support tls setup

defaults/main.yml

@@ -1,9 +1,15 @@
 mosquitto_user: mosquitto
 mosquitto_group: mosquitto
-mosquitto_port: 61000
+mosquitto_port: 1883
 mosquitto_bind_address: "{{ ansible_default_ipv4.address }}"
 mosquitto_pid_dir: /var/run
 mosquitto_base_dir: /etc/mosquitto
 mosquitto_config_dir: "{{ mosquitto_base_dir }}/conf.d"
+mosquitto_ca_dir: "{{ mosquitto_base_dir }}/ca_certificates"
+mosquitto_certs_dir: "{{ mosquitto_base_dir }}/certs"
+mosquitto_ca_file: "{{ mosquitto_ca_dir }}/ca.pem"
+mosquitto_private_key_file: "{{ mosquitto_certs_dir }}/mttq.key"
+mosquitto_cert_file: "{{ mosquitto_certs_dir }}/mttq.pem"
 mosquitto_passwd_file: "{{ mosquitto_base_dir }}/passwd"
 mosquitto_pid_file: "{{ mosquitto_pid_dir }}/mosquitto.pid"
+mosquitto_tls_enabled: False

handlers/main.yml

@@ -4,5 +4,6 @@
     state: restarted
     daemon_reload: yes
     name: mosquitto
+    enabled: yes
   listen:
     - "mosquitto_restart"

tasks/config.yml

@@ -0,0 +1,62 @@
+---
+- name: Copy passwd files
+  template:
+    src: "etc/mosquitto/passwd.j2"
+    dest: "{{ mosquitto_passwd_file }}"
+    owner: root
+    group: root
+    mode: 0600
+
+- name: Hash passwd file
+  shell: "mosquitto_passwd -U {{ mosquitto_passwd_file }}"
+  notify:
+    - mosquitto_restart
+
+- name: Copy TLS CA Stack
+  block:
+  - name: Copy tls chained certs
+    copy:
+      content: "{{ mosquitto_ca_content }}"
+      dest: "{{ mosquitto_ca_file }}"
+      owner: root
+      group: root
+      mode: 0644
+    notify:
+      - mosquitto_restart
+
+  - name: Copy tls intermediate CA
+    copy:
+      content: "{{ mosquitto_cert_content }}"
+      dest: "{{ mosquitto_cert_file }}"
+      owner: root
+      group: root
+      mode: 0644
+    notify:
+      - mosquitto_restart
+
+  - name: Copy tls private key
+    copy:
+      content: "{{ mosquitto_private_key_content }}"
+      dest: "{{ mosquitto_private_key_file }}"
+      owner: root
+      group: root
+      mode: 0600
+    notify:
+      - mosquitto_restart
+  when: mosquitto_tls_enabled
+
+- name: Open port for mttq
+  iptables_raw:
+    name: allow_mttq_port
+    state: present
+    rules: '-A INPUT -m state --state NEW -p tcp --dport {{ mosquitto_port }} -j ACCEPT'
+
+- name: Copy systemd unit files
+  template:
+    src: "etc/systemd/system/mosquitto.service.j2"
+    dest: "/etc/systemd/system/mosquitto.service"
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - mosquitto_restart

tasks/install.yml

@@ -37,39 +37,3 @@
     mode: 0644
   notify:
     - mosquitto_restart
-
-- name: Copy passwd files
-  template:
-    src: "etc/mosquitto/passwd.j2"
-    dest: "{{ mosquitto_passwd_file }}"
-    owner: root
-    group: root
-    mode: 0600
-
-- name: Hash passwd file
-  shell: "mosquitto_passwd -U {{ mosquitto_passwd_file }}"
-  notify:
-    - mosquitto_restart
-
-- name: Open port for mttq
-  iptables_raw:
-    name: allow_mttq_port
-    state: present
-    rules: '-A INPUT -m state --state NEW -p tcp --dport {{ mosquitto_port }} -j ACCEPT'
-
-- name: Copy systemd unit files
-  template:
-    src: "etc/systemd/system/mosquitto.service.j2"
-    dest: "/etc/systemd/system/mosquitto.service"
-    owner: root
-    group: root
-    mode: 0644
-  notify:
-    - mosquitto_restart
-
-- name: Enable systemd service
-  systemd:
-    state: started
-    daemon_reload: yes
-    enabled: yes
-    name: mosquitto

tasks/main.yml

@@ -1,2 +1,3 @@
 ---
 - include_tasks: install.yml
+- include_tasks: config.yml

templates/etc/mosquitto/conf.d/default.conf.j2

@@ -18,3 +18,10 @@ log_timestamp true
 connection_messages true
 allow_anonymous false
 password_file {{ mosquitto_passwd_file }}
+
+{% if mosquitto_tls_enabled %}
+cafile {{ mosquitto_ca_file }}
+certfile {{ mosquitto_cert_file }}
+keyfile {{ mosquitto_private_key_file }}
+require_certificate true
+{% endif %}