Make root user & group configurable

README.md

@@ -5,6 +5,7 @@ Ansible Role: Mosquitto
 [![Ansible Galaxy](https://img.shields.io/badge/galaxy-lnovara.mosquitto-blue.svg)](https://galaxy.ansible.com/lnovara/mosquitto)
 
 Install and configure [Mosquitto](https://mosquitto.org/) MQTT message broker.
+Forked from [lnovara/ansible-mosquitto](https://github.com/lnovara/ansible-mosquitto).
 
 Requirements
 ------------
@@ -71,6 +72,9 @@ Example:
     mosquitto_bridges:
       - connection: bridge_name
         address: exmaple.com:1883
+        topics:
+          - "topic foobar/# in"
+          - "topic baz/# out"'
 
 List holding Mosquitto bridges configuration.
 
@@ -98,6 +102,38 @@ Examples:
 
 Lists holding Mosquitto ACLs.
 
+    mosquitto_certificates: {}
+
+Dictionary holding certificate configuration.
+
+Example:
+
+    mosquitto_certificates:
+     - name: "cert"
+       path: "/etc/mosquitto/certs/mosquitto.crt"
+       content: |
+         -----BEGIN CERTIFICATE-----
+         -----END CERTIFICATE-----
+
+     - name: "key"
+       path: "/etc/mosquitto/certs/mosquitto.key"
+       content: |
+         -----BEGIN PRIVATE KEY-----
+         -----END CERTIFICATE-----
+
+     - name: "ca"
+       path: "/etc/mosquitto/certs/ca.crt"
+       content: |
+         -----BEGIN CERTIFICATE-----
+         -----END CERTIFICATE-----
+
+Configuration for a custom dhparam file for mosquitto, will be
+generated if it doesn't exist.
+
+    mosquitto_dhparam_file: /etc/mosquitto/dhparam.pem
+    mosquitto_dhparam_keysize: 2048
+
+
 Dependencies
 ------------
 

defaults/main.yml

@@ -3,6 +3,7 @@
 mosquitto_packages:
   - mosquitto
   - mosquitto-clients
+  - openssl
 
 mosquitto_python_packages:
   - paho-mqtt
@@ -15,8 +16,29 @@ mosquitto_home: /var/lib/mosquitto
 
 mosquitto_add_groups: []
 
+mosquitto_run_folder: "/run/mosquitto"
+
+mosquitto_bin: "/usr/sbin/mosquitto"
+
+mosquitto_systemd_restart: "on-failure"
+
+mosquitto_systemd_restartsec: 2
+
+mosquitto_systemd_after: "network-online.target"
+
+mosquitto_systemd_wants: "network-online.target systemd-networkd-wait-online.service"
+
+mosquitto_systemd_private_settings: true
+
+mosquitto_systemd_run_folder_workaround: true
+
 mosquitto_config_file: /etc/mosquitto/mosquitto.conf
 
+# { name: "certfile", path: "/etc/mosquitto/certs/test.crt", content: "foo" }
+mosquitto_certificates: {}
+mosquitto_dhparam_file: /etc/mosquitto/dhparam.pem
+mosquitto_dhparam_keysize: 2048
+
 mosquitto_config: {}
 
 mosquitto_listeners: {}
@@ -28,3 +50,6 @@ mosquitto_auth_anonymous: []
 mosquitto_auth_users: []
 
 mosquitto_auth_patterns: []
+
+mosquitto_config_user: root
+mosquitto_config_group: root

handlers/main.yml

@@ -1,14 +1,17 @@
 ---
-
 - name: Restart Mosquitto
-  service:
+  ansible.builtin.service:
     name: mosquitto
     state: restarted
 
 - name: Reload systemd and restart Mosquitto
-  command:
-    systemctl daemon-reload
+  ansible.builtin.systemd:
+    daemon_reload: true
   notify:
     - Restart Mosquitto
-  tags:
-    - skip_ansible_lint
+
+- name: Enable and start Mosquitto service
+  ansible.builtin.service:
+    name: mosquitto
+    state: started
+    enabled: true

meta/main.yml

@@ -1,21 +1,22 @@
 ---
 galaxy_info:
-  author: Luca Novara
+  author: Oscar Carlsson
   description: Install and configure Mosquitto MQTT message broker.
   company:
   license: MIT
   min_ansible_version: 1.2
-  issue_tracker_url: https://github.com/lnovara/ansible-mosquitto/issues
+  issue_tracker_url: https://github.com/monotux/ansible-role-mosquitto/issues
 
   platforms:
     - name: Debian
       versions:
         - stretch
+        - buster
+        - bullseye
 
   galaxy_tags:
     - mosquitto
     - mqtt
     - debian
-    - system
 
 dependencies: []

tasks/main.yml

@@ -1,25 +1,25 @@
 ---
 
 - name: Install Mosquitto packages
-  package:
+  ansible.builtin.package:
     name: "{{ item }}"
     state: present
   with_items: "{{ mosquitto_packages }}"
 
