bundles/mosquitto: introduce, add to node home.nas

bundles/mosquitto/files/mosquitto.conf

@@ -0,0 +1,39 @@
+per_listener_settings true
+
+allow_zero_length_clientid true
+autosave_interval 5
+autosave_on_changes true
+log_dest syslog
+log_timestamp false
+persistence true
+persistence_location /var/lib/mosquitto/
+pid_file /run/mosquitto/mosquitto.pid
+set_tcp_nodelay ${str(node.metadata.get('mosquitto/tcp_nodelay', True)).lower()}
+
+% for port, config in sorted(node.metadata.get('mosquitto/listeners', {}).items()):
+listener ${port}
+    max_connections ${config.get('max_connections', -1)}
+    protocol ${config.get('protocol', 'mqtt')}
+    allow_anonymous ${str(config.get('allow_anonymous', True)).lower()}
+
+% endfor
+
+% for bridge, config in sorted(node.metadata.get('mosquitto/bridges', {}).items()):
+connection ${bridge}
+    address ${config['peer']}
+    bridge_attempt_unsubscribe true
+    cleansession ${str(config.get('cleansession', True)).lower()}
+    notifications true
+    notifications_local_only true
+    remote_clientid ${config.get('client_id', node.name)}
+% if 'auth' in config:
+    remote_password ${config['auth']['password']}
+    remote_username ${config['auth']['username']}
+% endif
+    start_type automatic
+% for topic in config['topics']:
+    topic ${topic['pattern']} ${topic.get('direction', 'in')} ${topic.get('qos', 0)} /${topic.get('local_prefix', bridge)}/ ${topic.get('remote_prefix', '')}
+% endfor
+    try_private ${str(config.get('try_private', True)).lower()}
+
+% endfor

bundles/mosquitto/items.py

@@ -0,0 +1,17 @@
+files = {
+    '/etc/mosquitto/mosquitto.conf': {
+        'content_type': 'mako',
+        'triggers': {
+            'svc_systemd:mosquitto:restart',
+        },
+    },
+}
+
+svc_systemd = {
+    'mosquitto': {
+        'needs': {
+            'file:/etc/mosquitto/mosquitto.conf',
+            'pkg_apt:mosquitto',
+        },
+    },
+}

bundles/mosquitto/metadata.py

@@ -0,0 +1,33 @@
+from bundlewrap.metadata import atomic
+
+
+defaults = {
+    'apt': {
+        'packages': {
+            'mosquitto': {},
+            'mosquitto-clients': {},
+        },
+    },
+    'mosquitto': {
+        'listeners': {
+            '1883': {},
+        },
+    },
+}
+
+
+@metadata_reactor.provides(
+    'iptables/port_rules',
+)
+def iptables(metadata):
+    sources = metadata.get('mosquitto/restrict-to', {'*'})
+    result = {}
+
+    for listener in metadata.get('mosquitto/listeners').keys():
+        result[listener] = atomic(sources)
+
+    return {
+        'iptables': {
+            'port_rules': result,
+        },
+    }

nodes/home/nas.py

@@ -4,6 +4,7 @@ nodes['home.nas'] = {
     'hostname': '172.19.138.20',
     'bundles': {
         'backup-server',
+        'mosquitto',
         'netdata',
         'nfs-server',
         'smartd',
@@ -50,13 +51,9 @@ nodes['home.nas'] = {
             'nas': {},
         },
         'iptables': {
-            'custom_rules': [
-                # Dell ULNM
-                'iptables -A INPUT -p tcp --dport 4679 -j ACCEPT',
-            ],
             'port_rules': {
-                '1883': { # mosquitto
+                '4679': { # Dell ULNM
-                    '172.19.136.0/25', # wireguard clients, because remote access
+                    '172.19.136.0/25',
                     '172.19.138.0/24',
                 },
                 '5060': { # yate SIP
@@ -67,9 +64,6 @@ nodes['home.nas'] = {
                     'home.snom-wohnzimmer',
                     'home.bubble01',
                 },
-                '8083': { # mosquitto Websocket
-                    '172.19.138.0/24',
-                },
                 # yate RTP uses some random UDP port. We cannot firewall
                 # it, because for incoming calls the other side decides
                 # which port to use. That's why we simply allow all UDP
@@ -82,6 +76,33 @@ nodes['home.nas'] = {
                 },
             },
         },
+        'mosquitto': {
+            'bridges': {
+                'c3voc': {
+                    'peer': 'mqtt.c3voc.de',
+                    'client_id': 'kunsi-home',
+                    'auth': {
+                        'username': vault.decrypt('encrypt$gAAAAABgaBa5UZyZlsMM9TV5pa-VyOieFWYzAslxWVnXjOeXHvF4kMHHSHSMOrv-U9k7Ec3mMCDuJFO3ybpOsZSeFQDL7GgEfw=='),
+                        'password': vault.decrypt('encrypt$gAAAAABgaBbfm65cYBuod0UehWNmY0NfeUH9xsrP2kENYNF_LWP2iV5a8db_cqMoITwyjjBsHpvjaeDq07Z5K5nQ_BLZG6zPqapL-Qvp20wyck49Dy2R4V4='),
+                    },
+                    'topics': [
+                        {
+                            'pattern': '#',
+                            'remote_prefix': '/voc/',
+                        },
+                    ],
+                },
+            },
+            'listeners': {
+                '8083': {
+                    'protocol': 'websockets',
+                },
+            },
+            'restrict-to': {
+                '172.19.136.0/25',
+                '172.19.138.0/24',
+            },
+        },
         'nfs-server': {
             'shares': {
                 '/storage/nas': {