mqtt-broker-mosquitto

TLS-ready Mosquitto broker with sane defaults

Architectures: arm64, amd64
Tags: MQTT, Broker, Telemetry, IoT
Overview
Primary hardware
Generic Edge (arm64/amd64)
What it does

Drops in an MQTT broker for telemetry and command traffic. Mount the certificates, set the environment variables for authentication, and you are done.

Why it saves time

Zero yak-shaving: persistent volumes, TLS, and the password file are handled automatically.

Get access

Use StreamDeploy to manage OTA updates, versioned configs, and rollbacks across fleets.

Dockerfile
ARG BASE_IMAGE
# Default to the official image; the quotes around the default are not needed in a Dockerfile.
FROM ${BASE_IMAGE:-eclipse-mosquitto:2.0}
# Root is needed to write the config and password file; mosquitto drops to its own user at start.
USER root
RUN apk add --no-cache bash ca-certificates
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /usr/local/bin/entrypoint.sh
# Credentials passed through the environment are visible in `docker inspect`;
# prefer passing them at run time (-e / --env-file) over baking them into an image.
ENV MQTT_USERNAME="" MQTT_PASSWORD="" MQTT_TLS=false \
    MQTT_CERT=/mosquitto/certs/server.crt \
    MQTT_KEY=/mosquitto/certs/server.key \
    MQTT_CAFILE=/mosquitto/certs/ca.crt
# 1883 is plaintext MQTT and is always open; 8883 is the TLS listener enabled by MQTT_TLS=true.
EXPOSE 1883 8883
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s \
  CMD nc -z localhost 1883 || nc -z localhost 8883
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
entrypoint.sh
#!/usr/bin/env bash
set -euo pipefail
mkdir -p /mosquitto/config /mosquitto/data /mosquitto/log
CONF=/mosquitto/config/mosquitto.conf
: "${MQTT_USERNAME:=}"; : "${MQTT_PASSWORD:=}"; : "${MQTT_TLS:=false}"

# Base config: plaintext listener on 1883, persistence on, anonymous clients refused.
# Note that 1883 stays open even when the TLS listener below is enabled.
cat > "$CONF" <<EOF
listener 1883
persistence true
persistence_location /mosquitto/data/
allow_anonymous false
EOF

# With allow_anonymous false, a password file is the only way any client can log in.
if [[ -n "${MQTT_USERNAME}" && -n "${MQTT_PASSWORD}" ]]; then
  touch /mosquitto/config/passwd
  mosquitto_passwd -b /mosquitto/config/passwd "${MQTT_USERNAME}" "${MQTT_PASSWORD}"
  # Mosquitto drops to the 'mosquitto' user (present in the eclipse-mosquitto base);
  # keep the hashed credentials readable by that user only, otherwise Mosquitto 2.x
  # warns about a world-readable password file.
  chown mosquitto:mosquitto /mosquitto/config/passwd
  chmod 0600 /mosquitto/config/passwd
  echo "password_file /mosquitto/config/passwd" >> "$CONF"
else
  echo "warning: MQTT_USERNAME/MQTT_PASSWORD not set; no client will be able to authenticate" >&2
fi

if [[ "${MQTT_TLS}" == "true" ]]; then
  # Fail fast with a clear message instead of letting mosquitto die on a missing cert.
  for f in "${MQTT_CAFILE}" "${MQTT_CERT}" "${MQTT_KEY}"; do
    [[ -f "$f" ]] || { echo "MQTT_TLS=true but $f does not exist" >&2; exit 1; }
  done
  # Server-side TLS only: clients are authenticated by password, not by client certificate.
  cat >> "$CONF" <<TLS
listener 8883
cafile ${MQTT_CAFILE}
certfile ${MQTT_CERT}
keyfile ${MQTT_KEY}
require_certificate false
TLS
fi

exec mosquitto -c "$CONF" -v
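As an added example, not part of the image or of StreamDeploy's code, the following audits a rendered mosquitto.conf for the settings a reviewer would question in the output of this entrypoint: allow_anonymous, a missing password file, the plaintext listener left open beside the TLS listener, and require_certificate false. The sample configuration it checks is constructed here to match what entrypoint.sh renders with MQTT_TLS=true and credentials set.

```shell
#!/usr/bin/env bash
# Added example (not part of the image): audit a mosquitto.conf for weak settings.
# Findings are written to stderr; the number of findings is written to stdout,
# so a caller can do:  n=$(audit_mosquitto_conf /path/to/mosquitto.conf)
set -euo pipefail

# True if "<directive> <value>" is configured (further arguments on the line allowed).
has_directive() {
  grep -Eq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1"
}

audit_mosquitto_conf() {
  local conf="$1" n=0
  if has_directive "$conf" allow_anonymous true; then
    echo "allow_anonymous true: unauthenticated clients may publish and subscribe" >&2; n=$((n + 1))
  elif ! grep -Eq '^[[:space:]]*(password_file|plugin|auth_plugin)[[:space:]]' "$conf"; then
    # Mosquitto 2.x refuses anonymous clients by default, so no auth source means no logins at all.
    echo "no password_file or auth plugin: no client can authenticate" >&2; n=$((n + 1))
  fi
  if has_directive "$conf" listener 8883 && has_directive "$conf" listener 1883; then
    echo "plaintext listener 1883 is open alongside the TLS listener 8883" >&2; n=$((n + 1))
  fi
  if has_directive "$conf" listener 8883 && ! has_directive "$conf" require_certificate true; then
    echo "TLS listener does not require client certificates (password-only auth over TLS)" >&2; n=$((n + 1))
  fi
  echo "$n"
}

# Constructed sample: what entrypoint.sh renders with MQTT_TLS=true and credentials set.
sample=$(mktemp)
cat > "$sample" <<'EOF'
listener 1883
persistence true
persistence_location /mosquitto/data/
allow_anonymous false
password_file /mosquitto/config/passwd
listener 8883
cafile /mosquitto/certs/ca.crt
certfile /mosquitto/certs/server.crt
keyfile /mosquitto/certs/server.key
require_certificate false
EOF
audit_mosquitto_conf "$sample"   # two findings on stderr, then prints 2
rm -f "$sample"
```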