From b90ef48c51da97f0b20b1c2eb20427ea954351ff Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Mon, 5 Nov 2018 00:31:54 +0100
Subject: [PATCH] add task for iptables

---
 defaults/main.yml | 2 ++
 tasks/config.yml | 75 ++++++++++-------------------------------------
 tasks/install.yml | 7 +++++
 3 files changed, 24 insertions(+), 60 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 8cd2edb..01d6a9f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -10,5 +10,7 @@ mosquitto_bind_address: "{{ ansible_default_ipv4.address }}" mosquitto_persistence_enabled: False mosquitto_persistence_path: /var/lib/mosquitto/mosquitto.db +mosquitto_iptables_enabled: False + mosquitto_tls_enabled: False mosquitto_ca_path: /etc/pki/tls/certs/
diff --git a/tasks/config.yml b/tasks/config.yml
index 32ecccc..c140f96 100644
--- a/tasks/config.yml
+++ b/tasks/config.yml
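Review bot: The new `mosquitto_iptables_enabled: False` default should carry a comment, because it silently changes behaviour for existing users: the `Open port for mttq` task that tasks/config.yml used to run unconditionally is now only applied when this flag is true, so after upgrading the role the port is no longer opened unless the variable is set explicitly. Suggest a comment above the new line such as `# Opt-in: when true, install.yml adds an iptables ACCEPT rule for mosquitto_port (needs the iptables_raw module)`, and a sentence in the commit message or README noting that the firewall rule went from always-on to off by default.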
@@ -1,62 +1,17 @@
 ---
-- name: Copy passwd files
- template:
- src: "etc/mosquitto/passwd.j2"
- dest: "{{ mosquitto_passwd_file }}"
- owner: root
- group: root
- mode: 0600
+- block:
+ - name: Copy passwd file to '{{ mosquitto_passwd_path }}'
+ template:
+ src: "etc/mosquitto/passwd.j2"
+ dest: "{{ mosquitto_passwd_path }}"
+ owner: root
+ group: root
+ mode: 0600
+ register: __mosquitto_passwd
 
-- name: Hash passwd file
- shell: "mosquitto_passwd -U {{ mosquitto_passwd_file }}"
- notify:
- - mosquitto_restart
-
-- name: Copy TLS CA Stack
- block:
- - name: Copy tls chained certs
- copy:
- content: "{{ mosquitto_ca_content }}"
- dest: "{{ mosquitto_ca_file }}"
- owner: root
- group: root
- mode: 0644
- notify:
- - mosquitto_restart
-
- - name: Copy tls intermediate CA
- copy:
- content: "{{ mosquitto_cert_content }}"
- dest: "{{ mosquitto_cert_file }}"
- owner: root
- group: root
- mode: 0644
- notify:
- - mosquitto_restart
-
- - name: Copy tls private key
- copy:
- content: "{{ mosquitto_private_key_content }}"
- dest: "{{ mosquitto_private_key_file }}"
- owner: root
- group: root
- mode: 0600
- notify:
- - mosquitto_restart
- when: mosquitto_tls_enabled
-
-- name: Open port for mttq
- iptables_raw:
- name: allow_mttq_port
- state: present
- rules: '-A INPUT -m state --state NEW -p tcp --dport {{ mosquitto_port }} -j ACCEPT'
-
-- name: Copy systemd unit files
- template:
- src: "etc/systemd/system/mosquitto.service.j2"
- dest: "/etc/systemd/system/mosquitto.service"
- owner: root
- group: root
- mode: 0644
- notify:
- - mosquitto_restart
+ - name: Hash passwd file
+ shell: "mosquitto_passwd -U {{ mosquitto_passwd_path }}"
+ notify: __mosquitto_restart
+ when: __mosquitto_passwd.changed
+ become: True
+ become_user: root
diff --git a/tasks/install.yml b/tasks/install.yml
index d211185..113beee 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
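Review bot: The `Hash passwd file` task runs one command with no pipes, globs or redirects, so `command: "mosquitto_passwd -U {{ mosquitto_passwd_path }}"` instead of `shell:` keeps the templated path out of a shell parser. The `when: __mosquitto_passwd.changed` gate only gives idempotence if the rendered template still matches the file after hashing; if `mosquitto_passwd -U` rewrites `mosquitto_passwd_path` in place with hashes, the next run's template will differ again and the file will be re-copied, re-hashed and the handler fired on every run — worth confirming against passwd.j2, which is outside this patch. The `Copy TLS CA Stack` block is dropped here with no replacement anywhere in the patch while `mosquitto_tls_enabled` and `mosquitto_ca_path` remain in defaults/main.yml; if those tasks moved elsewhere, the commit message should say so. Finally, `mode: 0600` is safer written as `mode: '0600'` so the octal value does not depend on the YAML loader's integer parsing.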
@@ -26,5 +26,12 @@
 group: root
 mode: 0644
 notify: __mosquitto_restart
+
+ - name: Open port in iptables
+ iptables_raw:
+ name: allow_mosquitto_port
+ state: present
+ rules: '-A INPUT -m state --state NEW -p tcp --dport {{ mosquitto_port }} -j ACCEPT'
+ when: mosquitto_iptables_enabled
 become: True
 become_user: root
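Review bot: The rule is only ever asserted as `state: present` behind `when: mosquitto_iptables_enabled`, so an operator who later sets the flag back to false keeps the ACCEPT rule in place; driving the state from the flag instead, `state: "{{ 'present' if mosquitto_iptables_enabled else 'absent' }}"` with the `when:` removed, makes the toggle reversible (assuming the module is available on every host the role runs on). The rule also accepts new TCP connections on `mosquitto_port` from any source on any interface; an optional source-CIDR variable rendered into the rule would let deployments limit it to the clients that need the broker. `iptables_raw` does not appear to be a core Ansible module, so the role's dependency on it belongs in the README or meta. The enclosing `block:` with `become: True` starts outside the hunk.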