From 7352a2014313173387c36d16cc407f8d015ab544 Mon Sep 17 00:00:00 2001
From: Patrik Lundin
Date: Sun, 6 Oct 2024 14:26:10 +0200
Subject: [PATCH] Start managing mqtt ACL

Include sample comsos-rules entry for testing out template
---
 global/overlay/etc/puppet/cosmos-rules.yaml | 11 +++++++++++
 .../etc/puppet/modules/cdn/manifests/mqtt.pp | 10 ++++++++++
 .../puppet/modules/cdn/templates/mqtt/aclfile.erb | 15 +++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 global/overlay/etc/puppet/modules/cdn/templates/mqtt/aclfile.erb

diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index 761f754..b2bbbb5 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -18,3 +18,14 @@
 '^internal-.+-test-mqtt-[0-9]+\.cdn\.sunet\.se$':
 cdn::mqtt:
+ dc: tug
+ clients:
+ - shared-tug-test-cache-1.cdn.sunet.se
+ - shared-tug-test-cache-2.cdn.sunet.se
+ bridges:
+ sto3:
+ address: internal-sto3-test-mqtt-1.cdn.sunet.se
+ port: 8883
+ dco:
+ address: internal-dco-test-mqtt-1.cdn.sunet.se
+ port: 8883
diff --git a/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp b/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
index b52c75d..cb9c9d1 100644
--- a/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
@@ -1,6 +1,16 @@
 # Configure a SUNET CDN mqtt server
 class cdn::mqtt(
+ String $dc = '',
+ Hash[String, Hash] $bridges = {},
 ) {
 package {'mosquitto': ensure => installed }
+
+ file { '/etc/mosquitto/aclfile':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template('cdn/runner/aclfile.erb'),
+ }
 }
diff --git a/global/overlay/etc/puppet/modules/cdn/templates/mqtt/aclfile.erb b/global/overlay/etc/puppet/modules/cdn/templates/mqtt/aclfile.erb
new file mode 100644
index 0000000..3691bdc
--- /dev/null
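Review bot: The new `clients:` list under `cdn::mqtt:` has no counterpart in the class it configures: the manifest hunk in this same commit only adds `$dc` and `$bridges`, while the new template iterates `@clients`. If cosmos-rules entries are handed to the class as parameters (which the existing layout suggests, though the mechanism is outside this diff), catalog compilation fails on the unknown parameter; if they are not, `@clients` is nil and the template's `each` raises at render time. Adding `Array[String] $clients = [],` to the `cdn::mqtt` parameter list in the manifest hunk would bring the three files into agreement.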
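Review bot: `content => template('cdn/runner/aclfile.erb')` looks in a `runner` directory, but the template this commit creates is `templates/mqtt/aclfile.erb`, so the reference should be `template('cdn/mqtt/aclfile.erb')`; as written the file resource fails at catalog compilation and no ACL is ever written. Separately, `String $dc = ''` lets an unset datacenter render the local topic as `cdn//purge`, which grants a nonsense topic instead of failing; `String[1] $dc` with no default would make a missing value an error. Nothing in the hunk sets mosquitto's `acl_file /etc/mosquitto/aclfile` option or restarts the broker when the ACL content changes — that may be handled elsewhere in the module, but without it this file is written and never enforced.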
+++ b/global/overlay/etc/puppet/modules/cdn/templates/mqtt/aclfile.erb
@@ -0,0 +1,15 @@
+# Clients in the local datacenter
+<% @clients.each do |client| -%>
+user <%= @client %>
+topic readwrite cdn/<%= @dc %>/purge
+topic read cdn/+/purge
+
+<% end -%>
+# Bridge queues to other datacenters
+<% @bridges.each do |remote_dc, bridge_config| -%>
+user <%= bridge_config['address'] %>
+topic readwrite cdn/<%= @remote_dc %>/purge
+
+<% end -%>
+# This affects all clients.
+pattern write $SYS/broker/connection/%c/state
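Review bot: `user <%= @client %>` reads an instance variable that is never assigned — the loop variable is `client` — so every local-client stanza renders as a bare `user ` line, and the same slip appears in `topic readwrite cdn/<%= @remote_dc %>/purge`, where the block variable is `remote_dc`. Depending on how mosquitto treats an empty user name the file is either rejected or the purge permissions are attached to no real identity, and each bridge stanza grants `readwrite` on `cdn//purge` rather than the remote datacenter's topic. The fixes are `user <%= client %>` and `topic readwrite cdn/<%= remote_dc %>/purge`. A one-line header comment stating that these rules are keyed on the broker-authenticated username, and therefore only restrict clients whose identity has already been verified by mosquitto's configured authentication, would help the next reader judge what the ACL does and does not protect.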