mqtt-broker-mosquitto
TLS-ready Mosquitto broker with sane defaults
arm64amd64
MQTTBrokerTelemetryIoT
Overview
Primary hardware
Generic Edge (arm64/amd64)
What it does
Drops in an MQTT broker for telemetry/command. Mount certs; set env for auth; done.
Why it saves time
Zero yak-shaving: persistent volumes, TLS, and password file handled automatically.
Get access
Use StreamDeploy to manage OTA updates, versioned configs, and rollbacks across fleets.
Request accessDockerfile
ARG BASE_IMAGE
FROM ${BASE_IMAGE:-"eclipse-mosquitto:2.0"}
USER root
RUN apk add --no-cache bash ca-certificates
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /usr/local/bin/entrypoint.sh
ENV MQTT_USERNAME="" MQTT_PASSWORD="" MQTT_TLS=false \
MQTT_CERT=/mosquitto/certs/server.crt \
MQTT_KEY=/mosquitto/certs/server.key \
MQTT_CAFILE=/mosquitto/certs/ca.crt
EXPOSE 1883 8883
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s \
CMD nc -z localhost 1883 || nc -z localhost 8883
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]entrypoint.sh
#!/usr/bin/env bash
set -euo pipefail
mkdir -p /mosquitto/config /mosquitto/data /mosquitto/log
CONF=/mosquitto/config/mosquitto.conf
: "${MQTT_USERNAME:=}"; : "${MQTT_PASSWORD:=}"; : "${MQTT_TLS:=false}"
cat > "$CONF" <<EOF
listener 1883
persistence true
persistence_location /mosquitto/data/
allow_anonymous false
EOF
if [[ -n "${MQTT_USERNAME}" && -n "${MQTT_PASSWORD}" ]]; then
touch /mosquitto/config/passwd
mosquitto_passwd -b /mosquitto/config/passwd "${MQTT_USERNAME}" "${MQTT_PASSWORD}"
echo "password_file /mosquitto/config/passwd" >> "$CONF"
fi
if [[ "${MQTT_TLS}" == "true" ]]; then
cat >> "$CONF" <<TLS
listener 8883
cafile ${MQTT_CAFILE}
certfile ${MQTT_CERT}
keyfile ${MQTT_KEY}
require_certificate false
TLS
fi
exec mosquitto -c "$CONF" -v