from hashlib import pbkdf2_hmac
from base64 import b64encode, b64decode
defaults = {
'apt': {
'packages': {
'mosquitto': {},
},
},
'mosquitto': {
'users': {},
},
}
def password_file_entry(username, password, salt):
hash = pbkdf2_hmac('sha512', password.encode(), b64decode(salt), 101)
return f"{username}:$7$101${salt}${b64encode(hash).decode()}"
@metadata_reactor.provides(
'mosquitto/users'
)
def passwords_and_salts(metadata):
return {
'mosquitto': {
'users': {
username: {
'password': str(
repo.vault.random_bytes_as_base64_for(
f"{metadata.get('id')} mosquitto {username}",
key='encrypt',
length=24,
)
),
'salt': str(
repo.vault.random_bytes_as_base64_for(
f"{metadata.get('id')} mosquitto {username}",
key='generate',
length=12,
)
)
}
for username in metadata.get('mosquitto/users')
},
},
}
@metadata_reactor.provides(
'mosquitto/users'
)
def password_file(metadata):
return {
'mosquitto': {
'users': {
username: {
'password_file': password_file_entry(username, conf['password'], conf['salt']),
}
for username, conf in metadata.get('mosquitto/users').items()
},
},
}
@metadata_reactor.provides(
'systemd-mount'
)
def mount_certs(metadata):
return {
'systemd-mount': {
'/etc/mosquitto/certs': {
'source': '/var/lib/dehydrated/certs/' + metadata.get('mosquitto/hostname'),
'user': 'mosquitto',
},
},
}
@metadata_reactor.provides(
'letsencrypt/domains'
)
def letsencrypt(metadata):
return {
'letsencrypt': {
'domains': {
metadata.get('mosquitto/hostname'): {},
},
},
}