Misc

AlmaLinux · Nov 4, 2024 · 73e128f · 73e128f
1 parent bc2a1cf
commit 73e128f
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 4 deletions.
diff --git a/group_vars/mqtt_servers.yml b/group_vars/mqtt_servers.yml
@@ -1,5 +1,22 @@
 ---
-firewalld_extra_allow_ports:
-  - 1883/tcp # mqtt
-  - 1883/udp # mqtt
+beholder_ip: 10.0.21.189
+# Vaulted until migrated to new AWS Infra account
+gitupdater_ip: "{{ lookup('community.hashi_vault.hashi_vault', '{{ hashi_vault_path }}:gitupdater_ip',
+        token=lookup('env', 'VAULT_TOKEN'), url=secrets_url, errors='warn') | default('') }}"
+hashi_vault_path: "kv/data/infra/{% if staging %}stg/{% endif %}mqttserver"
+hashi_vault_generic_path: "kv/data/infra/general-ansible-vars"
+firewalld_extra_allow_ports: []
+firewalld_extra_rich_rules:
+  - rule family="ipv4" source address="{{ beholder_ip }}" port protocol="tcp" port="1883" accept
+  - rule family="ipv4" source address="{{ gitupdater_ip }}" port protocol="udp" port="1883" accept
+  - rule family="ipv4" source address="{{ zabbix_server_ip }}" port protocol="tcp" port="10050" accept
+mosquitto_listeners:
+  - port: 1883
+    address: 0.0.0.0
+  # - port: 8883
+  #   address: 127.0.0.1
+  # - port: 0
+  #   address: /tmp/mosquitto.sock
+zabbix_server_ip: "{{ lookup('community.hashi_vault.hashi_vault', '{{ hashi_vault_generic_path }}:zabbix_server_ip',
+        token=lookup('env', 'VAULT_TOKEN'), url=secrets_url, errors='warn') | default('') }}"
 ...
diff --git a/hosts b/hosts
@@ -66,4 +66,5 @@ gitea_stg
 matterbridge.almalinux.org
 
 [mqtt_servers]
-mqtt.almalinux.dev ansible_host=172.96.188.22
+mqtt.almalinux.org
+# mqtt.almalinux.dev ansible_host=172.96.188.22
diff --git a/mqtt.yml b/mqtt.yml
@@ -1,9 +1,13 @@
 ---
 - name: Configure mqtt servers
   hosts: mqtt_servers
+  remote_user: ec2-user
+  become: true
   roles:
    - common
+   # - artis3n.tailscale
    - community.zabbix.zabbix_agent
    - devsec.hardening.os_hardening
    - devsec.hardening.ssh_hardening
+   # - almalinux.wazuh.agent
    - mqtt
diff --git a/roles/mqtt/templates/mosquitto.conf.j2 b/roles/mqtt/templates/mosquitto.conf.j2
@@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 # Config file for mosquitto
 #
 # See mosquitto.conf(5) for more information.
@@ -232,6 +233,9 @@
 #
 # listener port-number [ip address/host name/unix socket path]
 #listener
+{% for listener in mosquitto_listeners %}
+listener {{ listener.port }}{% if listener.address %} {{ listener.address }}{% endif %}
+{% endfor %}
 
 # By default, a listener will attempt to listen on all supported IP protocol
 # versions. If you do not have an IPv4 or IPv6 interface you may wish to