From 45bddd3c5e7091f60e5942f420716052bec29326 Mon Sep 17 00:00:00 2001 From: Thomas M Date: Sun, 18 Jan 2026 14:21:45 +0000 Subject: [PATCH] mqtt/sec/docker-compose.yml aktualisiert --- mqtt/sec/docker-compose.yml | 91 ++++++++++++++++++------------------- 1 file changed, 44 insertions(+), 47 deletions(-) diff --git a/mqtt/sec/docker-compose.yml b/mqtt/sec/docker-compose.yml index ead4511..a103d54 100644 --- a/mqtt/sec/docker-compose.yml +++ b/mqtt/sec/docker-compose.yml @@ -14,11 +14,7 @@ services: - ${CONFIG_PATH:-./config}:/mosquitto/config - ${DATA_PATH:-./data}:/mosquitto/data - ${LOG_PATH:-./log}:/mosquitto/log - - # System Root CAs (read-only) - /etc/ssl/certs:/etc/ssl/certs:ro - - # Self-signed TLS certs (writeable) - ${TLS_PATH:-./tls}:/mosquitto/tls ports: 
@@ -27,62 +23,63 @@ services: dns: - ${DNS_SERVER} - command: > - sh -c ' - TLS_DIR=/mosquitto/tls; - CONF=/mosquitto/config/mosquitto.conf; - PASSWD=/mosquitto/config/passwd; + command: + - sh + - -c + - | + TLS_DIR=/mosquitto/tls + CONF=/mosquitto/config/mosquitto.conf + PASSWD=/mosquitto/config/passwd - mkdir -p "$TLS_DIR"; + mkdir -p "$TLS_DIR" - echo "=== Checking certificates ==="; + echo "=== Checking certificates ===" if [ ! -f "$TLS_DIR/server.crt" ]; then - echo "Generating self-signed certificates..."; - openssl genrsa -out $TLS_DIR/ca.key 4096; - openssl req -x509 -new -nodes -key $TLS_DIR/ca.key -sha256 -days 3650 \ - -out $TLS_DIR/ca.crt -subj "/CN=LocalMQTT-CA"; + echo "Generating self-signed certificates..." + openssl genrsa -out "$TLS_DIR/ca.key" 4096 + openssl req -x509 -new -nodes -key "$TLS_DIR/ca.key" -sha256 -days 3650 \ + -out "$TLS_DIR/ca.crt" -subj "/CN=LocalMQTT-CA" - openssl genrsa -out $TLS_DIR/server.key 4096; - openssl req -new -key $TLS_DIR/server.key -out $TLS_DIR/server.csr \ - -subj "/CN=$MQTT_HOSTNAME"; + openssl genrsa -out "$TLS_DIR/server.key" 4096 + openssl req -new -key "$TLS_DIR/server.key" -out "$TLS_DIR/server.csr" \ + -subj "/CN=$MQTT_HOSTNAME" - openssl x509 -req -in $TLS_DIR/server.csr -CA $TLS_DIR/ca.crt \ - -CAkey $TLS_DIR/ca.key -CAcreateserial \ - -out $TLS_DIR/server.crt -days 3650 -sha256; + openssl x509 -req -in "$TLS_DIR/server.csr" -CA "$TLS_DIR/ca.crt" \ + -CAkey "$TLS_DIR/ca.key" -CAcreateserial \ + -out "$TLS_DIR/server.crt" -days 3650 -sha256 else - echo "Self-signed certificates already exist."; - fi; + echo "Self-signed certificates already exist." + fi - echo "=== Checking mosquitto.conf ==="; + echo "=== Checking mosquitto.conf ===" if [ ! 
-f "$CONF" ]; then - echo "Generating default mosquitto.conf..."; - cat < $CONF -listener ${MQTT_TLS_PORT:-8883} -protocol mqtt -cafile /mosquitto/tls/ca.crt -certfile /mosquitto/tls/server.crt -keyfile /mosquitto/tls/server.key -allow_anonymous false -password_file /mosquitto/config/passwd -EOF + echo "Generating default mosquitto.conf..." + printf '%s\n' \ + "listener ${MQTT_TLS_PORT:-8883}" \ + "protocol mqtt" \ + "cafile /mosquitto/tls/ca.crt" \ + "certfile /mosquitto/tls/server.crt" \ + "keyfile /mosquitto/tls/server.key" \ + "allow_anonymous false" \ + "password_file /mosquitto/config/passwd" \ + > "$CONF" else - echo "Existing mosquitto.conf found."; - fi; + echo "Existing mosquitto.conf found." + fi - echo "=== Checking user ==="; + echo "=== Checking user ===" if [ ! -f "$PASSWD" ]; then - echo "Generating random password for user: $MQTT_USER"; - RANDOM_PASS=$(openssl rand -base64 32); - echo "Generated password (save this!):"; - echo "$RANDOM_PASS"; - mosquitto_passwd -c -b "$PASSWD" "$MQTT_USER" "$RANDOM_PASS"; + echo "Generating random password for user: $MQTT_USER" + RANDOM_PASS=$(openssl rand -base64 32) + echo "Generated password (save this!):" + echo "$RANDOM_PASS" + mosquitto_passwd -c -b "$PASSWD" "$MQTT_USER" "$RANDOM_PASS" else - echo "Password file exists — skipping user creation."; - fi; + echo "Password file exists — skipping user creation." + fi - echo "=== Starting Mosquitto ==="; - mosquitto -c $CONF - ' + echo "=== Starting Mosquitto ===" + mosquitto -c "$CONF"
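Review bot: The new `- |` script still runs without `set -eu`, so an unset `MQTT_HOSTNAME` or `MQTT_USER` silently produces a certificate with an empty CN and a password entry for an empty user, a failed `openssl rand` hands an empty `RANDOM_PASS` to `mosquitto_passwd -b`, and every `openssl` step may fail with the broker started regardless. Both private keys are created with the default umask inside the host-mounted `${TLS_PATH}` directory, and the generated password is printed to stdout, i.e. into `docker logs`, where it is retained. The server certificate also carries only `-subj "/CN=$MQTT_HOSTNAME"` and no subjectAltName, which current Go and several OpenSSL-based clients reject during hostname verification. The excerpt below adds the guards and `umask 077`, puts the hostname into a SAN via an extfile, and writes the password to a 0600 file instead of the log; with the tighter umask `server.key` and `passwd` must still be readable by the uid mosquitto drops to, which depends on the image and should be checked. The `command:` block appears to end at `mosquitto -c "$CONF"`, but any trailing context of this hunk is not visible here.
```yaml
      - |
        set -eu
        : "${MQTT_HOSTNAME:?MQTT_HOSTNAME must be set}"
        : "${MQTT_USER:?MQTT_USER must be set}"
        umask 077   # keys, CSR and passwd must not be group/world readable
        TLS_DIR=/mosquitto/tls
        CONF=/mosquitto/config/mosquitto.conf
        PASSWD=/mosquitto/config/passwd
        # … unchanged: mkdir, CA key/cert and server key/CSR generation …
        printf 'subjectAltName=DNS:%s\n' "$MQTT_HOSTNAME" > "$TLS_DIR/san.ext"
        openssl x509 -req -in "$TLS_DIR/server.csr" -CA "$TLS_DIR/ca.crt" \
          -CAkey "$TLS_DIR/ca.key" -CAcreateserial -extfile "$TLS_DIR/san.ext" \
          -out "$TLS_DIR/server.crt" -days 3650 -sha256
        # … unchanged: mosquitto.conf generation, password-file check …
        RANDOM_PASS=$(openssl rand -base64 32)
        printf '%s\n' "$RANDOM_PASS" > "$PASSWD.initial"
        echo "Generated password for $MQTT_USER written to $PASSWD.initial (save it, then delete the file)"
        mosquitto_passwd -c -b "$PASSWD" "$MQTT_USER" "$RANDOM_PASS"
        # … unchanged: else branch, broker start …
```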