commit 158474f948852cc1a9aa957e4e4ec023a0662667
Author: Antonio J. Delgado
Date: Tue Oct 11 10:19:00 2022 +0300
Initial commit with previous code
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..81e7c47
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+mosquitto_accounts:
+ - username: user
+ password_hash: '$6$abcde1234=='
+open_ufw_to_mosquitto: no
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..0d3fc74
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart Mosquitto
+ service:
+ name: mosquitto
+ state: restarted
\ No newline at end of file
diff --git a/tasks/configure.yml b/tasks/configure.yml
new file mode 100644
index 0000000..0e31516
--- /dev/null
+++ b/tasks/configure.yml
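Review bot: The default value of `mosquitto_accounts` in defaults/main.yml provisions a real broker account named `user` on every host the role touches unless the caller overrides the whole list, which is an easy-to-miss footgun for a credentials file; a safer default is `mosquitto_accounts: []` with the example moved to the README or a comment. The sample `'$6$abcde1234=='` also looks like a salt-only fragment rather than a complete entry, so the expected format should be stated explicitly, e.g. `# hash exactly as emitted by mosquitto_passwd, not a Linux crypt(3) hash`. Separately, `open_ufw_to_mosquitto: no` relies on YAML 1.1 truthiness and trips yamllint's truthy rule; write `open_ufw_to_mosquitto: false`.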
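Review bot: The handler in handlers/main.yml uses the short module name `service:` while tasks/configure.yml in the same commit uses the FQCN form `ansible.builtin.lineinfile`; for consistency and to avoid collection-resolution surprises write `ansible.builtin.service:`. The file also ends without a trailing newline (the `\ No newline at end of file` marker), which yamllint and most editors will flag on the next edit.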
@@ -0,0 +1,52 @@
+---
+- name: Ensure Mosquitto doesn't allow anonymous access
+ ansible.builtin.lineinfile:
+ path: /etc/mosquitto/conf.d/default.conf
+ regexp: '^allow_anonymous '
+ line: 'allow_anonymous false'
+ owner: mosquitto
+ group: root
+ mode: 0660
+ create: yes
+ backup: yes
+ notify: Restart Mosquitto
+
+- name: Ensure Mosquitto log to standard output (journald)
+ ansible.builtin.lineinfile:
+ path: /etc/mosquitto/conf.d/default.conf
+ regexp: '^log_dest stdout'
+ line: 'log_dest stdout'
+ owner: mosquitto
+ group: root
+ mode: 0660
+ create: yes
+ backup: yes
+ notify: Restart Mosquitto
+
+- name: Ensure password file for Mosquitto exists
+ template:
+ dest: /etc/mosquitto/passwd
+ src: templates/mosquitto_passwd.j2
+ owner: mosquitto
+ group: root
+ mode: 0660
+ backup: yes
+ notify: Restart Mosquitto
+
+- name: Ensure Mosquitto use password file
+ ansible.builtin.lineinfile:
+ path: /etc/mosquitto/conf.d/default.conf
+ regexp: '^password_file '
+ line: 'password_file /etc/mosquitto/passwd'
+ owner: mosquitto
+ group: root
+ mode: 0660
+ create: yes
+ backup: yes
+ notify: Restart Mosquitto
+
+- name: Ensure Mosquitto port is accessible
+ ufw:
+ rule: allow
+ port: 1883
+ when: open_ufw_to_mosquitto
diff --git a/tasks/install.yml b/tasks/install.yml
new file mode 100644
index 0000000..4cae2c6
--- /dev/null
+++ b/tasks/install.yml
@@ -0,0 +1,6 @@
+---
+- name: Ensure Mosquitto is installed
+ package:
+ name:
+ - mosquitto
+ - mosquitto-clients
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..cbe813e
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Ensure installation
+ include_tasks: install.yml
+- name: Ensure configuration
+ include_tasks: configure.yml
\ No newline at end of file
diff --git a/templates/mosquitto_passwd.j2 b/templates/mosquitto_passwd.j2
new file mode 100644
index 0000000..d41e62b
--- /dev/null
+++ b/templates/mosquitto_passwd.j2
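Review bot: In the "Ensure Mosquitto log to standard output" task of tasks/configure.yml, `regexp: '^log_dest stdout'` only matches the exact line the task writes, so any pre-existing `log_dest file ...` (or other `log_dest`) entry in default.conf is left in place and a second directive is appended instead of replacing it; the sibling tasks use the key-plus-space form, so this should be `regexp: '^log_dest '`. The final ufw task allows port 1883 for any protocol and from any source, which is at odds with the hardening the rest of the hunk performs (anonymous access off, password file enforced); at minimum add `proto: tcp`, and consider exposing a source restriction via a role variable passed to `from_ip`. The `mode: 0660` values rely on YAML parsing a leading-zero literal as octal, and Ansible's documented safe form is the quoted string `mode: '0660'`; likewise `create: yes` / `backup: yes` should be `true` to avoid YAML 1.1 truthy ambiguity. Note also that `backup: yes` on the password-file task leaves a timestamped copy of the credential file beside `/etc/mosquitto/passwd` on every change, which is worth documenting in the task name or a comment so operators know old credentials persist on disk.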
@@ -0,0 +1,4 @@
+{% for user in mosquitto_accounts %}
+{{ user.username }}:{{ user.password_hash }}
+
+{% endfor %}
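Review bot: The blank line inside the `for` block of templates/mosquitto_passwd.j2 is emitted after every account, so the rendered password file alternates credential lines with empty lines; I cannot confirm from here whether Mosquitto's password-file parser tolerates that, and dropping the blank line so the loop body is exactly `{{ user.username }}:{{ user.password_hash }}` directly followed by `{% endfor %}` removes the question. The template also silently assumes `password_hash` is already in Mosquitto's own password-file format; a header comment such as `{# one "username:hash" line per account; hash must be generated with mosquitto_passwd #}` would make that contract visible to anyone supplying `mosquitto_accounts`.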