commit c00b7e7789b40f473804b00a398c5748d196b6bc
parent 4b91adaf899ce562eb904a934f5a566c59850a00
Author: Tomas Nemec <owl@gtms.dev>
Date: Sat, 8 Mar 2025 02:37:13 +0100
feat: tls enable with bridge
Diffstat:
8 files changed, 92 insertions(+), 23 deletions(-)
diff --git a/compose.yaml b/compose.yaml
@@ -6,15 +6,26 @@ volumes:
services:
mosquitto:
- image: eclipse-mosquitto
+ profiles:
+ - server
+ image: tms/eclipse-mosquitto
+ build:
+ dockerfile_inline: |
+ FROM eclipse-mosquitto
+ COPY mosquitto/mosquitto.conf /mosquitto/config/mosquitto.conf
+ COPY mosquitto/docker-entrypoint.sh /docker-entrypoint.sh
restart: unless-stopped
volumes:
- - /home/pi/.local/share/mosquitto/config:/mosquitto/config
- mosquitto-data:/mosquitto/data
+ - /etc/ssl/certs/tms.pem:/mosquitto-certs/ca.crt:ro
+ - /home/pi/.local/share/ssl/server.crt:/mosquitto-certs/server.crt:ro
+ - /home/pi/.local/share/ssl/server.key:/mosquitto-certs/server.key:ro
ports:
- 1883:1883
- 8883:8883
zigbee2mqtt:
+ profiles:
+ - server
image: koenkk/zigbee2mqtt
restart: unless-stopped
volumes:
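Review bot: The new `profiles:` keys split the file into a `server` set and a `bridge` set, but nothing in compose.yaml says which host is meant to run which, and the two mosquitto services that result are easy to confuse because they share the image name `tms/eclipse-mosquitto`. A comment above `services:` along the lines of `# profiles: 'server' = broker + zigbee2mqtt + node-red; 'bridge' = only the mTLS bridge broker (docker compose --profile <name> up)` would make the intent explicit. The port mappings `- 1883:1883` / `- 8883:8883` are kept unquoted; both happen to be safe because neither side is a sexagesimal literal, but the usual Compose convention is to quote them (`- "1883:1883"`) so a later edit to a low-numbered port does not silently parse as an integer.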
@@ -30,13 +41,34 @@ services:
group_add:
- dialout
node-red:
- image: my-node-red
+ profiles:
+ - server
+ image: tms/node-red
build:
dockerfile_inline: |
- FROM docker.io/nodered/node-red
+ FROM nodered/node-red
RUN npm install node-red-contrib-zigbee2mqtt
restart: always
volumes:
- node-red-data:/data
ports:
- 1880:1880
+ mosquitto-bridge:
+ profiles:
+ - bridge
+ image: tms/eclipse-mosquitto
+ build:
+ dockerfile_inline: |
+ FROM eclipse-mosquitto
+ COPY mosquitto-bridge/mosquitto.conf /mosquitto/config/mosquitto.conf
+ COPY mosquitto-bridge/certs/* /mosquitto-certs/
+ COPY mosquitto/docker-entrypoint.sh /docker-entrypoint.sh
+ restart: unless-stopped
+ volumes:
+ - /etc/ssl/certs/TMSCA.pem:/mosquitto-certs/ca.crt:ro
+ - /etc/mosquitto/certs/server.crt:/mosquitto-certs/server.crt:ro
+ - /etc/mosquitto/certs/server.key:/mosquitto-certs/server.key:ro
+ extra_hosts:
+ - "mqtt.home:<BROKER_IP>"
+ ports:
+ - 1883:1883
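Review bot: `COPY mosquitto-bridge/certs/* /mosquitto-certs/` in the bridge build bakes whatever is in `mosquitto-bridge/certs/` into an image layer — and, judging from `bridge_certfile`/`bridge_keyfile` in mosquitto-bridge/mosquitto.conf, that directory is where the bridge client private key is expected to live — so the key survives in image history and in any registry the image is pushed to, while the server key on the very same service is bind-mounted read-only. Mount the bridge identity the same way the other three files are and drop the COPY line, e.g. `- /etc/mosquitto/certs/bridge.crt:/mosquitto-certs/bridge.crt:ro` and `- /etc/mosquitto/certs/bridge.key:/mosquitto-certs/bridge.key:ro`. The `extra_hosts` entry `"mqtt.home:<BROKER_IP>"` is a literal placeholder committed to the repo; `"mqtt.home:${BROKER_IP:?BROKER_IP not set}"` lets Compose take it from the environment or `.env` and fail loudly when it is missing instead of producing an unparsable host entry.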
diff --git a/mosquitto-bridge/.gitignore b/mosquitto-bridge/.gitignore
@@ -0,0 +1,2 @@
+certs/*
+!.keep
diff --git a/mosquitto-bridge/certs/.keep b/mosquitto-bridge/certs/.keep
diff --git a/mosquitto-bridge/mosquitto.conf b/mosquitto-bridge/mosquitto.conf
@@ -0,0 +1,21 @@
+per_listener_settings true
+persistence_location /mosquitto/data/
+
+listener 1883
+allow_anonymous false
+
+require_certificate true
+cafile /mosquitto/certs/ca.crt
+certfile /mosquitto/certs/server.crt
+keyfile /mosquitto/certs/server.key
+
+# Bridge to local Mosquitto
+connection bridge-to-local
+address mqtt.home:8883
+
+bridge_cafile /mosquitto/certs/ca.crt
+bridge_certfile /mosquitto/certs/bridge.crt
+bridge_keyfile /mosquitto/certs/bridge.key
+bridge_insecure false
+
+topic # both 0
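Review bot: `allow_anonymous false` on the bridge's `listener 1883` is paired with `require_certificate true` but, unlike mosquitto/mosquitto.conf, not with `use_identity_as_username true`, and no `password_file` or auth plugin appears in the hunk; in that combination Mosquitto still expects a username from the client, so a client that presents a valid certificate but no username is refused. Either add `use_identity_as_username true` after the `keyfile` line (mirroring the server config, and making the certificate CN the MQTT username) or document where the credentials are expected to come from. Note also that `bridge_certfile`/`bridge_keyfile` are only satisfied by the image-level COPY in compose.yaml, not by any bind mount, which is worth a comment such as `# bridge.crt/bridge.key: client identity presented to mqtt.home:8883` so the dependency is visible from this file.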
diff --git a/mosquitto/.gitignore b/mosquitto/.gitignore
@@ -1 +0,0 @@
-config/certs
diff --git a/mosquitto/config/mosquitto.conf b/mosquitto/config/mosquitto.conf
@@ -1,18 +0,0 @@
-per_listener_settings true
-persistence_location /mosquitto/data/
-
-#log_type all
-log_timestamp_format %Y-%m-%dT%H:%M:%S
-
-listener 1883
-allow_anonymous true
-
-listener 8883
-allow_anonymous false
-
-require_certificate true
-cafile /mosquitto/config/certs/ca.crt
-certfile /mosquitto/config/certs/server.crt
-keyfile /mosquitto/config/certs/server.key
-
-use_identity_as_username true
diff --git a/mosquitto/docker-entrypoint.sh b/mosquitto/docker-entrypoint.sh
@@ -0,0 +1,15 @@
+#!/bin/ash
+set -e
+
+# Set permissions
+user="$(id -u)"
+if [ "$user" = '0' ]; then
+ # Copy certs
+ if [ -d "/mosquitto-certs" ]; then
+ cp -r /mosquitto-certs /mosquitto/certs
+ fi
+
+ [ -d "/mosquitto" ] && chown -R mosquitto:mosquitto /mosquitto || true
+fi
+
+exec "$@"
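Review bot: `cp -r /mosquitto-certs /mosquitto/certs` copies the directory *into* `/mosquitto/certs` once that target already exists, so on any container restart (both services use `restart: unless-stopped`, which restarts the same container and its writable layer rather than recreating it) the files land in `/mosquitto/certs/mosquitto-certs/` and the broker keeps reading the first-run copies — certificates rotated on the host are silently ignored until the container is recreated. Use `mkdir -p /mosquitto/certs && cp -r /mosquitto-certs/. /mosquitto/certs/` so the copy is idempotent. Since the copies are then handed to the `mosquitto` user by the `chown -R`, a `chmod 600 /mosquitto/certs/*.key` after the copy would also keep the private keys from inheriting a wider mode from the bind-mounted source files.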
diff --git a/mosquitto/mosquitto.conf b/mosquitto/mosquitto.conf
@@ -0,0 +1,18 @@
+per_listener_settings true
+persistence_location /mosquitto/data/
+
+#log_type all
+log_timestamp_format %Y-%m-%dT%H:%M:%S
+
+listener 1883
+allow_anonymous true
+
+listener 8883
+allow_anonymous false
+
+require_certificate true
+cafile /mosquitto/certs/ca.crt
+certfile /mosquitto/certs/server.crt
+keyfile /mosquitto/certs/server.key
+
+use_identity_as_username true
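Review bot: `listener 1883` with `allow_anonymous true` is a plaintext, unauthenticated listener, and compose.yaml publishes it on the host (`- 1883:1883`), so anything accepted there is also carried across the bridge via its `topic # both 0`. If that listener exists only for the compose-internal zigbee2mqtt and node-red services (which reach the broker by service name, not through the host port), restrict the host publish in compose.yaml to `- 127.0.0.1:1883:1883` or drop it and keep only 8883 published. At minimum a comment above the listener, such as `# Plaintext/anonymous listener for compose-internal clients only; not meant to be reachable off-host`, records the intent, since the file was moved here without one.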