implement tasks to setup auth

defaults/main.yml

@@ -12,5 +12,10 @@ mosquitto_persistence_path: /var/lib/mosquitto/mosquitto.db
 
 mosquitto_iptables_enabled: False
 
+mosquitto_password_auth_enabled: False
+mosquitto_password_auth_file: "{{ mosquitto_base_dir }}/passwd"
+mosquitto_acl_enabled: False
+mosquitto_acl_file: "{{ mosquitto_base_dir }}/aclfile"
+
 mosquitto_tls_enabled: False
 mosquitto_ca_path: /etc/pki/tls/certs/

tasks/config.yml

@@ -1,17 +1,21 @@
 ---
-- block:
-    - name: Copy passwd file to '{{ mosquitto_passwd_path }}'
-      template:
-        src: "etc/mosquitto/passwd.j2"
-        dest: "{{ mosquitto_passwd_path }}"
-        owner: root
-        group: root
-        mode: 0600
+- name: Check if password file '{{ mosquitto_password_auth_file }}' exists
+  stat:
+    path: "{{ mosquitto_password_auth_file }}"
   register: __mosquitto_passwd
-
-    - name: Hash passwd file
-      shell: "mosquitto_passwd -U {{ mosquitto_passwd_path }}"
-      notify: __mosquitto_restart
-      when: __mosquitto_passwd.changed
   become: True
   become_user: root
+
+- name: Create password file if not exist
+  file:
+    path: "{{ mosquitto_password_auth_file }}"
+    mode: 0600
+    state: touch
+  become: True
+  become_user: root
+  when: not __mosquitto_passwd.stat.exists
+
+- name: Add users to password file
+  shell: "mosquitto_passwd -b {{ mosquitto_password_auth_file }} {{ item.name }} {{ item.value.password }}"
+  with_dict: "{{ mosquitto_login_users | default(omit) }}"
+  notify: __mosquitto_restart

templates/etc/mosquitto/mosquitto.conf.j2

@@ -534,7 +534,11 @@ persistence_location {{ mosquitto_persistence_path | dirname }}
 # Defaults to true if no other security options are set. If any other
 # authentication options are set, then allow_anonymous defaults to false.
 #
-#allow_anonymous true
+{% if not mosquitto_password_auth_enabled %}
+allow_anonymous true
+{% else %}
+allow_anonymous false
+{% endif %}
 
 # -----------------------------------------------------------------
 # Default authentication and topic access control
@@ -552,7 +556,9 @@ persistence_location {{ mosquitto_persistence_path | dirname }}
 # See the TLS client require_certificate and use_identity_as_username options
 # for alternative authentication options. If an auth_plugin is used as well as
 # password_file, the auth_plugin check will be made first.
-#password_file
+{% if mosquitto_password_auth_enabled %}
+password_file {{ mosquitto_password_auth_file }}
+{% endif %}
 
 # Access may also be controlled using a pre-shared-key file. This requires
 # TLS-PSK support and a listener configured to use it. The file should be text