Diffstat (limited to 'roles/mosquitto/broker/tasks/main.yml')
-rw-r--r-- | roles/mosquitto/broker/tasks/main.yml | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/roles/mosquitto/broker/tasks/main.yml b/roles/mosquitto/broker/tasks/main.yml
new file mode 100644
index 00000000..3afffd71
--- /dev/null
+++ b/roles/mosquitto/broker/tasks/main.yml
@@ -0,0 +1,77 @@
+---
+- name: install mosquitto
+ apt:
+ name:
+ - mosquitto
+ - mosquitto-clients
+ state: present
+
+- name: install mosquitto acl files
+ loop: "{{ mosquitto_broker_acl_files | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ # Ansible managed
+ {{ item.value }}
+ dest: "/etc/mosquitto/{{ item.key }}.acl"
+ notify: reload mosquitto
+
+- name: install mosquitto password files
+ loop: "{{ mosquitto_broker_password_files | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ {{ item.value }}
+ dest: "/etc/mosquitto/{{ item.key }}.passwd"
+ owner: root
+ group: mosquitto
+ mode: "0640"
+ notify: reload mosquitto
+
+- name: generate Diffie-Hellman parameters
+ when: (mosquitto_broker_listeners | dict2items | selectattr('value.tls', 'defined') | length) > 0
+ openssl_dhparam:
+ path: /etc/mosquitto/certs/dhparams.pem
+ size: 2048
+ notify: reload mosquitto
+
+- name: generate/install/fetch TLS certificate
+ loop: "{{ mosquitto_broker_listeners | dict2items | selectattr('value.tls', 'defined') }}"
+ loop_control:
+ label: "{{ item.key }}"
+ vars:
+ x509_certificate_name: "mosquitto-broker-{{ item.key }}"
+ x509_certificate_hostnames: "{{ item.value.hostnames }}"
+ x509_certificate_config: "{{ item.value.tls.certificate_config | default({}) }}"
+ x509_certificate_renewal:
+ install:
+ - dest: "/etc/mosquitto/certs/{{ item.key }}-crt.pem"
+ src:
+ - fullchain
+ owner: root
+ group: mosquitto
+ mode: "0644"
+ - dest: "/etc/mosquitto/certs/{{ item.key }}-key.pem"
+ src:
+ - key
+ owner: root
+ group: mosquitto
+ mode: "0640"
+ - dest: "/etc/mosquitto/ca_certificates/{{ item.key }}-ca-crt.pem"
+ src:
+ - ca_cert
+ owner: root
+ group: mosquitto
+ mode: "0644"
+ x509_certificate_reload_services:
+ - mosquitto
+ include_role:
+ name: "x509/{{ item.value.tls.certificate_provider }}/cert"
+
+- name: install mosquitto config
+ template:
+ src: config.j2
+ dest: /etc/mosquitto/conf.d/main.conf
+ notify: 
restart mosquitto |
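Review bot: The `install mosquitto password files` task writes secret material from `mosquitto_broker_password_files` through `copy: content:`, and `loop_control: label: "{{ item.key }}"` only keeps the loop item out of the task summary — a run with `--diff`, or a failed module invocation echoing its arguments, still prints the rendered file contents, so the task should also carry `no_log: true` (or at minimum `diff: false`). The adjacent `install mosquitto acl files` task sets no `owner`/`group`/`mode`, unlike the password-file task; even though ACLs are not secrets, pinning `owner: root`, `group: mosquitto` and `mode: "0644"` would make the intended permissions explicit and consistent between the two tasks. Indentation was flattened in this rendering, so the nesting inside the TLS task's `vars:` block is inferred rather than read.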