furtka-apps/apps/mosquitto/scripts/provision-client.sh

#!/bin/sh
# on_install hook (provider: mosquitto).
#
# Runs ONCE, INSIDE the mosquitto container, via `docker compose exec sh -s`
# while a consumer app that `requires` mosquitto is being installed. The
# reconciler/install-runner exports FURTKA_CONSUMER_APP (the app being
# installed) into our environment. stdout KEY=VALUE lines are merged into the
# consumer's .env (hook wins on conflict), so this is how the consumer learns
# its broker address and credentials.
#
# Why we stash the password provider-side: the on_start hook (ensure-client.sh)
# gets NO access to the consumer's stored password and its stdout is discarded,
# so it cannot re-create the same account after a passwd wipe unless we keep a
# copy here, on mosquitto's own persistent data volume.
set -eu

user="${FURTKA_CONSUMER_APP:?provision-client: FURTKA_CONSUMER_APP not set}"
passwd_file=/mosquitto/data/passwd
stash_dir=/mosquitto/data/furtka-clients
stash="${stash_dir}/${user}.pw"

umask 077
mkdir -p "$stash_dir"

# One random 32-char password per consumer, generated once and stashed.
pass="$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32)"
printf '%s' "$pass" > "$stash"

# -b: batch mode (user + password as args). Creates the account, or updates
# it if this consumer is being reinstalled.
mosquitto_passwd -b "$passwd_file" "$user" "$pass"

# Reload the password file so the new account is usable without bouncing the
# broker. PID 1 in this container is mosquitto (see compose `exec mosquitto`).
kill -HUP 1 2>/dev/null || true

# Handed back to the install runner and merged into the consumer's .env.
echo "MQTT_SERVER=mqtt://host.docker.internal:1883"
echo "MQTT_USER=${user}"
echo "MQTT_PASS=${pass}"
feat: add mosquitto + zigbee2mqtt dependency pair First catalog apps to exercise core 26.17's app-to-app dependency feature — until now every app was standalone. - mosquitto: MQTT broker, first dependency provider. Mandatory auth; per-consumer accounts created by on_install/on_start hooks (scripts/provision-client.sh, scripts/ensure-client.sh) that run inside the broker container via `docker compose exec`. Provider-side password stash so on_start can restore an account after a volume wipe. - zigbee2mqtt: first dependency consumer. `requires` mosquitto; MQTT creds wired in from the provisioning hook via ZIGBEE2MQTT_CONFIG_* env. Serial coordinator path as a text setting + devices mapping. Supporting changes: - Bump vendored furtka_manifest.py (26.10-era -> 26.17) so the validator actually validates the `requires` schema instead of ignoring it. - Document `requires`/hooks in apps/README.md (was undocumented), including the three framework gaps building this pair surfaced. - CI now shellchecks app hook scripts (apps//scripts/.sh), not just repo-root scripts/. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-28 23:45:27 +02:00			`#!/bin/sh`
			`# on_install hook (provider: mosquitto).`
			`#`
			# Runs ONCE, INSIDE the mosquitto container, via `docker compose exec sh -s`
			# while a consumer app that `requires` mosquitto is being installed. The
			`# reconciler/install-runner exports FURTKA_CONSUMER_APP (the app being`
			`# installed) into our environment. stdout KEY=VALUE lines are merged into the`
			`# consumer's .env (hook wins on conflict), so this is how the consumer learns`
			`# its broker address and credentials.`
			`#`
			`# Why we stash the password provider-side: the on_start hook (ensure-client.sh)`
			`# gets NO access to the consumer's stored password and its stdout is discarded,`
			`# so it cannot re-create the same account after a passwd wipe unless we keep a`
			`# copy here, on mosquitto's own persistent data volume.`
			`set -eu`

			`user="${FURTKA_CONSUMER_APP:?provision-client: FURTKA_CONSUMER_APP not set}"`
			`passwd_file=/mosquitto/data/passwd`
			`stash_dir=/mosquitto/data/furtka-clients`
			`stash="${stash_dir}/${user}.pw"`

			`umask 077`
			`mkdir -p "$stash_dir"`

			`# One random 32-char password per consumer, generated once and stashed.`
			`pass="$(tr -dc 'A-Za-z0-9' < /dev/urandom \| head -c 32)"`
			`printf '%s' "$pass" > "$stash"`

			`# -b: batch mode (user + password as args). Creates the account, or updates`
			`# it if this consumer is being reinstalled.`
			`mosquitto_passwd -b "$passwd_file" "$user" "$pass"`

			`# Reload the password file so the new account is usable without bouncing the`
			# broker. PID 1 in this container is mosquitto (see compose `exec mosquitto`).
			`kill -HUP 1 2>/dev/null \|\| true`

			`# Handed back to the install runner and merged into the consumer's .env.`
			`echo "MQTT_SERVER=mqtt://host.docker.internal:1883"`
			`echo "MQTT_USER=${user}"`
			`echo "MQTT_PASS=${pass}"`