bundles/mosquitto: introduce, add to node home.nas

This commit is contained in:
Franzi 2021-04-03 09:36:47 +02:00
parent f8bbe00d47
commit 9cbf866de7
Signed by: kunsi
GPG key ID: 12E3D2136B818350
4 changed files with 119 additions and 9 deletions


@ -0,0 +1,39 @@
per_listener_settings true
allow_zero_length_clientid true
autosave_interval 5
autosave_on_changes true
log_dest syslog
log_timestamp false
persistence true
persistence_location /var/lib/mosquitto/
pid_file /run/mosquitto/mosquitto.pid
set_tcp_nodelay ${str(node.metadata.get('mosquitto/tcp_nodelay', True)).lower()}
% for port, config in sorted(node.metadata.get('mosquitto/listeners', {}).items()):
listener ${port}
max_connections ${config.get('max_connections', -1)}
protocol ${config.get('protocol', 'mqtt')}
allow_anonymous ${str(config.get('allow_anonymous', True)).lower()}
% endfor
% for bridge, config in sorted(node.metadata.get('mosquitto/bridges', {}).items()):
connection ${bridge}
address ${config['peer']}
bridge_attempt_unsubscribe true
cleansession ${str(config.get('cleansession', True)).lower()}
notifications true
notifications_local_only true
remote_clientid ${config.get('client_id', node.name)}
% if 'auth' in config:
remote_password ${config['auth']['password']}
remote_username ${config['auth']['username']}
% endif
start_type automatic
% for topic in config['topics']:
topic ${topic['pattern']} ${topic.get('direction', 'in')} ${topic.get('qos', 0)} /${topic.get('local_prefix', bridge)}/ ${topic.get('remote_prefix', '')}
% endfor
try_private ${str(config.get('try_private', True)).lower()}
% endfor
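Review bot: `allow_anonymous ${str(config.get('allow_anonymous', True)).lower()}` makes every listener accept unauthenticated clients unless a node explicitly opts out, and the bundle's default listener `1883` in metadata.py carries no such key, so a node that merely enables the bundle gets an anonymous broker whose only protection is the firewall rule. Defaulting the lookup to `False` (`allow_anonymous ${str(config.get('allow_anonymous', False)).lower()}`) and opting in per listener would fail closed. Separately, the `topic` line always emits a remote prefix and defaults it to `''`; as I read the mosquitto.conf documentation an intentionally empty prefix has to be written as `""`, so a topic without `remote_prefix` may render a dangling local prefix that the broker rejects or misparses — worth checking against a listener-only config. The file is new, so the whole template is visible here.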


@ -0,0 +1,17 @@
files = {
'/etc/mosquitto/mosquitto.conf': {
'content_type': 'mako',
'triggers': {
'svc_systemd:mosquitto:restart',
},
},
}
svc_systemd = {
'mosquitto': {
'needs': {
'file:/etc/mosquitto/mosquitto.conf',
'pkg_apt:mosquitto',
},
},
}
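Review bot: The `files` item for `/etc/mosquitto/mosquitto.conf` sets no `mode`, `owner` or `group`, yet the template it renders writes the bridge `remote_password` into that file, so with bundlewrap's default permissions (world-readable, if I remember right) every local account on the node can read the c3voc credentials. Restricting it to root and the broker's service account, e.g. `'owner': 'root', 'group': 'mosquitto', 'mode': '0640',` (verify the group the Debian package runs the broker under), keeps the secret readable by the daemon only. Also consider triggering `svc_systemd:mosquitto:reload` instead of `restart`, if the unit supports it, since a restart drops every connected client on each config change.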


@ -0,0 +1,33 @@
from bundlewrap.metadata import atomic
defaults = {
'apt': {
'packages': {
'mosquitto': {},
'mosquitto-clients': {},
},
},
'mosquitto': {
'listeners': {
'1883': {},
},
},
}
@metadata_reactor.provides(
'iptables/port_rules',
)
def iptables(metadata):
sources = metadata.get('mosquitto/restrict-to', {'*'})
result = {}
for listener in metadata.get('mosquitto/listeners').keys():
result[listener] = atomic(sources)
return {
'iptables': {
'port_rules': result,
},
}
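Review bot: `sources = metadata.get('mosquitto/restrict-to', {'*'})` defaults to opening every mosquitto listener to any source address, and the bundle's template defaults `allow_anonymous` to true per listener, so a node that enables the bundle without setting `restrict-to` ends up with an anonymous broker reachable from anywhere the host is. Fail-closed would be to drop the `'*'` default and make `restrict-to` mandatory, or at least to document the exposure at the lookup: `# no restrict-to => every listener is opened to the world (and is anonymous by template default)`. On style, the loop building `result` is a dict comprehension: `result = {listener: atomic(sources) for listener in metadata.get('mosquitto/listeners')}`; whether `atomic()` copies `sources` or wraps the same set object for every port is worth confirming, since one shared set feeds all rules.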


@ -4,6 +4,7 @@ nodes['home.nas'] = {
'hostname': '172.19.138.20',
'bundles': {
'backup-server',
'mosquitto',
'netdata',
'nfs-server',
'smartd',
@ -50,13 +51,9 @@ nodes['home.nas'] = {
'nas': {},
},
'iptables': {
'custom_rules': [
# Dell ULNM
'iptables -A INPUT -p tcp --dport 4679 -j ACCEPT',
],
'port_rules': {
'1883': { # mosquitto
'172.19.136.0/25', # wireguard clients, because remote access
'4679': { # Dell ULNM
'172.19.136.0/25',
'172.19.138.0/24',
},
'5060': { # yate SIP
@ -67,9 +64,6 @@ nodes['home.nas'] = {
'home.snom-wohnzimmer',
'home.bubble01',
},
'8083': { # mosquitto Websocket
'172.19.138.0/24',
},
# yate RTP uses some random UDP port. We cannot firewall
# it, because for incoming calls the other side decides
# which port to use. That's why we simply allow all UDP
@ -82,6 +76,33 @@ nodes['home.nas'] = {
},
},
},
'mosquitto': {
'bridges': {
'c3voc': {
'peer': 'mqtt.c3voc.de',
'client_id': 'kunsi-home',
'auth': {
'username': vault.decrypt('encrypt$gAAAAABgaBa5UZyZlsMM9TV5pa-VyOieFWYzAslxWVnXjOeXHvF4kMHHSHSMOrv-U9k7Ec3mMCDuJFO3ybpOsZSeFQDL7GgEfw=='),
'password': vault.decrypt('encrypt$gAAAAABgaBbfm65cYBuod0UehWNmY0NfeUH9xsrP2kENYNF_LWP2iV5a8db_cqMoITwyjjBsHpvjaeDq07Z5K5nQ_BLZG6zPqapL-Qvp20wyck49Dy2R4V4='),
},
'topics': [
{
'pattern': '#',
'remote_prefix': '/voc/',
},
],
},
},
'listeners': {
'8083': {
'protocol': 'websockets',
},
},
'restrict-to': {
'172.19.136.0/25',
'172.19.138.0/24',
},
},
'nfs-server': {
'shares': {
'/storage/nas': {
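Review bot: Moving the two mosquitto ports into `mosquitto/restrict-to` widens the firewall compared with the rules this commit removes: the old `1883` rule admitted only `172.19.136.0/25` (wireguard clients) and the old `8083` rule only `172.19.138.0/24`, while the new `restrict-to` set grants both subnets to both listeners, and since `restrict-to` is per bundle there is no per-listener split any more. If the previous separation was deliberate, `restrict-to` needs to become per-listener (keyed like `listeners`) or the tighter sets need to be restated. Both listeners also keep the template's `allow_anonymous` default of true — neither `'8083'` nor the inherited `'1883'` sets `'allow_anonymous': False` — so anything on those subnets can publish and subscribe without credentials; if that is intended, a short comment saying so would help the next reader. The removed lines are partly collapsed on this page, so the old per-port sources are read from what is visible.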