mosquitto password file

2021-11-02 23:22:24 +01:00 · 2021-11-02 23:22:24 +01:00 · cf4bf15db0
commit cf4bf15db0
parent 753954ebaf
4 changed files with 80 additions and 0 deletions
--- a/bundles/mosquitto/files/managed.conf
+++ b/bundles/mosquitto/files/managed.conf
@ -1,16 +1,23 @@
 per_listener_settings true

 listener 1883
+password_file /etc/mosquitto/password_file

 listener 8883
 dhparamfile /etc/mosquitto/dhparam.pem
 certfile /etc/mosquitto/certs/cert.pem
 cafile /etc/mosquitto/certs/chain.pem
 keyfile /etc/mosquitto/certs/privkey.pem
+password_file /etc/mosquitto/password_file

 listener 8083
 protocol websockets
+password_file /etc/mosquitto/password_file
+
+listener 8084
+protocol websockets
 dhparamfile /etc/mosquitto/dhparam.pem
 certfile /etc/mosquitto/certs/cert.pem
 cafile /etc/mosquitto/certs/chain.pem
 keyfile /etc/mosquitto/certs/privkey.pem
+password_file /etc/mosquitto/password_file
--- a/bundles/mosquitto/items.py
+++ b/bundles/mosquitto/items.py
@ -21,6 +21,20 @@ files = {
            'svc_systemd:mosquitto:restart'
        ],
    },
+    '/etc/mosquitto/password_file': {
+        'content': '\n'.join(
+            conf['password_file'] for conf in node.metadata.get('mosquitto/users').values()
+        ) + '\n',
+        'needs': [
+            'pkg_apt:mosquitto',
+        ],
+        'needed_by': [
+            'svc_systemd:mosquitto'
+        ],
+        'triggers': [
+            'svc_systemd:mosquitto:restart'
+        ],
+    },
 }

 svc_systemd = {
--- a/bundles/mosquitto/metadata.py
+++ b/bundles/mosquitto/metadata.py
@ -1,12 +1,68 @@
+from hashlib import pbkdf2_hmac
+from base64 import b64encode, b64decode
+
 defaults = {
    'apt': {
        'packages': {
            'mosquitto': {},
        },
    },
+    'mosquitto': {
+        'users': {},
+    },
 }


+def password_file_entry(username, password, salt):
+    hash = pbkdf2_hmac('sha512', password.encode(), b64decode(salt), 101)
+    return f"{username}:$7$101${salt}${b64encode(hash).decode()}"
+
+
+@metadata_reactor.provides(
+    'mosquitto/users'
+)
+def passwords_and_salts(metadata):
+    return  {
+        'mosquitto': {
+            'users': {
+                username: {
+                    'password': str(
+                        repo.vault.random_bytes_as_base64_for(
+                            f"{metadata.get('id')} mosquitto {username}",
+                            key='encrypt',
+                            length=24,
+                        )
+                    ),
+                    'salt': str(
+                        repo.vault.random_bytes_as_base64_for(
+                            f"{metadata.get('id')} mosquitto {username}",
+                            key='generate',
+                            length=12,
+                        )
+                    )
+                }
+                    for username in metadata.get('mosquitto/users')
+            },
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'mosquitto/users'
+)
+def password_file(metadata):
+    return  {
+        'mosquitto': {
+            'users': {
+                username: {
+                    'password_file': password_file_entry(username, conf['password'], conf['salt']),
+                }
+                    for username, conf in metadata.get('mosquitto/users').items()
+            },
+        },
+    }
+
+
@metadata_reactor.provides(
    'systemd-mount'
 )
--- a/nodes/home.server.py
+++ b/nodes/home.server.py
@ -54,6 +54,9 @@
        },
        'mosquitto': {
            'hostname': 'mqtt.sublimity.de',
+            'users': {
+                'openhab': {},
+            },
        },
        'nextcloud': {
            'hostname': 'cloud.sublimity.de',