From 5b5b4cefa458ae473a557de365d105eb9d74af7f Mon Sep 17 00:00:00 2001
From: Robert Kaussow <mail@geeklabor.de>
Date: Mon, 5 Nov 2018 20:15:12 +0100
Subject: [PATCH] implement tasks to setup auth

---
 defaults/main.yml                         |  5 ++++
 tasks/config.yml                          | 30 +++++++++++++----------
 templates/etc/mosquitto/mosquitto.conf.j2 | 10 ++++++--
 3 files changed, 30 insertions(+), 15 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 01d6a9f..4c460e6 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -12,5 +12,10 @@ mosquitto_persistence_path: /var/lib/mosquitto/mosquitto.db
 
 mosquitto_iptables_enabled: False
 
+mosquitto_password_auth_enabled: False
+mosquitto_password_auth_file: "{{ mosquitto_base_dir }}/passwd"
+mosquitto_acl_enabled: False
+mosquitto_acl_file: "{{ mosquitto_base_dir }}/aclfile"
+
 mosquitto_tls_enabled: False
 mosquitto_ca_path: /etc/pki/tls/certs/
diff --git a/tasks/config.yml b/tasks/config.yml
index c140f96..ac7ef3c 100644
--- a/tasks/config.yml
+++ b/tasks/config.yml
@@ -1,17 +1,21 @@
 ---
-- block:
-    - name: Copy passwd file to '{{ mosquitto_passwd_path }}'
-      template:
-        src: "etc/mosquitto/passwd.j2"
-        dest: "{{ mosquitto_passwd_path }}"
-        owner: root
-        group: root
-        mode: 0600
-      register: __mosquitto_passwd
+- name: Check if password file '{{ mosquitto_password_auth_file }}' exists
+  stat:
+    path: "{{ mosquitto_password_auth_file }}"
+  register: __mosquitto_passwd
+  become: True
+  become_user: root
 
-    - name: Hash passwd file
-      shell: "mosquitto_passwd -U {{ mosquitto_passwd_path }}"
-      notify: __mosquitto_restart
-      when: __mosquitto_passwd.changed
+- name: Create password file if not exist
+  file:
+    path: "{{ mosquitto_password_auth_file }}"
+    mode: 0600
+    state: touch
   become: True
   become_user: root
+  when: not __mosquitto_passwd.stat.exists
+
+- name: Add users to password file
+  shell: "mosquitto_passwd -b {{ mosquitto_password_auth_file }} {{ item.name }} {{ item.value.password }}"
+  with_dict: "{{ mosquitto_login_users | default(omit) }}"
+  notify: __mosquitto_restart
diff --git a/templates/etc/mosquitto/mosquitto.conf.j2 b/templates/etc/mosquitto/mosquitto.conf.j2
index 679eb59..8c2f28c 100644
--- a/templates/etc/mosquitto/mosquitto.conf.j2
+++ b/templates/etc/mosquitto/mosquitto.conf.j2
@@ -534,7 +534,11 @@ persistence_location {{ mosquitto_persistence_path | dirname }}
 # Defaults to true if no other security options are set. If any other
 # authentication options are set, then allow_anonymous defaults to false.
 #
-#allow_anonymous true
+{% if not mosquitto_password_auth_enabled %}
+allow_anonymous true
+{% else %}
+allow_anonymous false
+{% endif %}
 
 # -----------------------------------------------------------------
 # Default authentication and topic access control
@@ -552,7 +556,9 @@ persistence_location {{ mosquitto_persistence_path | dirname }}
 # See the TLS client require_certificate and use_identity_as_username options
 # for alternative authentication options. If an auth_plugin is used as well as
 # password_file, the auth_plugin check will be made first.
-#password_file
+{% if mosquitto_password_auth_enabled %}
+password_file {{ mosquitto_password_auth_file }}
+{% endif %}
 
 # Access may also be controlled using a pre-shared-key file. This requires
 # TLS-PSK support and a listener configured to use it. The file should be text