ansible
/
xoxys.mosquitto
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: ansible:main
Branches Tags
ansible:main
ansible:docs
...
pull from: ansible:docs
Branches Tags
ansible:main
ansible:docs

No commits in common. "main" and "docs" have entirely different histories.
main ... docs

34 changed files with 263 additions and 2077 deletions
Show Stats Expand all files Collapse all files

161
.drone.jsonnet
View File

@ -1,161 +0,0 @@
local PipelineLinting = {
kind: 'pipeline',
name: 'linting',
platform: {
os: 'linux',
arch: 'amd64',
},
steps: [
{
name: 'ansible-later',
image: 'thegeeklab/ansible-later',
commands: [
'ansible-later',
],
},
{
name: 'python-format',
image: 'python:3.11',
environment: {
PY_COLORS: 1,
},
commands: [
'pip install -qq yapf',
'[ -z "$(find . -type f -name *.py)" ] || (yapf -rd ./)',
],
},
{
name: 'python-flake8',
image: 'python:3.11',
environment: {
PY_COLORS: 1,
},
commands: [
'pip install -qq flake8',
'flake8',
],
},
],
trigger: {
ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
},
};
local PipelineDeployment(scenario='centos7') = {
kind: 'pipeline',
name: 'testing-' + scenario,
platform: {
os: 'linux',
arch: 'amd64',
},
concurrency: {
limit: 1,
},
workspace: {
base: '/drone/src',
path: '${DRONE_REPO_NAME}',
},
steps: [
{
name: 'ansible-molecule',
image: 'thegeeklab/molecule:4',
environment: {
HCLOUD_TOKEN: { from_secret: 'hcloud_token' },
},
commands: [
'molecule test -s ' + scenario,
],
},
],
depends_on: [
'linting',
],
trigger: {
ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
},
};
local PipelineDocumentation = {
kind: 'pipeline',
name: 'documentation',
platform: {
os: 'linux',
arch: 'amd64',
},
steps: [
{
name: 'generate',
image: 'thegeeklab/ansible-doctor',
environment: {
ANSIBLE_DOCTOR_LOG_LEVEL: 'INFO',
ANSIBLE_DOCTOR_FORCE_OVERWRITE: true,
ANSIBLE_DOCTOR_EXCLUDE_FILES: 'molecule/',
ANSIBLE_DOCTOR_TEMPLATE: 'hugo-book',
ANSIBLE_DOCTOR_ROLE_NAME: '${DRONE_REPO_NAME#*.}',
ANSIBLE_DOCTOR_OUTPUT_DIR: '_docs/',
},
},
{
name: 'publish',
image: 'plugins/gh-pages',
settings: {
remote_url: 'https://gitea.rknet.org/ansible/${DRONE_REPO_NAME}',
netrc_machine: 'gitea.rknet.org',
username: { from_secret: 'gitea_username' },
password: { from_secret: 'gitea_token' },
pages_directory: '_docs/',
target_branch: 'docs',
},
when: {
ref: ['refs/heads/main'],
},
},
],
trigger: {
ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
},
depends_on: [
'testing-centos7',
'testing-rocky8',
],
};
local PipelineNotification = {
kind: 'pipeline',
name: 'notification',
platform: {
os: 'linux',
arch: 'amd64',
},
clone: {
disable: true,
},
steps: [
{
name: 'matrix',
image: 'thegeeklab/drone-matrix',
settings: {
homeserver: { from_secret: 'matrix_homeserver' },
roomid: { from_secret: 'matrix_roomid' },
template: 'Status: **{{ .Build.Status }}**<br/> Build: [{{ .Repo.Owner }}/{{ .Repo.Name }}]({{ .Build.Link }}){{ if .Build.Branch }} ({{ .Build.Branch }}){{ end }} by {{ .Commit.Author }}<br/> Message: {{ .Commit.Message.Title }}',
username: { from_secret: 'matrix_username' },
password: { from_secret: 'matrix_password' },
},
},
],
depends_on: [
'documentation',
],
trigger: {
status: ['success', 'failure'],
ref: ['refs/heads/main', 'refs/tags/**'],
},
};
[
PipelineLinting,
PipelineDeployment(scenario='centos7'),
PipelineDeployment(scenario='rocky8'),
PipelineDocumentation,
PipelineNotification,
]

187
.drone.yml
View File

@ -1,187 +0,0 @@
---
kind: pipeline
name: linting
platform:
os: linux
arch: amd64
steps:
- name: ansible-later
image: thegeeklab/ansible-later
commands:
- ansible-later
- name: python-format
image: python:3.11
commands:
- pip install -qq yapf
- "[ -z \"$(find . -type f -name *.py)\" ] || (yapf -rd ./)"
environment:
PY_COLORS: 1
- name: python-flake8
image: python:3.11
commands:
- pip install -qq flake8
- flake8
environment:
PY_COLORS: 1
trigger:
ref:
- refs/heads/main
- refs/tags/**
- refs/pull/**
---
kind: pipeline
name: testing-centos7
platform:
os: linux
arch: amd64
concurrency:
limit: 1
workspace:
base: /drone/src
path: ${DRONE_REPO_NAME}
steps:
- name: ansible-molecule
image: thegeeklab/molecule:4
commands:
- molecule test -s centos7
environment:
HCLOUD_TOKEN:
from_secret: hcloud_token
trigger:
ref:
- refs/heads/main
- refs/tags/**
- refs/pull/**
depends_on:
- linting
---
kind: pipeline
name: testing-rocky8
platform:
os: linux
arch: amd64
concurrency:
limit: 1
workspace:
base: /drone/src
path: ${DRONE_REPO_NAME}
steps:
- name: ansible-molecule
image: thegeeklab/molecule:4
commands:
- molecule test -s rocky8
environment:
HCLOUD_TOKEN:
from_secret: hcloud_token
trigger:
ref:
- refs/heads/main
- refs/tags/**
- refs/pull/**
depends_on:
- linting
---
kind: pipeline
name: documentation
platform:
os: linux
arch: amd64
steps:
- name: generate
image: thegeeklab/ansible-doctor
environment:
ANSIBLE_DOCTOR_EXCLUDE_FILES: molecule/
ANSIBLE_DOCTOR_FORCE_OVERWRITE: true
ANSIBLE_DOCTOR_LOG_LEVEL: INFO
ANSIBLE_DOCTOR_OUTPUT_DIR: _docs/
ANSIBLE_DOCTOR_ROLE_NAME: ${DRONE_REPO_NAME#*.}
ANSIBLE_DOCTOR_TEMPLATE: hugo-book
- name: publish
image: plugins/gh-pages
settings:
netrc_machine: gitea.rknet.org
pages_directory: _docs/
password:
from_secret: gitea_token
remote_url: https://gitea.rknet.org/ansible/${DRONE_REPO_NAME}
target_branch: docs
username:
from_secret: gitea_username
when:
ref:
- refs/heads/main
trigger:
ref:
- refs/heads/main
- refs/tags/**
- refs/pull/**
depends_on:
- testing-centos7
- testing-rocky8
---
kind: pipeline
name: notification
platform:
os: linux
arch: amd64
clone:
disable: true
steps:
- name: matrix
image: thegeeklab/drone-matrix
settings:
homeserver:
from_secret: matrix_homeserver
password:
from_secret: matrix_password
roomid:
from_secret: matrix_roomid
template: "Status: **{{ .Build.Status }}**<br/> Build: [{{ .Repo.Owner }}/{{ .Repo.Name }}]({{ .Build.Link }}){{ if .Build.Branch }} ({{ .Build.Branch }}){{ end }} by {{ .Commit.Author }}<br/> Message: {{ .Commit.Message.Title }}"
username:
from_secret: matrix_username
trigger:
ref:
- refs/heads/main
- refs/tags/**
status:
- success
- failure
depends_on:
- documentation
---
kind: signature
hmac: 38fb753c217b5efa3d18c0e23db8a2f3323d4cc54b100f8a0d40847b1f1b4118
...

