add acl templating

This commit is contained in:
Robert Kaussow 2018-11-07 20:44:06 +01:00
parent c11da09e29
commit 51dc588864
4 changed files with 45 additions and 16 deletions


@ -24,6 +24,18 @@ mosquitto_password_auth_file: "{{ mosquitto_base_dir }}/passwd"
mosquitto_acl_enabled: False
mosquitto_acl_file: "{{ mosquitto_base_dir }}/aclfile"
# mosquitto_acl: (defaults to not set)
# - iot:
# user: admin
# acl_base: topic # (topic|pattern, defaults to topic)
# acl_topic: "#"
# acl_policy: readwrite
# - readonly_iot:
# user: user1
# acl_base: topic
# acl_topic: my/devices
# acl_policy: readwrite
mosquitto_tls_enabled: False
mosquitto_ca_path: /etc/pki/tls/certs/
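Review bot: The example under `# mosquitto_acl:` documents a list (`- iot:`), but the new template iterates `mosquitto_acl.values()`, which requires a mapping, so a user who copies this example gets a render error. Drop the leading `- ` so the entry keys sit directly under `mosquitto_acl:` (`#   iot:` / `#     user: admin`). The `readonly_iot` entry also grants `acl_policy: readwrite`; `read` is presumably what its name intends, and a copy-paste of this example would hand a "read-only" user write access. Since the template treats `user: all` specially, that value is worth documenting here as well.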


@ -16,20 +16,31 @@
when: not __mosquitto_passwd.stat.exists
# TODO: ugly workaround, move this to a custom module
- name: Add users to password file
shell: "mosquitto_passwd -b {{ mosquitto_password_auth_file }} {{ item.key }} {{ item.value.password }}"
with_dict: "{{ mosquitto_password_auth_users | default('{}') }}"
when: item.value.state == "present"
changed_when: False
no_log: True
become: True
become_user: root
- block:
- name: Add users to password file
shell: "mosquitto_passwd -b {{ mosquitto_password_auth_file }} {{ item.key }} {{ item.value.password }}"
with_dict: "{{ mosquitto_password_auth_users | default('{}') }}"
when: item.value.state == "present"
changed_when: False
no_log: True
- name: Remove unnecessary users from password file
shell: "mosquitto_passwd -D {{ mosquitto_password_auth_file }} {{ item.key }}"
with_dict: "{{ mosquitto_password_auth_users | default('{}') }}"
when: item.value.state == "absent"
changed_when: False
no_log: True
- name: Remove unnecessary users from password file
shell: "mosquitto_passwd -D {{ mosquitto_password_auth_file }} {{ item.key }}"
with_dict: "{{ mosquitto_password_auth_users | default('{}') }}"
when: item.value.state == "absent"
changed_when: False
no_log: True
- name: Create acl file at '{{ mosquitto_acl_file }}'
template:
src: "etc/mosquitto/acl.j2"
dest: "{{ mosquitto_acl_file }}"
owner: root
group: root
mode: 0600
with_dict: "{{ mosquitto_password_auth_users | default('{}') }}"
when:
- mosquitto_acl_enabled
- mosquitto_acl
become: True
become_user: root
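Review bot: The condition `- mosquitto_acl` on the new template task raises an undefined-variable error when `mosquitto_acl` is left unset, which the defaults file describes as the normal case; use `mosquitto_acl is defined and mosquitto_acl`. The `with_dict` loop over `mosquitto_password_auth_users` is never used by the template and just writes the same file once per user, so it should be dropped. Nothing in the hunk notifies a Mosquitto reload or restart, so a changed ACL file is not applied until the service happens to be restarted by something else. The `shell:` tasks moved into the block still interpolate `item.value.password` unquoted into a shell command line; `command:` with `{{ item.value.password | quote }}` would keep shell metacharacters in a password from breaking or altering the command.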


@ -0,0 +1,8 @@
# {{ ansible_managed }}
{% for item in mosquitto_acl.values() %}
{% if not item.user == "all" %}
{{ item.user }}
{% endif %}
{{ item.acl_base if item.acl_base is defined else 'topic' }} {{ item.acl_policy }} {{ item.acl_topic }}
{% endfor %}
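Review bot: The line `{{ item.user }}` emits only the bare username, but Mosquitto's ACL file syntax is `user <name>`, so the rendered file is invalid as written; it should be `user {{ item.user }}`. An entry with `user: all` is also order-sensitive: Mosquitto attaches `topic` lines to the most recent `user` line, so an `all` entry rendered after a named user silently becomes that user's rule instead of a global one, and `mosquitto_acl.values()` gives no guaranteed order on Python versions without ordered dicts. Render the `all` entries in a first pass before any named user, or document that they must come first in the mapping. `acl_policy` and `acl_topic` are used without the `is defined` guard that `acl_base` gets, so a missing key fails at render time with a less obvious error; either guard them the same way or note in the defaults that they are required.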


@ -1,2 +0,0 @@
##{{ ansible_managed }}
demo:test