Add support for configuring tls ports

This commit adds support for enabling tls encrypted port listeners. If enable_tls is set you can specify the cert files necessary and mosquitto will be configured to setup additional ports that are encryped in addition to the unencrypted ports. Change-Id: I7c77285e347d8c1b2c3318360258246b78f885a8
2016-07-27 15:57:06 -04:00 · 2016-07-27 15:57:06 -04:00 · 23e5990b74
parent 695d94cc3c
commit 23e5990b74
2 changed files with 60 additions and 0 deletions
--- a/manifests/server.pp
+++ b/manifests/server.pp
@ -21,6 +21,11 @@ class mosquitto::server (
  $infra_service_username = 'infra',
  $infra_service_password,
  $websocket_port = 80,
+  $enable_tls = false,
+  $websocket_tls_port = 8080,
+  $ca_file = undef,
+  $cert_file = undef,
+  $key_file = undef,
 ) {

  file {'/etc/mosquitto/infra_service.pw':
@ -46,6 +51,41 @@ class mosquitto::server (
    content => template('mosquitto/mosquitto.acl.erb'),
    require => Exec['passwd_file'],
  }
+  if $ca_file != undef {
+    file { '/etc/mosquitto/ca.crt':
+      ensure  => present,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0600',
+      content => $ca_file,
+      require => Package['mosquitto'],
+      before  => File['/etc/mosquitto/mosquitto.conf'],
+    }
+  }
+
+  if $cert_file != undef {
+    file { '/etc/mosquitto/server.crt':
+      ensure  => present,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0600',
+      content => $cert_file,
+      require => Package['mosquitto'],
+      before  => File['/etc/mosquitto/mosquitto.conf'],
+    }
+  }
+
+  if $key_file != undef {
+    file { '/etc/mosquitto/server.key':
+      ensure  => present,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0600',
+      content => $key_file,
+      require => Package['mosquitto'],
+      before  => File['/etc/mosquitto/mosquitto.conf'],
+    }
+  }

  file {'/etc/mosquitto/mosquitto.conf':
    ensure  => present,
--- a/templates/mosquitto.conf.erb
+++ b/templates/mosquitto.conf.erb
@ -276,11 +276,31 @@ pid_file <%= @pid_file %>
 # listener port-number [ip address/host name]
 #

+# Default MQTT Port
 listener 1883

+# Default Encrypted MQTT Port
+<% if @enable_tls -%>
+listener 8883
+cafile /etc/mosquitto/ca.crt
+certfile /etc/mosquitto/server.crt
+keyfile /etc/mosquitto/server.key
+require_certificate false
+<% end -%>
+
+# Unencrypted http websocket port
 listener <%= @websocket_port %>
 protocol websockets

+# Encrypted http websocket port
+<% if @enable_tls -%>
+listener <%= @webocket_tls_port %>
+cafile /etc/mosquitto/ca.crt
+certfile /etc/mosquitto/server.crt
+keyfile /etc/mosquitto/server.key
+require_certificate false
+<% end -%>
+
 # The maximum number of client connections to allow. This is
 # a per listener setting.
 # Default is -1, which means unlimited connections.