- Shell 83.4%
- Dockerfile 16.6%
|
|
||
|---|---|---|
| .forgejo/workflows | ||
| deploy-cert.sh | ||
| Dockerfile | ||
| entrypoint.sh | ||
| LICENSE | ||
| README.md | ||
| renew-cert.sh | ||
| renovate.json | ||
docker-mqtt
Simple container for my online mqtt server with automatic Let's Encrypt certificates via lego (DNS-01, OVH).
build
docker build . -t docker.asperti.com/paspo/mqtt
docker-compose
version: "3"
services:
server:
image: docker.asperti.com/paspo/mqtt
environment:
ACME_DOMAIN: mqtt.example.com
ACME_EMAIL: admin@example.com
OVH_AK: ${OVH_AK}
OVH_AS: ${OVH_AS}
OVH_CK: ${OVH_CK}
volumes:
- /srv/mqtt/config:/etc/mosquitto
- /srv/mqtt/acme:/acme
ports:
- "8883:8883"
- "8983:8983"
restart: always
Store OVH credentials in a local .env file (do not commit it):
OVH_AK=your_application_key
OVH_AS=your_application_secret
OVH_CK=your_consumer_key
Environment variables
| Variable | Required | Description |
|---|---|---|
ACME_DOMAIN |
yes | Broker FQDN (e.g. mqtt.example.com) |
ACME_EMAIL |
yes | Let's Encrypt account email |
OVH_AK |
yes | OVH API application key (mapped to OVH_APPLICATION_KEY for lego) |
OVH_AS |
yes | OVH API application secret |
OVH_CK |
yes | OVH API consumer key |
OVH_END_POINT |
no | OVH API endpoint (default: ovh-eu) |
ACME_STAGING |
no | Set to true to use Let's Encrypt staging CA |
On first start the container waits until the certificate is issued and deployed
before starting Mosquitto (retries every 60s on failure). On subsequent starts,
if a certificate already exists in /acme, it is deployed without
contacting Let's Encrypt. Renewals run daily via cron when the certificate
expires within 30 days; Mosquitto reloads the certificate on renewal without
restarting the container. Persist /acme to keep lego state and avoid
Let's Encrypt rate limits.
OVH API token
Create a consumer key before deploying. Use a token scoped to your DNS zone
(replace example.com with your domain):
https://api.ovh.com/createToken/?GET=/domain/zone/example.com/&POST=/domain/zone/example.com/&PUT=/domain/zone/example.com/&GET=/domain/zone/example.com&DELETE=/domain/zone/example.com/record/
Select Unlimited validity and authorize access. Copy the three credentials
into your .env file as OVH_AK, OVH_AS, and OVH_CK.
For non-EU OVH accounts, also set OVH_END_POINT (e.g. ovh-ca, ovh-us).
Staging
For testing without production rate limits:
environment:
ACME_STAGING: "true"
mosquitto configuration
This is the configuration (mosquitto.conf):
listener 8883
certfile /tls/cert.pem
cafile /tls/chain.pem
keyfile /tls/privkey.pem
log_dest syslog
allow_anonymous false
password_file /etc/mosquitto/passwd
listener 8983
psk_hint go away
psk_file /etc/mosquitto/pskfile
The first port is used with a passwd file, that you can create in the usual way.
You also need to create a file named "pskfile" to access the "secondary" port, with this syntax:
user1:password1
user2:password2
password update
docker compose exec -u mosquitto server mosquitto_passwd -b /etc/mosquitto/passwd username StrongPa$$w0rd