add tls setup

This commit is contained in:
Robert Kaussow 2018-11-07 23:05:47 +01:00
parent 4f5f167085
commit c298b50ca5
5 changed files with 81 additions and 4 deletions

View File

@ -38,4 +38,23 @@ mosquitto_acl_file: "{{ mosquitto_base_dir }}/aclfile"
mosquitto_tls_enabled: False mosquitto_tls_enabled: False
mosquitto_tls_ciphers:
- DEFAULT
- "!aNULL"
- "!eNULL"
- "!LOW"
- "!EXPORT"
- "!SSLv2"
- "@STRENGTH"
mosquitto_ca_path: /etc/pki/tls/certs/ mosquitto_ca_path: /etc/pki/tls/certs/
# You can deploy your certificates from a file or from content.
# If you enable mosquitto_tls_source_use_content you have to put the content of your cert files into
# mosquitto_tls_cert_file and mosquitto_tls_cert_file.
mosquitto_tls_source_use_content: False
# If you enable mosquitto_tls_source_use_files theses variables have to contain the path to your
# certificate files located on the ansible "master" host
mosquitto_tls_source_use_files: True
mosquitto_tls_cert_source: mycert.pem
mosquitto_tls_key_source: mykey.pem
mosquitto_tls_cert_file: "{{ mosquitto_base_dir }}/tls/certs/mycert.pem"
mosquitto_tls_key_file: "{{ mosquitto_base_dir }}/tls/private/mykey.pem"

View File

@ -1,3 +1,7 @@
--- ---
- import_tasks: install.yml - import_tasks: install.yml
- import_tasks: config.yml - import_tasks: config.yml
- import_tasks: tls.yml
when: mosquitto_tls_enabled
tags: tls_renewal
- import_tasks: post_tasks.yml

9
tasks/post_tasks.yml Normal file
View File

@ -0,0 +1,9 @@
---
- name: Ensure mosquitto service is up and running
systemd:
state: started
daemon_reload: yes
enabled: yes
name: mosquitto
become: True
become_user: root

43
tasks/tls.yml Normal file
View File

@ -0,0 +1,43 @@
---
- block:
- name: Create tls folder structure
file:
path: "{{ item }}"
state: directory
owner: root
group: root
recurse: True
with_items:
- "{{ mosquitto_tls_cert_path | dirname }}"
- "{{ mosquitto_tls_key_path | dirname }}"
become: True
become_user: root
- block:
- name: Copy certs and private key (file)
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
with_items:
- { src: "{{ mosquitto_tls_key_source }}", dest: '{{ mosquitto_tls_key_path }}', mode: '0600' }
- { src: "{{ mosquitto_tls_cert_source }}", dest: '{{ mosquitto_tls_cert_path }}', mode: '0750' }
loop_control:
label: "{{ item.dest }}"
register: __mosquitto_certs_file
when: mosquitto_tls_source_use_files
- name: Copy certs and private key (content)
copy:
content: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
with_items:
- { src: "{{ mosquitto_tls_key_source }}", dest: '{{ mosquitto_tls_key_path }}', mode: '0600' }
- { src: "{{ mosquitto_tls_cert_source }}", dest: '{{ mosquitto_tls_cert_path }}', mode: '0750' }
loop_control:
label: "{{ item.dest }}"
register: __mosquitto_certs_content
when: mosquitto_tls_source_use_content
become: True
become_user: "{{ mosquitto_user }}"

View File

@ -186,6 +186,7 @@ port {{ mosquitto_port }}
# See also use_identity_as_username. # See also use_identity_as_username.
#use_username_as_clientid #use_username_as_clientid
{% if mosquitto_tls_enabled %}
# ----------------------------------------------------------------- # -----------------------------------------------------------------
# Certificate based SSL/TLS support # Certificate based SSL/TLS support
# ----------------------------------------------------------------- # -----------------------------------------------------------------
@ -208,15 +209,15 @@ port {{ mosquitto_port }}
capath {{ mosquitto_ca_path }} capath {{ mosquitto_ca_path }}
# Path to the PEM encoded server certificate. # Path to the PEM encoded server certificate.
#certfile certfile {{ mosquitto_tls_cert_file }}
# Path to the PEM encoded keyfile. # Path to the PEM encoded keyfile.
#keyfile keyfile {{ mosquitto_tls_key_file }}
# This option defines the version of the TLS protocol to use for this listener. # This option defines the version of the TLS protocol to use for this listener.
# The default value allows v1.2, v1.1 and v1.0. The valid values are tlsv1.2 # The default value allows v1.2, v1.1 and v1.0. The valid values are tlsv1.2
# tlsv1.1 and tlsv1. # tlsv1.1 and tlsv1.
#tls_version tls_version tlsv1.2
# By default a TLS enabled listener will operate in a similar fashion to a # By default a TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a CA # https enabled web server, in that the server has a certificate signed by a CA
@ -250,7 +251,8 @@ capath {{ mosquitto_ca_path }}
# ciphers" command and should be provided in the same format as the output of # ciphers" command and should be provided in the same format as the output of
# that command. # that command.
# If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH # If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH ciphers {{ mosquitto_tls_ciphers | join(':') }}
{% endif %}
# ----------------------------------------------------------------- # -----------------------------------------------------------------
# Pre-shared-key based SSL/TLS support # Pre-shared-key based SSL/TLS support