13
.gitignore vendored
View File

@ -1,13 +0,0 @@
# ---> Ansible
*.retry
filter/plugins/
library
# ---> Python
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# ---> Docs
/_docs

19
.later.yml
View File

@ -1,19 +0,0 @@
---
ansible:
custom_modules:
- iptables_raw
- openssl_pkcs12
- proxmox_kvm
- ucr
- corenetworks_dns
- corenetworks_token
rules:
exclude_files:
- molecule/
- "LICENSE*"
- "**/*.md"
- "**/*.ini"
exclude_filter:
- LINT0009

21
LICENSE
View File

@ -1,21 +0,0 @@
MIT License
Copyright (c) 2022 Robert Kaussow <mail@thegeeklab.de>
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished
to do so, subject to the following conditions:
The above copyright notice and this permission notice (including the next
paragraph) shall be included in all copies or substantial portions of the
Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

12
README.md
View File

@ -1,12 +0,0 @@
# xoxys.mosquitto
[![Build Status](https://img.shields.io/drone/build/ansible/xoxys.mosquitto?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.mosquitto)
[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
Setup [mosquitto](https://mosquitto.org/) mqtt broker. Eclipse Mosquitto is a message broker that implements the MQTT protocol. It is lightweight and suitable for use on all devices from low power single board computers to full servers.
You can find the full documentation at [https://galaxy.geekdocs.de](https://galaxy.geekdocs.de/roles/IoT/mosquitto/).
## License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

59
defaults/main.yml
View File

@ -1,59 +0,0 @@
---
mosquitto_base_dir: /etc/mosquitto
mosquitto_pid_file: /var/run/mosquitto.pid
mosquitto_user: mosquitto
mosquitto_group: mosquitto
mosquitto_port: 1883
mosquitto_bind_address: "{{ ansible_default_ipv4.address }}"
mosquitto_packages_extra: []
mosquitto_persistence_enabled: False
mosquitto_persistence_path: /var/lib/mosquitto/mosquitto.db
mosquitto_password_auth_enabled: False
mosquitto_password_auth_file: "{{ mosquitto_base_dir }}/passwd"
mosquitto_password_auth_users: []
# @var mosquitto_password_auth_users:example: >
# mosquitto_password_auth_users:
# - name: admin
# password: mysecret
# state: present
# - name: user1
# password: very_secure
# state: absent
# @end
mosquitto_acl_enabled: False
mosquitto_acl_file: "{{ mosquitto_base_dir }}/aclfile"
mosquitto_acl: []
# @var mosquitto_acl:example: >
# mosquitto_acl:
# - name: iot
# user: admin
# acls:
# - acl_base: topic # (topic|pattern, defaults to topic)
# acl_topic: "#"
# acl_policy: readwrite
# - name: readonly_iot
# user: user1
# acls:
# - acl_base: topic
# acl_topic: my/devices
# acl_policy: readwrite
# @end
mosquitto_tls_enabled: False
mosquitto_tls_ciphers:
- DEFAULT
- "!aNULL"
- "!eNULL"
- "!LOW"
- "!EXPORT"
- "!SSLv2"
- "@STRENGTH"
mosquitto_ca_path: /etc/pki/tls/certs/
mosquitto_tls_cert_source: mycert.pem
mosquitto_tls_key_source: mykey.pem
mosquitto_tls_cert_path: "{{ mosquitto_base_dir }}/tls/certs/mycert.pem"
mosquitto_tls_key_path: "{{ mosquitto_base_dir }}/tls/private/mykey.pem"

10
handlers/main.yml
View File

@ -1,10 +0,0 @@
---
- name: Restart mosquitto service
service:
state: restarted
daemon_reload: yes
name: mosquitto
enabled: yes
listen: __mosquitto_restart
become: True
become_user: root

263
index.md Normal file
View File

@ -0,0 +1,263 @@
---
title: mosquitto
type: docs
---
[![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.mosquitto) [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.mosquitto?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.mosquitto) [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.mosquitto/src/branch/main/LICENSE)
Setup [mosquitto](https://mosquitto.org/) mqtt broker. Eclipse Mosquitto is a message broker that implements the MQTT protocol. It is lightweight and suitable for use on all devices from low power single board computers to full servers.
<!--more-->
- [Default Variables](#default-variables)
- [mosquitto_acl](#mosquitto_acl)
- [mosquitto_acl_enabled](#mosquitto_acl_enabled)
- [mosquitto_acl_file](#mosquitto_acl_file)
- [mosquitto_base_dir](#mosquitto_base_dir)
- [mosquitto_bind_address](#mosquitto_bind_address)
- [mosquitto_ca_path](#mosquitto_ca_path)
- [mosquitto_group](#mosquitto_group)
- [mosquitto_packages_extra](#mosquitto_packages_extra)
- [mosquitto_password_auth_enabled](#mosquitto_password_auth_enabled)
- [mosquitto_password_auth_file](#mosquitto_password_auth_file)
- [mosquitto_password_auth_users](#mosquitto_password_auth_users)
- [mosquitto_persistence_enabled](#mosquitto_persistence_enabled)
- [mosquitto_persistence_path](#mosquitto_persistence_path)
- [mosquitto_pid_file](#mosquitto_pid_file)
- [mosquitto_port](#mosquitto_port)
- [mosquitto_tls_cert_path](#mosquitto_tls_cert_path)
- [mosquitto_tls_cert_source](#mosquitto_tls_cert_source)
- [mosquitto_tls_ciphers](#mosquitto_tls_ciphers)
- [mosquitto_tls_enabled](#mosquitto_tls_enabled)
- [mosquitto_tls_key_path](#mosquitto_tls_key_path)
- [mosquitto_tls_key_source](#mosquitto_tls_key_source)
- [mosquitto_user](#mosquitto_user)
- [Discovered Tags](#discovered-tags)
- [Dependencies](#dependencies)
---
## Default Variables
### mosquitto_acl
#### Default value
```YAML
mosquitto_acl: []
```
#### Example usage
```YAML
mosquitto_acl:
- name: iot
user: admin
acls:
- acl_base: topic # (topic|pattern, defaults to topic)
acl_topic: "#"
acl_policy: readwrite
- name: readonly_iot
user: user1
acls:
- acl_base: topic
acl_topic: my/devices
acl_policy: readwrite
```
### mosquitto_acl_enabled
#### Default value
```YAML
mosquitto_acl_enabled: false
```
### mosquitto_acl_file
#### Default value
```YAML
mosquitto_acl_file: '{{ mosquitto_base_dir }}/aclfile'
```
### mosquitto_base_dir
#### Default value
```YAML
mosquitto_base_dir: /etc/mosquitto
```
### mosquitto_bind_address
#### Default value
```YAML
mosquitto_bind_address: '{{ ansible_default_ipv4.address }}'
```
### mosquitto_ca_path
#### Default value
```YAML
mosquitto_ca_path: /etc/pki/tls/certs/
```
### mosquitto_group
#### Default value
```YAML
mosquitto_group: mosquitto
```
### mosquitto_packages_extra
#### Default value
```YAML
mosquitto_packages_extra: []
```
### mosquitto_password_auth_enabled
#### Default value
```YAML
mosquitto_password_auth_enabled: false
```
### mosquitto_password_auth_file
#### Default value
```YAML
mosquitto_password_auth_file: '{{ mosquitto_base_dir }}/passwd'
```
### mosquitto_password_auth_users
#### Default value
```YAML
mosquitto_password_auth_users: []
```
#### Example usage
```YAML
mosquitto_password_auth_users:
- name: admin
password: mysecret
state: present
- name: user1
password: very_secure
state: absent
```
### mosquitto_persistence_enabled
#### Default value
```YAML
mosquitto_persistence_enabled: false
```
### mosquitto_persistence_path
#### Default value
```YAML
mosquitto_persistence_path: /var/lib/mosquitto/mosquitto.db
```
### mosquitto_pid_file
#### Default value
```YAML
mosquitto_pid_file: /var/run/mosquitto.pid
```
### mosquitto_port
#### Default value
```YAML
mosquitto_port: 1883
```
### mosquitto_tls_cert_path
#### Default value
```YAML
mosquitto_tls_cert_path: '{{ mosquitto_base_dir }}/tls/certs/mycert.pem'
```
### mosquitto_tls_cert_source
#### Default value
```YAML
mosquitto_tls_cert_source: mycert.pem
```
### mosquitto_tls_ciphers
#### Default value
```YAML
mosquitto_tls_ciphers:
- DEFAULT
- '!aNULL'
- '!eNULL'
- '!LOW'
- '!EXPORT'
- '!SSLv2'
- '@STRENGTH'
```
### mosquitto_tls_enabled
#### Default value
```YAML
mosquitto_tls_enabled: false
```
### mosquitto_tls_key_path
#### Default value
```YAML
mosquitto_tls_key_path: '{{ mosquitto_base_dir }}/tls/private/mykey.pem'
```
### mosquitto_tls_key_source
#### Default value
```YAML
mosquitto_tls_key_source: mykey.pem
```
### mosquitto_user
#### Default value
```YAML
mosquitto_user: mosquitto
```
## Discovered Tags
tls_renewal
: &nbsp;
## Dependencies
None.

