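#!/usr/bin/env bash
# setup-broker.sh
# Description: This script will install a Secure Mosquitto MQTT Broker on a Ubuntu / Debian system.
# Version: 1.0.0
# Version_Date: 2024-03-26
# Author: John Haverlack ([email protected])
# License: MIT (Proposed/Pending) / UAF Only
# Source: https://github.com/acep-uaf/camio-mqtts
#
# This script is intended to be idempotent. It can be run multiple times without causing issues.
#
# Requirements:
#   - must run as root on a supported OS (see supported_os below)
#   - $rundir/losd/losd-lib.sh : sourced; provides the `losd` function that prints host facts as JSON
#   - $rundir/conf/mqtt.json   : broker settings (CONFIG, BROKER, TLS, AUTH, CERT objects)
#     TLS.ENABLED and AUTH.ENABLED are JSON booleans; only the literal `true` enables a feature
#     (any other value, including `false` or a missing key, leaves it disabled).
# The script prompts for confirmation before changing anything on the system.

# -e / pipefail: abort on the first failed command or failed pipeline stage.
# -u is deliberately left off: losd-lib.sh is sourced into this shell and has
# not been reviewed for unset-variable use under `set -u`.
set -eo pipefail

#######################################
# Print an error message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Extract one value from a JSON document.
# Arguments: $1 - JSON text, $2 - jq filter
# Outputs:   the raw (unquoted) value on stdout; "null" when the path is absent
#######################################
json_get() {
  printf '%s' "$1" | jq -r "$2"
}

#######################################
# True when a value read from mqtt.json is the JSON boolean true.
# Arguments: $1 - value as printed by json_get
#######################################
is_true() {
  [[ "$1" == "true" ]]
}

#######################################
# Print the mosquitto configuration derived from mqtt.json.
# Globals (read): mqtt_port mqtt_host mqtt_allow_anon mqtt_auth_status
#                 mqtt_passwd_file mqtt_tls_status mqtt_tls_ca_cert
#                 mqtt_tls_server_cert mqtt_tls_server_key
# Outputs:   configuration file text on stdout
#######################################
build_mqtt_config() {
  printf '%s\n' \
    "# This file was generated by the setup-broker.sh script. See: https://github.com/acep-uaf/camio-mqtts" \
    "# Mosquitto MQTT Broker Configuration File" \
    "" \
    "listener $mqtt_port $mqtt_host" \
    "" \
    "allow_anonymous $mqtt_allow_anon"
  if is_true "$mqtt_auth_status"; then
    printf '%s\n' "password_file $mqtt_passwd_file"
  fi
  printf '\n'
  if is_true "$mqtt_tls_status"; then
    printf '%s\n' \
      "cafile $mqtt_tls_ca_cert" \
      "certfile $mqtt_tls_server_cert" \
      "keyfile $mqtt_tls_server_key" \
      ""
  fi
}

# Check that required binaries are installed. mosquitto_passwd and ufw are
# installed by apt further down, so they are not checked here.
req_binaries=(apt awk cat cut date df egrep grep jq lsblk mount openssl realpath sed stat systemctl tail tr uname uptime wc which)
for bin in "${req_binaries[@]}"; do
  command -v "$bin" >/dev/null 2>&1 || die "$bin binary not found or not executable. Please install $bin"
done

# Verify that this script is being run as root.
(( EUID == 0 )) || die "This script must be run as root."

# Determine the full path of the directory holding this script.
rundir=$(realpath "$(dirname -- "$0")")

# Check that the losd-lib.sh file exists and is readable, then source it.
[[ -r "$rundir/losd/losd-lib.sh" ]] || die "$rundir/losd/losd-lib.sh file not found or not readable."
# shellcheck source=/dev/null
source "$rundir/losd/losd-lib.sh"

# Supported OS names (compared against DISTRO.NAME reported by losd).
readonly supported_os=("Ubuntu" "Debian")

# Collect host facts from losd.
losd_json=$(losd) || die "losd failed to produce host information."
host_name=$(json_get "$losd_json" '.HOST.HOSTNAME')
os_name=$(json_get "$losd_json" '.DISTRO.NAME')
os_version=$(json_get "$losd_json" '.DISTRO.VERSION')
hw_platform=$(json_get "$losd_json" '.HARDWARE.HOSTNAMECTL.Chassis' | tr -dc '[:print:]')
hw_platform=${hw_platform//[[:space:]]/}   # drop any remaining whitespace
ip_addr=$(json_get "$losd_json" '.HARDWARE.NETWORK[] | select(.INTERFACE != "lo") | .IPV4_ADDR')

# Check that mqtt.json exists and is readable, then parse it (jq also validates the syntax).
mqtt_conf_json="$rundir/conf/mqtt.json"
[[ -r "$mqtt_conf_json" ]] || die "$mqtt_conf_json file not found or not readable."
mqtt_json=$(jq . "$mqtt_conf_json") || die "$mqtt_conf_json is not valid JSON."

# Extract MQTT vars.
mqtt_conf_file=$(json_get "$mqtt_json" '.CONFIG.CONF_FILE')

## Defaults (overridden below when TLS / auth are enabled)
mqtt_allow_anon=true
mqtt_host=$(json_get "$mqtt_json" '.BROKER.HOST')
mqtt_port=$(json_get "$mqtt_json" '.BROKER.PORT')
mqtt_passwd_file=""
mqtt_user=""
mqtt_tls_ca_key=""
mqtt_tls_ca_cert=""
mqtt_tls_server_key=""
mqtt_tls_server_csr=""
mqtt_tls_server_cert=""
mqtt_cert_days=""

# TLS settings: only consulted when TLS.ENABLED is the boolean true.
mqtt_tls_status=$(json_get "$mqtt_json" '.TLS.ENABLED')
if is_true "$mqtt_tls_status"; then
  mqtt_tls_ca_key=$(json_get "$mqtt_json" '.TLS.CA_KEY')
  mqtt_tls_ca_cert=$(json_get "$mqtt_json" '.TLS.CA_CERT')
  mqtt_tls_server_key=$(json_get "$mqtt_json" '.TLS.SERVER_KEY')
  mqtt_tls_server_csr=$(json_get "$mqtt_json" '.TLS.SERVER_CSR')
  mqtt_tls_server_cert=$(json_get "$mqtt_json" '.TLS.SERVER_CERT')
  # The TLS listener replaces the plain BROKER host/port.
  mqtt_host=$(json_get "$mqtt_json" '.TLS.HOST')
  mqtt_port=$(json_get "$mqtt_json" '.TLS.PORT')
  mqtt_cert_days=$(json_get "$mqtt_json" '.CERT.DAYS')
  mqtt_cert_C=$(json_get "$mqtt_json" '.CERT.SUBJECT.C')
  mqtt_cert_ST=$(json_get "$mqtt_json" '.CERT.SUBJECT.ST')
  mqtt_cert_L=$(json_get "$mqtt_json" '.CERT.SUBJECT.L')
  mqtt_cert_O=$(json_get "$mqtt_json" '.CERT.SUBJECT.O')
  mqtt_cert_OU=$(json_get "$mqtt_json" '.CERT.SUBJECT.OU')
  mqtt_cert_CN=$(json_get "$mqtt_json" '.CERT.SUBJECT.CN')
fi

# Auth settings: only consulted when AUTH.ENABLED is the boolean true.
mqtt_auth_status=$(json_get "$mqtt_json" '.AUTH.ENABLED')
if is_true "$mqtt_auth_status"; then
  mqtt_allow_anon=false
  mqtt_passwd_file=$(json_get "$mqtt_json" '.CONFIG.PASSWD_FILE')
  mqtt_user=$(json_get "$mqtt_json" '.AUTH.USERS[0]')
  [[ -n "$mqtt_user" && "$mqtt_user" != "null" ]] \
    || die "AUTH.ENABLED is true but AUTH.USERS[0] is not set in $mqtt_conf_json"
fi

printf '\n'
printf 'Host Name: %s\n' "$host_name"
printf 'OS Name: %s\n' "$os_name"
printf 'OS Version: %s\n' "$os_version"
printf 'Hardware Platform: %s\n' "$hw_platform"
printf 'IP Address: %s\n' "$ip_addr"
printf '\n'
printf 'MQTT Broker Host: %s\n' "$mqtt_host"
printf 'MQTT Broker Port: %s\n' "$mqtt_port"
printf 'MQTT TLS Status: %s\n' "$mqtt_tls_status"
printf 'MQTT Auth Status: %s\n' "$mqtt_auth_status"
printf '\n'

# Check if the OS is supported (whole-word match against the supported_os list).
if [[ ! " ${supported_os[*]} " =~ " ${os_name} " ]]; then
  die "Unsupported OS detected: $os_name $os_version"
fi

printf '\nWARNING:\n'
printf 'This script [setup-broker.sh] will install and configure a TLS secured Mosquitto MQTT Broker.\n'
# On EOF (no terminal) treat the answer as empty, which aborts below.
read -r -p "Continue [y/N]:" ans || ans=""
printf '\n'
if [[ "$ans" != "y" && "$ans" != "Y" ]]; then
  printf 'INFO: Aborting Script.\n'
  exit 1
fi

# ==================== BEGIN MQTTS SETUP SCRIPT ====================

# Install the necessary packages.
apt update
apt install -y mosquitto mosquitto-clients ufw

# Configure MQTT passwords. The file is created only once so re-runs keep
# existing credentials (idempotent).
if is_true "$mqtt_auth_status"; then
  if [[ ! -f "$mqtt_passwd_file" ]]; then
    printf '\nINFO: Creating Mosquitto Password File: %s\n' "$mqtt_passwd_file"
    printf 'Please enter a password for the user: %s\n' "$mqtt_user"
    mkdir -p -- "$(dirname -- "$mqtt_passwd_file")"
    # mosquitto_passwd reads the password interactively; it never appears on a command line.
    mosquitto_passwd -c "$mqtt_passwd_file" "$mqtt_user"
    # Only the broker user may read the hashed credentials.
    chmod 600 "$mqtt_passwd_file"
    chown mosquitto:mosquitto "$mqtt_passwd_file"
  fi
fi

# Create a self-signed CA and server certificate when TLS is enabled and any of
# the CA key, CA cert, server key or server cert is missing.
if is_true "$mqtt_tls_status"; then
  if [[ ! -f "$mqtt_tls_ca_key" || ! -f "$mqtt_tls_ca_cert" \
        || ! -f "$mqtt_tls_server_key" || ! -f "$mqtt_tls_server_cert" ]]; then
    printf '\nINFO: Creating Self-Signed Certificate\n'
    [[ -n "$mqtt_cert_CN" && "$mqtt_cert_CN" != "null" ]] \
      || die "TLS.ENABLED is true but CERT.SUBJECT.CN is not set in $mqtt_conf_json"
    cert_subject="/C=$mqtt_cert_C/ST=$mqtt_cert_ST/L=$mqtt_cert_L/O=$mqtt_cert_O/OU=$mqtt_cert_OU/CN=$mqtt_cert_CN"
    printf 'DEBUG: cert_subject: %s\n' "$cert_subject"
    # Create the directories for the certificate files if they do not exist.
    mkdir -p -- "$(dirname -- "$mqtt_tls_ca_cert")" "$(dirname -- "$mqtt_tls_ca_key")" \
      "$(dirname -- "$mqtt_tls_server_cert")" "$(dirname -- "$mqtt_tls_server_key")"
    (
      # Private keys must never exist with a world-readable mode, even briefly:
      # create every file 0600 from the start instead of chmod-ing afterwards.
      umask 077
      # Generate the CA key and certificate files.
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$mqtt_tls_ca_key"
      openssl req -new -x509 -key "$mqtt_tls_ca_key" -out "$mqtt_tls_ca_cert" \
        -days "$mqtt_cert_days" -subj "$cert_subject"
      # Generate the server key and CSR.
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$mqtt_tls_server_key"
      openssl req -new -key "$mqtt_tls_server_key" -out "$mqtt_tls_server_csr" -subj "$cert_subject"
      # Sign the server CSR with the CA certificate and key.
      # NOTE(review): the server cert carries no subjectAltName; clients that
      # require a SAN matching $mqtt_host will reject it — confirm against your clients.
      openssl x509 -req -in "$mqtt_tls_server_csr" -CA "$mqtt_tls_ca_cert" -CAkey "$mqtt_tls_ca_key" \
        -CAcreateserial -out "$mqtt_tls_server_cert" -days "$mqtt_cert_days"
    )
    # Set the permissions on the certificate files.
    chmod 600 "$mqtt_tls_ca_key" "$mqtt_tls_ca_cert" "$mqtt_tls_server_cert" "$mqtt_tls_server_key"
    # The broker only reads cafile/certfile/keyfile; the CA key stays root-owned
    # so the broker process cannot sign further certificates with it.
    chown mosquitto:mosquitto "$mqtt_tls_ca_cert" "$mqtt_tls_server_cert" "$mqtt_tls_server_key"
  fi
fi

# Configure the Mosquitto Broker.
printf '\nINFO: Configuring Mosquitto Broker: %s\n' "$mqtt_conf_file"
mkdir -p -- "$(dirname -- "$mqtt_conf_file")"
build_mqtt_config > "$mqtt_conf_file"
# Set the permissions on the configuration file.
chmod 644 "$mqtt_conf_file"
chown mosquitto:mosquitto "$mqtt_conf_file"

# Configure the UFW Firewall. This only adds the allow rule; it does not run
# `ufw enable`, so an inactive firewall stays inactive.
printf '\nINFO: Configuring UFW Firewall\n'
ufw allow "$mqtt_port/tcp"

# Enable and start the Mosquitto Broker.
printf '\nINFO: Enabling and Starting Mosquitto Broker\n'
systemctl enable mosquitto

# Restart the Mosquitto Broker so the new configuration is loaded.
printf '\nINFO: Restarting Mosquitto Broker\n'
systemctl restart mosquitto

# Check the status of the Mosquitto Broker. Under set -e a non-running unit
# makes the script exit non-zero here, which is the desired signal.
printf '\nINFO: Checking the status of the Mosquitto Broker\n'
systemctl --no-pager status mosquitto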