From cf4bf15db0f2eac4a8e689a57fffd122aad9221f Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Tue, 2 Nov 2021 23:22:24 +0100
Subject: [PATCH] mosquitto password file
---
 bundles/mosquitto/files/managed.conf | 7 ++++
 bundles/mosquitto/items.py | 14 +++++++
 bundles/mosquitto/metadata.py | 56 ++++++++++++++++++++++++++++
 nodes/home.server.py | 3 ++
 4 files changed, 80 insertions(+)
diff --git a/bundles/mosquitto/files/managed.conf b/bundles/mosquitto/files/managed.conf
index 7b89d07..f0319c0 100644
--- a/bundles/mosquitto/files/managed.conf
+++ b/bundles/mosquitto/files/managed.conf
@@ -1,16 +1,23 @@
 per_listener_settings true
 listener 1883
+password_file /etc/mosquitto/password_file
 listener 8883
 dhparamfile /etc/mosquitto/dhparam.pem
 certfile /etc/mosquitto/certs/cert.pem
 cafile /etc/mosquitto/certs/chain.pem
 keyfile /etc/mosquitto/certs/privkey.pem
+password_file /etc/mosquitto/password_file
 listener 8083
 protocol websockets
+password_file /etc/mosquitto/password_file
+
+listener 8084
+protocol websockets
 dhparamfile /etc/mosquitto/dhparam.pem
 certfile /etc/mosquitto/certs/cert.pem
 cafile /etc/mosquitto/certs/chain.pem
 keyfile /etc/mosquitto/certs/privkey.pem
+password_file /etc/mosquitto/password_file
diff --git a/bundles/mosquitto/items.py b/bundles/mosquitto/items.py
index 31800fd..2829162 100644
--- a/bundles/mosquitto/items.py
+++ b/bundles/mosquitto/items.py
@@ -21,6 +21,20 @@ files = {
 'svc_systemd:mosquitto:restart'
 ],
 },
+ '/etc/mosquitto/password_file': {
+ 'content': '\n'.join(
+ conf['password_file'] for conf in node.metadata.get('mosquitto/users').values()
+ ) + '\n',
+ 'needs': [
+ 'pkg_apt:mosquitto',
+ ],
+ 'needed_by': [
+ 'svc_systemd:mosquitto'
+ ],
+ 'triggers': [
+ 'svc_systemd:mosquitto:restart'
+ ],
+ },
 }
 svc_systemd = {
diff --git a/bundles/mosquitto/metadata.py b/bundles/mosquitto/metadata.py
index 0a25592..98b80a2 100644
--- a/bundles/mosquitto/metadata.py
+++ b/bundles/mosquitto/metadata.py
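Review bot: Adding `password_file` to each listener does not by itself make authentication mandatory, because no listener sets `allow_anonymous`; with `per_listener_settings true` that option is per listener, and on Mosquitto 1.x it defaults to true, so anonymous clients would still be accepted (2.0 changed the default to false). Put `allow_anonymous false` directly after each `password_file` line so the behaviour does not depend on the broker version. Separately, listeners 1883 and, after this change, 8083 carry no TLS (the `dhparamfile`/`certfile`/`cafile`/`keyfile` context lines now belong to the new `listener 8084` block), so clients authenticating on those ports send their password in cleartext; if they are meant for local clients only, bind them to a local interface or drop them.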
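Review bot: The new `/etc/mosquitto/password_file` item sets no `mode`, `owner` or `group`, so the file is created with bundlewrap's default permissions (world-readable unless the repo overrides them) and every local account can read the user names and PBKDF2 hashes. Add `'mode': '0640',` together with `'owner': 'root',` and `'group': 'mosquitto',` so only root and the broker process can read it; this assumes the Debian package runs the broker as the `mosquitto` user, which should be confirmed. The `files` dict opens before this hunk.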
@@ -1,12 +1,68 @@
+from hashlib import pbkdf2_hmac
+from base64 import b64encode, b64decode
+
 defaults = {
 'apt': {
 'packages': {
 'mosquitto': {},
 },
 },
+ 'mosquitto': {
+ 'users': {},
+ },
 }
+def password_file_entry(username, password, salt):
+ hash = pbkdf2_hmac('sha512', password.encode(), b64decode(salt), 101)
+ return f"{username}:$7$101${salt}${b64encode(hash).decode()}"
+
+
+@metadata_reactor.provides(
+ 'mosquitto/users'
+)
+def passwords_and_salts(metadata):
+ return {
+ 'mosquitto': {
+ 'users': {
+ username: {
+ 'password': str(
+ repo.vault.random_bytes_as_base64_for(
+ f"{metadata.get('id')} mosquitto {username}",
+ key='encrypt',
+ length=24,
+ )
+ ),
+ 'salt': str(
+ repo.vault.random_bytes_as_base64_for(
+ f"{metadata.get('id')} mosquitto {username}",
+ key='generate',
+ length=12,
+ )
+ )
+ }
+ for username in metadata.get('mosquitto/users')
+ },
+ },
+ }
+
+
+@metadata_reactor.provides(
+ 'mosquitto/users'
+)
+def password_file(metadata):
+ return {
+ 'mosquitto': {
+ 'users': {
+ username: {
+ 'password_file': password_file_entry(username, conf['password'], conf['salt']),
+ }
+ for username, conf in metadata.get('mosquitto/users').items()
+ },
+ },
+ }
+
+
 @metadata_reactor.provides(
 'systemd-mount'
 )
diff --git a/nodes/home.server.py b/nodes/home.server.py
index 35257c9..f67598e 100644
--- a/nodes/home.server.py
+++ b/nodes/home.server.py
@@ -54,6 +54,9 @@
 },
 'mosquitto': {
 'hostname': 'mqtt.sublimity.de',
+ 'users': {
+ 'openhab': {},
+ },
 },
 'nextcloud': {
 'hostname': 'cloud.sublimity.de',
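Review bot: `password_file_entry` hardcodes the PBKDF2 iteration count twice, as the `101` passed to `pbkdf2_hmac` and again inside the `$7$101$` prefix of the returned entry, so changing one without the other would make every stored hash silently fail verification. Hoist it into one module constant, `PBKDF2_ITERATIONS = 101`, use it in the call and as `f"{username}:$7${PBKDF2_ITERATIONS}${salt}${b64encode(digest).decode()}"`, and rename the local `hash` (which shadows the builtin) to `digest`. The `str(...)` around the vault faults in `passwords_and_salts` resolves the plaintext password into node metadata, where anything reading `mosquitto/users` (e.g. `bw metadata`) can see it; that is needed to derive the hash here, but deserves a comment like `# resolved to plaintext on purpose: needed to compute the PBKDF2 entry`. 101 iterations appears to mirror the mosquitto_passwd default and is low by current standards; with 24 random bytes of password entropy that is tolerable, and the constant makes raising it a one-line change.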