diff --git a/mqtt/sec/docker-compose.yml b/mqtt/sec/docker-compose.yml
index 8cdfb6a..f803c8f 100644
--- a/mqtt/sec/docker-compose.yml
+++ b/mqtt/sec/docker-compose.yml
@@ -9,22 +9,24 @@ services:
 MQTT_HOSTNAME: ${MQTT_HOSTNAME:-mqtt.local}
 MQTT_USER: ${MQTT_USER:-mqttuser}
 MQTT_TLS_PORT: ${MQTT_TLS_PORT:-8883}
- dns:
- - ${DNS_SERVER}
+
 volumes:
- - ${VOLUME_ROOT:-.}/config:/mosquitto/config
- - ${VOLUME_ROOT:-.}/data:/mosquitto/data
- - ${VOLUME_ROOT:-.}/log:/mosquitto/log
+ - ${CONFIG_PATH:-./config}:/mosquitto/config
+ - ${DATA_PATH:-./data}:/mosquitto/data
+ - ${LOG_PATH:-./log}:/mosquitto/log
+
+ # System Root CAs (read-only)
+ - /etc/ssl/certs:/etc/ssl/certs:ro
 # Self-signed TLS certs (writeable)
- - ${VOLUME_ROOT:-.}/tls:/mosquitto/tls
-
- # System CA store (read-only)
- - /etc/ssl/certs:/etc/ssl/certs:ro
+ - ${TLS_PATH:-./tls}:/mosquitto/tls
 ports:
 - "${MQTT_TLS_PORT:-8883}:8883"
+ dns:
+ - ${DNS_SERVER}
+
 command: >
 sh -c '
 TLS_DIR=/mosquitto/tls;
@@ -33,10 +35,10 @@ services:
 mkdir -p "$TLS_DIR";
- echo "=== Checking self-signed certificates ===";
+ echo "=== Checking certificates ===";
 if [ ! -f "$TLS_DIR/server.crt" ]; then
- echo "Generating self-signed certificates in $TLS_DIR...";
+ echo "Generating self-signed certificates...";
 openssl genrsa -out $TLS_DIR/ca.key 4096;
 openssl req -x509 -new -nodes -key $TLS_DIR/ca.key -sha256 -days 3650 \
 -out $TLS_DIR/ca.crt -subj "/CN=LocalMQTT-CA";
@@ -49,13 +51,13 @@ services:
 -CAkey $TLS_DIR/ca.key -CAcreateserial \
 -out $TLS_DIR/server.crt -days 3650 -sha256;
 else
- echo "Self-signed certificates already exist in $TLS_DIR.";
+ echo "Self-signed certificates already exist.";
 fi;
 echo "=== Checking mosquitto.conf ===";
 if [ ! -f "$CONF" ]; then
- echo "Generating default mosquitto.conf at $CONF...";
+ echo "Generating default mosquitto.conf...";
 cat < $CONF
 listener ${MQTT_TLS_PORT:-8883}
 protocol mqtt
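Review bot: `- ${DNS_SERVER}` under the re-added `dns:` key still has neither a default nor quotes, so when DNS_SERVER is unset Compose substitutes an empty string, prints only a "variable is not set" warning, and the service is created with an empty DNS entry; `- "${DNS_SERVER:?DNS_SERVER must be set}"` fails fast with a readable message instead. The new `/etc/ssl/certs:/etc/ssl/certs:ro` bind mount shadows whatever CA directory the image ships with the host's directory at that path, which does not exist on every host, so the "System Root CAs" comment would be more useful as `# Host must provide a CA directory at /etc/ssl/certs; it replaces the image's own bundle`. The `${TLS_PATH:-./tls}` mount is writeable and, judging by the later hunks, receives the generated CA and server private keys, so the "(writeable)" comment could state that those keys end up on the host side of the mount. The folded `command: >` scalar begins at the end of this hunk and continues outside it.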
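Review bot: `mkdir -p "$TLS_DIR"` and the `$TLS_DIR/ca.key` / `$TLS_DIR/ca.crt` arguments are still written with a single `$`, and in a Compose file `$VAR` is interpolated by Compose from the host environment or `.env` before the container shell sees it, so unless interpolation is disabled for this file these expand to an empty string and the commands run against `""` and `/ca.key`; the commit's removal of `$TLS_DIR` from the echo messages looks consistent with that having been observed. A literal dollar for the in-container shell is written `$$`, e.g. `mkdir -p "$$TLS_DIR";` and `openssl genrsa -out "$$TLS_DIR/ca.key" 4096;`, whereas `${MQTT_TLS_PORT:-8883}` is presumably meant to stay Compose-interpolated and should keep its single `$`. The same applies to `$CONF`, `$PASSWD`, `$MQTT_USER` and `$RANDOM_PASS` in the hunks at -49, -66 and -78. Quoting the openssl paths as `mkdir` already does would also make the script consistent. The `sh -c '` script this belongs to starts in the previous hunk and continues past this one.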
@@ -66,7 +68,7 @@ allow_anonymous false
 password_file /mosquitto/config/passwd
 EOF
 else
- echo "Existing mosquitto.conf found at $CONF.";
+ echo "Existing mosquitto.conf found.";
 fi;
 echo "=== Checking user ===";
@@ -78,7 +80,7 @@ EOF
 echo "$RANDOM_PASS";
 mosquitto_passwd -c -b "$PASSWD" "$MQTT_USER" "$RANDOM_PASS";
 else
- echo "Password file exists at $PASSWD — skipping user creation.";
+ echo "Password file exists — skipping user creation.";
 fi;
 echo "=== Starting Mosquitto ===";
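Review bot: `echo "$RANDOM_PASS";` writes the freshly generated broker password to the container's stdout, which the Docker logging driver captures, so the credential stays readable to anyone with `docker logs` access, and in any forwarded logs, for as long as the log is retained. Writing it to a file on the config volume with restrictive permissions and logging only that the file was created keeps it out of the log stream; failing that, a comment such as `# NOTE: initial password is printed once to the container log — rotate it and clear the log` tells operators what to do. `mosquitto_passwd -c -b ... "$RANDOM_PASS"` additionally passes the password as a command-line argument, which is briefly visible in the container's process list. The `if` block whose `else` branch is edited here starts before the hunk.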