item.value.tls.certificate_config | default({}) }}"
x509_certificate_renewal:
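Review bot: Changing `x509_certificate_name` from `mosquitto-{{ item.key }}` to `mosquitto-broker-{{ item.key }}` (together with the listener re-keying in the inventory) means the certificate role will issue a fresh broker certificate under a new name, and the previously issued `mosquitto-example` certificate presumably remains valid in the managed CA until it expires unless it is revoked by hand — worth noting in the task or the commit so the operator cleans it up. The same rename pattern applies to the `when:`/`loop:` lines earlier in this file, which are otherwise plain variable renames. The task continues past the end of this hunk, so the renewal settings are not visible here.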
diff --git a/roles/mosquitto/templates/config.j2 b/roles/mosquitto/broker/templates/config.j2
index e6fa4b52..e042ac25 100644
--- a/roles/mosquitto/templates/config.j2
+++ b/roles/mosquitto/broker/templates/config.j2
@@ -1,12 +1,12 @@
# {{ ansible_managed }}
## Global
-{% if mosquitto_global_config_options is defined %}
-{% for option, value in mosquitto_global_config_options.items() %}
+{% if mosquitto_broker_global_config_options is defined %}
+{% for option, value in mosquitto_broker_global_config_options.items() %}
{{ option }} {{ value }}
{% endfor %}
{% endif %}
-{% for name, listener in mosquitto_listeners.items() %}
+{% for name, listener in mosquitto_broker_listeners.items() %}
## Listener: {{ name }}
listener {{ listener.bind }}
@@ -21,7 +21,7 @@ dhparamfile /etc/mosquitto/certs/dhparams.pem
{% endfor %}
{% endif %}
{% endfor %}
-{% if mosquitto_prometheus_listener %}
+{% if mosquitto_broker_prometheus_listener %}
## Prometheus monitoring
listener 0 /var/run/mosquitto/prometheus.sock
diff --git a/roles/mosquitto/client/defaults/main.yml b/roles/mosquitto/client/defaults/main.yml
new file mode 100644
index 00000000..7485601a
--- /dev/null
+++ b/roles/mosquitto/client/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+mosquitto_client_tls: {}
+# example:
+# certificate_provider: ...
+# certificate_config: ...
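Review bot: The example comment under `mosquitto_client_tls: {}` does not say what the entries are used for: each key becomes the certificate name `mosquitto-client-<key>` and `certificate_config` is handed unchanged to `x509/<certificate_provider>/cert`, which is what the new tasks file does. Expanding the comment into the same shape the broker defaults use — `# example:` / `#   certificate_provider: managed-ca` / `#   certificate_config:` with a `ca:` and `cert:` sub-block — would let a reader fill in an entry without opening the inventory.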
diff --git a/roles/mosquitto/client/tasks/main.yml b/roles/mosquitto/client/tasks/main.yml
new file mode 100644
index 00000000..f7463e2a
--- /dev/null
+++ b/roles/mosquitto/client/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: install mosquitto
+ apt:
+ name:
+ - mosquitto-clients
+ state: present
+
+- name: generate/install/fetch TLS certificate
+ loop: "{{ mosquitto_client_tls | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ vars:
+ x509_certificate_name: "mosquitto-client-{{ item.key }}"
+ x509_certificate_hostnames: []
+ x509_certificate_config: "{{ item.value.certificate_config }}"
+ include_role:
+ name: "x509/{{ item.value.certificate_provider }}/cert"
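Review bot: `x509_certificate_config: "{{ item.value.certificate_config }}"` has no `| default({})`, unlike the broker task's `x509_certificate_config: "{{ item.value.tls.certificate_config | default({}) }}"` in the same commit, so an entry that omits `certificate_config` aborts the play with an undefined-variable error instead of falling back to the cert role's defaults; use `x509_certificate_config: "{{ item.value.certificate_config | default({}) }}"`. `certificate_provider` is likewise required but unchecked, and a missing key produces an opaque "role not found" error from `include_role`; an `assert` task before the loop, or at least a comment on `mosquitto_client_tls` listing the two required keys, would make that explicit. `x509_certificate_hostnames: []` is right for a client certificate and deserves a one-line comment saying so, since the broker task fills it from the listener.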