29
meta/main.yml
View File

@ -1,29 +0,0 @@
# Standards: 0.2
---
galaxy_info:
# @meta author:value: [Robert Kaussow](https://gitea.rknet.org/xoxys)
author: Robert Kaussow <mail@thegeeklab.de>
namespace: xoxys
role_name: mosquitto
# @meta description: >
# [![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.mosquitto)
# [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.mosquitto?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.mosquitto)
# [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.mosquitto/src/branch/main/LICENSE)
#
# Setup [mosquitto](https://mosquitto.org/) mqtt broker. Eclipse Mosquitto is a message broker
# that implements the MQTT protocol. It is lightweight and suitable for use on all devices
# from low power single board computers to full servers.
# @end
description: Setup mosquitto mqtt broker
license: MIT
min_ansible_version: 2.10
platforms:
- name: EL
versions:
- 7
galaxy_tags:
- mosquitto
- mqtt
dependencies: []
collections:
- community.general

10
molecule/centos7/converge.yml
View File

@ -1,10 +0,0 @@
---
- name: Converge
hosts: all
vars:
mosquitto_packages_extra:
- epel-release
mosquitto_bind_address: "127.0.0.1"
roles:
- role: xoxys.mosquitto

120
molecule/centos7/create.yml
View File

@ -1,120 +0,0 @@
---
- name: Create
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
vars:
ssh_port: 22
ssh_user: root
ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
tasks:
- name: Create SSH key
user:
name: "{{ lookup('env', 'USER') }}"
generate_ssh_key: true
ssh_key_file: "{{ ssh_path }}"
force: true
register: generated_ssh_key
- name: Register the SSH key name
set_fact:
ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}"
- name: Register SSH key for test instance(s)
hcloud_ssh_key:
name: "{{ ssh_key_name }}"
public_key: "{{ generated_ssh_key.ssh_public_key }}"
state: present
- name: Create molecule instance(s)
hcloud_server:
name: "{{ item.name }}"
server_type: "{{ item.server_type }}"
ssh_keys:
- "{{ ssh_key_name }}"
image: "{{ item.image }}"
location: "{{ item.location | default(omit) }}"
datacenter: "{{ item.datacenter | default(omit) }}"
user_data: "{{ item.user_data | default(omit) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: present
register: server
loop: "{{ molecule_yml.platforms }}"
async: 7200
poll: 0
- name: Wait for instance(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- name: Create volume(s)
hcloud_volume:
name: "{{ item.name }}"
server: "{{ item.name }}"
location: "{{ item.location | default(omit) }}"
size: "{{ item.volume_size | default(10) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "present"
loop: "{{ molecule_yml.platforms }}"
when: item.volume | default(False) | bool
register: volumes
async: 7200
poll: 0
- name: Wait for volume(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
# Mandatory configuration for Molecule to function.
- name: Populate instance config dict
set_fact:
instance_conf_dict:
{
"instance": "{{ item.hcloud_server.name }}",
"ssh_key_name": "{{ ssh_key_name }}",
"address": "{{ item.hcloud_server.ipv4_address }}",
"user": "{{ ssh_user }}",
"port": "{{ ssh_port }}",
"identity_file": "{{ ssh_path }}",
"volume": "{{ item.item.item.volume | default(False) | bool }}",
}
loop: "{{ hetzner_jobs.results }}"
register: instance_config_dict
when: server.changed | bool
- name: Convert instance config dict to a list
set_fact:
instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
when: server.changed | bool
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool
- name: Wait for SSH
wait_for:
port: "{{ ssh_port }}"
host: "{{ item.address }}"
search_regex: SSH
delay: 10
loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}"
- name: Wait for VM to settle down
pause:
seconds: 30

78
molecule/centos7/destroy.yml
View File

@ -1,78 +0,0 @@
---
- name: Destroy
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
tasks:
- name: Check existing instance config file
stat:
path: "{{ molecule_instance_config }}"
register: cfg
- name: Populate the instance config
set_fact:
instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}"
- name: Destroy molecule instance(s)
hcloud_server:
name: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: absent
register: server
loop: "{{ instance_conf }}"
async: 7200
poll: 0
- name: Wait for instance(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- pause:
seconds: 5
- name: Destroy volume(s)
hcloud_volume:
name: "{{ item.instance }}"
server: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "absent"
register: volumes
loop: "{{ instance_conf }}"
when: item.volume | default(False) | bool
async: 7200
poll: 0
- name: Wait for volume(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
- name: Remove registered SSH key
hcloud_ssh_key:
name: "{{ instance_conf[0].ssh_key_name }}"
state: absent
when: (instance_conf | default([])) | length > 0
# Mandatory configuration for Molecule to function.
- name: Populate instance config
set_fact:
instance_conf: {}
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool

24
molecule/centos7/molecule.yml
View File

@ -1,24 +0,0 @@
---
dependency:
name: galaxy
options:
role-file: molecule/requirements.yml
requirements-file: molecule/requirements.yml
env:
ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
driver:
name: delegated
platforms:
- name: centos7-mosquitto
image: centos-7
server_type: cx11
lint: |
/usr/local/bin/flake8
provisioner:
name: ansible
env:
ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
log: False
verifier:
name: testinfra

15
molecule/centos7/prepare.yml
View File

@ -1,15 +0,0 @@
---
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Bootstrap python for Ansible
raw: |
command -v python3 python || (
(test -e /usr/bin/dnf && sudo dnf install -y python3) ||
(test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
(test -e /usr/bin/yum && sudo yum -y -qq install python3) ||
echo "Warning: Python not boostrapped due to unknown platform."
)
become: true
changed_when: false

23
molecule/centos7/tests/test_default.py
View File

@ -1,23 +0,0 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
def test_mosquitto_is_installed(host):
mosquitto = host.package("mosquitto")
assert mosquitto.is_installed
def test_mosquitto_running_and_enabled(host):
mosquitto = host.service("mosquitto")
assert mosquitto.is_running
assert mosquitto.is_enabled
def test_mosquitto_socket(host):
# Verify the socket is listening for HTTP traffic
assert host.socket("tcp://127.0.0.1:1883").is_listening

1
molecule/default
View File

@ -1 +0,0 @@
rocky8

3
molecule/pytest.ini
View File

@ -1,3 +0,0 @@
[pytest]
filterwarnings =
ignore::DeprecationWarning

6
molecule/requirements.yml
View File

@ -1,6 +0,0 @@
---
collections:
- name: https://gitea.rknet.org/ansible/xoxys.general/releases/download/v2.1.1/xoxys-general-2.1.1.tar.gz
- name: community.general
roles: []