 - name: Install Mosquitto Python modules
-  pip:
+  ansible.builtin.pip:
     name: "{{ item }}"
     state: present
   with_items: "{{ mosquitto_python_packages }}"
 
 - name: Create Mosquitto group
-  group:
+  ansible.builtin.group:
     name: "{{ mosquitto_group }}"
     system: true
     state: present
 
 - name: Create Mosquitto user
-  user:
+  ansible.builtin.user:
     name: "{{ mosquitto_user }}"
     group: "{{ mosquitto_group }}"
     groups: "{{ mosquitto_add_groups | join(',') }}"
@@ -32,15 +32,22 @@
     - Restart Mosquitto
 
 - name: Merge default and custom Mosquitto config
-  set_fact:
+  ansible.builtin.set_fact:
     mosquitto_config: "{{ _mosquitto_default_config | combine(mosquitto_config, recursive = True) }}"
 
+- name: Create mosquitto/conf.d directory
+  ansible.builtin.file:
+    path: "{{ mosquitto_config.include_dir }}"
+    state: directory
+    owner: "{{ mosquitto_config_user }}"
+    group: "{{ mosquitto_config_group }}"
+
 - name: Create Mosquitto ACL file
-  template:
+  ansible.builtin.template:
     src: acl.j2
     dest: "{{ mosquitto_config.acl_file }}"
-    owner: root
-    group: root
+    owner: "{{ mosquitto_config_user }}"
+    group: "{{ mosquitto_config_group }}"
     mode: 0644
   when: mosquitto_config.acl_file is defined
   notify:
@@ -49,26 +56,26 @@
 - block:
 
     - name: Check Mosquitto password file existence
-      stat:
+      ansible.builtin.stat:
         path: "{{ mosquitto_config.password_file }}"
       register: mosquitto_password_file_st
 
     - name: Create Mosquitto password file
-      file:
+      ansible.builtin.file:
         path: "{{ mosquitto_config.password_file }}"
-        owner: root
+        owner: "{{ mosquitto_config_user }}"
         group: "{{ mosquitto_group }}"
         mode: 0640
         state: touch
       when: not mosquitto_password_file_st.stat.exists
 
     - name: Get Mosquitto user entries
-      command:
+      ansible.builtin.command:
         cut -d ':' -f 1 "{{ mosquitto_config.password_file }}"
       register: mosquitto_users_list
 
     - name: Remove Mosquitto user/password entries
-      command:
+      ansible.builtin.command:
         mosquitto_passwd -D "{{ mosquitto_config.password_file }}" "{{ item.name }}"
       when:
         - item.state | default("present") == "absent"
@@ -79,7 +86,7 @@
         - Restart Mosquitto
 
     - name: Add Mosquitto user/password entries
-      command:
+      ansible.builtin.command:
         mosquitto_passwd -b "{{ mosquitto_config.password_file }}" "{{ item.name }}" "{{ item.password }}"
       when:
         - item.state | default("present") == "present"
@@ -92,50 +99,60 @@
   when: mosquitto_config.password_file is defined
 
 - name: Create Mosquitto PSK file
-  template:
+  ansible.builtin.template:
     src: psk.j2
     dest: "{{ mosquitto_config.psk_file }}"
-    owner: root
+    owner: "{{ mosquitto_config_user }}"
     group: "{{ mosquitto_group }}"
     mode: 0640
   when: mosquitto_config.psk_file is defined
   notify:
     - Restart Mosquitto
 
