From 73e128f59fd256f90b33991f5cf912e63a295a38 Mon Sep 17 00:00:00 2001
From: Cody Robertson
Date: Mon, 4 Nov 2024 13:09:12 -0500
Subject: [PATCH] Misc

---
 group_vars/mqtt_servers.yml | 23 ++++++++++++++++++++---
 hosts | 3 ++-
 mqtt.yml | 4 ++++
 roles/mqtt/templates/mosquitto.conf.j2 | 4 ++++
 4 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/group_vars/mqtt_servers.yml b/group_vars/mqtt_servers.yml
index 6a10b99..f605c80 100644
--- a/group_vars/mqtt_servers.yml
+++ b/group_vars/mqtt_servers.yml
@@ -1,5 +1,22 @@
 ---
-firewalld_extra_allow_ports:
- - 1883/tcp # mqtt
- - 1883/udp # mqtt
+beholder_ip: 10.0.21.189
+# Vaulted until migrated to new AWS Infra account
+gitupdater_ip: "{{ lookup('community.hashi_vault.hashi_vault', '{{ hashi_vault_path }}:gitupdater_ip',
+ token=lookup('env', 'VAULT_TOKEN'), url=secrets_url, errors='warn') | default('') }}"
+hashi_vault_path: "kv/data/infra/{% if staging %}stg/{% endif %}mqttserver"
+hashi_vault_generic_path: "kv/data/infra/general-ansible-vars"
+firewalld_extra_allow_ports: []
+firewalld_extra_rich_rules:
+ - rule family="ipv4" source address="{{ beholder_ip }}" port protocol="tcp" port="1883" accept
+ - rule family="ipv4" source address="{{ gitupdater_ip }}" port protocol="udp" port="1883" accept
+ - rule family="ipv4" source address="{{ zabbix_server_ip }}" port protocol="tcp" port="10050" accept
+mosquitto_listeners:
+ - port: 1883
+ address: 0.0.0.0
+ # - port: 8883
+ # address: 127.0.0.1
+ # - port: 0
+ # address: /tmp/mosquitto.sock
+zabbix_server_ip: "{{ lookup('community.hashi_vault.hashi_vault', '{{ hashi_vault_generic_path }}:zabbix_server_ip',
+ token=lookup('env', 'VAULT_TOKEN'), url=secrets_url, errors='warn') | default('') }}"
 ...
diff --git a/hosts b/hosts
index 3405336..c54790e 100644
--- a/hosts
+++ b/hosts
@@ -66,4 +66,5 @@ gitea_stg
 matterbridge.almalinux.org
 [mqtt_servers]
-mqtt.almalinux.dev ansible_host=172.96.188.22
+mqtt.almalinux.org
+# mqtt.almalinux.dev ansible_host=172.96.188.22
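Review bot: With `errors='warn'` combined with `| default('')`, a failed or unauthenticated Vault lookup leaves `gitupdater_ip` and `zabbix_server_ip` as empty strings, and the two rich rules that reference them then render `source address=""` — at best a deploy-time failure in the firewalld role, at worst a rule that no longer carries the intended source restriction on the 1883 and 10050 allows. Since these rules are the only inbound control shown for a listener bound to `0.0.0.0`, a missing secret should stop the play instead of being papered over: drop `| default('')` and use `errors='strict') }}"` on both lookups, or add a pre_task that asserts both values are non-empty IPv4 addresses before the firewall role runs. The udp/1883 rule for `gitupdater_ip` deserves a comment explaining why it is UDP, because the only configured mosquitto listener is a TCP port and a reader cannot tell whether this is deliberate (the replaced `1883/udp` entry suggests it is). The `# Vaulted until migrated to new AWS Infra account` comment would be clearer as `# gitupdater_ip is read from Vault until the GitUpdater host moves to the new AWS infra account; requires VAULT_TOKEN in the environment`.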
diff --git a/mqtt.yml b/mqtt.yml
index a1c5bd2..62be226 100644
--- a/mqtt.yml
+++ b/mqtt.yml
@@ -1,9 +1,13 @@
 ---
 - name: Configure mqtt servers
 hosts: mqtt_servers
+ remote_user: ec2-user
+ become: true
 roles:
 - common
+ # - artis3n.tailscale
 - community.zabbix.zabbix_agent
 - devsec.hardening.os_hardening
 - devsec.hardening.ssh_hardening
+ # - almalinux.wazuh.agent
 - mqtt
diff --git a/roles/mqtt/templates/mosquitto.conf.j2 b/roles/mqtt/templates/mosquitto.conf.j2
index e691880..111ac4f 100644
--- a/roles/mqtt/templates/mosquitto.conf.j2
+++ b/roles/mqtt/templates/mosquitto.conf.j2
@@ -1,3 +1,4 @@
+# {{ ansible_managed }}
 # Config file for mosquitto
 #
 # See mosquitto.conf(5) for more information.
@@ -232,6 +233,9 @@
 #
 # listener port-number [ip address/host name/unix socket path]
 #listener
+{% for listener in mosquitto_listeners %}
+listener {{ listener.port }}{% if listener.address %} {{ listener.address }}{% endif %}
+{% endfor %}
 # By default, a listener will attempt to listen on all supported IP protocol
 # versions. If you do not have an IPv4 or IPv6 interface you may wish to
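Review bot: The two roles commented out in the roles list, `artis3n.tailscale` and `almalinux.wazuh.agent`, carry no reason and no re-enable condition, and leaving the Wazuh agent off removes host-based detection from a broker whose listener (per the group_vars change in this patch) binds `0.0.0.0`. If the disablement is temporary, record why and when it comes back, e.g. `# - almalinux.wazuh.agent  # TODO(<owner>): disabled because <reason>; re-enable when <condition>`; if it is permanent, delete the lines rather than keep dead config. `remote_user: ec2-user` and `become: true` are hard-coded at play level; the other plays in this repository are not visible here, but if they set the connection user in inventory or group_vars this play should follow the same convention so a user change does not require a playbook edit.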
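Review bot: The new `# {{ ansible_managed }}` header ties the rendered file to the `ansible_managed` setting in ansible.cfg; if that setting includes a timestamp (the commonly copied `{file} modified on %Y-%m-%d %H:%M:%S` form), the template reports changed on every run and any restart handler notified by it restarts the broker each time. The cfg is not part of this patch, so this is worth confirming; with the stock `Ansible managed` default the header is stable and harmless.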