10
molecule/rocky8/converge.yml
View File

@ -1,10 +0,0 @@
---
- name: Converge
hosts: all
vars:
mosquitto_packages_extra:
- epel-release
mosquitto_bind_address: "127.0.0.1"
roles:
- role: xoxys.mosquitto

120
molecule/rocky8/create.yml
View File

@ -1,120 +0,0 @@
---
- name: Create
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
vars:
ssh_port: 22
ssh_user: root
ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
tasks:
- name: Create SSH key
user:
name: "{{ lookup('env', 'USER') }}"
generate_ssh_key: true
ssh_key_file: "{{ ssh_path }}"
force: true
register: generated_ssh_key
- name: Register the SSH key name
set_fact:
ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}"
- name: Register SSH key for test instance(s)
hcloud_ssh_key:
name: "{{ ssh_key_name }}"
public_key: "{{ generated_ssh_key.ssh_public_key }}"
state: present
- name: Create molecule instance(s)
hcloud_server:
name: "{{ item.name }}"
server_type: "{{ item.server_type }}"
ssh_keys:
- "{{ ssh_key_name }}"
image: "{{ item.image }}"
location: "{{ item.location | default(omit) }}"
datacenter: "{{ item.datacenter | default(omit) }}"
user_data: "{{ item.user_data | default(omit) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: present
register: server
loop: "{{ molecule_yml.platforms }}"
async: 7200
poll: 0
- name: Wait for instance(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- name: Create volume(s)
hcloud_volume:
name: "{{ item.name }}"
server: "{{ item.name }}"
location: "{{ item.location | default(omit) }}"
size: "{{ item.volume_size | default(10) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "present"
loop: "{{ molecule_yml.platforms }}"
when: item.volume | default(False) | bool
register: volumes
async: 7200
poll: 0
- name: Wait for volume(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
# Mandatory configuration for Molecule to function.
- name: Populate instance config dict
set_fact:
instance_conf_dict:
{
"instance": "{{ item.hcloud_server.name }}",
"ssh_key_name": "{{ ssh_key_name }}",
"address": "{{ item.hcloud_server.ipv4_address }}",
"user": "{{ ssh_user }}",
"port": "{{ ssh_port }}",
"identity_file": "{{ ssh_path }}",
"volume": "{{ item.item.item.volume | default(False) | bool }}",
}
loop: "{{ hetzner_jobs.results }}"
register: instance_config_dict
when: server.changed | bool
- name: Convert instance config dict to a list
set_fact:
instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
when: server.changed | bool
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool
- name: Wait for SSH
wait_for:
port: "{{ ssh_port }}"
host: "{{ item.address }}"
search_regex: SSH
delay: 10
loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}"
- name: Wait for VM to settle down
pause:
seconds: 30

78
molecule/rocky8/destroy.yml
View File

@ -1,78 +0,0 @@
---
- name: Destroy
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
tasks:
- name: Check existing instance config file
stat:
path: "{{ molecule_instance_config }}"
register: cfg
- name: Populate the instance config
set_fact:
instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}"
- name: Destroy molecule instance(s)
hcloud_server:
name: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: absent
register: server
loop: "{{ instance_conf }}"
async: 7200
poll: 0
- name: Wait for instance(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- pause:
seconds: 5
- name: Destroy volume(s)
hcloud_volume:
name: "{{ item.instance }}"
server: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "absent"
register: volumes
loop: "{{ instance_conf }}"
when: item.volume | default(False) | bool
async: 7200
poll: 0
- name: Wait for volume(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
- name: Remove registered SSH key
hcloud_ssh_key:
name: "{{ instance_conf[0].ssh_key_name }}"
state: absent
when: (instance_conf | default([])) | length > 0
# Mandatory configuration for Molecule to function.
- name: Populate instance config
set_fact:
instance_conf: {}
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool

24
molecule/rocky8/molecule.yml
View File

@ -1,24 +0,0 @@
---
dependency:
name: galaxy
options:
role-file: molecule/requirements.yml
requirements-file: molecule/requirements.yml
env:
ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
driver:
name: delegated
platforms:
- name: rocky8-mosquitto
image: rocky-8
server_type: cx11
lint: |
/usr/local/bin/flake8
provisioner:
name: ansible
env:
ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
log: False
verifier:
name: testinfra

15
molecule/rocky8/prepare.yml
View File

@ -1,15 +0,0 @@
---
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Bootstrap python for Ansible
raw: |
command -v python3 python || (
(test -e /usr/bin/dnf && sudo dnf install -y python3) ||
(test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
(test -e /usr/bin/yum && sudo yum -y -qq install python3) ||
echo "Warning: Python not boostrapped due to unknown platform."
)
become: true
changed_when: false

23
molecule/rocky8/tests/test_default.py
View File

@ -1,23 +0,0 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
def test_mosquitto_is_installed(host):
mosquitto = host.package("mosquitto")
assert mosquitto.is_installed
def test_mosquitto_running_and_enabled(host):
mosquitto = host.service("mosquitto")
assert mosquitto.is_running
assert mosquitto.is_enabled
def test_mosquitto_socket(host):
# Verify the socket is listening for HTTP traffic
assert host.socket("tcp://127.0.0.1:1883").is_listening

12
setup.cfg
View File

@ -1,12 +0,0 @@
[flake8]
ignore = D100, D101, D102, D103, D105, D107, E402, W503
max-line-length = 99
inline-quotes = double
exclude = .git,.tox,__pycache__,build,dist,tests,*.pyc,*.egg-info,.cache,.eggs,env*
[yapf]
based_on_style = google
column_limit = 99
dedent_closing_brackets = true
coalesce_brackets = true
split_before_logical_operator = true

50
tasks/config.yml
View File

@ -1,50 +0,0 @@
---
- name: Check if password file '{{ mosquitto_password_auth_file }}' exists
stat:
path: "{{ mosquitto_password_auth_file }}"
register: __mosquitto_passwd
become: True
become_user: root
- name: Create password file if not exist
file:
path: "{{ mosquitto_password_auth_file }}"
mode: 0600
state: touch
become: True
become_user: root
when: not __mosquitto_passwd.stat.exists
# TODO: ugly workaround, move this to a custom module
- block:
- name: Add users to password file
command: "mosquitto_passwd -b {{ mosquitto_password_auth_file }} {{ item.name }} {{ item.password }}"
loop: "{{ mosquitto_password_auth_users }}"
loop_control:
label: "{{ item.name }}"
when: item.state == "present"
changed_when: False
no_log: True
- name: Remove unnecessary users from password file
command: "mosquitto_passwd -D {{ mosquitto_password_auth_file }} {{ item.name }}"
loop: "{{ mosquitto_password_auth_users }}"
loop_control:
label: "{{ item.name }}"
when: item.state == "absent"
changed_when: False
no_log: True
- name: Create acl file at '{{ mosquitto_acl_file }}'
template:
src: "etc/mosquitto/aclfile.j2"
dest: "{{ mosquitto_acl_file }}"
owner: root
group: root
mode: 0600
when:
- mosquitto_acl_enabled | bool
- mosquitto_acl is defined
notify: __mosquitto_restart
become: True
become_user: root

31
tasks/install.yml
View File

@ -1,31 +0,0 @@
---
- block:
- name: Install mqtt packages
package:
name: "{{ item }}"
state: present
loop: "{{ mosquitto_packages_extra + __mosquitto_packages }}"
- name: Create group '{{ mosquitto_group }}'
group:
name: '{{ mosquitto_group }}'
state: present
- name: Create user '{{ mosquitto_user }}'
user:
name: '{{ mosquitto_user }}'
group: '{{ mosquitto_group }}'
home: "{{ mosquitto_base_dir }}"
system: yes
shell: /sbin/nologin
- name: Deploy default configuration
template:
src: "etc/mosquitto/mosquitto.conf.j2"
dest: "{{ mosquitto_base_dir }}/mosquitto.conf"
owner: root
group: root
mode: 0644
notify: __mosquitto_restart
become: True
become_user: root

