Diffstat (limited to 'inventory')
-rw-r--r-- | inventory/host_vars/ch-iot.yml | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/inventory/host_vars/ch-iot.yml b/inventory/host_vars/ch-iot.yml index 85d3d3ec..1fb732d4 100644 --- a/inventory/host_vars/ch-iot.yml +++ b/inventory/host_vars/ch-iot.yml @@ -55,3 +55,65 @@ spreadspace_apt_repo_components: prometheus_exporters_extra: - chrony +# - mosquitto + + +managed_ca_authorities: + mqtt: + key: + type: RSA + size: 4096 + cert: + common_name: chaos-at-home CA for mqtt + not_before: +0h + not_after: +2080w # ~40 years + + +mosquitto_broker_global_config_options: + per_listener_settings: "true" + +mosquitto_broker_listeners: + iot: + bind: "1883 {{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" + options: + allow_anonymous: "false" + acl_file: /etc/mosquitto/iot.acl + password_file: /etc/mosquitto/iot.passwd + svc: + bind: "1883 {{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" + hostnames: + - mqtt.chaos-at-home.org + tls: + certificate_provider: managed-ca + certificate_config: + ca: + host: ch-iot + name: mqtt + cert: + san_extra: + - "IP:{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" + extended_key_usage: + - serverAuth + extended_key_usage_critical: yes + create_subject_key_identifier: yes + not_after: +100w + options: + allow_anonymous: "false" + require_certificate: "true" + cafile: /etc/mosquitto/ca_certificates/svc-ca-crt.pem + use_identity_as_username: "true" + # acl_file: /etc/mosquitto/svc.acl + +mosquitto_broker_prometheus_listener: true + +mosquitto_broker_acl_files: + iot: | + user test + topic write test/+ + # svc: | + # user nodered + # topic read test/+ + +mosquitto_broker_password_files: + iot: | + test:{{ vault_mosquitto_broker_passwords.iot.test | mosquitto_passwd_hash('admin@mqtt.example.com') }} |
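Review bot: The `svc` listener authenticates clients by certificate (`require_certificate: "true"`, `use_identity_as_username: "true"`) but its `acl_file` line is commented out, as is the matching `svc` entry in `mosquitto_broker_acl_files`, so every client holding a certificate chained to `svc-ca-crt.pem` can read and write every topic on that listener; if that is intended for now, a comment such as `# TODO: no ACL yet — every svc-CA client has full topic access` next to the commented `acl_file` makes the gap visible, otherwise enable the ACL with a deny-by-default policy before the listener goes live. Two smaller points: `extended_key_usage_critical: yes` and `create_subject_key_identifier: yes` are YAML 1.1 truthy words while the rest of the hunk writes `true`/`"true"`, so `true` would be consistent and pass yamllint's truthy rule; and the `mosquitto_passwd_hash('admin@mqtt.example.com')` argument carries an example.com name on a host that otherwise uses chaos-at-home.org, which looks like a copied placeholder and is worth checking against what that filter expects. The `iot` listener on port 1883 exchanges the password without TLS; that may be acceptable inside the iot zone, but a one-line comment stating that decision would help the next reader.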