add task for iptables

defaults/main.yml

@@ -10,5 +10,7 @@ mosquitto_bind_address: "{{ ansible_default_ipv4.address }}"
 mosquitto_persistence_enabled: False
 mosquitto_persistence_path: /var/lib/mosquitto/mosquitto.db
 
+mosquitto_iptables_enabled: False
+
 mosquitto_tls_enabled: False
 mosquitto_ca_path: /etc/pki/tls/certs/

tasks/config.yml

@@ -1,62 +1,17 @@
 ---
-- name: Copy passwd files
-  template:
-    src: "etc/mosquitto/passwd.j2"
-    dest: "{{ mosquitto_passwd_file }}"
-    owner: root
-    group: root
-    mode: 0600
+- block:
+    - name: Copy passwd file to '{{ mosquitto_passwd_path }}'
+      template:
+        src: "etc/mosquitto/passwd.j2"
+        dest: "{{ mosquitto_passwd_path }}"
+        owner: root
+        group: root
+        mode: 0600
+      register: __mosquitto_passwd
 
-- name: Hash passwd file
-  shell: "mosquitto_passwd -U {{ mosquitto_passwd_file }}"
-  notify:
-    - mosquitto_restart
-
-- name: Copy TLS CA Stack
-  block:
-  - name: Copy tls chained certs
-    copy:
-      content: "{{ mosquitto_ca_content }}"
-      dest: "{{ mosquitto_ca_file }}"
-      owner: root
-      group: root
-      mode: 0644
-    notify:
-      - mosquitto_restart
-
-  - name: Copy tls intermediate CA
-    copy:
-      content: "{{ mosquitto_cert_content }}"
-      dest: "{{ mosquitto_cert_file }}"
-      owner: root
-      group: root
-      mode: 0644
-    notify:
-      - mosquitto_restart
-
-  - name: Copy tls private key
-    copy:
-      content: "{{ mosquitto_private_key_content }}"
-      dest: "{{ mosquitto_private_key_file }}"
-      owner: root
-      group: root
-      mode: 0600
-    notify:
-      - mosquitto_restart
-  when: mosquitto_tls_enabled
-
-- name: Open port for mttq
-  iptables_raw:
-    name: allow_mttq_port
-    state: present
-    rules: '-A INPUT -m state --state NEW -p tcp --dport {{ mosquitto_port }} -j ACCEPT'
-
-- name: Copy systemd unit files
-  template:
-    src: "etc/systemd/system/mosquitto.service.j2"
-    dest: "/etc/systemd/system/mosquitto.service"
-    owner: root
-    group: root
-    mode: 0644
-  notify:
-    - mosquitto_restart
+    - name: Hash passwd file
+      shell: "mosquitto_passwd -U {{ mosquitto_passwd_path }}"
+      notify: __mosquitto_restart
+      when: __mosquitto_passwd.changed
+  become: True
+  become_user: root

tasks/install.yml

@@ -26,5 +26,12 @@
         group: root
         mode: 0644
       notify: __mosquitto_restart
+
+    - name: Open port in iptables
+      iptables_raw:
+        name: allow_mosquitto_port
+        state: present
+        rules: '-A INPUT -m state --state NEW -p tcp --dport {{ mosquitto_port }} -j ACCEPT'
+      when: mosquitto_iptables_enabled
   become: True
   become_user: root