7
tasks/main.yml
View File

@ -1,7 +0,0 @@
---
- import_tasks: install.yml
- import_tasks: config.yml
- import_tasks: tls.yml
when: mosquitto_tls_enabled | bool
tags: tls_renewal
- import_tasks: post_tasks.yml

9
tasks/post_tasks.yml
View File

@ -1,9 +0,0 @@
---
- name: Ensure mosquitto service is up and running
service:
state: started
daemon_reload: yes
enabled: yes
name: mosquitto
become: True
become_user: root

26
tasks/tls.yml
View File

@ -1,26 +0,0 @@
---
- block:
- name: Create tls folder structure
file:
path: "{{ item }}"
state: directory
owner: root
group: root
recurse: True
loop:
- "{{ mosquitto_tls_cert_path | dirname }}"
- "{{ mosquitto_tls_key_path | dirname }}"
- name: Copy certs and private key
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
loop:
- { src: "{{ mosquitto_tls_key_source }}", dest: '{{ mosquitto_tls_key_path }}', mode: '0600' }
- { src: "{{ mosquitto_tls_cert_source }}", dest: '{{ mosquitto_tls_cert_path }}', mode: '0750' }
loop_control:
label: "{{ item.dest }}"
notify: __mosquitto_restart
become: True
become_user: root

10
templates/etc/mosquitto/aclfile.j2
View File

@ -1,10 +0,0 @@
{{ ansible_managed | comment }}
{% for item in mosquitto_acl %}
{% if not item.name == "all" %}
user {{ item.name }}
{% endif %}
{% for acl in item.acls %}
{{ acl.acl_base if acl.acl_base is defined else 'topic' }} {{ acl.acl_policy }} {{ acl.acl_topic }}
{% endfor %}
{% endfor %}

