From 6da64ac795c0e395c74d9da8ae21687eb6cf35a2 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Tue, 19 Dec 2023 02:24:32 +0100
Subject: add mosquitto role (WIP)

---
 roles/mosquitto/defaults/main.yml | 31 ++++++++++++++++
 roles/mosquitto/handlers/main.yml | 10 ++++++
 roles/mosquitto/tasks/main.yml | 71 +++++++++++++++++++++++++++++++++++++
 roles/mosquitto/templates/config.j2 | 29 +++++++++++++++
 4 files changed, 141 insertions(+)
 create mode 100644 roles/mosquitto/defaults/main.yml
 create mode 100644 roles/mosquitto/handlers/main.yml
 create mode 100644 roles/mosquitto/tasks/main.yml
 create mode 100644 roles/mosquitto/templates/config.j2
(limited to 'roles')

diff --git a/roles/mosquitto/defaults/main.yml b/roles/mosquitto/defaults/main.yml
new file mode 100644
index 00000000..32199a50
--- /dev/null
+++ b/roles/mosquitto/defaults/main.yml
@@ -0,0 +1,31 @@
+---
+# mosquitto_global_config_options:
+# per_listener_settings: "true"
+
+mosquitto_listeners: {}
+# example:
+# bind: 1883 192.0.2.1
+# hostnames:
+# - mqtt.example.com
+# tls:
+# certificate_provider: ...
+# options:
+# require_certificate: "true"
+# use_identity_as_username: "true"
+# foo:
+# bind: 1884
+# options:
+# allow_anonymous: "false"
+# acl_file: /etc/mosquitto/example.acl
+# password_file: /etc/mosquitto/example.passwd
+
+mosquitto_prometheus_listener: false
+
+mosquitto_acl_files: {}
+# example: |
+# user somebody
+# topic read example/+/foo
+
+mosquitto_password_files: {}
+# example: |
+# somebody:{{ 'secret' | mosquitto_passwd_hash('somebody@mqtt.example.com') }}
diff --git a/roles/mosquitto/handlers/main.yml b/roles/mosquitto/handlers/main.yml
new file mode 100644
index 00000000..c188764d
--- /dev/null
+++ b/roles/mosquitto/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart mosquitto
+ service:
+ name: mosquitto
+ state: restarted
+
+- name: reload mosquitto
+ service:
+ name: mosquitto
+ state: reloaded
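Review bot: The `mosquitto_password_files` example at the end of the hunk embeds the clear-text password `'secret'` as a literal in a vars file, so anyone copying the example commits the plaintext next to the hash; it should read from an encrypted source instead, e.g. `# somebody:{{ vault_mqtt_somebody_password | mosquitto_passwd_hash('somebody@mqtt.example.com') }}`, with a comment noting that the second argument is presumably what keeps the rendered hash stable between runs (the filter plugin is not in this diff — worth confirming, otherwise every run rewrites the file and reloads the broker). The listener example sets `require_certificate: "true"`, but nothing in the role emits a `cafile`/`capath`, so mutual TLS only works if the operator adds one under `options:`; a commented line such as `#       cafile: /etc/mosquitto/certs/clients-ca.pem` beside `require_certificate` would make that visible. The `foo` example also puts `allow_anonymous`, `acl_file` and `password_file` under a single listener, which mosquitto only honours per listener when `per_listener_settings` is true — and that option is shown here commented out, so the example should say it is required for the per-listener form.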
diff --git a/roles/mosquitto/tasks/main.yml b/roles/mosquitto/tasks/main.yml
new file mode 100644
index 00000000..ed872789
--- /dev/null
+++ b/roles/mosquitto/tasks/main.yml
@@ -0,0 +1,71 @@
+---
+- name: install mosquitto
+ apt:
+ name:
+ - mosquitto
+ - mosquitto-clients
+ state: present
+
+- name: install mosquitto acl files
+ loop: "{{ mosquitto_acl_files | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ # Ansible managed
+ {{ item.value }}
+ dest: "/etc/mosquitto/{{ item.key }}.acl"
+ notify: reload mosquitto
+
+- name: install mosquitto password files
+ loop: "{{ mosquitto_password_files | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: |
+ {{ item.value }}
+ dest: "/etc/mosquitto/{{ item.key }}.passwd"
+ owner: root
+ group: mosquitto
+ mode: "0640"
+ notify: reload mosquitto
+
+- name: generate Diffie-Hellman parameters
+ when: (mosquitto_listeners | dict2items | selectattr('value.tls', 'defined') | length) > 0
+ openssl_dhparam:
+ path: /etc/mosquitto/certs/dhparams.pem
+ size: 2048
+ notify: reload mosquitto
+
+- name: generate/install/fetch TLS certificate
+ loop: "{{ mosquitto_listeners | dict2items | selectattr('value.tls', 'defined') }}"
+ loop_control:
+ label: "{{ item.key }}"
+ vars:
+ x509_certificate_name: "mosquitto-{{ item.key }}"
+ x509_certificate_hostnames: "{{ item.value.hostnames }}"
+ x509_certificate_config: "{{ item.value.tls.certificate_config | default({}) }}"
+ x509_certificate_renewal:
+ install:
+ - dest: "/etc/mosquitto/certs/{{ item.key }}-crt.pem"
+ src:
+ - fullchain
+ owner: root
+ group: mosquitto
+ mode: "0644"
+ - dest: "/etc/mosquitto/certs/{{ item.key }}-key.pem"
+ src:
+ - key
+ owner: root
+ group: mosquitto
+ mode: "0640"
+ x509_certificate_reload_services:
+ - mosquitto
+ include_role:
+ name: "x509/{{ item.value.tls.certificate_provider }}/cert"
+
+- name: install mosquitto config
+ template:
+ src: config.j2
+ dest: /etc/mosquitto/conf.d/main.conf
+ notify: restart mosquitto
diff --git a/roles/mosquitto/templates/config.j2 b/roles/mosquitto/templates/config.j2
new file mode 100644
index 00000000..e6fa4b52
--- /dev/null
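Review bot: The `install mosquitto password files` task writes credential hashes via `copy: content:` without `no_log: true`, so a run with `--diff` or `-v` prints the rendered password file and the whole loop item to the console and to any CI log; add `no_log: true` beside `notify: reload mosquitto` on that task (the `loop_control.label` only trims the item summary, not diff output). The ACL task sets no `owner`/`group`/`mode`, so the file's permissions depend on the remote umask; since only the broker reads it, pin `owner: root`, `group: mosquitto` and `mode: "0640"` to match the password-file task. The DH-parameter `when:` and the certificate `loop:` both filter on `value.tls` being defined, which is consistent, but a listener that has `tls:` and no `hostnames:` will only fail deep inside the included x509 role with an undefined-variable error — an `assert` on `item.value.hostnames is defined` before the `include_role` gives a clearer message.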
+++ b/roles/mosquitto/templates/config.j2
@@ -0,0 +1,29 @@
+# {{ ansible_managed }}
+
+## Global
+{% if mosquitto_global_config_options is defined %}
+{% for option, value in mosquitto_global_config_options.items() %}
+{{ option }} {{ value }}
+{% endfor %}
+{% endif %}
+{% for name, listener in mosquitto_listeners.items() %}
+
+## Listener: {{ name }}
+listener {{ listener.bind }}
+{% if 'tls' in listener %}
+certfile /etc/mosquitto/certs/{{ name }}-crt.pem
+keyfile /etc/mosquitto/certs/{{ name }}-key.pem
+dhparamfile /etc/mosquitto/certs/dhparams.pem
+{% endif %}
+{% if 'options' in listener %}
+{% for option, value in listener.options.items() %}
+{{ option }} {{ value }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% if mosquitto_prometheus_listener %}
+
+## Prometheus monitoring
+listener 0 /var/run/mosquitto/prometheus.sock
+allow_anonymous true
+{% endif %}
-- cgit v1.2.3
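Review bot: The trailing `allow_anonymous true` under `## Prometheus monitoring` is a global setting unless the broker runs with `per_listener_settings true`, and this role only mentions that option as a commented-out example in defaults; in mosquitto's default mode `allow_anonymous`, `password_file` and `acl_file` are single broker-wide values where the last occurrence in the file wins (as far as the mosquitto.conf semantics go), so this block would silently re-enable anonymous access on every listener, including one that set `allow_anonymous false` under its `options:`. The template should emit the option itself when the operator has not, placed right after `## Global` and before any listener or security option since mosquitto requires it to come first: `{% if mosquitto_global_config_options is not defined or 'per_listener_settings' not in mosquitto_global_config_options %}` / `per_listener_settings true` / `{% endif %}`. Because the global loop renders `mosquitto_global_config_options` in dict order, an operator-supplied `per_listener_settings` can also land after other global security options; a comment above the loop noting that it must be the first security-related key would save a confusing startup failure.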