From 51dc588864ef46e18abe64ecd7a687806200a5c1 Mon Sep 17 00:00:00 2001 From: Robert Kaussow Date: Wed, 7 Nov 2018 20:44:06 +0100 Subject: [PATCH] add acl templating --- defaults/main.yml | 12 +++++++++ tasks/config.yml | 39 +++++++++++++++++++----------- templates/etc/mosquitto/aclfile.j2 | 8 ++++++ templates/etc/mosquitto/passwd.j2 | 2 -- 4 files changed, 45 insertions(+), 16 deletions(-) create mode 100644 templates/etc/mosquitto/aclfile.j2 delete mode 100644 templates/etc/mosquitto/passwd.j2 diff --git a/defaults/main.yml b/defaults/main.yml index dd1b14d..2a63cc9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -24,6 +24,18 @@ mosquitto_password_auth_file: "{{ mosquitto_base_dir }}/passwd" mosquitto_acl_enabled: False mosquitto_acl_file: "{{ mosquitto_base_dir }}/aclfile" +# mosquitto_acl: (defaults to not set) +# - iot: +# user: admin +# acl_base: topic # (topic|pattern, defaults to topic) +# acl_topic: "#" +# acl_policy: readwrite +# - readonly_iot: +# user: user1 +# acl_base: topic +# acl_topic: my/devices +# acl_policy: readwrite + mosquitto_tls_enabled: False mosquitto_ca_path: /etc/pki/tls/certs/ diff --git a/tasks/config.yml b/tasks/config.yml index 5ceb32b..13e2509 100644 --- a/tasks/config.yml +++ b/tasks/config.yml 
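Review bot: The documented `mosquitto_acl` example is a list of single-key mappings (`- iot:`, `- readonly_iot:`), but the template this commit adds in templates/etc/mosquitto/aclfile.j2 iterates `mosquitto_acl.values()`, which only works on a mapping; dropping the leading `- ` from the two example entries (`iot:`, `readonly_iot:`) makes the documentation match the structure the template actually consumes. The `readonly_iot` example grants `acl_policy: readwrite`, which contradicts its own name and the least-privilege point a read-only example is there to make; `acl_policy: read` would illustrate it. Since the template passes the policy through to mosquitto unchecked, naming the accepted values once here, e.g. `acl_policy: readwrite # (read|write|readwrite)`, tells readers what the broker will accept before it refuses to start on a typo.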
@@ -16,20 +16,31 @@ when: not __mosquitto_passwd.stat.exists # TODO: ugly workaround, move this to a custom module -- name: Add users to password file - shell: "mosquitto_passwd -b {{ mosquitto_password_auth_file }} {{ item.key }} {{ item.value.password }}" - with_dict: "{{ mosquitto_password_auth_users | default('{}') }}" - when: item.value.state == "present" - changed_when: False - no_log: True - become: True - become_user: root +- block: + - name: Add users to password file + shell: "mosquitto_passwd -b {{ mosquitto_password_auth_file }} {{ item.key }} {{ item.value.password }}" + with_dict: "{{ mosquitto_password_auth_users | default('{}') }}" + when: item.value.state == "present" + changed_when: False + no_log: True + + - name: Remove unnecessary users from password file + shell: "mosquitto_passwd -D {{ mosquitto_password_auth_file }} {{ item.key }}" + with_dict: "{{ mosquitto_password_auth_users | default('{}') }}" + when: item.value.state == "absent" + changed_when: False + no_log: True -- name: Remove unnecessary users from password file - shell: "mosquitto_passwd -D {{ mosquitto_password_auth_file }} {{ item.key }}" - with_dict: "{{ mosquitto_password_auth_users | default('{}') }}" - when: item.value.state == "absent" - changed_when: False - no_log: True + - name: Create acl file at '{{ mosquitto_acl_file }}' + template: + src: "etc/mosquitto/acl.j2" + dest: "{{ mosquitto_acl_file }}" + owner: root + group: root + mode: 0600 + with_dict: "{{ mosquitto_password_auth_users | default('{}') }}" + when: + - mosquitto_acl_enabled + - mosquitto_acl become: True become_user: root diff --git a/templates/etc/mosquitto/aclfile.j2 b/templates/etc/mosquitto/aclfile.j2 new file mode 100644 index 0000000..d99d017 --- /dev/null +++ b/templates/etc/mosquitto/aclfile.j2 
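Review bot: The new "Create acl file" task points `src` at `etc/mosquitto/acl.j2`, but the template this commit creates is `templates/etc/mosquitto/aclfile.j2`, so the task fails with a template-not-found error as soon as `mosquitto_acl_enabled` is true; it should read `src: "etc/mosquitto/aclfile.j2"`. The `with_dict` over `mosquitto_password_auth_users` on that same task renders the identical file once per password user while the template never reads `item`, so the loop line should be dropped. The second condition `- mosquitto_acl` raises an undefined-variable error when the variable is left at its documented "not set" default and ACLs are enabled; `- mosquitto_acl is defined` is the safe form. The ACL file is written `root:root` with `mode: 0600`; if the broker drops to an unprivileged service user, as packaged builds typically do, it cannot read the file at all, so confirm the ownership against how this role treats the password file, and quote the mode (`mode: "0600"`) so the octal literal is not retyped by the YAML loader. The task whose `when:` line opens the hunk starts outside it.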
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+{% for item in mosquitto_acl.values() %}
+{% if not item.user == "all" %}
+{{ item.user }}
+{% endif %}
+{{ item.acl_base if item.acl_base is defined else 'topic' }} {{ item.acl_policy }} {{ item.acl_topic }}
+{% endfor %}
diff --git a/templates/etc/mosquitto/passwd.j2 b/templates/etc/mosquitto/passwd.j2
deleted file mode 100644
index ae5fd06..0000000
--- a/templates/etc/mosquitto/passwd.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-##{{ ansible_managed }}
-demo:test
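Review bot: `{{ item.user }}` is emitted on a line of its own, but mosquitto's ACL file syntax requires the `user` keyword in front of the name, so the rendered file is rejected when the broker loads it; the line should be `user {{ item.user }}`. The `all` convention is also order-sensitive: mosquitto treats a `topic` line that precedes any `user` line as a general rule and attaches every later `topic` line to the most recent `user` line, so an entry with `user: all` rendered after a named user is silently granted to that user instead of to everyone, and mapping iteration order is not guaranteed across Ansible and Python versions, so the template should emit the `all` entries in a first pass before any named user. `{{ item.acl_base | default('topic') }}` expresses the fallback more idiomatically than the `is defined` ternary. A short header comment in the template naming the expected entry keys (`user`, `acl_base`, `acl_topic`, `acl_policy`) and the all-entries-first rule would help, since `mosquitto_acl` is otherwise documented only in defaults/main.yml.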