From 0b69a41ebc046ee535ea1cdaa57661f8836a4f13 Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Fri, 20 Mar 2020 22:07:20 +0100
Subject: [PATCH] Added roles mqtt/application and mqtt/user
---
roles/mqtt/application/defaults/main.yml | 17 +++++++
roles/mqtt/application/handlers/main.yml | 19 +++++++
roles/mqtt/application/meta/main.yml | 5 ++
roles/mqtt/application/tasks/main.yml | 50 +++++++++++++++++++
roles/mqtt/application/templates/main.acl | 4 ++
roles/mqtt/application/templates/main.conf | 11 ++++
.../application/templates/mosquitto.makefile | 25 ++++++++++
roles/mqtt/user/defaults/main.yml | 8 +++
roles/mqtt/user/meta/main.yml | 6 +++
roles/mqtt/user/tasks/main.yml | 19 +++++++
roles/mqtt/user/templates/user.acl | 13 +++++
11 files changed, 177 insertions(+)
create mode 100644 roles/mqtt/application/defaults/main.yml
create mode 100644 roles/mqtt/application/handlers/main.yml
create mode 100644 roles/mqtt/application/meta/main.yml
create mode 100644 roles/mqtt/application/tasks/main.yml
create mode 100644 roles/mqtt/application/templates/main.acl
create mode 100644 roles/mqtt/application/templates/main.conf
create mode 100644 roles/mqtt/application/templates/mosquitto.makefile
create mode 100644 roles/mqtt/user/defaults/main.yml
create mode 100644 roles/mqtt/user/meta/main.yml
create mode 100644 roles/mqtt/user/tasks/main.yml
create mode 100644 roles/mqtt/user/templates/user.acl
diff --git a/roles/mqtt/application/defaults/main.yml b/roles/mqtt/application/defaults/main.yml
new file mode 100644
index 0000000..4ac3f92
--- /dev/null
+++ b/roles/mqtt/application/defaults/main.yml
@@ -0,0 +1,17 @@
+---
+
+configuration_directory: "/etc/mosquitto"
+configuration_file: "{{ configuration_directory }}/conf.d/0_ansible_main.conf"
+
+environment_directory: "{{ global_configuration_environment_directory }}/mosquitto"
+environment_link_name: "conf"
+
+acl_file_name: "acl"
+acl_file: "{{ configuration_directory }}/{{ acl_file_name }}"
+auth_file_name: "auth"
+auth_file: "{{ configuration_directory }}/{{ auth_file_name }}"
+
+admin_username: "root"
+admin_password: "{{ lookup('password', 'credentials/' + inventory_hostname + '/mqtt/root length=80') }}"
+
+acl_directives: ""
diff --git a/roles/mqtt/application/handlers/main.yml b/roles/mqtt/application/handlers/main.yml
new file mode 100644
index 0000000..5ffdd4e
--- /dev/null
+++ b/roles/mqtt/application/handlers/main.yml
@@ -0,0 +1,19 @@
+---
+
+- name: reconfigure mosquitto acl
+ make:
+ chdir: "{{ environment_directory }}"
+ target: "{{ acl_file_name }}"
+ notify: restart mosquitto
+
+- name: reconfigure mosquitto auth
+ make:
+ chdir: "{{ environment_directory }}"
+ target: "{{ auth_file_name }}"
+ notify: restart mosquitto
+
+- name: restart mosquitto
+ systemd:
+ enabled: yes
+ name: mosquitto
+ state: restarted
diff --git a/roles/mqtt/application/meta/main.yml b/roles/mqtt/application/meta/main.yml
new file mode 100644
index 0000000..27634db
--- /dev/null
+++ b/roles/mqtt/application/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+allow_duplicates: no
+
+dependencies:
diff --git a/roles/mqtt/application/tasks/main.yml b/roles/mqtt/application/tasks/main.yml
new file mode 100644
index 0000000..32a9c16
--- /dev/null
+++ b/roles/mqtt/application/tasks/main.yml
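Review bot: The `admin_password` default materialises the broker's admin secret in plaintext on the controller — `lookup('password', 'credentials/<host>/mqtt/root …')` generates the value on first use and writes it unencrypted to that path, so the `credentials/` tree has to be excluded from version control and protected like a vault file; the defaults file should say so in a comment, e.g. `# generated once by the password lookup and stored in PLAINTEXT at credentials/<host>/mqtt/root on the controller`. The names defined here, `admin_username` and `admin_password`, do not match the `admin_user` and `admin_pass` that the tasks file in this same commit passes to `mosquitto_passwd`, so the admin entry cannot render until one spelling is chosen. None of the keys are namespaced by role (`configuration_directory`, `acl_file`, `environment_directory` …), which makes collisions with any other role that uses the same generic names likely; an `mqtt_` prefix is the usual fix.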
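Review bot: The `restart mosquitto` handler uses `state: restarted` for what is only an ACL or password-file change, which disconnects every client and drops in-flight sessions each time a user is added; mosquitto re-reads `acl_file` and `password_file` on SIGHUP, so `state: reloaded` is the less disruptive choice if the installed systemd unit defines an ExecReload — confirm that before switching. `enabled: yes` is a YAML 1.1 truthy that yamllint flags; write `enabled: true`. The two `reconfigure` handlers run `make` in `environment_directory`, so a comment on them such as `# rebuilds conf/acl or conf/auth from the per-user fragments via the templated makefile` would tell the next maintainer why a handler shells out to make.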
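Review bot: `dependencies:` is left as a bare key, which YAML parses as `null` rather than an empty list; write `dependencies: []` so the intent is explicit and the file validates under stricter loaders. `allow_duplicates: no` is a YAML 1.1 truthy and should be `allow_duplicates: false`.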
@@ -0,0 +1,50 @@
+---
+
+- name: Install required packages
+ apt:
+ state: present
+ name:
+ - mosquitto
+
+- name: Create configuration environment directory
+ file:
+ state: directory
+ path: "{{ environment_directory }}"
+ owner: root
+ group: root
+ mode: "u=rwx,g=rx,o=rx"
+
+- name: Configure makefile for environment directory
+ template:
+ src: mosquitto.makefile
+ dest: "{{ environment_directory }}/makefile"
+ owner: root
+ group: root
+ mode: "u=rw,g=r,o=r"
+
+- name: Store acl main file
+ template:
+ src: main.acl
+ dest: "{{ environment_directory }}/0_main.acl"
+ owner: root
+ group: root
+ mode: "u=rw,g=r,o=r"
+ notifiy: reconfigure mosquitto acl
+
+- name: Store auth main file
+ command: >-
+ mosquitto_passwd
+ -b
+ {{ environment_directory | quote }}/0_main.auth
+ {{ admin_user | quote }}
+ {{ admin_pass | quote }}
+ notifiy: reconfigure mosquitto auth
+
+- name: Configure mosquitto configuration
+ template:
+ src: "main.conf"
+ dest: "{{ mosquitto_configuration_directory }}/mosquitto.conf"
+ owner: "root"
+ group: "root"
+ mode: "u=rw,g=r,o=r"
+ notifiy: restart mosquitto
diff --git a/roles/mqtt/application/templates/main.acl b/roles/mqtt/application/templates/main.acl
new file mode 100644
index 0000000..523a6b6
--- /dev/null
+++ b/roles/mqtt/application/templates/main.acl
@@ -0,0 +1,4 @@
+{{ acl_directives }}
+
+user root
+topic readwrite #
diff --git a/roles/mqtt/application/templates/main.conf b/roles/mqtt/application/templates/main.conf
new file mode 100644
index 0000000..bacdd21
--- /dev/null
+++ b/roles/mqtt/application/templates/main.conf
@@ -0,0 +1,11 @@
+# Authentication
+allow_anonymous false
+acl_file TODO
+use_username_as_clientid true
+
+# Socket
+protocol mqtt
+port 8883
+
+# TLS
+require_certificate false
diff --git a/roles/mqtt/application/templates/mosquitto.makefile b/roles/mqtt/application/templates/mosquitto.makefile
new file mode 100644
index 0000000..4d2755e
--- /dev/null
+++ b/roles/mqtt/application/templates/mosquitto.makefile
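Review bot: The `Store auth main file` task hands the admin password to `mosquitto_passwd -b` as a command-line argument with no `no_log: true`, so the secret is printed in verbose play output and in the task's `cmd`/`invocation` result, and is visible in the target's process list while the command runs. The same task references `admin_user` and `admin_pass`, and the last task references `mosquitto_configuration_directory`, none of which the role's defaults define (they define `admin_username`, `admin_password` and `configuration_directory`), and the three `notifiy:` keys are not a valid task keyword, so handlers never fire even once the names are fixed. `mosquitto_passwd` without `-c` refuses to open a password file that does not exist yet, so the first run fails; since `0_main.auth` holds only the admin entry, `-c` plus `creates:` makes the task idempotent (rotating the password then means deleting the file first — worth a comment). The final task also overwrites the package's `mosquitto.conf` (which normally carries `include_dir conf.d` and the persistence/log settings) instead of dropping into `conf.d/0_ansible_main.conf` as the `configuration_file` default suggests.
```yaml
# … unchanged: package install, environment directory, makefile, 0_main.acl (with notify: instead of notifiy:) …
- name: Store auth main file
  # -c: this fragment holds only the admin entry, so (re)creating it is safe.
  # creates: skip once present; delete the file to rotate the password.
  command: >-
    mosquitto_passwd -c -b
    {{ environment_directory | quote }}/0_main.auth
    {{ admin_username | quote }}
    {{ admin_password | quote }}
  args:
    creates: "{{ environment_directory }}/0_main.auth"
  no_log: true   # the password is an argv element; keep it out of logs and results
  notify: reconfigure mosquitto auth

- name: Configure mosquitto configuration
  template:
    src: "main.conf"
    dest: "{{ configuration_file }}"
    # … unchanged: owner/group/mode …
  notify: restart mosquitto
```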
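Review bot: The admin entry hard-codes `user root` although the defaults expose the name as `admin_username`; overriding that variable would create a password entry under one name and the full-access ACL under another, leaving the real admin with no matching ACL section. Render it from the variable: `user {{ admin_username }}`. `{{ acl_directives }}` is spliced in verbatim ahead of the first `user` line, and in mosquitto's ACL format rules placed before any `user` line form the default/anonymous rule set rather than admin rules — confirm against mosquitto.conf(5) and add a header comment to the template, e.g. `# Rules above the first 'user' line are NOT scoped to root; see acl_file in mosquitto.conf(5)`.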
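Review bot: `port 8883` is the conventional MQTT-over-TLS port, but the listener configures no `certfile`/`keyfile` (nor `cafile`), so mosquitto serves plain, unencrypted MQTT on 8883 and every password generated by these roles crosses the network in cleartext; either add the TLS material or move the listener to 1883 so the port stops advertising protection it does not provide. `acl_file TODO` is a literal placeholder that mosquitto will try to open at startup, and there is no `password_file` directive at all, so the auth file the makefile assembles is never consulted and `allow_anonymous false` is not backed by any credential store — render both from the role's variables: `acl_file {{ acl_file }}` and `password_file {{ auth_file }}`. `require_certificate false` is the default and only meaningful once TLS is configured, so it can be dropped until the TLS block is real.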
@@ -0,0 +1,25 @@
+dest:={{ environment_link_name }}
+
+# acl file generation
+
+acl_files:=$(wildcard *.acl)
+acl_file_name:={{ acl_file_name }}
+acl_file:=${dest}/${acl_file_name}
+
+.PHONY: ${acl_file_name}
+${acl_file_name}: ${acl_file}
+
+${acl_file}: ${acl_files}
+ cat $^ > "$@";
+
+# auth file generation
+
+auth_files:=$(wildcard *.auth)
+auth_file_name:={{ auth_file_name }}
+auth_file:=${dest}/${auth_file_name}
+
+.PHONY: ${auth_file_name}
+${auth_file_name}: ${auth_file}
+
+${auth_file}: ${auth_files}
+ cat $^ > "$@";
diff --git a/roles/mqtt/user/defaults/main.yml b/roles/mqtt/user/defaults/main.yml
new file mode 100644
index 0000000..593387e
--- /dev/null
+++ b/roles/mqtt/user/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+
+# user:
+pass: "{{ lookup('password', 'credentials/' + inventory_hostname + '/mqtt/' + username + ' length=80') }}"
+
+read_topics: []
+write_topics: []
+readwrite_topics: []
diff --git a/roles/mqtt/user/meta/main.yml b/roles/mqtt/user/meta/main.yml
new file mode 100644
index 0000000..871c6f0
--- /dev/null
+++ b/roles/mqtt/user/meta/main.yml
@@ -0,0 +1,6 @@
+---
+
+allow_duplicates: yes
+
+dependencies:
+ - mqtt/application
diff --git a/roles/mqtt/user/tasks/main.yml b/roles/mqtt/user/tasks/main.yml
new file mode 100644
index 0000000..a33c082
--- /dev/null
+++ b/roles/mqtt/user/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+
+- name: Store acl file for user
+ template:
+ src: user.acl
+ dest: "{{ environment_directory }}/{{ user }}.acl"
+ owner: root
+ group: root
+ mode: "u=rw,g=r,o=r"
+ notify: reconfigure mosquitto acl
+
+- name: Store auth file for user
+ command: >-
+ mosquitto_passwd
+ -b
+ {{ environment_directory | quote }}/{{ user | quote }}.auth
+ {{ user | quote }}
+ {{ pass | quote }}
+ notifiy: reconfigure mosquitto auth
diff --git a/roles/mqtt/user/templates/user.acl b/roles/mqtt/user/templates/user.acl
new file mode 100644
index 0000000..c3f08eb
--- /dev/null
+++ b/roles/mqtt/user/templates/user.acl
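Review bot: The `${auth_file}` recipe writes every user's password hash with `cat $^ > "$@"`, which creates the output under the invoking umask — typically world-readable — and nothing in this commit creates `${dest}` (the `conf` link named by `environment_link_name` is not set up by any task in the patch) or restricts its permissions, so the recipe either fails on a missing directory or leaves hashes readable by every local account. Write the file with a restricted mask and atomically, e.g. `umask 077; cat $^ > "$@.tmp" && mv "$@.tmp" "$@"`, then grant the broker's service account read access through group ownership (mosquitto usually runs as its own unprivileged user — confirm the package's unit). A short header comment, `# Concatenates *.acl / *.auth fragments (alphabetical, so 0_main.* comes first) into ${dest}/acl and ${dest}/auth`, would document the ordering the `0_` prefix relies on; the recipe lines also need a leading tab, which the rendered diff cannot show.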
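Review bot: `pass` is built from `username`, but the tasks file in this commit names the variable `user` (`{{ user }}.acl`, `{{ user | quote }}`), so the lookup raises an undefined-variable error the first time a user is configured; the commented-out `# user:` line suggests `user` was intended, so change the lookup to `'/mqtt/' + user + ' length=80'` and keep `# user:` as the note that the variable is required. As in the application role, the lookup stores the generated secret in plaintext under `credentials/<host>/mqtt/<user>` on the controller, which deserves a comment: `# generated once by the password lookup and kept in PLAINTEXT at credentials/<host>/mqtt/<user>`.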
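Review bot: The `Store auth file for user` task repeats the application role's three problems: `notifiy:` is not a task keyword so the auth handler never fires, the user's password is passed on the `mosquitto_passwd -b` command line without `no_log: true`, and without `-c` mosquitto_passwd refuses to open a not-yet-existing password file, so the first run for each user fails. Since each `<user>.auth` fragment holds exactly one entry, `-c` plus `creates:` is correct and idempotent. The ACL template's `dest` interpolates `{{ user }}` straight into a path under the environment directory; the value is playbook-supplied so this is not an injection vector, but an up-front `assert` that it matches `^[A-Za-z0-9_.-]+$` keeps a stray `/` or `..` from ever reaching `/etc/mosquitto`.
```yaml
- name: Validate mqtt user name
  # user becomes a file name and a mosquitto identity; keep it to a safe charset
  assert:
    that:
      - user is defined
      - user is match("^[A-Za-z0-9_.-]+$")

# … unchanged: Store acl file for user …

- name: Store auth file for user
  # -c: one user per fragment, so creating it fresh is always correct
  command: >-
    mosquitto_passwd -c -b
    {{ environment_directory | quote }}/{{ user | quote }}.auth
    {{ user | quote }}
    {{ pass | quote }}
  args:
    creates: "{{ environment_directory }}/{{ user }}.auth"
  no_log: true   # password is an argv element; keep it out of logs and results
  notify: reconfigure mosquitto auth
```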
@@ -0,0 +1,13 @@
+user {{ user }}
+
+{% for topic in read_topics %}
+topic read {{ topic }}
+{% endfor %}
+
+{% for topic in write_topics %}
+topic write {{ topic }}
+{% endfor %}
+
+{% for topic in readwrite_topics %}
+topic readwrite {{ topic }}
+{% endfor %}
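Review bot: The topic loops render `{{ topic }}` unvalidated, so an empty string or a value with embedded whitespace produces a malformed `topic read` line in the concatenated ACL file that mosquitto rejects when it loads the file, taking the whole broker down rather than just this user. A guard inside each loop, `{% if not topic or ' ' in topic %}{{ undefined_topic_error }}{% endif %}` (any undefined name aborts the render), fails the play at template time instead. A header comment should also state the contract the makefile depends on: `{# must start with the 'user' line: fragments are concatenated after 0_main.acl, so everything below belongs to this user #}`.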