mosquitto password file

bundles/mosquitto/files/managed.conf

@@ -1,16 +1,23 @@
 per_listener_settings true
 
 listener 1883
+password_file /etc/mosquitto/password_file
 
 listener 8883
 dhparamfile /etc/mosquitto/dhparam.pem
 certfile /etc/mosquitto/certs/cert.pem
 cafile /etc/mosquitto/certs/chain.pem
 keyfile /etc/mosquitto/certs/privkey.pem
+password_file /etc/mosquitto/password_file
 
 listener 8083
 protocol websockets
+password_file /etc/mosquitto/password_file
+
+listener 8084
+protocol websockets
 dhparamfile /etc/mosquitto/dhparam.pem
 certfile /etc/mosquitto/certs/cert.pem
 cafile /etc/mosquitto/certs/chain.pem
 keyfile /etc/mosquitto/certs/privkey.pem
+password_file /etc/mosquitto/password_file

bundles/mosquitto/items.py

@@ -21,6 +21,20 @@ files = {
             'svc_systemd:mosquitto:restart'
         ],
     },
+    '/etc/mosquitto/password_file': {
+        'content': '\n'.join(
+            conf['password_file'] for conf in node.metadata.get('mosquitto/users').values()
+        ) + '\n',
+        'needs': [
+            'pkg_apt:mosquitto',
+        ],
+        'needed_by': [
+            'svc_systemd:mosquitto'
+        ],
+        'triggers': [
+            'svc_systemd:mosquitto:restart'
+        ],
+    },
 }
 
 svc_systemd = {

bundles/mosquitto/metadata.py

@@ -1,12 +1,68 @@
+from hashlib import pbkdf2_hmac
+from base64 import b64encode, b64decode
+
 defaults = {
     'apt': {
         'packages': {
             'mosquitto': {},
         },
     },
+    'mosquitto': {
+        'users': {},
+    },
 }
 
 
+def password_file_entry(username, password, salt):
+    hash = pbkdf2_hmac('sha512', password.encode(), b64decode(salt), 101)
+    return f"{username}:$7$101${salt}${b64encode(hash).decode()}"
+
+
+@metadata_reactor.provides(
+    'mosquitto/users'
+)
+def passwords_and_salts(metadata):
+    return  {
+        'mosquitto': {
+            'users': {
+                username: {
+                    'password': str(
+                        repo.vault.random_bytes_as_base64_for(
+                            f"{metadata.get('id')} mosquitto {username}",
+                            key='encrypt',
+                            length=24,
+                        )
+                    ),
+                    'salt': str(
+                        repo.vault.random_bytes_as_base64_for(
+                            f"{metadata.get('id')} mosquitto {username}",
+                            key='generate',
+                            length=12,
+                        )
+                    )
+                }
+                    for username in metadata.get('mosquitto/users')
+            },
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'mosquitto/users'
+)
+def password_file(metadata):
+    return  {
+        'mosquitto': {
+            'users': {
+                username: {
+                    'password_file': password_file_entry(username, conf['password'], conf['salt']),
+                }
+                    for username, conf in metadata.get('mosquitto/users').items()
+            },
+        },
+    }
+
+
 @metadata_reactor.provides(
     'systemd-mount'
 )

nodes/home.server.py

@@ -54,6 +54,9 @@
         },
         'mosquitto': {
             'hostname': 'mqtt.sublimity.de',
+            'users': {
+                'openhab': {},
+            },
         },
         'nextcloud': {
             'hostname': 'cloud.sublimity.de',