From 431a6421fe4a08c0e2826d171e6c8dd60efb2d3b Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 20 Dec 2023 18:11:16 +0100
Subject: ch-iot: add mosquitto
---
inventory/host_vars/ch-iot.yml | 62 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 62 insertions(+)
(limited to 'inventory/host_vars')
diff --git a/inventory/host_vars/ch-iot.yml b/inventory/host_vars/ch-iot.yml
index 85d3d3ec..1fb732d4 100644
--- a/inventory/host_vars/ch-iot.yml
+++ b/inventory/host_vars/ch-iot.yml
@@ -55,3 +55,65 @@ spreadspace_apt_repo_components: prometheus_exporters_extra: - chrony +# - mosquitto + + +managed_ca_authorities: + mqtt: + key: + type: RSA + size: 4096 + cert: + common_name: chaos-at-home CA for mqtt + not_before: +0h + not_after: +2080w # ~40 years + + +mosquitto_broker_global_config_options: + per_listener_settings: "true" + +mosquitto_broker_listeners: + iot: + bind: "1883 {{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" + options: + allow_anonymous: "false" + acl_file: /etc/mosquitto/iot.acl + password_file: /etc/mosquitto/iot.passwd + svc: + bind: "1883 {{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" + hostnames: + - mqtt.chaos-at-home.org + tls: + certificate_provider: managed-ca + certificate_config: + ca: + host: ch-iot + name: mqtt + cert: + san_extra: + - "IP:{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) | ansible.utils.ipaddr('address') }}" + extended_key_usage: + - serverAuth + extended_key_usage_critical: yes + create_subject_key_identifier: yes + not_after: +100w + options: + allow_anonymous: "false" + require_certificate: "true" + cafile: /etc/mosquitto/ca_certificates/svc-ca-crt.pem + use_identity_as_username: "true" + # acl_file: /etc/mosquitto/svc.acl + +mosquitto_broker_prometheus_listener: true + +mosquitto_broker_acl_files: + iot: | + user test + topic write test/+ + # svc: | + # user nodered + # topic read test/+ + +mosquitto_broker_password_files: + iot: | + test:{{ vault_mosquitto_broker_passwords.iot.test | mosquitto_passwd_hash('admin@mqtt.example.com') }} -- cgit v1.2.3
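Review bot: The `svc` listener authenticates clients by certificate (`require_certificate: "true"`, `use_identity_as_username: "true"`) but its `acl_file` line is commented out and there is no `svc` entry in `mosquitto_broker_acl_files`, so with `per_listener_settings: "true"` every client holding a certificate from the svc CA gets what mosquitto, as far as I recall, treats as full publish/subscribe access to every topic. Unless unrestricted access is intended there, enable the ACL and key it on the certificate identity, e.g. `acl_file: /etc/mosquitto/svc.acl` under the listener options plus a `svc: |` block in `mosquitto_broker_acl_files` with `user <cert-CN-placeholder>` / `topic read <topic-placeholder>` lines; if the listener is deliberately open while being brought up, a comment saying so next to the commented-out line would make that explicit. Separately, `extended_key_usage_critical: yes` and `create_subject_key_identifier: yes` use YAML 1.1 truthy spellings while the rest of the hunk writes booleans as `true`/`"true"`; `true` is the portable form. The `iot` listener on 1883 carries password authentication without TLS, which may be acceptable for that zone but is worth stating in a comment above the listener.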