From 23e5990b749f5b736c76680b0db6d7392ce97bfa Mon Sep 17 00:00:00 2001
From: Matthew Treinish
Date: Wed, 27 Jul 2016 15:57:06 -0400
Subject: [PATCH] Add support for configuring tls ports

This commit adds support for enabling tls encrypted port listeners. If enable_tls is set you can specify the cert files necessary and mosquitto will be configured to setup additional ports that are encryped in addition to the unencrypted ports.

Change-Id: I7c77285e347d8c1b2c3318360258246b78f885a8
---
 manifests/server.pp | 40 ++++++++++++++++++++++++++++++++++++
 templates/mosquitto.conf.erb | 20 ++++++++++++++++++
 2 files changed, 60 insertions(+)

diff --git a/manifests/server.pp b/manifests/server.pp
index 2916d3b..b52251e 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -21,6 +21,11 @@ class mosquitto::server (
 $infra_service_username = 'infra',
 $infra_service_password,
 $websocket_port = 80,
+ $enable_tls = false,
+ $websocket_tls_port = 8080,
+ $ca_file = undef,
+ $cert_file = undef,
+ $key_file = undef,
 ) {
 file {'/etc/mosquitto/infra_service.pw':
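Review bot: Nothing ties `$enable_tls` to the three certificate parameters, so `enable_tls => true` with `$cert_file` or `$key_file` left at `undef` compiles cleanly but yields a mosquitto.conf whose TLS listeners reference `/etc/mosquitto/server.crt` and `server.key` that this class never writes, and the broker is then likely to refuse to start rather than the catalog failing. A guard at the top of the class body such as `if $enable_tls and ($cert_file == undef or $key_file == undef) { fail('enable_tls requires cert_file and key_file') }` surfaces the misconfiguration where it is made. The parameter list also leaves the plain-MQTT TLS port fixed at 8883 in the template while the websocket TLS port is exposed as `$websocket_tls_port`; a matching `$tls_port = 8883` parameter would keep the two listeners consistent. The `mosquitto::server` class header starts before this hunk and its body continues past it.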
@@ -46,6 +51,41 @@ class mosquitto::server (
 content => template('mosquitto/mosquitto.acl.erb'),
 require => Exec['passwd_file'],
 }
+ if $ca_file != undef {
+ file { '/etc/mosquitto/ca.crt':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $ca_file,
+ require => Package['mosquitto'],
+ before => File['/etc/mosquitto/mosquitto.conf'],
+ }
+ }
+
+ if $cert_file != undef {
+ file { '/etc/mosquitto/server.crt':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $cert_file,
+ require => Package['mosquitto'],
+ before => File['/etc/mosquitto/mosquitto.conf'],
+ }
+ }
+
+ if $key_file != undef {
+ file { '/etc/mosquitto/server.key':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $key_file,
+ require => Package['mosquitto'],
+ before => File['/etc/mosquitto/mosquitto.conf'],
+ }
+ }
 file {'/etc/mosquitto/mosquitto.conf':
 ensure => present,
diff --git a/templates/mosquitto.conf.erb b/templates/mosquitto.conf.erb
index c733d7a..929fe7e 100644
--- a/templates/mosquitto.conf.erb
+++ b/templates/mosquitto.conf.erb
@@ -276,11 +276,31 @@ pid_file <%= @pid_file %>
 # listener port-number [ip address/host name]
 #
+# Default MQTT Port
 listener 1883
+# Default Encrypted MQTT Port
+<% if @enable_tls -%>
+listener 8883
+cafile /etc/mosquitto/ca.crt
+certfile /etc/mosquitto/server.crt
+keyfile /etc/mosquitto/server.key
+require_certificate false
+<% end -%>
+
+# Unencrypted http websocket port
 listener <%= @websocket_port %>
 protocol websockets
+# Encrypted http websocket port
+<% if @enable_tls -%>
+listener <%= @webocket_tls_port %>
+cafile /etc/mosquitto/ca.crt
+certfile /etc/mosquitto/server.crt
+keyfile /etc/mosquitto/server.key
+require_certificate false
+<% end -%>
+
 # The maximum number of client connections to allow. This is
 # a per listener setting.
 # Default is -1, which means unlimited connections.
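Review bot: The private key written by the `File['/etc/mosquitto/server.key']` resource is `owner => 'root'` with `mode => '0600'`, and whether the broker can open it depends on whether this mosquitto version loads the key before dropping privileges to its service account, which the hunk does not establish; if it does not, the file must be readable by that account (group-readable `0640` with the broker's group, never world-readable), so this is worth confirming before the change ships. Nothing visible here restarts the broker when a rotated `$cert_file` or `$key_file` is applied, so if the class declares a `Service['mosquitto']` resource, the three file resources should carry `notify => Service['mosquitto']`; the ca.crt and server.crt resources have the same gap. `ensure => present` on a file managed by `content` is better written `ensure => file`, so a pre-existing directory or symlink at that path is corrected rather than accepted. The `mosquitto::server` class begins before this hunk and ends after it.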
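Review bot: `listener <%= @webocket_tls_port %>` in the websocket TLS block misspells the variable; the class parameter is `$websocket_tls_port`, so ERB interpolates nil, the line renders as a bare `listener ` with no port, and mosquitto will reject the configuration every time `enable_tls` is true — change it to `listener <%= @websocket_tls_port %>`. The plain-MQTT TLS listener is hard-coded as `listener 8883` while the websocket one is templated; exposing it through a parameter the same way would keep the two listeners consistent. Since the commit message says the plaintext listeners stay open alongside the encrypted ones, a comment above `listener 1883` such as `# Unencrypted; remains open even when enable_tls is set` would spare the next reader the question. The listener section continues past the end of this hunk.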