This is a fairly significant refactor so buckle up:
The Goal
SkyScan should be able to communicate on the MQTT bus using TLS encryption.
This PR is the first step towards that goal.
How it works
This adds a Certificate Authority (CA) server on the same docker network as the mqtt broker. The CA exists at ca.mqtt.local and the broker can be found at broker.mqtt.local so as not to unnecessarily expose MQTT traffic to external interference. The MQTT broker waits for the CA to become healthy, then bootstraps the CA's root cert (so that it will trust the CA), and then uses certbot to perform an ACME challenge to obtain a certificate. Clients that wish to validate can obtain their own certs in the same fashion. TLS encrypted MQTT (aka MQTTS) is authenticated using a username and password and communicates over port 8883.
Instructions for Use
- In the `mqtt/.env` file specify the `MQTT_PREFIX` environment variable
- `docker-compose -f docker-compose.yml -f mqtt/docker-compose.mqtt.yml`
Important Notes
- The `.env` file DOES NOT contain environment variables needed by containers; it is the environment provided to `docker-compose`. Environment variables required inside of containers should be specified in `container.env` (though this is not considered ideal as all containers will have identical environments).
- The `mqtt` directory is a subtree pointed to https://github.com/IQTLabs/edgetech-mqtt-compose and as such should not be updated from this project.
- The `docker-compose.yml` file found at the project root must be the first one referenced in a `-f` flag as it defines the context under which ALL subsequent compose files will be evaluated, in accordance with the documentation.
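As an added example (not code from this PR or from the SkyScan project), the following shows what a client that "wishes to validate" the broker needs on its side of the "How it works" flow: a TLS context that trusts only the bootstrapped CA root, verifies the broker's hostname (broker.mqtt.local), and then authenticates with a username and password on port 8883. The CA root file path (`ca-root.pem`), the `SKYSCAN_CA_ROOT`, `MQTT_USERNAME` and `MQTT_PASSWORD` environment variables, and the use of paho-mqtt are assumptions, not details from the PR.

```python
"""Added example (not from the PR): a verifying MQTTS client for the SkyScan bus.

Assumptions not stated in the PR: the CA's root certificate has been bootstrapped
to a local file (default ./ca-root.pem, overridable via SKYSCAN_CA_ROOT), and the
broker credentials are supplied via MQTT_USERNAME / MQTT_PASSWORD.
"""
import os
import socket
import ssl
from typing import Optional

BROKER_HOST = "broker.mqtt.local"  # broker hostname from the PR description
MQTTS_PORT = 8883                  # MQTTS port from the PR description
CA_ROOT_PATH = os.environ.get("SKYSCAN_CA_ROOT", "ca-root.pem")  # assumed location


def build_mqtts_context(ca_root_path: Optional[str] = CA_ROOT_PATH) -> ssl.SSLContext:
    """Return an SSLContext that accepts only certificates chaining to the CA root.

    A path pins trust to the ca.mqtt.local root alone. None falls back to the
    system trust store, which is only correct if the root was installed there.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # an unverifiable broker cert aborts the handshake
    ctx.check_hostname = True            # the cert must actually be for broker.mqtt.local
    if ca_root_path is not None:
        ctx.load_verify_locations(cafile=ca_root_path)  # raises if the root is missing
    else:
        ctx.load_default_certs()
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context both verifies the chain and checks the hostname."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def credentials_from_env() -> tuple:
    """Read the MQTTS username/password; fail loudly rather than connecting unauthenticated."""
    user = os.environ.get("MQTT_USERNAME")
    password = os.environ.get("MQTT_PASSWORD")
    if not user or not password:
        raise RuntimeError("MQTT_USERNAME and MQTT_PASSWORD must be set for MQTTS")
    return user, password


def probe_broker_cert(host: str = BROKER_HOST, port: int = MQTTS_PORT,
                      ca_root_path: Optional[str] = CA_ROOT_PATH) -> dict:
    """Do a bare TLS handshake (no MQTT) and return the verified peer certificate.

    Useful as a health check after the broker has obtained its cert via ACME: a
    failure here means the chain or hostname is wrong, independent of MQTT auth.
    """
    ctx = build_mqtts_context(ca_root_path)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()  # only reached if verification succeeded


def connect_mqtts(client_id: str, ca_root_path: Optional[str] = CA_ROOT_PATH):
    """Connect over TLS on 8883 with username/password auth (requires paho-mqtt)."""
    import paho.mqtt.client as mqtt  # third-party; imported lazily so the rest runs without it

    user, password = credentials_from_env()
    client = mqtt.Client(client_id=client_id)
    client.tls_set_context(build_mqtts_context(ca_root_path))
    client.username_pw_set(user, password)
    client.connect(BROKER_HOST, MQTTS_PORT, keepalive=60)
    return client


if __name__ == "__main__":
    cert = probe_broker_cert()
    print("broker cert subject:", cert.get("subject"), "expires:", cert.get("notAfter"))
    connect_mqtts("skyscan-example").loop_start()
```

The context is built with `PROTOCOL_TLS_CLIENT` and an explicit CA file so that a self-signed or wrong-hostname certificate fails the handshake instead of being silently accepted; `probe_broker_cert` separates "is the certificate trusted" from "are the credentials right", which makes bootstrapping problems easier to localise.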