868
templates/etc/mosquitto/mosquitto.conf.j2
View File

@ -1,868 +0,0 @@
{{ ansible_managed | comment }}
# =================================================================
# General configuration
# =================================================================
# Time in seconds between updates of the $SYS tree.
# Set to 0 to disable the publishing of the $SYS tree.
#sys_interval 10
# Time in seconds between cleaning the internal message store of
# unreferenced messages. Lower values will result in lower memory
# usage but more processor time, higher values will have the
# opposite effect.
# Setting a value of 0 means the unreferenced messages will be
# disposed of as quickly as possible.
#store_clean_interval 10
# Write process id to a file. Default is a blank string which means
# a pid file shouldn't be written.
# This should be set to /var/run/mosquitto.pid if mosquitto is
# being run automatically on boot with an init script and
# start-stop-daemon or similar.
pid_file {{ mosquitto_pid_file }}
# When run as root, drop privileges to this user and its primary
# group.
# Set to root to stay as root, but this is not recommended.
# If run as a non-root user, this setting has no effect.
# Note that on Windows this has no effect and so mosquitto should
# be started by the user you wish it to run as.
user {{ mosquitto_user }}
# The maximum number of QoS 1 and 2 messages currently inflight per
# client.
# This includes messages that are partway through handshakes and
# those that are being retried. Defaults to 20. Set to 0 for no
# maximum. Setting to 1 will guarantee in-order delivery of QoS 1
# and 2 messages.
#max_inflight_messages 20
# QoS 1 and 2 messages will be allowed inflight per client until this limit
# is exceeded. Defaults to 0. (No maximum)
# See also max_inflight_messages
#max_inflight_bytes 0
# The maximum number of QoS 1 and 2 messages to hold in a queue per client
# above those that are currently in-flight. Defaults to 100. Set
# to 0 for no maximum (not recommended).
# See also queue_qos0_messages.
# See also max_queued_bytes.
#max_queued_messages 100
# QoS 1 and 2 messages above those currently in-flight will be queued per
# client until this limit is exceeded. Defaults to 0. (No maximum)
# See also max_queued_messages.
# If both max_queued_messages and max_queued_bytes are specified, packets will
# be queued until the first limit is reached.
#max_queued_bytes 0
# Set to true to queue messages with QoS 0 when a persistent client is
# disconnected. These messages are included in the limit imposed by
# max_queued_messages and max_queued_bytes
# Defaults to false.
# This is a non-standard option for the MQTT v3.1 spec but is allowed in
# v3.1.1.
#queue_qos0_messages false
# This option sets the maximum publish payload size that the broker will allow.
# Received messages that exceed this size will not be accepted by the broker.
# The default value is 0, which means that all valid MQTT messages are
# accepted. MQTT imposes a maximum payload size of 268435455 bytes.
#message_size_limit 0
# This option controls whether a client is allowed to connect with a zero
# length client id or not. This option only affects clients using MQTT v3.1.1
# and later. If set to false, clients connecting with a zero length client id
# are disconnected. If set to true, clients will be allocated a client id by
# the broker. This means it is only useful for clients with clean session set
# to true.
#allow_zero_length_clientid true
# If allow_zero_length_clientid is true, this option allows you to set a prefix
# to automatically generated client ids to aid visibility in logs.
#auto_id_prefix
# This option allows persistent clients (those with clean session set to false)
# to be removed if they do not reconnect within a certain time frame.
#
# This is a non-standard option in MQTT V3.1 but allowed in MQTT v3.1.1.
#
# Badly designed clients may set clean session to false whilst using a randomly
# generated client id. This leads to persistent clients that will never
# reconnect. This option allows these clients to be removed.
#
# The expiration period should be an integer followed by one of h d w m y for
# hour, day, week, month and year respectively. For example
#
# persistent_client_expiration 2m
# persistent_client_expiration 14d
# persistent_client_expiration 1y
#
# The default if not set is to never expire persistent clients.
#persistent_client_expiration
# If a client is subscribed to multiple subscriptions that overlap, e.g. foo/#
# and foo/+/baz , then MQTT expects that when the broker receives a message on
# a topic that matches both subscriptions, such as foo/bar/baz, then the client
# should only receive the message once.
# Mosquitto keeps track of which clients a message has been sent to in order to
# meet this requirement. The allow_duplicate_messages option allows this
# behaviour to be disabled, which may be useful if you have a large number of
# clients subscribed to the same set of topics and are very concerned about
# minimising memory usage.
# It can be safely set to true if you know in advance that your clients will
# never have overlapping subscriptions, otherwise your clients must be able to
# correctly deal with duplicate messages even when then have QoS=2.
#allow_duplicate_messages false
# The MQTT specification requires that the QoS of a message delivered to a
# subscriber is never upgraded to match the QoS of the subscription. Enabling
# this option changes this behaviour. If upgrade_outgoing_qos is set true,
# messages sent to a subscriber will always match the QoS of its subscription.
# This is a non-standard option explicitly disallowed by the spec.
#upgrade_outgoing_qos false
# Disable Nagle's algorithm on client sockets. This has the effect of reducing
# latency of individual messages at the potential cost of increasing the number
# of packets being sent.
#set_tcp_nodelay false
# Use per listener security settings.
# If this option is set to true, then all authentication and access control
# options are controlled on a per listener basis. The following options are
# affected:
#
# password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous
# auto_id_prefix allow_zero_length_clientid
#
# The default behaviour is for this to be set to false, which maintains the
# setting behaviour from previous versions of mosquitto.
#per_listener_settings false
# =================================================================
# Default listener
# =================================================================
# IP address/hostname to bind the default listener to. If not
# given, the default listener will not be bound to a specific
# address and so will be accessible to all network interfaces.
# bind_address ip-address/host name
bind_address {{ mosquitto_bind_address }}
# Port to use for the default listener.
port {{ mosquitto_port }}
# The maximum number of client connections to allow. This is
# a per listener setting.
# Default is -1, which means unlimited connections.
# Note that other process limits mean that unlimited connections
# are not really possible. Typically the default maximum number of
# connections possible is around 1024.
#max_connections -1
# Choose the protocol to use when listening.
# This can be either mqtt or websockets.
# Websockets support is currently disabled by default at compile time.
# Certificate based TLS may be used with websockets, except that
# only the cafile, certfile, keyfile and ciphers options are supported.
#protocol mqtt
# When a listener is using the websockets protocol, it is possible to serve
# http data as well. Set http_dir to a directory which contains the files you
# wish to serve. If this option is not specified, then no normal http
# connections will be possible.
#http_dir
# Set use_username_as_clientid to true to replace the clientid that a client
# connected with with its username. This allows authentication to be tied to
# the clientid, which means that it is possible to prevent one client
# disconnecting another by using the same clientid.
# If a client connects with no username it will be disconnected as not
# authorised when this option is set to true.
# Do not use in conjunction with clientid_prefixes.
# See also use_identity_as_username.
#use_username_as_clientid
{% if mosquitto_tls_enabled %}
# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS
# is 8883, but this must be set manually.
#
# See also the mosquitto-tls man page.
# At least one of cafile or capath must be defined. They both
# define methods of accessing the PEM encoded Certificate
# Authority certificates that have signed your server certificate
# and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "openssl rehash /path/to/capath" each time you add/remove a certificate.
#cafile
capath {{ mosquitto_ca_path }}
# Path to the PEM encoded server certificate.
certfile {{ mosquitto_tls_cert_path }}
# Path to the PEM encoded keyfile.
keyfile {{ mosquitto_tls_key_path }}
# This option defines the version of the TLS protocol to use for this listener.
# The default value allows v1.2, v1.1 and v1.0. The valid values are tlsv1.2
# tlsv1.1 and tlsv1.
tls_version tlsv1.2
# By default a TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a CA
# and the client will verify that it is a trusted certificate. The overall aim
# is encryption of the network traffic. By setting require_certificate to true,
# the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.
#require_certificate false
# If require_certificate is true, you may set use_identity_as_username to true
# to use the CN value from the client certificate as a username. If this is
# true, the password_file option will not be used for this listener.
# This takes priority over use_subject_as_username.
# See also use_subject_as_username.
#use_identity_as_username false
# If require_certificate is true, you may set use_subject_as_username to true
# to use the complete subject value from the client certificate as a username.
# If this is true, the password_file option will not be used for this listener.
# See also use_identity_as_username
#use_subject_as_username false
# If you have require_certificate set to true, you can create a certificate
# revocation list file to revoke access to particular client certificates. If
# you have done this, use crlfile to point to the PEM encoded revocation file.
#crlfile
# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be obtained using the "openssl
# ciphers" command and should be provided in the same format as the output of
# that command.
# If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
ciphers {{ mosquitto_tls_ciphers | join(':') }}
{% endif %}
# -----------------------------------------------------------------
# Pre-shared-key based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable PSK based SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS is 8883, but
# this must be set manually.
#
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.
# The psk_hint option enables pre-shared-key support for this listener and also
# acts as an identifier for this listener. The hint is sent to clients and may
# be used locally to aid authentication. The hint is a free form string that
# doesn't have much meaning in itself, so feel free to be creative.
# If this option is provided, see psk_file to define the pre-shared keys to be
# used or create a security plugin to handle them.
#psk_hint
# Set use_identity_as_username to have the psk identity sent by the client used
# as its username. Authentication will be carried out using the PSK rather than
# the MQTT username/password and so password_file will not be used for this
# listener.
#use_identity_as_username false
# When using PSK, the encryption ciphers used will be chosen from the list of
# available PSK ciphers. If you want to control which ciphers are available,
# use the "ciphers" option. The list of available ciphers can be obtained
# using the "openssl ciphers" command and should be provided in the same format
# as the output of that command.
#ciphers
