Install mosquitto MQTT broker.
#!/bin/bash
# This assumes Raspbian buster
# For stretch you may have to configure apt-get
# to use the mosquitto repository and key
sudo apt-get update
sudo apt-get -y upgrade
sudo apt-get -y install mosquitto mosquitto-clients
Securing Your MQTT Broker
If you wish to use an MQTT dashboard app on your laptop or mobile device for remote access to your home automation gear, then you should enable password authentication and encryption for your MQTT broker.
Follow the instructions at https://mosquitto.org/man/mosquitto_passwd-1.html to create a passwd file containing your desired credentials, e.g.
sudo mosquitto_passwd -c /etc/mosquitto/passwd jdoe
Edit /etc/mosquitto/mosquitto.conf to specify the passwd file you created, e.g.
sudo nano /etc/mosquitto/mosquitto.conf
allow_anonymous false
password_file /etc/mosquitto/passwd
To enable TLS encryption, use the capath, certfile and keyfile options to reference your letsencrypt certificate and key files installed via certbot, e.g. insert something like the following in /etc/mosquitto/mosquitto.conf:
capath /etc/letsencrypt/live/yourdomain.duckdns.org/
certfile /etc/letsencrypt/live/yourdomain.duckdns.org/fullchain.pem
keyfile /etc/letsencrypt/live/yourdomain.duckdns.org/privkey.pem
Note that for the latter, you need to make sure that the user account that the mosquitto service runs as has read permissions to the relevant letsencrypt files. Depending on exactly how you set all of this up, you may either have to loosen the security permissions on the files and directories under /etc/letsencrypt/live/ or use a post-renewal script to make copies in some other location. See https://certbot.eff.org/docs/using.html and https://mosquitto.org/man/mosquitto-conf-5.html for details.
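The post-renewal copy mentioned above, sketched as a certbot deploy hook (an added example, not part of the original page). The destination /etc/mosquitto/certs, the service account name mosquitto and the systemctl restart are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example: certbot deploy hook that copies the renewed certificate
# and key to a directory the mosquitto service account can read, so the
# permissions under /etc/letsencrypt/live/ can stay as certbot set them.
# Assumptions (not from the original page): destination /etc/mosquitto/certs,
# service user "mosquitto", systemd managing the service.

# copy_certs SRC_DIR DST_DIR [OWNER]
# Copies fullchain.pem and privkey.pem from SRC_DIR to DST_DIR.
# Refuses to touch DST_DIR if either source file is missing.
copy_certs() {
    src=$1; dst=$2; owner=${3:-}
    for f in fullchain.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    mkdir -p "$dst" || return 1
    chmod 750 "$dst" || return 1
    # install(1) follows the live/ symlinks and sets the final mode itself,
    # so the private key copy is never left with a looser mode.
    install -m 644 "$src/fullchain.pem" "$dst/fullchain.pem" || return 1
    install -m 600 "$src/privkey.pem" "$dst/privkey.pem" || return 1
    # Ownership can only be handed over when running as root (as certbot does).
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dst" "$dst/fullchain.pem" "$dst/privkey.pem" || return 1
    fi
}

# certbot exports RENEWED_LINEAGE (the live/<domain> directory) to deploy
# hooks; when it is unset this file only defines the function.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_certs "$RENEWED_LINEAGE" /etc/mosquitto/certs mosquitto &&
        systemctl restart mosquitto
fi
```

Installed as an executable file under /etc/letsencrypt/renewal-hooks/deploy/, it runs after each successful renewal; certfile and keyfile in mosquitto.conf would then point at the copies instead of the files under /etc/letsencrypt/live/.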