feat: Enables authentication for MQTT

fixes #13
hferentschik · Feb 21, 2022 · a9cb884 · a9cb884
1 parent db49146
commit a9cb884
Show file tree

Hide file tree

Showing 13 changed files with 74 additions and 17 deletions.
diff --git a/anemometer/anemometer.py b/anemometer/anemometer.py
@@ -75,7 +75,8 @@ def measure(self):
 
 broker_address = os.environ.get('MQTT_BROKER') or "mqtt"
 client = mqtt.Client("1")
-
+if "MQTT_USER" in os.environ and "MQTT_PASSWORD" in os.environ:
+    client.username_pw_set(username=os.environ.get('MQTT_USER'),password=os.environ.get('MQTT_PASSWORD'))
 
 def record():
     client.connect(broker_address)

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -40,26 +40,25 @@ services:
   temperature:
     build: ./temperature
     privileged: true
-    restart: always   
+    restart: always
     depends_on:
      - mqtt
   windvane:
     build: ./windvane
     privileged: true
     restart: always
     depends_on:
-     - influxdb
-     - dashboard
+     - mqtt
   raingauge:
     build: ./raingauge
     privileged: true
-    restart: always   
+    restart: always
     depends_on:
      - mqtt
   anemometer:
     build: ./anemometer
     privileged: true
-    restart: always   
+    restart: always
     depends_on:
      - mqtt
   humidity:

diff --git a/humidity/sht30.py b/humidity/sht30.py
@@ -77,7 +77,8 @@ def data(self):
 
 broker_address = os.environ.get('MQTT_BROKER') or "mqtt"
 client = mqtt.Client("1")
-
+if "MQTT_USER" in os.environ and "MQTT_PASSWORD" in os.environ:
+    client.username_pw_set(username=os.environ.get('MQTT_USER'),password=os.environ.get('MQTT_PASSWORD'))
 
 def record():
     client.connect(broker_address)

diff --git a/mqtt/Dockerfile b/mqtt/Dockerfile
@@ -1,3 +1,4 @@
-FROM arm64v8/eclipse-mosquitto:2.0.10
+FROM arm64v8/eclipse-mosquitto:2.0.14
 
-COPY mosquitto.conf /mosquitto/config/mosquitto.conf
+COPY mosquitto.conf /mosquitto/config/mosquitto.conf
+COPY docker-entrypoint.sh .
diff --git a/mqtt/README.md b/mqtt/README.md
@@ -2,3 +2,9 @@
 
 This container configures [Eclipse Mosquitto](https://github.com/eclipse/mosquitto) as a MQTT message broker sensors can send their data to.
 
+Per default the MQTT server is unauthneticated, allowing any client to connect to send data.
+It is recommended to use a username and password.
+To do this set the device variables _MQTT_USER_ and _MQTT_PASSWORD_.
+
+The Mosquitto is exposed to the outside via [nginx](../nginx/README.md).
+If you don't have any external clients/sensors it is recommended to remove the nginx configuration.
diff --git a/mqtt/docker-entrypoint.sh b/mqtt/docker-entrypoint.sh
@@ -0,0 +1,19 @@
+#!/bin/ash
+set -e
+
+# Configure auth
+if [[ -z "${MQTT_USER}" || -z "${MQTT_PASSWORD}" ]]; then
+  echo "Using un-authenticated configuration"
+else
+  echo "Configruing username/password authentication"
+  sed -i -e 's/^#password_file$/password_file \/mosquitto\/config\/passwd/g' -e 's/^allow_anonymous true$/allow_anonymous false/' /mosquitto/config/mosquitto.conf
+  mosquitto_passwd -c -b /mosquitto/config/passwd "${MQTT_USER}"  "${MQTT_PASSWORD}"
+fi
+
+# Set permissions
+user="$(id -u)"
+if [ "$user" = '0' ]; then
+        [ -d "/mosquitto" ] && chown -R mosquitto:mosquitto /mosquitto || true
+fi
+
+exec "$@"
diff --git a/nginx/README.md b/nginx/README.md
@@ -1,4 +1,4 @@
 # NGINX
 
