diff --git a/mqtt/sec/docker-compose.yml b/mqtt/sec/docker-compose.yml
index fd73fc7..bd7c020 100644
--- a/mqtt/sec/docker-compose.yml
+++ b/mqtt/sec/docker-compose.yml
@@ -11,57 +11,61 @@ services: MQTT_TLS_PORT: ${MQTT_TLS_PORT:-8883} volumes: - - ${VOLUME_ROOT/config:-./config}:/mosquitto/config - - ${VOLUME_ROOT/data:-./data}:/mosquitto/data - - ${VOLUME_ROOT/log:-./log}:/mosquitto/log - - /etc/ssl/certs:/mosquitto/certs:ro + - ${VOLUME_ROOT:-.}/config:/mosquitto/config + - ${VOLUME_ROOT:-.}/data:/mosquitto/data + - ${VOLUME_ROOT:-.}/log:/mosquitto/log + + # Self-signed TLS certs (writeable) + - ${VOLUME_ROOT:-.}/tls:/mosquitto/tls + + # System CA store (read-only) + - /etc/ssl/certs:/etc/ssl/certs:ro ports: - "${MQTT_TLS_PORT:-8883}:8883" - dns: - - ${DNS_SERVER} - command: > sh -c ' - CERT_DIR=/mosquitto/certs; + TLS_DIR=/mosquitto/tls; CONF=/mosquitto/config/mosquitto.conf; PASSWD=/mosquitto/config/passwd; - echo "=== Checking certificates ==="; + mkdir -p "$TLS_DIR"; - if [ ! -f "$CERT_DIR/server.crt" ]; then - echo "Generating self-signed certificates..."; - openssl genrsa -out $CERT_DIR/ca.key 4096; - openssl req -x509 -new -nodes -key $CERT_DIR/ca.key -sha256 -days 3650 \ - -out $CERT_DIR/ca.crt -subj "/CN=LocalMQTT-CA"; + echo "=== Checking self-signed certificates ==="; - openssl genrsa -out $CERT_DIR/server.key 4096; - openssl req -new -key $CERT_DIR/server.key -out $CERT_DIR/server.csr \ + if [ ! 
-f "$TLS_DIR/server.crt" ]; then + echo "Generating self-signed certificates in $TLS_DIR..."; + openssl genrsa -out $TLS_DIR/ca.key 4096; + openssl req -x509 -new -nodes -key $TLS_DIR/ca.key -sha256 -days 3650 \ + -out $TLS_DIR/ca.crt -subj "/CN=LocalMQTT-CA"; + + openssl genrsa -out $TLS_DIR/server.key 4096; + openssl req -new -key $TLS_DIR/server.key -out $TLS_DIR/server.csr \ -subj "/CN=$MQTT_HOSTNAME"; - openssl x509 -req -in $CERT_DIR/server.csr -CA $CERT_DIR/ca.crt \ - -CAkey $CERT_DIR/ca.key -CAcreateserial \ - -out $CERT_DIR/server.crt -days 3650 -sha256; + openssl x509 -req -in $TLS_DIR/server.csr -CA $TLS_DIR/ca.crt \ + -CAkey $TLS_DIR/ca.key -CAcreateserial \ + -out $TLS_DIR/server.crt -days 3650 -sha256; else - echo "Certificates already exist."; + echo "Self-signed certificates already exist in $TLS_DIR."; fi; echo "=== Checking mosquitto.conf ==="; if [ ! -f "$CONF" ]; then - echo "Generating default mosquitto.conf..."; + echo "Generating default mosquitto.conf at $CONF..."; cat < $CONF listener ${MQTT_TLS_PORT:-8883} protocol mqtt -cafile /mosquitto/certs/ca.crt -certfile /mosquitto/certs/server.crt -keyfile /mosquitto/certs/server.key +cafile /mosquitto/tls/ca.crt +certfile /mosquitto/tls/server.crt +keyfile /mosquitto/tls/server.key allow_anonymous false password_file /mosquitto/config/passwd EOF else - echo "Existing mosquitto.conf found."; + echo "Existing mosquitto.conf found at $CONF."; fi; echo "=== Checking user ==="; @@ -73,7 +77,7 @@ EOF echo "$RANDOM_PASS"; mosquitto_passwd -c -b "$PASSWD" "$MQTT_USER" "$RANDOM_PASS"; else - echo "Password file exists — skipping user creation."; + echo "Password file exists at $PASSWD — skipping user creation."; fi; echo "=== Starting Mosquitto ===";
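Review bot: The server certificate produced by the new `openssl x509 -req -in $TLS_DIR/server.csr ... -out $TLS_DIR/server.crt` lines carries only a CN and no subjectAltName, because no `-extfile` is passed; client TLS stacks that verify the hostname against SAN entries only will reject it whatever `$MQTT_HOSTNAME` is set to. Writing a small extension file first, `printf "subjectAltName=DNS:%s\n" "$MQTT_HOSTNAME" > "$TLS_DIR/san.ext";`, and adding `-extfile "$TLS_DIR/san.ext"` to that `x509 -req` call fixes it in two lines. Separately, the `sh -c` script still has no `set -e`, so a failing `openssl` step in this block leaves `$TLS_DIR` half-populated (the guard only looks for `server.crt`) and the script carries on to the config and broker start; `set -e;` as the first statement before `TLS_DIR=/mosquitto/tls;` would stop it there. Note also that `ca.key` now lives in the host bind mount `${VOLUME_ROOT:-.}/tls`, which defaults to the compose project directory, so it is worth confirming that path is excluded from version control. The command block continues past the end of this hunk into the user-creation and broker-start steps.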