feat: Enabled authentication for MQTT

fixes #13
hferentschik · Feb 21, 2022 · 58a5112 · 58a5112
1 parent 6a2c570
commit 58a5112
Show file tree

Hide file tree

Showing 11 changed files with 59 additions and 12 deletions.
diff --git a/anemometer/anemometer.py b/anemometer/anemometer.py
@@ -75,7 +75,8 @@ def measure(self):
 
 broker_address = os.environ.get('MQTT_BROKER') or "mqtt"
 client = mqtt.Client("1")
-
+if "MQTT_USER" in os.environ and "MQTT_PASSWORD" in os.environ:
+    client.username_pw_set(username=os.environ.get('MQTT_USER'),password=os.environ.get('MQTT_PASSWORD'))
 
 def record():
     client.connect(broker_address)

diff --git a/humidity/sht30.py b/humidity/sht30.py
@@ -77,7 +77,8 @@ def data(self):
 
 broker_address = os.environ.get('MQTT_BROKER') or "mqtt"
 client = mqtt.Client("1")
-
+if "MQTT_USER" in os.environ and "MQTT_PASSWORD" in os.environ:
+    client.username_pw_set(username=os.environ.get('MQTT_USER'),password=os.environ.get('MQTT_PASSWORD'))
 
 def record():
     client.connect(broker_address)

diff --git a/mqtt/Dockerfile b/mqtt/Dockerfile
@@ -1,3 +1,4 @@
-FROM arm64v8/eclipse-mosquitto:2.0.10
+FROM arm64v8/eclipse-mosquitto:2.0.14
 
-COPY mosquitto.conf /mosquitto/config/mosquitto.conf
+COPY mosquitto.conf /mosquitto/config/mosquitto.conf
+COPY docker-entrypoint.sh .
diff --git a/mqtt/README.md b/mqtt/README.md
@@ -1,4 +1,3 @@
 # Mosquitto
 
 This container configures [Eclipse Mosquitto](https://github.com/eclipse/mosquitto) as a MQTT message broker sensors can send their data to.
-
diff --git a/mqtt/docker-entrypoint.sh b/mqtt/docker-entrypoint.sh
@@ -0,0 +1,19 @@
+#!/bin/ash
+set -e
+
+# Configure auth
+if [[ -z "${MQTT_USER}" || -z "${MQTT_PASSWORD}" ]]; then
+  echo "Using un-authenticated configuration"
+else
+  echo "Configruing username/password authentication"
+  sed -i -e 's/^#password_file$/password_file \/mosquitto\/config\/passwd/g' -e 's/^allow_anonymous true$/allow_anonymous false/' /mosquitto/config/mosquitto.conf
+  mosquitto_passwd -c -b /mosquitto/config/passwd "${MQTT_USER}"  "${MQTT_PASSWORD}"
+fi
+
+# Set permissions
+user="$(id -u)"
+if [ "$user" = '0' ]; then
+        [ -d "/mosquitto" ] && chown -R mosquitto:mosquitto /mosquitto || true
+fi
+
+exec "$@"
diff --git a/nginx/http.conf b/nginx/http.conf
@@ -7,7 +7,7 @@ server {
     proxy_pass http://dashboard:80/weather/;
   }
 
-  location /{
+  location / {
       proxy_pass http://mqtt:9001;
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;

diff --git a/raingauge/raingauge.py b/raingauge/raingauge.py
@@ -78,7 +78,8 @@ def reset(self):
 
 broker_address = os.environ.get('MQTT_BROKER') or "mqtt"
 client = mqtt.Client("1")
-
+if "MQTT_USER" in os.environ and "MQTT_PASSWORD" in os.environ:
+    client.username_pw_set(username=os.environ.get('MQTT_USER'),password=os.environ.get('MQTT_PASSWORD'))
 
 def record():
     client.connect(broker_address)

diff --git a/telegraf/Dockerfile b/telegraf/Dockerfile
@@ -1,8 +1,9 @@
-FROM arm64v8/telegraf:1.15.4
+FROM telegraf:1.19
 
 RUN apt-get update \
  && apt-get install -y vim netcat \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
 
 COPY telegraf.conf /etc/telegraf/telegraf.conf
+COPY entrypoint.sh /entrypoint.sh
diff --git a/telegraf/entrypoint.sh b/telegraf/entrypoint.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+set -e
+
+# Configure auth
+if [[ -z "${MQTT_USER}" || -z "${MQTT_PASSWORD}" ]]; then
+  echo "Using un-authenticated configuration"
+else
+  echo "Configuring username/password authentication"
+  sed -i -e 's/^    # username =.*/    username = \"'"${MQTT_USER}"'\"/g' -e 's/^    # password =.*/    password = \"'"${MQTT_PASSWORD}"'\"/g' /etc/telegraf/telegraf.conf
+fi
+
+if [ "${1:0:1}" = '-' ]; then
+    set -- telegraf "$@"
+fi
+
+if [ $EUID -ne 0 ]; then
+    exec "$@"
+else
+    # Allow telegraf to send ICMP packets and bind to privliged ports
+    setcap cap_net_raw,cap_net_bind_service+ep /usr/bin/telegraf || echo "Failed to set additional capabilities on /usr/bin/telegraf"
+
+    exec setpriv --reuid telegraf --init-groups "$@"
+fi
diff --git a/temperature/sensor_read.rb b/temperature/sensor_read.rb
@@ -61,15 +61,15 @@ def read_temperature
       :value => measurement,
       :sensor => 'DS18B20'
     }
-  }  
+  }
 
   json_payload = JSON[payload]
   logger.info "new measurement: #{json_payload}"
   begin
-   MQTT::Client.connect(broker_address) do |c|
+   MQTT::Client.connect(:host => broker_address, :username => ENV['MQTT_USER'], :password => ENV['MQTT_PASSWORD'],) do |c|
     c.publish('sensors', json_payload)
    end
-  rescue Exception => e 
+  rescue Exception => e
     logger.info "unable to connect or publish to MQTT client: #{e.message}"
   end
 end

diff --git a/windvane/windvane.py b/windvane/windvane.py
@@ -143,7 +143,8 @@ def record(self):
 windvane = Windvane()
 broker_address = os.environ.get('MQTT_BROKER') or "mqtt"
 client = mqtt.Client("1")
-
+if "MQTT_USER" in os.environ and "MQTT_PASSWORD" in os.environ:
+    client.username_pw_set(username=os.environ.get('MQTT_USER'),password=os.environ.get('MQTT_PASSWORD'))
 
 def record():
     client.connect(broker_address)