+- name: Install mosquitto certificates
+  ansible.builtin.template:
+    src: "certificate.j2"
+    dest: "{{ item.path }}"
+    owner: "{{ mosquitto_user }}"
+    group: "{{ mosquitto_group }}"
+    mode: "0440"
+  loop: "{{ mosquitto_certificates }}"
+  no_log: true
+  notify:
+    - Restart Mosquitto
+
+- name: Make sure dhparam file exists
+  command: "openssl dhparam -out {{ mosquitto_dhparam_file }} {{ mosquitto_dhparam_keysize }}"
+  args:
+    creates: "{{ mosquitto_dhparam_file }}"
+  when: mosquitto_certificates
+
+- name: Ensure correct ownership of dhparam
+  ansible.builtin.file:
+    path: "{{ mosquitto_dhparam_file }}"
+    state: file
+    owner: "{{ mosquitto_user }}"
+    group: "{{ mosquitto_group }}"
+    mode: "0700"
+  when: mosquitto_certificates
+
 - name: Configure Mosquitto
-  template:
+  ansible.builtin.template:
     src: mosquitto.conf.j2
     dest: "{{ mosquitto_config_file }}"
-    owner: root
-    group: root
+    owner: "{{ mosquitto_config_user }}"
+    group: "{{ mosquitto_config_group }}"
     mode: 0644
   notify:
     - Restart Mosquitto
 
 - name: Create Mosquitto systemd service
-  template:
+  ansible.builtin.template:
     src: mosquitto.systemd.j2
     dest: /etc/systemd/system/mosquitto.service
     owner: root
-    group: root
     mode: 0640
   when: ansible_service_mgr == "systemd"
-  notify:
-    - Restart Mosquitto
-
-- name: Create Mosquitto upstart job
-  template:
-    src: mosquitto.upstart.j2
-    dest: /etc/init/mosquitto.conf
-    owner: root
-    group: root
-    mode: 0640
-  when: ansible_service_mgr == "upstart"
   notify:
     - Reload systemd and restart Mosquitto
-
-- name: Enable and start Mosquitto service
-  service:
-    name: mosquitto
-    state: started
-    enabled: true
+    - Enable and start Mosquitto service

templates/certificate.j2

@@ -0,0 +1 @@
+{{ item.content }}

templates/mosquitto.conf.j2

@@ -22,10 +22,14 @@ listener {{ elem.listener }}
 {% endfor %}
 
 {% for elem in mosquitto_bridges %}
-connection {{ elem.connection }}
-{% for key, value in elem | dictsort %}
-{% if key != "connection" %}
-{{ key }} {{ value }}
-{% endif %}
-{% endfor %}
+  connection {{ elem.connection }}
+  {% for key, value in elem | dictsort %}
+    {% if key != "connection" and key != "topics" %}
+      {{ key }} {{ value }}
+    {% elif key == "topics" %}
+      {% for topic in elem.topics %}
+        {{ topic }}
+      {% endfor %}
+    {% endif %}
+  {% endfor %}
 {% endfor %}

templates/mosquitto.systemd.j2

@@ -1,23 +1,32 @@
 [Unit]
 Description=Mosquitto MQTT message broker
 Documentation=https://mosquitto.org/man/mosquitto-8.html
-After=network-online.target
-Wants=network-online.target systemd-networkd-wait-online.service
+After={{ mosquitto_systemd_after }}
+Wants={{ mosquitto_systemd_wants }}
 
 [Service]
-Restart=on-failure
-RestartSec=2
+Restart={{ mosquitto_systemd_restart }}
+RestartSec={{ mosquitto_systemd_restartsec }}
 
 User={{ mosquitto_user }}
 Group={{ mosquitto_group }}
 
-ExecStart=/usr/sbin/mosquitto --config-file {{ mosquitto_config_file }}
+ExecStart={{ mosquitto_bin }} --config-file {{ mosquitto_config_file }}
 ExecReload=/bin/kill -HUP $MAINPID
 
+{% if mosquitto_systemd_run_folder_workaround %}
+ExecStartPre=+/bin/mkdir -m 740 -p /var/log/mosquitto
+ExecStartPre=+/bin/chown {{ mosquitto_user }}: /var/log/mosquitto
+ExecStartPre=+/bin/mkdir -m 740 -p /run/mosquitto
+ExecStartPre=+/bin/chown {{ mosquitto_user }}: {{ mosquitto_run_folder }}
+{% endif %}
+
+{% if mosquitto_systemd_private_settings %}
 PrivateTmp=true
 PrivateDevices=true
 ProtectHome=true
 ProtectSystem=full
+{% endif %}
 
 [Install]
 WantedBy=multi-user.target