implement tasks to setup auth

2018-11-05 20:15:12 +01:00 · 2018-11-05 20:15:12 +01:00 · 5b5b4cefa4
parent b90ef48c51
commit 5b5b4cefa4
3 changed files with 31 additions and 16 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -12,5 +12,10 @@ mosquitto_persistence_path: /var/lib/mosquitto/mosquitto.db

 mosquitto_iptables_enabled: False

+mosquitto_password_auth_enabled: False
+mosquitto_password_auth_file: "{{ mosquitto_base_dir }}/passwd"
+mosquitto_acl_enabled: False
+mosquitto_acl_file: "{{ mosquitto_base_dir }}/aclfile"
+
 mosquitto_tls_enabled: False
 mosquitto_ca_path: /etc/pki/tls/certs/
--- a/tasks/config.yml
+++ b/tasks/config.yml
@ -1,17 +1,21 @@
 ---
- block:
-    - name: Copy passwd file to '{{ mosquitto_passwd_path }}'
-      template:
-        src: "etc/mosquitto/passwd.j2"
-        dest: "{{ mosquitto_passwd_path }}"
-        owner: root
-        group: root
-        mode: 0600
-      register: __mosquitto_passwd
-
-    - name: Hash passwd file
-      shell: "mosquitto_passwd -U {{ mosquitto_passwd_path }}"
-      notify: __mosquitto_restart
-      when: __mosquitto_passwd.changed
+- name: Check if password file '{{ mosquitto_password_auth_file }}' exists
+  stat:
+    path: "{{ mosquitto_password_auth_file }}"
+  register: __mosquitto_passwd
  become: True
  become_user: root
+
+- name: Create password file if not exist
+  file:
+    path: "{{ mosquitto_password_auth_file }}"
+    mode: 0600
+    state: touch
+  become: True
+  become_user: root
+  when: not __mosquitto_passwd.stat.exists
+
+- name: Add users to password file
+  shell: "mosquitto_passwd -b {{ mosquitto_password_auth_file }} {{ item.name }} {{ item.value.password }}"
+  with_dict: "{{ mosquitto_login_users | default(omit) }}"
+  notify: __mosquitto_restart
--- a/templates/etc/mosquitto/mosquitto.conf.j2
+++ b/templates/etc/mosquitto/mosquitto.conf.j2
@ -534,7 +534,11 @@ persistence_location {{ mosquitto_persistence_path | dirname }}
 # Defaults to true if no other security options are set. If any other
 # authentication options are set, then allow_anonymous defaults to false.
 #
-#allow_anonymous true
+{% if not mosquitto_password_auth_enabled %}
+allow_anonymous true
+{% else %}
+allow_anonymous false
+{% endif %}

 # -----------------------------------------------------------------
 # Default authentication and topic access control
@ -552,7 +556,9 @@ persistence_location {{ mosquitto_persistence_path | dirname }}
 # See the TLS client require_certificate and use_identity_as_username options
 # for alternative authentication options. If an auth_plugin is used as well as
 # password_file, the auth_plugin check will be made first.
-#password_file
+{% if mosquitto_password_auth_enabled %}
+password_file {{ mosquitto_password_auth_file }}
+{% endif %}

 # Access may also be controlled using a pre-shared-key file. This requires
 # TLS-PSK support and a listener configured to use it. The file should be text