add acl templating

2018-11-07 20:44:06 +01:00 · 2018-11-07 20:44:06 +01:00 · 51dc588864
parent c11da09e29
commit 51dc588864
4 changed files with 45 additions and 16 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -24,6 +24,18 @@ mosquitto_password_auth_file: "{{ mosquitto_base_dir }}/passwd"

 mosquitto_acl_enabled: False
 mosquitto_acl_file: "{{ mosquitto_base_dir }}/aclfile"
+# mosquitto_acl: (defaults to not set)
+#   - iot:
+#       user: admin
+#       acl_base: topic # (topic|pattern, defaults to topic)
+#       acl_topic: "#"
+#       acl_policy: readwrite
+#   - readonly_iot:
+#       user: user1
+#       acl_base: topic
+#       acl_topic: my/devices
+#       acl_policy: readwrite
+

 mosquitto_tls_enabled: False
 mosquitto_ca_path: /etc/pki/tls/certs/
--- a/tasks/config.yml
+++ b/tasks/config.yml
@ -16,20 +16,31 @@
  when: not __mosquitto_passwd.stat.exists

 # TODO: ugly workaround, move this to a custom module
- name: Add users to password file
-  shell: "mosquitto_passwd -b {{ mosquitto_password_auth_file }} {{ item.key }} {{ item.value.password }}"
-  with_dict: "{{ mosquitto_password_auth_users | default('{}') }}"
-  when: item.value.state == "present"
-  changed_when: False
-  no_log: True
-  become: True
-  become_user: root
+- block:
+    - name: Add users to password file
+      shell: "mosquitto_passwd -b {{ mosquitto_password_auth_file }} {{ item.key }} {{ item.value.password }}"
+      with_dict: "{{ mosquitto_password_auth_users | default('{}') }}"
+      when: item.value.state == "present"
+      changed_when: False
+      no_log: True

- name: Remove unnecessary users from password file
-  shell: "mosquitto_passwd -D {{ mosquitto_password_auth_file }} {{ item.key }}"
-  with_dict: "{{ mosquitto_password_auth_users | default('{}') }}"
-  when: item.value.state == "absent"
-  changed_when: False
-  no_log: True
+    - name: Remove unnecessary users from password file
+      shell: "mosquitto_passwd -D {{ mosquitto_password_auth_file }} {{ item.key }}"
+      with_dict: "{{ mosquitto_password_auth_users | default('{}') }}"
+      when: item.value.state == "absent"
+      changed_when: False
+      no_log: True
+
+    - name: Create acl file at '{{ mosquitto_acl_file }}'
+      template:
+        src: "etc/mosquitto/acl.j2"
+        dest: "{{ mosquitto_acl_file }}"
+        owner: root
+        group: root
+        mode: 0600
+      with_dict: "{{ mosquitto_password_auth_users | default('{}') }}"
+      when:
+        - mosquitto_acl_enabled
+        - mosquitto_acl
  become: True
  become_user: root
--- a/templates/etc/mosquitto/aclfile.j2
+++ b/templates/etc/mosquitto/aclfile.j2
@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+{% for item in mosquitto_acl.values() %}
+{% if not item.user == "all" %}
+{{ item.user }}
+{% endif %}
+{{ item.acl_base if item.acl_base is defined else 'topic' }} {{ item.acl_policy }} {{ item.acl_topic }}
+{% endfor %}
--- a/templates/etc/mosquitto/passwd.j2
+++ b/templates/etc/mosquitto/passwd.j2
@ -1,2 +0,0 @@
-##{{ ansible_managed }}
-demo:test