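---
# Mosquitto MQTT broker for the `mosquitto` namespace: Deployment, a public
# TLS Service, an in-cluster plaintext Service, the broker ConfigMap, and the
# cert-manager Certificate that produces the `mosquitto-tls` secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mosquitto
  namespace: mosquitto
  labels:
    app: mosquitto
  annotations:
    # Reloader restarts the pod only when the TLS secret changes. The
    # mosquitto-acl and mosquitto-passwd secrets and the ConfigMap are not
    # listed, so a credential or ACL revocation presumably reaches the running
    # broker only after a manual restart or reload - confirm the rollout path.
    secret.reloader.stakater.com/reload: "mosquitto-tls"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mosquitto
  template:
    metadata:
      labels:
        app: mosquitto
    spec:
      containers:
        - name: mosquitto
          # Mutable tag combined with imagePullPolicy: Always means each pod
          # start may run a different image build. Pinning by digest
          # (image@sha256:<digest-placeholder>) makes the deployed content
          # reviewable.
          # NOTE(review): no securityContext and no resources are set on this
          # container; the broker drops to `user mosquitto` itself (see
          # mosquitto.conf), so any hardening added here must be tested
          # against that start-up path.
          image: docker.io/eclipse-mosquitto:1.6
          imagePullPolicy: Always
          ports:
            - containerPort: 1883
              name: mqtt
              protocol: TCP
            - containerPort: 8883
              name: mqtts
              protocol: TCP
            - containerPort: 9002
              name: mqttwebsocket
              protocol: TCP
          volumeMounts:
            # All four volumes hold configuration or key material the broker
            # only reads; readOnly states that intent explicitly.
            - mountPath: /mosquitto/config
              name: config
              readOnly: true
            - mountPath: /mosquitto/certificates
              name: certificates
              readOnly: true
            - mountPath: /mosquitto/acl
              name: acl
              readOnly: true
            - mountPath: /mosquitto/passwd
              name: passwd
              readOnly: true
          # Both probes only open a TCP connection to the websocket listener;
          # they do not check the 1883 or 8883 listeners.
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 1
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 9002
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            initialDelaySeconds: 1
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 9002
            timeoutSeconds: 1
      volumes:
        - name: config
          configMap:
            name: mosquitto
        - name: certificates
          secret:
            secretName: mosquitto-tls
        - name: acl
          secret:
            secretName: mosquitto-acl
        - name: passwd
          secret:
            secretName: mosquitto-passwd
---
# Public entry point: only the TLS listener (8883) is published.
# NOTE(review): no loadBalancerSourceRanges is set, so reachability is whatever
# the load-balancer provider defaults to; the broker's own authentication and
# ACLs are the only gate on this port.
apiVersion: v1
kind: Service
metadata:
  name: mqtt-tls
  namespace: mosquitto
  labels:
    app: mosquitto
spec:
  ports:
    - port: 8883
      protocol: TCP
      targetPort: mqtts
      name: mqtts
  selector:
    app: mosquitto
  type: LoadBalancer
---
# In-cluster access to the plaintext listener (1883). MQTT usernames and
# passwords cross the pod network unencrypted on this port; a NetworkPolicy
# limiting which workloads may reach it is worth considering.
apiVersion: v1
kind: Service
metadata:
  name: mqtt-plain
  namespace: mosquitto
  labels:
    app: mosquitto
spec:
  ports:
    - port: 1883
      protocol: TCP
      targetPort: mqtt
  selector:
    app: mosquitto
  type: ClusterIP
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: mosquitto
  namespace: mosquitto
data:
  # Broker configuration. Review points:
  #   - `message_size_limit 0` leaves payload size bounded only by the MQTT
  #     protocol maximum; a finite limit reduces memory pressure from a single
  #     authenticated client.
  #   - `require_certificate false` on 8883: clients are identified by
  #     username/password only, not by client certificate.
  #   - password_file / acl_file are given without per_listener_settings, so
  #     they apply to all three listeners.
  #   - `allow_anonymous false` is set explicitly below. Mosquitto 1.x
  #     defaults it to true, which admits clients that send no username even
  #     when password_file is configured. Clients that relied on that default
  #     need credentials in the passwd secret.
  mosquitto.conf: |
    # Config file for mosquitto
    user mosquitto
    sys_interval 10
    max_inflight_messages 40
    max_queued_messages 200
    queue_qos0_messages false
    message_size_limit 0
    allow_zero_length_clientid true
    persistent_client_expiration 3m
    allow_duplicate_messages false
    autosave_interval 60
    autosave_on_changes false

    # Persistence configuration
    persistence false
    # persistence_location /mosquitto/data/

    # Logging
    connection_messages true
    log_dest stderr
    log_dest stdout
    log_type error
    log_type warning
    log_type notice
    log_type information
    log_type subscribe
    #log_type all
    #log_type debug
    log_timestamp true

    # Listeners
    listener 1883

    listener 8883
    cafile /mosquitto/config/ca.crt
    certfile /mosquitto/certificates/tls.crt
    keyfile /mosquitto/certificates/tls.key
    require_certificate false

    listener 9002
    protocol websockets
    cafile /mosquitto/config/ca.crt
    certfile /mosquitto/certificates/tls.crt
    keyfile /mosquitto/certificates/tls.key

    # Security
    # Require a username on every connection; without this line Mosquitto 1.x
    # accepts anonymous clients alongside password_file users.
    allow_anonymous false
    password_file /mosquitto/passwd/mosquitto.passwd
    acl_file /mosquitto/acl/mosquitto.acl
  # CA bundle referenced by `cafile` on the 8883 and 9002 listeners.
  # NOTE(review): the embedded certificate appears to be the
  # "Let's Encrypt Authority X3" intermediate issued by "DST Root CA X3",
  # with a validity window ending in March 2021. Confirm with
  # `openssl x509 -noout -subject -issuer -enddate` and replace it with the
  # chain that currently applies; it is static here, while tls.crt/tls.key are
  # renewed by cert-manager.
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
    MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
    DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
    SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
    GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
    AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
    q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
    SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
    Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
    a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
    /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
    AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
    CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
    bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
    c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
    VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
    ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
    MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
    Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
    AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
    uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
    wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
    X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
    PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
    KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
    -----END CERTIFICATE-----
---
# Server certificate for the broker, written to the `mosquitto-tls` secret
# that the Deployment mounts at /mosquitto/certificates.
# NOTE(review): cert-manager.io/v1alpha2 is a pre-1.0 API version that later
# cert-manager releases no longer serve; check the installed cert-manager
# version and migrate to cert-manager.io/v1 when the cluster supports it.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: mosquitto-tls
  namespace: mosquitto
spec:
  dnsNames:
    - mqtt.tbrnt.ch
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
  secretName: mosquitto-tls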