add tls setup

2018-11-07 23:05:47 +01:00 · 2018-11-07 23:05:47 +01:00 · c298b50ca5
parent 4f5f167085
commit c298b50ca5
5 changed files with 81 additions and 4 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -38,4 +38,23 @@ mosquitto_acl_file: "{{ mosquitto_base_dir }}/aclfile"


 mosquitto_tls_enabled: False
+mosquitto_tls_ciphers:
+  - DEFAULT
+  - "!aNULL"
+  - "!eNULL"
+  - "!LOW"
+  - "!EXPORT"
+  - "!SSLv2"
+  - "@STRENGTH"
 mosquitto_ca_path: /etc/pki/tls/certs/
+# You can deploy your certificates from a file or from content.
+# If you enable mosquitto_tls_source_use_content you have to put the content of your cert files into
+# mosquitto_tls_cert_file and mosquitto_tls_cert_file.
+mosquitto_tls_source_use_content: False
+# If you enable mosquitto_tls_source_use_files theses variables have to contain the path to your
+# certificate files located on the ansible "master" host
+mosquitto_tls_source_use_files: True
+mosquitto_tls_cert_source: mycert.pem
+mosquitto_tls_key_source: mykey.pem
+mosquitto_tls_cert_file: "{{ mosquitto_base_dir }}/tls/certs/mycert.pem"
+mosquitto_tls_key_file: "{{ mosquitto_base_dir }}/tls/private/mykey.pem"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,3 +1,7 @@
 ---
 - import_tasks: install.yml
 - import_tasks: config.yml
+- import_tasks: tls.yml
+  when: mosquitto_tls_enabled
+  tags: tls_renewal
+- import_tasks: post_tasks.yml
--- a/tasks/post_tasks.yml
+++ b/tasks/post_tasks.yml
@ -0,0 +1,9 @@
+---
+- name: Ensure mosquitto service is up and running
+  systemd:
+    state: started
+    daemon_reload: yes
+    enabled: yes
+    name: mosquitto
+  become: True
+  become_user: root
--- a/tasks/tls.yml
+++ b/tasks/tls.yml
@ -0,0 +1,43 @@
+---
+- block:
+  - name: Create tls folder structure
+    file:
+      path: "{{ item }}"
+      state: directory
+      owner: root
+      group: root
+      recurse: True
+    with_items:
+      - "{{ mosquitto_tls_cert_path | dirname }}"
+      - "{{ mosquitto_tls_key_path | dirname }}"
+  become: True
+  become_user: root
+
+- block:
+  - name: Copy certs and private key (file)
+    copy:
+      src: "{{ item.src }}"
+      dest: "{{ item.dest }}"
+      mode: "{{ item.mode }}"
+    with_items:
+      - { src: "{{ mosquitto_tls_key_source }}", dest: '{{ mosquitto_tls_key_path }}', mode: '0600' }
+      - { src: "{{ mosquitto_tls_cert_source }}", dest: '{{ mosquitto_tls_cert_path }}', mode: '0750' }
+    loop_control:
+      label: "{{ item.dest }}"
+    register: __mosquitto_certs_file
+    when: mosquitto_tls_source_use_files
+
+  - name: Copy certs and private key (content)
+    copy:
+      content: "{{ item.src }}"
+      dest: "{{ item.dest }}"
+      mode: "{{ item.mode }}"
+    with_items:
+      - { src: "{{ mosquitto_tls_key_source }}", dest: '{{ mosquitto_tls_key_path }}', mode: '0600' }
+      - { src: "{{ mosquitto_tls_cert_source }}", dest: '{{ mosquitto_tls_cert_path }}', mode: '0750' }
+    loop_control:
+      label: "{{ item.dest }}"
+    register: __mosquitto_certs_content
+    when: mosquitto_tls_source_use_content
+  become: True
+  become_user: "{{ mosquitto_user }}"
--- a/templates/etc/mosquitto/mosquitto.conf.j2
+++ b/templates/etc/mosquitto/mosquitto.conf.j2
@ -186,6 +186,7 @@ port {{ mosquitto_port }}
 # See also use_identity_as_username.
 #use_username_as_clientid

+{% if mosquitto_tls_enabled %}
 # -----------------------------------------------------------------
 # Certificate based SSL/TLS support
 # -----------------------------------------------------------------
@ -208,15 +209,15 @@ port {{ mosquitto_port }}
 capath {{ mosquitto_ca_path }}

 # Path to the PEM encoded server certificate.
-#certfile
+certfile {{ mosquitto_tls_cert_file }}

 # Path to the PEM encoded keyfile.
-#keyfile
+keyfile {{ mosquitto_tls_key_file }}

 # This option defines the version of the TLS protocol to use for this listener.
 # The default value allows v1.2, v1.1 and v1.0. The valid values are tlsv1.2
 # tlsv1.1 and tlsv1.
-#tls_version
+tls_version tlsv1.2

 # By default a TLS enabled listener will operate in a similar fashion to a
 # https enabled web server, in that the server has a certificate signed by a CA
@ -250,7 +251,8 @@ capath {{ mosquitto_ca_path }}
 # ciphers" command and should be provided in the same format as the output of
 # that command.
 # If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
-#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
+ciphers {{ mosquitto_tls_ciphers | join(':') }}
+{% endif %}

 # -----------------------------------------------------------------
 # Pre-shared-key based SSL/TLS support