Diffstat (limited to 'roles')
-rw-r--r--roles/mosquitto/defaults/main.yml31
-rw-r--r--roles/mosquitto/handlers/main.yml10
-rw-r--r--roles/mosquitto/tasks/main.yml71
-rw-r--r--roles/mosquitto/templates/config.j229
4 files changed, 141 insertions, 0 deletions
diff --git a/roles/mosquitto/defaults/main.yml b/roles/mosquitto/defaults/main.yml
new file mode 100644
index 00000000..32199a50
--- /dev/null
+++ b/roles/mosquitto/defaults/main.yml
@@ -0,0 +1,31 @@
+---
+# mosquitto_global_config_options:
+# per_listener_settings: "true"
+
+mosquitto_listeners: {}
+# example:
+# bind: 1883 192.0.2.1
+# hostnames:
+# - mqtt.example.com
+# tls:
+# certificate_provider: ...
+# options:
+# require_certificate: "true"
+# use_identity_as_username: "true"
+# foo:
+# bind: 1884
+# options:
+# allow_anonymous: "false"
+# acl_file: /etc/mosquitto/example.acl
+# password_file: /etc/mosquitto/example.passwd
+
+mosquitto_prometheus_listener: false
+
+mosquitto_acl_files: {}
+# example: |
+# user somebody
+# topic read example/+/foo
+
+mosquitto_password_files: {}
+# example: |
+# somebody:{{ 'secret' | mosquitto_passwd_hash('somebody@mqtt.example.com') }}
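Review bot: The documented example puts `acl_file`/`password_file` and `allow_anonymous` under a listener's `options`, but Mosquitto only scopes those authentication settings per listener when `per_listener_settings true` is set globally, and this file leaves that option commented out at the top. Without it, the last such value rendered into the config wins for the whole broker, so a reader copying the example could end up with a different policy than the per-listener layout suggests. I would say so next to the commented-out option, e.g. `# Required for per-listener acl_file/password_file/allow_anonymous in the example below:` above `# per_listener_settings: "true"`. The password example also inlines a plaintext secret in the `mosquitto_passwd_hash` call; a short reminder that the plaintext belongs in a vaulted variable rather than in the inventory file would help.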
diff --git a/roles/mosquitto/handlers/main.yml b/roles/mosquitto/handlers/main.yml
new file mode 100644
index 00000000..c188764d
--- /dev/null
+++ b/roles/mosquitto/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart mosquitto
+ service:
+ name: mosquitto
+ state: restarted
+
+- name: reload mosquitto
+ service:
+ name: mosquitto
+ state: reloaded
diff --git a/roles/mosquitto/tasks/main.yml b/roles/mosquitto/tasks/main.yml
new file mode 100644
index 00000000..ed872789
--- /dev/null
+++ b/roles/mosquitto/tasks/main.yml
@@ -0,0 +1,71 @@
+---
+- name: install mosquitto
+ apt:
+ name:
+ - mosquitto
+ - mosquitto-clients
+ state: present
+
+- name: install mosquitto acl files
+ loop: "{{ mosquitto_acl_files | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ # Ansible managed
+ {{ item.value }}
+ dest: "/etc/mosquitto/{{ item.key }}.acl"
+ notify: reload mosquitto
+
+- name: install mosquitto password files
+ loop: "{{ mosquitto_password_files | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ {{ item.value }}
+ dest: "/etc/mosquitto/{{ item.key }}.passwd"
+ owner: root
+ group: mosquitto
+ mode: "0640"
+ notify: reload mosquitto
+
+- name: generate Diffie-Hellman parameters
+ when: (mosquitto_listeners | dict2items | selectattr('value.tls', 'defined') | length) > 0
+ openssl_dhparam:
+ path: /etc/mosquitto/certs/dhparams.pem
+ size: 2048
+ notify: reload mosquitto
+
+- name: generate/install/fetch TLS certificate
+ loop: "{{ mosquitto_listeners | dict2items | selectattr('value.tls', 'defined') }}"
+ loop_control:
+ label: "{{ item.key }}"
+ vars:
+ x509_certificate_name: "mosquitto-{{ item.key }}"
+ x509_certificate_hostnames: "{{ item.value.hostnames }}"
+ x509_certificate_config: "{{ item.value.tls.certificate_config | default({}) }}"
+ x509_certificate_renewal:
+ install:
+ - dest: "/etc/mosquitto/certs/{{ item.key }}-crt.pem"
+ src:
+ - fullchain
+ owner: root
+ group: mosquitto
+ mode: "0644"
+ - dest: "/etc/mosquitto/certs/{{ item.key }}-key.pem"
+ src:
+ - key
+ owner: root
+ group: mosquitto
+ mode: "0640"
+ x509_certificate_reload_services:
+ - mosquitto
+ include_role:
+ name: "x509/{{ item.value.tls.certificate_provider }}/cert"
+
+- name: install mosquitto config
+ template:
+ src: config.j2
+ dest: /etc/mosquitto/conf.d/main.conf
+ notify: restart mosquitto
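Review bot: The ACL file task sets no `owner`/`group`/`mode`, so `/etc/mosquitto/<name>.acl` ends up with whatever the remote umask gives it (root-owned, typically world-readable), while the password-file task immediately below pins `root`/`mosquitto`/`0640`. ACLs expose usernames and topic layout, so they should be locked down the same way: add `owner: root`, `group: mosquitto` and `mode: "0640"` to the `copy` in "install mosquitto acl files". The password-file task writes the hashes via `content:`, which Ansible will echo in diff output on a `--diff` run; `diff: false` (or `no_log: true`) on that task keeps the hashes out of logs. The rendered config in the last task is likewise written with default permissions; that is probably fine since it holds no secrets, but an explicit `mode: "0644"` would make that intent visible.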
diff --git a/roles/mosquitto/templates/config.j2 b/roles/mosquitto/templates/config.j2
new file mode 100644
index 00000000..e6fa4b52
--- /dev/null
+++ b/roles/mosquitto/templates/config.j2
@@ -0,0 +1,29 @@
+# {{ ansible_managed }}
+
+## Global
+{% if mosquitto_global_config_options is defined %}
+{% for option, value in mosquitto_global_config_options.items() %}
+{{ option }} {{ value }}
+{% endfor %}
+{% endif %}
+{% for name, listener in mosquitto_listeners.items() %}
+
+## Listener: {{ name }}
+listener {{ listener.bind }}
+{% if 'tls' in listener %}
+certfile /etc/mosquitto/certs/{{ name }}-crt.pem
+keyfile /etc/mosquitto/certs/{{ name }}-key.pem
+dhparamfile /etc/mosquitto/certs/dhparams.pem
+{% endif %}
+{% if 'options' in listener %}
+{% for option, value in listener.options.items() %}
+{{ option }} {{ value }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% if mosquitto_prometheus_listener %}
+
+## Prometheus monitoring
+listener 0 /var/run/mosquitto/prometheus.sock
+allow_anonymous true
+{% endif %}
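Review bot: The Prometheus block emits `allow_anonymous true` as the last directive in the file, and unless `per_listener_settings true` is in effect Mosquitto treats `allow_anonymous` as a broker-wide setting where the last occurrence wins, so enabling `mosquitto_prometheus_listener` would silently override an `allow_anonymous false` set on one of the network listeners above it. The template should only take that risk when per-listener scoping is guaranteed, e.g. emit `per_listener_settings true` in the `## Global` section whenever `mosquitto_prometheus_listener` is set (a duplicate of a user-supplied `per_listener_settings` would need de-duplicating), or document loudly that the variable must be set alongside it. The unix socket itself is also open to any local user who can reach `/var/run/mosquitto/prometheus.sock`, and anonymous access there means full broker access if no ACL applies; a comment noting the socket permissions are whatever Mosquitto's umask yields would help operators decide whether that is acceptable. Separately, the TLS listener relies on Mosquitto's default `tls_version`, which on older releases still accepts TLS 1.0/1.1; rendering `tls_version tlsv1.2` under the `'tls' in listener` branch would pin that.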