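---
# Hardens a Mosquitto MQTT broker: disables anonymous access, sends logs to
# stdout, installs a password file and points the broker at it, and can
# open the broker port in ufw.
# Every change notifies the "Restart Mosquitto" handler, which is defined
# outside this file.

- name: Ensure Mosquitto doesn't allow anonymous access
  ansible.builtin.lineinfile:
    path: /etc/mosquitto/conf.d/default.conf
    regexp: '^allow_anonymous '
    line: 'allow_anonymous false'
    owner: mosquitto
    group: root
    # Quoted so the mode is always read as an octal string, not a number.
    mode: '0660'
    create: true
    backup: true
  notify: Restart Mosquitto

- name: Ensure Mosquitto log to standard output (journald)
  ansible.builtin.lineinfile:
    path: /etc/mosquitto/conf.d/default.conf
    regexp: '^log_dest stdout'
    line: 'log_dest stdout'
    owner: mosquitto
    group: root
    mode: '0660'
    create: true
    backup: true
  notify: Restart Mosquitto

# NOTE(review): the template is assumed to render entries already hashed in
# mosquitto_passwd format, not cleartext passwords - confirm against
# templates/mosquitto_passwd.j2.
# `backup: true` leaves timestamped copies of the previous password file in
# /etc/mosquitto/. They still hold credential material, so check their
# permissions and prune them after rotation, or drop the backup here.
# Running with --diff may print the rendered file; consider `no_log: true`.
- name: Ensure password file for Mosquitto exists
  ansible.builtin.template:
    dest: /etc/mosquitto/passwd
    src: templates/mosquitto_passwd.j2
    owner: mosquitto
    group: root
    mode: '0660'
    backup: true
  notify: Restart Mosquitto

- name: Ensure Mosquitto use password file
  ansible.builtin.lineinfile:
    path: /etc/mosquitto/conf.d/default.conf
    regexp: '^password_file '
    line: 'password_file /etc/mosquitto/passwd'
    owner: mosquitto
    group: root
    mode: '0660'
    create: true
    backup: true
  notify: Restart Mosquitto

# NOTE(review): no TLS settings are configured by these tasks. If the
# listener on 1883 is plaintext, the credentials enforced above cross the
# network unencrypted. The rule also allows any source and any protocol;
# consider narrowing it with the module's `proto` and `from_ip` options.
- name: Ensure Mosquitto port is accessible
  community.general.ufw:
    rule: allow
    port: '1883'
  # `| bool` stops a string such as "false" (e.g. passed with -e) from
  # being treated as truthy and opening the port unintentionally.
  when: open_ufw_to_mosquitto | bool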