# =================================================================
# Extra listeners
# =================================================================
# Listen on a port/ip address combination. By using this variable
# multiple times, mosquitto can listen on more than one port. If
# this variable is used and neither bind_address nor port given,
# then the default listener will not be started.
# The port number to listen on must be given. Optionally, an ip
# address or host name may be supplied as a second argument. In
# this case, mosquitto will attempt to bind the listener to that
# address and so restrict access to the associated network and
# interface. By default, mosquitto will listen on all interfaces.
# Note that for a websockets listener it is not possible to bind to a host
# name.
# listener port-number [ip address/host name]
#listener
# The maximum number of client connections to allow. This is
# a per listener setting.
# Default is -1, which means unlimited connections.
# Note that other process limits mean that unlimited connections
# are not really possible. Typically the default maximum number of
# connections possible is around 1024.
#max_connections -1
# The listener can be restricted to operating within a topic hierarchy using
# the mount_point option. This is achieved be prefixing the mount_point string
# to all topics for any clients connected to this listener. This prefixing only
# happens internally to the broker; the client will not see the prefix.
#mount_point
# Choose the protocol to use when listening.
# This can be either mqtt or websockets.
# Certificate based TLS may be used with websockets, except that only the
# cafile, certfile, keyfile and ciphers options are supported.
#protocol mqtt
# When a listener is using the websockets protocol, it is possible to serve
# http data as well. Set http_dir to a directory which contains the files you
# wish to serve. If this option is not specified, then no normal http
# connections will be possible.
#http_dir
# Set use_username_as_clientid to true to replace the clientid that a client
# connected with with its username. This allows authentication to be tied to
# the clientid, which means that it is possible to prevent one client
# disconnecting another by using the same clientid.
# If a client connects with no username it will be disconnected as not
# authorised when this option is set to true.
# Do not use in conjunction with clientid_prefixes.
# See also use_identity_as_username.
#use_username_as_clientid
# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable certificate based SSL/TLS support
# for this listener. Note that the recommended port for MQTT over TLS is 8883,
# but this must be set manually.
#
# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.
# At least one of cafile or capath must be defined to enable certificate based
# TLS encryption. They both define methods of accessing the PEM encoded
# Certificate Authority certificates that have signed your server certificate
# and that you wish to trust.
# cafile defines the path to a file containing the CA certificates.
# capath defines a directory that will be searched for files
# containing the CA certificates. For capath to work correctly, the
# certificate files must have ".crt" as the file ending and you must run
# "openssl rehash /path/to/capath" each time you add/remove a certificate.
#cafile
#capath
# Path to the PEM encoded server certificate.
#certfile
# Path to the PEM encoded keyfile.
#keyfile
# By default an TLS enabled listener will operate in a similar fashion to a
# https enabled web server, in that the server has a certificate signed by a CA
# and the client will verify that it is a trusted certificate. The overall aim
# is encryption of the network traffic. By setting require_certificate to true,
# the client must provide a valid certificate in order for the network
# connection to proceed. This allows access to the broker to be controlled
# outside of the mechanisms provided by MQTT.
#require_certificate false
# If require_certificate is true, you may set use_identity_as_username to true
# to use the CN value from the client certificate as a username. If this is
# true, the password_file option will not be used for this listener.
#use_identity_as_username false
# If you have require_certificate set to true, you can create a certificate
# revocation list file to revoke access to particular client certificates. If
# you have done this, use crlfile to point to the PEM encoded revocation file.
#crlfile
# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be optained using the "openssl
# ciphers" command and should be provided in the same format as the output of
# that command.
#ciphers
# -----------------------------------------------------------------
# Pre-shared-key based SSL/TLS support
# -----------------------------------------------------------------
# The following options can be used to enable PSK based SSL/TLS support for
# this listener. Note that the recommended port for MQTT over TLS is 8883, but
# this must be set manually.
#
# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
# support" section. Only one of certificate or PSK encryption support can be
# enabled for any listener.
# The psk_hint option enables pre-shared-key support for this listener and also
# acts as an identifier for this listener. The hint is sent to clients and may
# be used locally to aid authentication. The hint is a free form string that
# doesn't have much meaning in itself, so feel free to be creative.
# If this option is provided, see psk_file to define the pre-shared keys to be
# used or create a security plugin to handle them.
#psk_hint
# Set use_identity_as_username to have the psk identity sent by the client used
# as its username. Authentication will be carried out using the PSK rather than
# the MQTT username/password and so password_file will not be used for this
# listener.
#use_identity_as_username false
# When using PSK, the encryption ciphers used will be chosen from the list of
# available PSK ciphers. If you want to control which ciphers are available,
# use the "ciphers" option. The list of available ciphers can be optained
# using the "openssl ciphers" command and should be provided in the same format
# as the output of that command.
#ciphers
# =================================================================
# Persistence
# =================================================================
# If persistence is enabled, save the in-memory database to disk
# every autosave_interval seconds. If set to 0, the persistence
# database will only be written when mosquitto exits. See also
# autosave_on_changes.
# Note that writing of the persistence database can be forced by
# sending mosquitto a SIGUSR1 signal.
#autosave_interval 1800
# If true, mosquitto will count the number of subscription changes, retained
# messages received and queued messages and if the total exceeds
# autosave_interval then the in-memory database will be saved to disk.
# If false, mosquitto will save the in-memory database to disk by treating
# autosave_interval as a time in seconds.
#autosave_on_changes false
# Save persistent message data to disk (true/false).
# This saves information about all messages, including
# subscriptions, currently in-flight messages and retained
# messages.
# retained_persistence is a synonym for this option.
persistence {{ mosquitto_persistence_enabled | lower }}
{% if mosquitto_persistence_enabled %}
persistence_file {{ mosquitto_persistence_path | basename }}
persistence_location {{ (mosquitto_persistence_path | dirname) + '/' }}
{% endif %}
# =================================================================
# Logging
# =================================================================
# Places to log to. Use multiple log_dest lines for multiple
# logging destinations.
# Possible destinations are: stdout stderr syslog topic file
#
# stdout and stderr log to the console on the named output.
#
# syslog uses the userspace syslog facility which usually ends up
# in /var/log/messages or similar.
#
# topic logs to the broker topic '$SYS/broker/log/severity',
# where severity is one of D, E, W, N, I, M which are debug, error,
# warning, notice, information and message. Message type severity is used by
# the subscribe/unsubscribe log_types and publishes log messages to
# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe.
#
# The file destination requires an additional parameter which is the file to be
# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be
# closed and reopened when the broker receives a HUP signal. Only a single file
# destination may be configured.
#
# Note that if the broker is running as a Windows service it will default to
# "log_dest none" and neither stdout nor stderr logging is available.
# Use "log_dest none" if you wish to disable logging.
#log_dest stderr
# If using syslog logging (not on Windows), messages will be logged to the
# "daemon" facility by default. Use the log_facility option to choose which of
# local0 to local7 to log to instead. The option value should be an integer
# value, e.g. "log_facility 5" to use local5.
#log_facility
# Types of messages to log. Use multiple log_type lines for logging
# multiple types of messages.
# Possible types are: debug, error, warning, notice, information,
# none, subscribe, unsubscribe, websockets, all.
# Note that debug type messages are for decoding the incoming/outgoing
# network packets. They are not logged in "topics".
#log_type error
#log_type warning
#log_type notice
#log_type information
# Change the websockets logging level. This is a global option, it is not
# possible to set per listener. This is an integer that is interpreted by
# libwebsockets as a bit mask for its lws_log_levels enum. See the
# libwebsockets documentation for more details. "log_type websockets" must also
# be enabled.
#websockets_log_level 0
# If set to true, client connection and disconnection messages will be included
# in the log.
#connection_messages true
# If set to true, add a timestamp value to each log message.
#log_timestamp true
# =================================================================
# Security
# =================================================================
# If set, only clients that have a matching prefix on their
# clientid will be allowed to connect to the broker. By default,
# all clients may connect.
# For example, setting "secure-" here would mean a client "secure-
# client" could connect but another with clientid "mqtt" couldn't.
#clientid_prefixes
# Boolean value that determines whether clients that connect
# without providing a username are allowed to connect. If set to
# false then a password file should be created (see the
# password_file option) to control authenticated client access.
#
# Defaults to true if no other security options are set. If any other
# authentication options are set, then allow_anonymous defaults to false.
#
{% if not mosquitto_password_auth_enabled %}
allow_anonymous true
{% else %}
allow_anonymous false
{% endif %}
# -----------------------------------------------------------------
# Default authentication and topic access control
# -----------------------------------------------------------------
# Control access to the broker using a password file. This file can be
# generated using the mosquitto_passwd utility. If TLS support is not compiled
# into mosquitto (it is recommended that TLS support should be included) then
# plain text passwords are used, in which case the file should be a text file
# with lines in the format:
# username:password
# The password (and colon) may be omitted if desired, although this
# offers very little in the way of security.
#
# See the TLS client require_certificate and use_identity_as_username options
# for alternative authentication options. If an auth_plugin is used as well as
# password_file, the auth_plugin check will be made first.
{% if mosquitto_password_auth_enabled %}
password_file {{ mosquitto_password_auth_file }}
{% endif %}
# Access may also be controlled using a pre-shared-key file. This requires
# TLS-PSK support and a listener configured to use it. The file should be text
# lines in the format:
# identity:key
# The key should be in hexadecimal format without a leading "0x".
# If an auth_plugin is used as well, the auth_plugin check will be made first.
#psk_file