 This container configures NGINX as a reverse proxy on the externally URL of the application.
-The proxy at the moment either routes to the Grafana dashboard or to the MQTT queue.
+The proxy at the moment either routes to the [Grafana dashboard](../dashboard/README.md) or to the[MQTT server](../mqtt/README.md).
diff --git a/nginx/http.conf b/nginx/http.conf
@@ -7,7 +7,11 @@ server {
     proxy_pass http://dashboard:80/weather/;
   }
 
-  location /{
+  # This is exposing the MQTT server on port 80 in order to let other client
+  # connect and send data. Remove this location if you don't want MQTT to be
+  # available from the outside.
+  # If enabled, access to MQTT should be secured via MQTT_USER and MQTT_PASSWORD.
+  location / {
       proxy_pass http://mqtt:9001;
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;

diff --git a/raingauge/raingauge.py b/raingauge/raingauge.py
@@ -78,7 +78,8 @@ def reset(self):
 
 broker_address = os.environ.get('MQTT_BROKER') or "mqtt"
 client = mqtt.Client("1")
-
+if "MQTT_USER" in os.environ and "MQTT_PASSWORD" in os.environ:
+    client.username_pw_set(username=os.environ.get('MQTT_USER'),password=os.environ.get('MQTT_PASSWORD'))
 
 def record():
     client.connect(broker_address)

diff --git a/telegraf/Dockerfile b/telegraf/Dockerfile
@@ -1,8 +1,9 @@
-FROM arm64v8/telegraf:1.15.4
+FROM telegraf:1.19
 
 RUN apt-get update \
  && apt-get install -y vim netcat \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
 
 COPY telegraf.conf /etc/telegraf/telegraf.conf
+COPY entrypoint.sh /entrypoint.sh
diff --git a/telegraf/entrypoint.sh b/telegraf/entrypoint.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+set -e
+
+# Configure auth
+if [[ -z "${MQTT_USER}" || -z "${MQTT_PASSWORD}" ]]; then
+  echo "Using un-authenticated configuration"
+else
+  echo "Configuring username/password authentication"
+  sed -i -e 's/^    # username =.*/    username = \"'"${MQTT_USER}"'\"/g' -e 's/^    # password =.*/    password = \"'"${MQTT_PASSWORD}"'\"/g' /etc/telegraf/telegraf.conf
+fi
+
+if [ "${1:0:1}" = '-' ]; then
+    set -- telegraf "$@"
+fi
+
+if [ $EUID -ne 0 ]; then
+    exec "$@"
+else
+    # Allow telegraf to send ICMP packets and bind to privliged ports
+    setcap cap_net_raw,cap_net_bind_service+ep /usr/bin/telegraf || echo "Failed to set additional capabilities on /usr/bin/telegraf"
+
+    exec setpriv --reuid telegraf --init-groups "$@"
+fi
diff --git a/temperature/sensor_read.rb b/temperature/sensor_read.rb
@@ -61,15 +61,15 @@ def read_temperature
       :value => measurement,
       :sensor => 'DS18B20'
     }
-  }  
+  }
 
   json_payload = JSON[payload]
   logger.info "new measurement: #{json_payload}"
   begin
-   MQTT::Client.connect(broker_address) do |c|
+   MQTT::Client.connect(:host => broker_address, :username => ENV['MQTT_USER'], :password => ENV['MQTT_PASSWORD'],) do |c|
     c.publish('sensors', json_payload)
    end
-  rescue Exception => e 
+  rescue Exception => e
     logger.info "unable to connect or publish to MQTT client: #{e.message}"
   end
 end

diff --git a/windvane/windvane.py b/windvane/windvane.py
@@ -143,7 +143,8 @@ def record(self):
 windvane = Windvane()
 broker_address = os.environ.get('MQTT_BROKER') or "mqtt"
 client = mqtt.Client("1")
-
+if "MQTT_USER" in os.environ and "MQTT_PASSWORD" in os.environ:
+    client.username_pw_set(username=os.environ.get('MQTT_USER'),password=os.environ.get('MQTT_PASSWORD'))
 
 def record():
     client.connect(broker_address)