container/mqtt/sec/docker-compose.yml


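---
# Single-node Mosquitto broker: TLS only, anonymous access disabled, one
# password-protected user. Anything missing on first start (CA + server
# certificate, mosquitto.conf, password file) is bootstrapped by the inline
# script below; files that already exist are never overwritten.
#
# NOTE: Compose interpolates `$VAR` / `${VAR}` in every value of this file,
# including the script under `command:`. Variables that must reach the
# container's shell are therefore written `$$VAR`; the `${VAR:-default}` forms
# are resolved on the host at `docker compose up` time.
services:
  mosquitto:
    image: eclipse-mosquitto:2
    container_name: "${CONTAINER_NAME:-mosquitto}"
    restart: unless-stopped
    environment:
      TZ: "${TZ:-Europe/Berlin}"
      # CN and DNS SAN of the generated server certificate.
      MQTT_HOSTNAME: "${MQTT_HOSTNAME:-mqtt.local}"
      # Name of the single broker user created on first start.
      MQTT_USER: "${MQTT_USER:-mqttuser}"
      # Host-side port only; the listener inside the container is always 8883
      # (see the `ports:` mapping below).
      MQTT_TLS_PORT: "${MQTT_TLS_PORT:-8883}"
    volumes:
      - "${CONFIG_PATH:-./config}:/mosquitto/config"
      - "${DATA_PATH:-./data}:/mosquitto/data"
      - "${LOG_PATH:-./log}:/mosquitto/log"
      # Host CA bundle, read-only.
      - /etc/ssl/certs:/etc/ssl/certs:ro
      # Generated CA and server key material. Keep this directory private on
      # the host: ca.key can sign certificates every client of this broker trusts.
      - "${TLS_PATH:-./tls}:/mosquitto/tls"
    ports:
      # Quoted so YAML does not read "host:container" as a sexagesimal number.
      - "${MQTT_TLS_PORT:-8883}:8883"
    dns:
      # No default: an unset DNS_SERVER is interpolated to an empty string.
      # Consider `${DNS_SERVER:?DNS_SERVER must be set}` to fail fast instead.
      - "${DNS_SERVER}"
    command:
      - sh
      - -c
      - |
        # Abort on the first failed command or unset variable instead of
        # starting the broker with half-generated material.
        set -eu
        TLS_DIR=/mosquitto/tls
        CONF=/mosquitto/config/mosquitto.conf
        PASSWD=/mosquitto/config/passwd
        mkdir -p "$$TLS_DIR"

        echo "=== Checking certificates ==="
        if [ ! -f "$$TLS_DIR/server.crt" ]; then
          echo "Generating self-signed certificates..."
          openssl genrsa -out "$$TLS_DIR/ca.key" 4096
          openssl req -x509 -new -nodes -key "$$TLS_DIR/ca.key" -sha256 -days 3650 \
            -out "$$TLS_DIR/ca.crt" -subj "/CN=LocalMQTT-CA"
          openssl genrsa -out "$$TLS_DIR/server.key" 4096
          openssl req -new -key "$$TLS_DIR/server.key" -out "$$TLS_DIR/server.csr" \
            -subj "/CN=$$MQTT_HOSTNAME"
          # Modern clients verify the hostname against the SAN, not the CN, so
          # the server certificate carries the hostname as a DNS SAN as well.
          printf 'subjectAltName=DNS:%s\n' "$$MQTT_HOSTNAME" > "$$TLS_DIR/san.ext"
          openssl x509 -req -in "$$TLS_DIR/server.csr" -CA "$$TLS_DIR/ca.crt" \
            -CAkey "$$TLS_DIR/ca.key" -CAcreateserial -extfile "$$TLS_DIR/san.ext" \
            -out "$$TLS_DIR/server.crt" -days 3650 -sha256
          rm -f "$$TLS_DIR/server.csr" "$$TLS_DIR/san.ext"
          # The broker never reads ca.key; only the CA certificate is needed.
          chmod 600 "$$TLS_DIR/ca.key"
          # NOTE(review): mosquitto drops privileges before loading keyfile, so
          # server.key must stay readable by the broker's runtime user - confirm
          # before tightening its mode as well.
        else
          echo "Self-signed certificates already exist."
        fi

        echo "=== Checking mosquitto.conf ==="
        if [ ! -f "$$CONF" ]; then
          echo "Generating default mosquitto.conf..."
          # The listener port is the container-side port of the `ports:`
          # mapping and must not follow MQTT_TLS_PORT (the host-side port).
          printf '%s\n' \
            "listener 8883" \
            "protocol mqtt" \
            "cafile /mosquitto/tls/ca.crt" \
            "certfile /mosquitto/tls/server.crt" \
            "keyfile /mosquitto/tls/server.key" \
            "allow_anonymous false" \
            "password_file /mosquitto/config/passwd" \
            > "$$CONF"
        else
          echo "Existing mosquitto.conf found."
        fi

        echo "=== Checking user ==="
        if [ ! -f "$$PASSWD" ]; then
          echo "Generating random password for user: $$MQTT_USER"
          RANDOM_PASS=$$(openssl rand -base64 32)
          # Printed exactly once, to the container log: anyone who can read
          # `docker logs` sees it, so record it and rotate if in doubt.
          echo "Generated password (save this!):"
          echo "$$RANDOM_PASS"
          mosquitto_passwd -c -b "$$PASSWD" "$$MQTT_USER" "$$RANDOM_PASS"
        else
          echo "Password file exists — skipping user creation."
        fi

        echo "=== Starting Mosquitto ==="
        mosquitto -c "$$CONF"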