diff --git a/defaults/main.yml b/defaults/main.yml
index 01d6a9f..4c460e6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -12,5 +12,10 @@ mosquitto_persistence_path: /var/lib/mosquitto/mosquitto.db
 mosquitto_iptables_enabled: False
+mosquitto_password_auth_enabled: False
+mosquitto_password_auth_file: "{{ mosquitto_base_dir }}/passwd"
+mosquitto_acl_enabled: False
+mosquitto_acl_file: "{{ mosquitto_base_dir }}/aclfile"
+
 mosquitto_tls_enabled: False
 mosquitto_ca_path: /etc/pki/tls/certs/
diff --git a/tasks/config.yml b/tasks/config.yml
index c140f96..ac7ef3c 100644
--- a/tasks/config.yml
+++ b/tasks/config.yml
@@ -1,17 +1,21 @@
 ---
-- block:
-    - name: Copy passwd file to '{{ mosquitto_passwd_path }}'
-      template:
-        src: "etc/mosquitto/passwd.j2"
-        dest: "{{ mosquitto_passwd_path }}"
-        owner: root
-        group: root
-        mode: 0600
-      register: __mosquitto_passwd
-
-    - name: Hash passwd file
-      shell: "mosquitto_passwd -U {{ mosquitto_passwd_path }}"
-      notify: __mosquitto_restart
-      when: __mosquitto_passwd.changed
+- name: Check if password file '{{ mosquitto_password_auth_file }}' exists
+  stat:
+    path: "{{ mosquitto_password_auth_file }}"
+  register: __mosquitto_passwd
   become: True
   become_user: root
+
+- name: Create password file if not exist
+  file:
+    path: "{{ mosquitto_password_auth_file }}"
+    mode: 0600
+    state: touch
+  become: True
+  become_user: root
+  when: not __mosquitto_passwd.stat.exists
+
+- name: Add users to password file
+  shell: "mosquitto_passwd -b {{ mosquitto_password_auth_file }} {{ item.name }} {{ item.value.password }}"
+  with_dict: "{{ mosquitto_login_users | default(omit) }}"
+  notify: __mosquitto_restart
diff --git a/templates/etc/mosquitto/mosquitto.conf.j2 b/templates/etc/mosquitto/mosquitto.conf.j2
index 679eb59..8c2f28c 100644
--- a/templates/etc/mosquitto/mosquitto.conf.j2
+++ b/templates/etc/mosquitto/mosquitto.conf.j2
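Review bot: `mosquitto_acl_enabled` and `mosquitto_acl_file` are introduced in this hunk but nothing else in the diff consumes them — the mosquitto.conf.j2 hunks only emit `password_file`, and no `acl_file` line is templated — so unless a task outside this diff reads them they are dead defaults; either wire them in the template (`{% if mosquitto_acl_enabled %}` / `acl_file {{ mosquitto_acl_file }}` / `{% endif %}`) or hold them back until they are used. The same file gains no default for `mosquitto_login_users`, which the new tasks/config.yml task iterates over; adding `mosquitto_login_users: {}` here documents the expected shape (key = username, value with a `password` field) and lets that loop fall back to an empty dict instead of `omit`.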
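Review bot: `{{ item.name }}` in the shell line of the `Add users to password file` task is not defined under `with_dict`, which yields `item.key` and `item.value`, so the task fails on the first configured user; it should read `{{ item.key }}`. The same line interpolates the plaintext password into a shell command with no `no_log: true`, so it is recorded in Ansible's task output and logs and is visible in the process list on the host while it runs, and the values are not shell-quoted, so a username or password containing shell metacharacters breaks or alters the command. Unlike the two tasks above it, this task has no `become`, so writing to the root-owned `0600` file fails unless the connection user is already root, and `default(omit)` is the wrong fallback for a loop source — `default({})` gives an empty loop when the variable is undefined. `mosquitto_passwd -b` also rewrites the file on every run, so the task always reports changed and restarts the broker each play; whether that is acceptable depends on how often the role runs.

```yaml
- name: Add users to password file
  command: >-
    mosquitto_passwd -b {{ mosquitto_password_auth_file | quote }}
    {{ item.key | quote }} {{ item.value.password | quote }}
  with_dict: "{{ mosquitto_login_users | default({}) }}"
  no_log: true
  notify: __mosquitto_restart
  become: True
  become_user: root
```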
@@ -534,7 +534,11 @@ persistence_location {{ mosquitto_persistence_path | dirname }}
 # Defaults to true if no other security options are set. If any other
 # authentication options are set, then allow_anonymous defaults to false.
 #
-#allow_anonymous true
+{% if not mosquitto_password_auth_enabled %}
+allow_anonymous true
+{% else %}
+allow_anonymous false
+{% endif %}
 # -----------------------------------------------------------------
 # Default authentication and topic access control
@@ -552,7 +556,9 @@ persistence_location {{ mosquitto_persistence_path | dirname }}
 # See the TLS client require_certificate and use_identity_as_username options
 # for alternative authentication options. If an auth_plugin is used as well as
 # password_file, the auth_plugin check will be made first.
-#password_file
+{% if mosquitto_password_auth_enabled %}
+password_file {{ mosquitto_password_auth_file }}
+{% endif %}
 # Access may also be controlled using a pre-shared-key file. This requires
 # TLS-PSK support and a listener configured to use it. The file should be text
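Review bot: The `{% if not mosquitto_password_auth_enabled %}` branch writes `allow_anonymous true` explicitly, which overrides the behaviour described in the comment directly above it — the broker only defaults to anonymous access when no other security option is set and flips to false once one is — so a deployment that authenticates with TLS client certificates (the `require_certificate` / `use_identity_as_username` options named in the second hunk's context) now has anonymous access opened unless password auth is also switched on. Emitting the option only when it is meant to restrict keeps the broker's own default for every other configuration: `{% if mosquitto_password_auth_enabled %}` / `allow_anonymous false` / `{% endif %}`. If explicit control over anonymous access is wanted, a dedicated variable such as `mosquitto_allow_anonymous` would make the intent clear, but it would need a matching entry in defaults/main.yml.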