diff --git a/_apps/mosquitto.yaml b/_apps/mosquitto.yaml
new file mode 100644
index 0000000..52d0aec
--- /dev/null
+++ b/_apps/mosquitto.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: mosquitto
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: mosquitto
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: mosquitto
+ repoURL: https://git.tbrnt.ch/tobru/gitops-tbrnt.git
+ targetRevision: HEAD
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: mosquitto
diff --git a/mosquitto/app.yaml b/mosquitto/app.yaml
new file mode 100644
index 0000000..5a442c5
--- /dev/null
+++ b/mosquitto/app.yaml
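Review bot: The Application is bound to the Argo CD `default` project and follows `targetRevision: HEAD`, so any commit reaching the repository's default branch is applied to the cluster with the unrestricted scope that the default project carries. A dedicated AppProject whose `sourceRepos` is limited to this repository and whose `destinations` is limited to the `mosquitto` namespace gives the app a least-privilege boundary, and naming the branch or a tag in `targetRevision` makes the rollout source explicit rather than implicit. The Namespace object in the same file is fine for an app-of-apps layout; just note that deleting the Application with the resources finalizer set will also remove resources synced into that namespace.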
@@ -0,0 +1,204 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: mosquitto
+ namespace: mosquitto
+ labels:
+ app: mosquitto
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: mosquitto
+ spec:
+ containers:
+ - name: mosquitto
+ image: docker.io/eclipse-mosquitto:1.6
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 1883
+ name: mqtt
+ protocol: TCP
+ - containerPort: 8883
+ name: mqtts
+ protocol: TCP
+ - containerPort: 9002
+ name: mqttwebsocket
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /mosquitto/config
+ name: config
+ - mountPath: /mosquitto/certificates
+ name: certificates
+ livenessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 1
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: 9002
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 1
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: 9002
+ timeoutSeconds: 1
+ volumes:
+ - name: config
+ configMap:
+ name: mosquitto
+ - name: certificates
+ secret:
+ secretName: mosquitto-tls
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mqtt-tls
+ namespace: mosquitto
+ labels:
+ app: mosquitto
+spec:
+ ports:
+ - port: 8883
+ protocol: TCP
+ targetPort: mqtts
+ name: mqtts
+ selector:
+ app: mosquitto
+ type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mqtt-plain
+ namespace: mosquitto
+ labels:
+ app: mosquitto
+spec:
+ ports:
+ - port: 1883
+ protocol: TCP
+ targetPort: mqtt
+ selector:
+ app: mosquitto
+ type: ClusterIP
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mosquitto
+ namespace: mosquitto
+data:
+ mosquitto.acl: |
+ # This affects access control for clients with no username.
+ topic read $SYS/#
+
+ # This only affects clients with username "tobru".
+ user tobru
+ topic /#
+ topic owntracks/#
+
+ user ot-recorder
+ topic owntracks/#
+
+ # This affects all clients.
+ pattern write $SYS/broker/connection/%c/state
+ mosquitto.conf: |
+ # Config file for mosquitto
+ user mosquitto
+
+ sys_interval 10
+ max_inflight_messages 40
+ max_queued_messages 200
+ queue_qos0_messages false
+ message_size_limit 0
+ allow_zero_length_clientid true
+ persistent_client_expiration 3m
+ allow_duplicate_messages false
+ autosave_interval 60
+ autosave_on_changes false
+
+ # Persistence configuration
+ persistence false
+ # persistence_location /mosquitto/data/
+
+ # Logging
+ connection_messages true
+ log_dest stderr
+ log_dest stdout
+ log_type error
+ log_type warning
+ log_type notice
+ log_type information
+ log_type subscribe
+ #log_type all
+ #log_type debug
+ log_timestamp true
+
+ # Listeners
+ listener 1883
+
+ listener 8883
+ cafile /mosquitto/config/ca.crt
+ certfile /mosquitto/certificates/tls.crt
+ keyfile /mosquitto/certificates/tls.key
+ require_certificate false
+
+ listener 9002
+ protocol websockets
+ cafile /mosquitto/config/ca.crt
+ certfile /mosquitto/certificates/tls.crt
+ keyfile /mosquitto/certificates/tls.key
+
+ # Security
+ password_file /mosquitto/config/mosquitto.passwd
+ acl_file /mosquitto/config/mosquitto.acl
+ mosquitto.passwd: |
+ tobru:$6$J8h/CHCqJgNR6O3I$jhvpbYRQkS59NUHCWcTl4Bno0dBOHmGyI9wjMObvMXCabt//ksWN33AkYOeZc+afMbHlBftX2NfIxuclzLNXMg==
+ ot-recorder:$6$naz4hsdtrfSyQa4P$IJnC8S6B4nDHxFLS2xFKkHzEL6UQg6iS3Y9mduzrY26LrA5JuXjMLer7dRmAT39yRyo6jEW4y01vBoVSxacFdQ==
+ ca.crt: |
+ -----BEGIN CERTIFICATE-----
+ MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
+ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+ DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
+ SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
+ GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
+ AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
+ q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
+ SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
+ Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
+ a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
+ /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
+ AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
+ CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
+ bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
+ c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
+ VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
+ ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
+ MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
+ Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
+ AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
+ uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
+ wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
+ X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
+ PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
+ KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
+ -----END CERTIFICATE-----
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: mosquitto-tls
+ namespace: mosquitto
+spec:
+ dnsNames:
+ - mqtt.tbrnt.ch
+ issuerRef:
+ kind: ClusterIssuer
+ name: letsencrypt-prod
+ secretName: mosquitto-tls
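Review bot: The `mosquitto.passwd` entry with the user password hashes is stored in a ConfigMap and therefore committed to the GitOps repository in clear; it belongs in a Secret mounted on its own path (and ideally delivered through a sealed or external secret rather than plain git), with the `password_file` line in `mosquitto.conf` pointed at that mount and the key dropped from the ConfigMap. `mosquitto.conf` also never sets `allow_anonymous`; in the 1.6 line the default is `true`, and the ACL's "clients with no username" section shows anonymous sessions are reachable, so the internet-facing `mqtt-tls` LoadBalancer accepts unauthenticated connections that are limited only by the ACL — add `allow_anonymous false` unless anonymous `$SYS` reads are intended. `image: docker.io/eclipse-mosquitto:1.6` together with `imagePullPolicy: Always` re-pulls a mutable tag on every restart; pinning to a digest (`eclipse-mosquitto:1.6@sha256:<digest>`) makes what runs reproducible. The Deployment uses `apiVersion: extensions/v1beta1` without a `spec.selector`, which is removed in newer Kubernetes releases; `apps/v1` with an explicit `selector.matchLabels` is the supported form. The same ConfigMap also carries the public `ca.crt`, which is fine to keep there.

```yaml
# … unchanged: Deployment metadata, containers, ports, probes …
        volumeMounts:
          - mountPath: /mosquitto/config
            name: config
          - mountPath: /mosquitto/certificates
            name: certificates
          - mountPath: /mosquitto/auth
            name: passwd
            readOnly: true
# … unchanged: existing config and certificates volumes …
      volumes:
        - name: passwd
          secret:
            secretName: mosquitto-passwd
---
apiVersion: v1
kind: Secret
metadata:
  name: mosquitto-passwd
  namespace: mosquitto
type: Opaque
stringData:
  mosquitto.passwd: "<PLACEHOLDER: password hashes, sourced from a sealed/external secret>"
# … in mosquitto.conf, replacing the existing password_file line …
#   allow_anonymous false
#   password_file /mosquitto/auth/mosquitto.passwd
```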