Add password and TLS configuration for mosquitto

roles/mosquitto/defaults/main.yml

@@ -0,0 +1,7 @@
+---
+mosquitto_user: admin
+mosquitto_password: use the password, Luke!
+
+mosquitto_certfile: ""
+mosquitto_keyfile: ""
+mosquitto_cafile: ""

roles/mosquitto/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: systemctl restart mosquitto
+  systemd:
+    name: mosquitto
+    state: restarted
+  become: true

roles/mosquitto/tasks/main.yml

@@ -4,9 +4,32 @@
     name:
       - mosquitto
       - mosquitto-clients
+      - python3-pexpect
     update_cache: true
     cache_valid_time: 3600
 
+- name: create /etc/mosquitto/passwd with user "{{ mosquitto_user }}"
+  expect:
+    command: mosquitto_passwd -c /etc/mosquitto/passwd {{ mosquitto_user }}
+    responses:
+      (?i)password: "{{ mosquitto_password }}"
+
+- name: ensure /etc/mosquitto/passwd has restrictive persmissions
+  file:
+    path: /etc/mosquitto/passwd
+    owner: root
+    group: root
+    mode: 0640
+
+- name: set mosquitto config file
+  template:
+    src: etc/mosquitto/conf.d/default.conf.j2
+    dest: /etc/mosquitto/conf.d/default.conf
+    owner: root
+    group: root
+    mode: 0640
+  notify: systemctl restart mosquitto
+
 - name: ensure mosquitto is running
   systemd:
     state: started

roles/mosquitto/templates/etc/mosquitto/conf.d/default.conf.j2

@@ -0,0 +1,11 @@
+allow_anonymous false
+password_file /etc/mosquitto/passwd
+
+listener 1883
+
+{% if mosquitto_certfile and mosquitto_keyfile and mosquitto_cafile %}
+listener 8883
+certfile {{ mosquitto_certfile }}
+keyfile {{ mosquitto_keyfile }}
+cafile {{ mosquitto_cafile }}
+{% endif %}