# Control access to topics on the broker using an access control list
# file. If this parameter is defined then only the topics listed will
# have access.
# If the first character of a line of the ACL file is a # it is treated as a
# comment.
# Topic access is added with lines of the format:
#
# topic [read|write|readwrite] 'topic'
#
# The access type is controlled using "read", "write" or "readwrite". This
# parameter is optional (unless 'topic' contains a space character) - if not
# given then the access is read/write. 'topic' can contain the + or #
# wildcards as in subscriptions.
#
# The first set of topics are applied to anonymous clients, assuming
# allow_anonymous is true. User specific topic ACLs are added after a
# user line as follows:
#
# user 'username'
#
# The username referred to here is the same as in password_file. It is
# not the clientid.
#
#
# If is also possible to define ACLs based on pattern substitution within the
# topic. The patterns available for substition are:
#
# %c to match the client id of the client
# %u to match the username of the client
#
# The substitution pattern must be the only text for that level of hierarchy.
#
# The form is the same as for the topic keyword, but using pattern as the
# keyword.
# Pattern ACLs apply to all users even if the "user" keyword has previously
# been given.
#
# If using bridges with usernames and ACLs, connection messages can be allowed
# with the following pattern:
# pattern write $SYS/broker/connection/%c/state
#
# pattern [read|write|readwrite] 'topic'
#
# Example:
#
# pattern write sensor/%u/data
#
# If an auth_plugin is used as well as acl_file, the auth_plugin check will be
# made first.
{% if mosquitto_acl_enabled %}
acl_file {{ mosquitto_acl_file }}
{% endif %}
# -----------------------------------------------------------------
# External authentication and topic access plugin options
# -----------------------------------------------------------------
# External authentication and access control can be supported with the
# auth_plugin option. This is a path to a loadable plugin. See also the
# auth_opt_* options described below.
#
# The auth_plugin option can be specified multiple times to load multiple
# plugins. The plugins will be processed in the order that they are specified
# here. If the auth_plugin option is specified alongside either of
# password_file or acl_file then the plugin checks will be made first.
#
#auth_plugin
# If the auth_plugin option above is used, define options to pass to the
# plugin here as described by the plugin instructions. All options named
# using the format auth_opt_* will be passed to the plugin, for example:
#
# auth_opt_db_host
# auth_opt_db_port
# auth_opt_db_username
# auth_opt_db_password
# =================================================================
# Bridges
# =================================================================
# A bridge is a way of connecting multiple MQTT brokers together.
# Create a new bridge using the "connection" option as described below. Set
# options for the bridges using the remaining parameters. You must specify the
# address and at least one topic to subscribe to.
#
# Each connection must have a unique name.
#
# The address line may have multiple host address and ports specified. See
# below in the round_robin description for more details on bridge behaviour if
# multiple addresses are used. Note that if you use an IPv6 address, then you
# are required to specify a port.
#
# The direction that the topic will be shared can be chosen by
# specifying out, in or both, where the default value is out.
# The QoS level of the bridged communication can be specified with the next
# topic option. The default QoS level is 0, to change the QoS the topic
# direction must also be given.
#
# The local and remote prefix options allow a topic to be remapped when it is
# bridged to/from the remote broker. This provides the ability to place a topic
# tree in an appropriate location.
#
# For more details see the mosquitto.conf man page.
#
# Multiple topics can be specified per connection, but be careful
# not to create any loops.
#
# If you are using bridges with cleansession set to false (the default), then
# you may get unexpected behaviour from incoming topics if you change what
# topics you are subscribing to. This is because the remote broker keeps the
# subscription for the old topic. If you have this problem, connect your bridge
# with cleansession set to true, then reconnect with cleansession set to false
# as normal.
#connection 'name'
#address host[:port] [host[:port]]
#topic 'topic' [[[out | in | both] qos-level] local-prefix remote-prefix]
# Set the version of the MQTT protocol to use with for this bridge. Can be one
# of mqttv311 or mqttv11. Defaults to mqttv311.
#bridge_protocol_version mqttv311
# If a bridge has topics that have "out" direction, the default behaviour is to
# send an unsubscribe request to the remote broker on that topic. This means
# that changing a topic direction from "in" to "out" will not keep receiving
# incoming messages. Sending these unsubscribe requests is not always
# desirable, setting bridge_attempt_unsubscribe to false will disable sending
# the unsubscribe request.
#bridge_attempt_unsubscribe true
# If the bridge has more than one address given in the address/addresses
# configuration, the round_robin option defines the behaviour of the bridge on
# a failure of the bridge connection. If round_robin is false, the default
# value, then the first address is treated as the main bridge connection. If
# the connection fails, the other secondary addresses will be attempted in
# turn. Whilst connected to a secondary bridge, the bridge will periodically
# attempt to reconnect to the main bridge until successful.
# If round_robin is true, then all addresses are treated as equals. If a
# connection fails, the next address will be tried and if successful will
# remain connected until it fails
#round_robin false
# Set the client id to use on the remote end of this bridge connection. If not
# defined, this defaults to 'name.hostname' where name is the connection name
# and hostname is the hostname of this computer.
# This replaces the old "clientid" option to avoid confusion. "clientid"
# remains valid for the time being.
#remote_clientid
# Set the clientid to use on the local broker. If not defined, this defaults to
# 'local.clientid'. If you are bridging a broker to itself, it is important
# that local_clientid and clientid do not match.
#local_clientid
# Set the clean session variable for this bridge.
# When set to true, when the bridge disconnects for any reason, all
# messages and subscriptions will be cleaned up on the remote
# broker. Note that with cleansession set to true, there may be a
# significant amount of retained messages sent when the bridge
# reconnects after losing its connection.
# When set to false, the subscriptions and messages are kept on the
# remote broker, and delivered when the bridge reconnects.
#cleansession false
# If set to true, publish notification messages to the local and remote brokers
# giving information about the state of the bridge connection. Retained
# messages are published to the topic $SYS/broker/connection/clientid/state
# unless the notification_topic option is used.
# If the message is 1 then the connection is active, or 0 if the connection has
# failed.
#notifications true
# Choose the topic on which notification messages for this bridge are
# published. If not set, messages are published on the topic
# $SYS/broker/connection/clientid/state
#notification_topic
# Set the keepalive interval for this bridge connection, in
# seconds.
#keepalive_interval 60
# Set the start type of the bridge. This controls how the bridge starts and
# can be one of three types: automatic, lazy and once. Note that RSMB provides
# a fourth start type "manual" which isn't currently supported by mosquitto.
#
# "automatic" is the default start type and means that the bridge connection
# will be started automatically when the broker starts and also restarted
# after a short delay (30 seconds) if the connection fails.
#
# Bridges using the "lazy" start type will be started automatically when the
# number of queued messages exceeds the number set with the "threshold"
# parameter. It will be stopped automatically after the time set by the
# "idle_timeout" parameter. Use this start type if you wish the connection to
# only be active when it is needed.
#
# A bridge using the "once" start type will be started automatically when the
# broker starts but will not be restarted if the connection fails.
#start_type automatic
# Set the amount of time a bridge using the automatic start type will wait
# until attempting to reconnect. Defaults to 30 seconds.
#restart_timeout 30
# Set the amount of time a bridge using the lazy start type must be idle before
# it will be stopped. Defaults to 60 seconds.
#idle_timeout 60
# Set the number of messages that need to be queued for a bridge with lazy
# start type to be restarted. Defaults to 10 messages.
# Must be less than max_queued_messages.
#threshold 10
# If try_private is set to true, the bridge will attempt to indicate to the
# remote broker that it is a bridge not an ordinary client. If successful, this
# means that loop detection will be more effective and that retained messages
# will be propagated correctly. Not all brokers support this feature so it may
# be necessary to set try_private to false if your bridge does not connect
# properly.
#try_private true
# Set the username to use when connecting to a broker that requires
# authentication.
# This replaces the old "username" option to avoid confusion. "username"
# remains valid for the time being.
#remote_username
# Set the password to use when connecting to a broker that requires
# authentication. This option is only used if remote_username is also set.
# This replaces the old "password" option to avoid confusion. "password"
# remains valid for the time being.
#remote_password
# -----------------------------------------------------------------
# Certificate based SSL/TLS support
# -----------------------------------------------------------------
# Either bridge_cafile or bridge_capath must be defined to enable TLS support
# for this bridge.
# bridge_cafile defines the path to a file containing the
# Certificate Authority certificates that have signed the remote broker
# certificate.
# bridge_capath defines a directory that will be searched for files containing
# the CA certificates. For bridge_capath to work correctly, the certificate
# files must have ".crt" as the file ending and you must run "openssl rehash
# /path/to/capath" each time you add/remove a certificate.
#bridge_cafile
#bridge_capath
# Path to the PEM encoded client certificate, if required by the remote broker.
#bridge_certfile
# Path to the PEM encoded client private key, if required by the remote broker.
#bridge_keyfile
# When using certificate based encryption, bridge_insecure disables
# verification of the server hostname in the server certificate. This can be
# useful when testing initial server configurations, but makes it possible for
# a malicious third party to impersonate your server through DNS spoofing, for
# example. Use this option in testing only. If you need to resort to using this
# option in a production environment, your setup is at fault and there is no
# point using encryption.
#bridge_insecure false
# -----------------------------------------------------------------
# PSK based SSL/TLS support
# -----------------------------------------------------------------
# Pre-shared-key encryption provides an alternative to certificate based
# encryption. A bridge can be configured to use PSK with the bridge_identity
# and bridge_psk options. These are the client PSK identity, and pre-shared-key
# in hexadecimal format with no "0x". Only one of certificate and PSK based
# encryption can be used on one
# bridge at once.
#bridge_identity
#bridge_psk
# =================================================================
# External config files
# =================================================================
# External configuration files may be included by using the
# include_dir option. This defines a directory that will be searched
# for config files. All files that end in '.conf' will be loaded as
# a configuration file. It is best to have this as the last option
# in the main file. This option will only be processed from the main
# configuration file. The directory specified must not contain the
# main configuration file.
#include_dir
# =================================================================
# rsmb options - unlikely to ever be supported
# =================================================================
#ffdc_output
#max_log_entries
#trace_level
#trace_output

3
vars/main.yml
View File

@ -1,3 +0,0 @@
---
__mosquitto_packages:
- mosquitto