Massive update

drb-c2-core/mosquitto/acl.conf

@@ -0,0 +1,19 @@
+# -----------------------------------------------------------------------
+# Mosquitto ACL — DRB C2 Server
+# -----------------------------------------------------------------------
+# Two principals:
+#   drb-c2-core  — the backend service; needs full broker access
+#   drb-node     — shared credential for all edge nodes; scoped to their
+#                  own namespace via MQTT client ID (%c = NODE_ID)
+# -----------------------------------------------------------------------
+
+# C2-core service — full read/write on every topic
+user drb-c2-core
+topic readwrite #
+
+# Edge nodes — each node may only read/write topics under nodes/<its-own-ID>/
+# Mosquitto substitutes %c with the connecting client's MQTT client ID at
+# runtime. Edge nodes set client_id = NODE_ID in mqtt_manager.py, so this
+# cryptographically prevents node-A from publishing to nodes/node-B/api_key
+# or any other node's namespace.
+pattern readwrite nodes/%c/#

drb-c2-core/mosquitto/entrypoint.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+# Mosquitto entrypoint — generates /mosquitto/config/passwd from env vars
+# before handing off to the broker process.
+#
+# Required environment variables (set in docker-compose.yml):
+#   MQTT_C2_USER   — username for the drb-c2-core service
+#   MQTT_C2_PASS   — password for the drb-c2-core service
+#   MQTT_NODE_USER — shared username for all edge nodes
+#   MQTT_NODE_PASS — shared password for all edge nodes
+set -e
+
+PASSWD_FILE=/mosquitto/config/passwd
+
+# Remove any stale file so we start clean on every container start
+rm -f "$PASSWD_FILE"
+
+if [ -z "$MQTT_C2_USER" ] || [ -z "$MQTT_C2_PASS" ]; then
+    echo "ERROR: MQTT_C2_USER and MQTT_C2_PASS must be set" >&2
+    exit 1
+fi
+
+if [ -z "$MQTT_NODE_USER" ] || [ -z "$MQTT_NODE_PASS" ]; then
+    echo "ERROR: MQTT_NODE_USER and MQTT_NODE_PASS must be set" >&2
+    exit 1
+fi
+
+mosquitto_passwd -b "$PASSWD_FILE" "$MQTT_C2_USER"   "$MQTT_C2_PASS"
+mosquitto_passwd -b "$PASSWD_FILE" "$MQTT_NODE_USER" "$MQTT_NODE_PASS"
+
+echo "Mosquitto: password file written for users: $MQTT_C2_USER, $MQTT_NODE_USER"
+
+exec /usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf

drb-c2-core/mosquitto/mosquitto.conf

@@ -1,8 +1,15 @@
 listener 1883
-allow_anonymous true
+allow_anonymous false
 
-# Persist messages across restarts
+# Credentials and ACLs are generated/mounted at container startup
+password_file /mosquitto/config/passwd
+acl_file      /mosquitto/config/acl.conf
+
+# Persist retained messages (e.g. api_key, node status) across broker restarts
 persistence true
 persistence_location /mosquitto/data/
 
 log_dest stdout
+log_type error
+log_type warning
+log_type notice