diff --git a/README.md b/README.md index 5e507f4..a4e06ff 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ Ansible Role: Mosquitto [![Ansible Galaxy](https://img.shields.io/badge/galaxy-lnovara.mosquitto-blue.svg)](https://galaxy.ansible.com/lnovara/mosquitto) Install and configure [Mosquitto](https://mosquitto.org/) MQTT message broker. +Forked from [lnovara/ansible-mosquitto](https://github.com/lnovara/ansible-mosquitto). Requirements ------------ @@ -71,6 +72,9 @@ Example: mosquitto_bridges: - connection: bridge_name address: exmaple.com:1883 + topics: + - "topic foobar/# in" + - "topic baz/# out"' List holding Mosquitto bridges configuration. @@ -98,6 +102,38 @@ Examples: Lists holding Mosquitto ACLs. + mosquitto_certificates: {} + +Dictionary holding certificate configuration. + +Example: + + mosquitto_certificates: + - name: "cert" + path: "/etc/mosquitto/certs/mosquitto.crt" + content: | + -----BEGIN CERTIFICATE----- + -----END CERTIFICATE----- + + - name: "key" + path: "/etc/mosquitto/certs/mosquitto.key" + content: | + -----BEGIN PRIVATE KEY----- + -----END CERTIFICATE----- + + - name: "ca" + path: "/etc/mosquitto/certs/ca.crt" + content: | + -----BEGIN CERTIFICATE----- + -----END CERTIFICATE----- + +Configuration for a custom dhparam file for mosquitto, will be +generated if it doesn't exist. + + mosquitto_dhparam_file: /etc/mosquitto/dhparam.pem + mosquitto_dhparam_keysize: 2048 + + Dependencies ------------ diff --git a/defaults/main.yml b/defaults/main.yml index bf17efd..c5289a7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -3,6 +3,7 @@ mosquitto_packages: - mosquitto - mosquitto-clients + - openssl mosquitto_python_packages: - paho-mqtt 
@@ -15,8 +16,29 @@ mosquitto_home: /var/lib/mosquitto mosquitto_add_groups: [] +mosquitto_run_folder: "/run/mosquitto" + +mosquitto_bin: "/usr/sbin/mosquitto" + +mosquitto_systemd_restart: "on-failure" + +mosquitto_systemd_restartsec: 2 + +mosquitto_systemd_after: "network-online.target" + +mosquitto_systemd_wants: "network-online.target systemd-networkd-wait-online.service" + +mosquitto_systemd_private_settings: true + +mosquitto_systemd_run_folder_workaround: true + mosquitto_config_file: /etc/mosquitto/mosquitto.conf +# { name: "certfile", path: "/etc/mosquitto/certs/test.crt", content: "foo" } +mosquitto_certificates: {} +mosquitto_dhparam_file: /etc/mosquitto/dhparam.pem +mosquitto_dhparam_keysize: 2048 + mosquitto_config: {} mosquitto_listeners: {} @@ -28,3 +50,6 @@ mosquitto_auth_anonymous: [] mosquitto_auth_users: [] mosquitto_auth_patterns: [] + +mosquitto_config_user: root +mosquitto_config_group: root diff --git a/handlers/main.yml b/handlers/main.yml index 73005b1..e14d64e 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,14 +1,17 @@ --- - - name: Restart Mosquitto - service: + ansible.builtin.service: name: mosquitto state: restarted - name: Reload systemd and restart Mosquitto - command: - systemctl daemon-reload + ansible.builtin.systemd: + daemon_reload: true notify: - Restart Mosquitto - tags: - - skip_ansible_lint + +- name: Enable and start Mosquitto service + ansible.builtin.service: + name: mosquitto + state: started + enabled: true diff --git a/meta/main.yml b/meta/main.yml index ad75773..3a61ce4 100644 --- a/meta/main.yml +++ b/meta/main.yml 
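Review bot: `mosquitto_certificates: {}` defaults to a mapping, but every consumer treats it as a list — the README example is a sequence of items and the new "Install mosquitto certificates" task in the tasks/main.yml hunk iterates it with `loop:`, which rejects a non-list value (even an empty mapping) with "Invalid data passed to 'loop', it requires a list", so the role appears to fail on its own defaults. Change the default to `mosquitto_certificates: []` and make the example comment above it a list item, e.g. `# - { name: "certfile", path: "/etc/mosquitto/certs/test.crt", content: "foo" }` (the README hunk also calls it a "Dictionary" and should say list). Since the `content` of the key entry is a private key, that comment is also the place to state that the value is expected to come from Ansible Vault rather than plain group_vars.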
@@ -1,21 +1,22 @@ --- galaxy_info: - author: Luca Novara + author: Oscar Carlsson description: Install and configure Mosquitto MQTT message broker. company: license: MIT min_ansible_version: 1.2 - issue_tracker_url: https://github.com/lnovara/ansible-mosquitto/issues + issue_tracker_url: https://github.com/monotux/ansible-role-mosquitto/issues platforms: - name: Debian versions: - stretch + - buster + - bullseye galaxy_tags: - mosquitto - mqtt - debian - - system dependencies: [] diff --git a/tasks/main.yml b/tasks/main.yml index 08df1cb..bddee63 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,25 +1,25 @@ --- - name: Install Mosquitto packages - package: + ansible.builtin.package: name: "{{ item }}" state: present with_items: "{{ mosquitto_packages }}" - name: Install Mosquitto Python modules - pip: + ansible.builtin.pip: name: "{{ item }}" state: present with_items: "{{ mosquitto_python_packages }}" - name: Create Mosquitto group - group: + ansible.builtin.group: name: "{{ mosquitto_group }}" system: true state: present - name: Create Mosquitto user - user: + ansible.builtin.user: name: "{{ mosquitto_user }}" group: "{{ mosquitto_group }}" groups: "{{ mosquitto_add_groups | join(',') }}" @@ -32,15 +32,22 @@ - Restart Mosquitto - name: Merge default and custom Mosquitto config - set_fact: + ansible.builtin.set_fact: mosquitto_config: "{{ _mosquitto_default_config | combine(mosquitto_config, recursive = True) }}" +- name: Create mosquitto/conf.d directory + ansible.builtin.file: + path: "{{ mosquitto_config.include_dir }}" + state: directory + owner: "{{ mosquitto_config_user }}" + group: "{{ mosquitto_config_group }}" + - name: Create Mosquitto ACL file - template: + ansible.builtin.template: src: acl.j2 dest: "{{ mosquitto_config.acl_file }}" - owner: root - group: root + owner: "{{ mosquitto_config_user }}" + group: "{{ mosquitto_config_group }}" mode: 0644 when: mosquitto_config.acl_file is defined notify: 
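Review bot: The new "Create mosquitto/conf.d directory" task dereferences `mosquitto_config.include_dir` unconditionally, while the sibling ACL/password/PSK tasks guard their keys with `is defined`; unless `_mosquitto_default_config` sets `include_dir` (the head of vars/main.yml is outside this diff), the task errors on hosts that do not set it. Add `when: mosquitto_config.include_dir is defined` and an explicit `mode: "0755"` so the directory's permissions do not depend on the remote umask. In the same hunk the ACL task keeps `mode: 0644` unquoted while the new tasks quote theirs (`"0440"`); `mode: "0644"` is the consistent, linter-clean form.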
@@ -49,26 +56,26 @@ - block: - name: Check Mosquitto password file existence - stat: + ansible.builtin.stat: path: "{{ mosquitto_config.password_file }}" register: mosquitto_password_file_st - name: Create Mosquitto password file - file: + ansible.builtin.file: path: "{{ mosquitto_config.password_file }}" - owner: root + owner: "{{ mosquitto_config_user }}" group: "{{ mosquitto_group }}" mode: 0640 state: touch when: not mosquitto_password_file_st.stat.exists - name: Get Mosquitto user entries - command: + ansible.builtin.command: cut -d ':' -f 1 "{{ mosquitto_config.password_file }}" register: mosquitto_users_list - name: Remove Mosquitto user/password entries - command: + ansible.builtin.command: mosquitto_passwd -D "{{ mosquitto_config.password_file }}" "{{ item.name }}" when: - item.state | default("present") == "absent" @@ -79,7 +86,7 @@ - Restart Mosquitto - name: Add Mosquitto user/password entries - command: + ansible.builtin.command: mosquitto_passwd -b "{{ mosquitto_config.password_file }}" "{{ item.name }}" "{{ item.password }}" when: - item.state | default("present") == "present" 
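Review bot: "Add Mosquitto user/password entries" still runs `mosquitto_passwd -b ... "{{ item.password }}"` without `no_log: true`, so each plaintext password from `mosquitto_auth_users` is printed in the task output and in any Ansible log; the new certificate task in this file sets `no_log: true`, and this task (and the matching removal task) should too. This is pre-existing rather than introduced here, but the task is being edited in this hunk. Passing the password as a `-b` argument also leaves it visible in the process argument list on the host for the duration of the command, which is worth a comment on the task if the `-b` form is kept. The enclosing `block:` continues past the end of this hunk (its `when:` is at the start of the next one).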
@@ -92,50 +99,60 @@ when: mosquitto_config.password_file is defined - name: Create Mosquitto PSK file - template: + ansible.builtin.template: src: psk.j2 dest: "{{ mosquitto_config.psk_file }}" - owner: root + owner: "{{ mosquitto_config_user }}" group: "{{ mosquitto_group }}" mode: 0640 when: mosquitto_config.psk_file is defined notify: - Restart Mosquitto +- name: Install mosquitto certificates + ansible.builtin.template: + src: "certificate.j2" + dest: "{{ item.path }}" + owner: "{{ mosquitto_user }}" + group: "{{ mosquitto_group }}" + mode: "0440" + loop: "{{ mosquitto_certificates }}" + no_log: true + notify: + - Restart Mosquitto + +- name: Make sure dhparam file exists + command: "openssl dhparam -out {{ mosquitto_dhparam_file }} {{ mosquitto_dhparam_keysize }}" + args: + creates: "{{ mosquitto_dhparam_file }}" + when: mosquitto_certificates + +- name: Ensure correct ownership of dhparam + ansible.builtin.file: + path: "{{ mosquitto_dhparam_file }}" + state: file + owner: "{{ mosquitto_user }}" + group: "{{ mosquitto_group }}" + mode: "0700" + when: mosquitto_certificates + - name: Configure Mosquitto - template: + ansible.builtin.template: src: mosquitto.conf.j2 dest: "{{ mosquitto_config_file }}" - owner: root - group: root + owner: "{{ mosquitto_config_user }}" + group: "{{ mosquitto_config_group }}" mode: 0644 notify: - Restart Mosquitto - name: Create Mosquitto systemd service - template: + ansible.builtin.template: src: mosquitto.systemd.j2 dest: /etc/systemd/system/mosquitto.service owner: root - group: root mode: 0640 when: ansible_service_mgr == "systemd" - notify: - - Restart Mosquitto - -- name: Create Mosquitto upstart job - template: - src: mosquitto.upstart.j2 - dest: /etc/init/mosquitto.conf - owner: root - group: root - mode: 0640 - when: ansible_service_mgr == "upstart" notify: - Reload systemd and restart Mosquitto - -- name: Enable and start Mosquitto service - service: - name: mosquitto - state: started - enabled: true + - Enable and 
start Mosquitto service diff --git a/templates/certificate.j2 b/templates/certificate.j2 new file mode 100644 index 0000000..37774b9 --- /dev/null +++ b/templates/certificate.j2 @@ -0,0 +1 @@ +{{ item.content }} diff --git a/templates/mosquitto.conf.j2 b/templates/mosquitto.conf.j2 index 3cab990..e977840 100644 --- a/templates/mosquitto.conf.j2 +++ b/templates/mosquitto.conf.j2 @@ -22,10 +22,14 @@ listener {{ elem.listener }} {% endfor %} {% for elem in mosquitto_bridges %} -connection {{ elem.connection }} -{% for key, value in elem | dictsort %} -{% if key != "connection" %} -{{ key }} {{ value }} -{% endif %} -{% endfor %} + connection {{ elem.connection }} + {% for key, value in elem | dictsort %} + {% if key != "connection" and key != "topics" %} + {{ key }} {{ value }} + {% elif key == "topics" %} + {% for topic in elem.topics %} + {{ topic }} + {% endfor %} + {% endif %} + {% endfor %} {% endfor %} diff --git a/templates/mosquitto.systemd.j2 b/templates/mosquitto.systemd.j2 index eaba470..46c0540 100644 --- a/templates/mosquitto.systemd.j2 +++ b/templates/mosquitto.systemd.j2 
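Review bot: Enabling and starting the service is now only a handler, so it runs solely when the unit template changes; on a later run where the broker has been stopped or disabled, or on a host where `ansible_service_mgr` is not `systemd` (the only task notifying it is guarded by that condition), the role no longer ensures the service is running — the removed unconditional "Enable and start Mosquitto service" task covered both cases, and the handlers/main.yml hunk only moves it. Keep an unconditional `ansible.builtin.service` task with `state: started` / `enabled: true` at the end of the file, in addition to or instead of the handler. Two smaller points in the new certificate/dhparam tasks: `command:` on "Make sure dhparam file exists" is the one non-FQCN module call left in the file (`ansible.builtin.command:`), and `mode: "0700"` on a regular PEM file grants execute; `mode: "0640"` matches the PSK/password files. The certificate task could also use `ansible.builtin.copy` with `content: "{{ item.content }}"` instead of the one-line `certificate.j2` template, which avoids Jinja re-evaluating any `{{` or `{%` sequence that happens to appear in certificate text.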
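Review bot: Indenting the bridge block by four spaces writes that whitespace into the rendered mosquitto.conf, because Ansible's template module does not enable `lstrip_blocks` by default: each `connection`/topic line gets leading spaces and each `{% ... %}` line leaves a whitespace-only line behind. Mosquitto's parser seems to tokenise past leading spaces, but that should be checked against a rendered file rather than assumed; keeping the directives at column 0 as before (or rendering with `lstrip_blocks: true`) sidesteps the question. The `if`/`elif` on `key` could be simplified by dropping `topics` from the `dictsort` loop and emitting `{% for topic in elem.topics | default([]) %}` once after it, which reads as the two separate concerns they are.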
@@ -1,23 +1,32 @@ [Unit] Description=Mosquitto MQTT message broker Documentation=https://mosquitto.org/man/mosquitto-8.html -After=network-online.target -Wants=network-online.target systemd-networkd-wait-online.service +After={{ mosquitto_systemd_after }} +Wants={{ mosquitto_systemd_wants }} [Service] -Restart=on-failure -RestartSec=2 +Restart={{ mosquitto_systemd_restart }} +RestartSec={{ mosquitto_systemd_restartsec }} User={{ mosquitto_user }} Group={{ mosquitto_group }} -ExecStart=/usr/sbin/mosquitto --config-file {{ mosquitto_config_file }} +ExecStart={{ mosquitto_bin }} --config-file {{ mosquitto_config_file }} ExecReload=/bin/kill -HUP $MAINPID +{% if mosquitto_systemd_run_folder_workaround %} +ExecStartPre=+/bin/mkdir -m 740 -p /var/log/mosquitto +ExecStartPre=+/bin/chown {{ mosquitto_user }}: /var/log/mosquitto +ExecStartPre=+/bin/mkdir -m 740 -p /run/mosquitto +ExecStartPre=+/bin/chown {{ mosquitto_user }}: {{ mosquitto_run_folder }} +{% endif %} + +{% if mosquitto_systemd_private_settings %} PrivateTmp=true PrivateDevices=true ProtectHome=true ProtectSystem=full +{% endif %} [Install] WantedBy=multi-user.target diff --git a/vars/main.yml b/vars/main.yml index 8a9f2e2..4b5576b 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -17,4 +17,4 @@ _mosquitto_default_config: log_dest: file /var/log/mosquitto/mosquitto.log persistence: 'true' persistence_location: "{{ mosquitto_home }}" - pid_file: /var/run/mosquitto.pid + pid_file: "{{ mosquitto_run_folder }}/mosquitto.pid"
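Review bot: In the run-folder workaround, `ExecStartPre=+/bin/mkdir -m 740 -p /run/mosquitto` hard-codes the path while the following chown uses `{{ mosquitto_run_folder }}` (and the vars/main.yml hunk now places `pid_file` under that variable), so overriding the variable creates one directory and chowns/uses another; use `{{ mosquitto_run_folder }}` on the mkdir line as well. `-m 740` on a directory also gives the group read without search permission; `0750` is the usual choice for both directories. Since both paths exist only for this service, `RuntimeDirectory=mosquitto` and `LogsDirectory=mosquitto` (with the matching `*DirectoryMode=` settings) let systemd create and own them without the root-privileged `+`-prefixed commands, on systemd versions that support those directives. With `mosquitto_systemd_run_folder_workaround: false` nothing creates the run folder on a tmpfs `/run` after reboot, so the new `pid_file` default then has nowhere to be written; that coupling should at least be documented next to the variable in defaults/main.yml.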