Mosquitto MQTT Broker - Customize configuration for addons and repositories

Just wanted to share some of the configuration changes I made to get the Mosquitto MQTT Broker working with different repositories, both because I had some trouble finding answers and because I forgot what I did between adding new repositories 6 months apart. So hopefully this will help future searches (including my own :slight_smile: )

About a year ago, I added the Ring-MQTT with Video Streaming repository, to connect my Ring Alarm and various sensors. At the time I was not using MQTT, so I set up Mosquitto as my Broker, connected them, and everything worked fine. About 6 months later, I added the TeslaMate repository, which required setting up PostgreSQL and Grafana repositories. MQTT was at the heart of all this working, and after some struggling I was able to configure the MQTT Broker to work with all this. Then a few days ago, I set up Switchbot to work locally through an ESP32 MQTT bridge setup, and I ended up having the same struggles as with Teslamate. So I wanted to share how I configured it to help others. Everything was done on a HA OS installation on a dedicated Raspberry Pi, but I believe the basic idea is similar for other installations.

The problem was just that the Mosquitto MQTT Broker wanted authentication for connections, and initially I didn’t have Teslamate or the ESP32 MQTT bridge set up that way (Ring was fine, but I later discovered why, and it was more luck). The solution seemed straightforward: give them authentication. The how was a bit tricky. In summary, I did 3 things to allow my Mosquitto MQTT Broker to be used by other repositories.

  1. Change Mosquitto MQTT Broker setting to tell it you’re customizing it
  2. Tell Mosquitto you’re adding a list of user accesses
  3. Assign users and topics to the list

The details on how are below.

Basically, you tell the Mosquitto MQTT Broker it needs to look for authentication somewhere. You can accomplish this by setting a customize option in the Mosquitto addon. Under Configuration for the Mosquitto addon, in the customize box, add the following:

active: true
folder: mosquitto

After that, head on over to the mosquitto folder to add the customization. In my HA OS installation, it was under

share/mosquitto/

There, you need to create two files: one to tell the Mosquitto addon what’s being customized (in this case a list of accesses) and the second who gets what access. The files are named:

acl.conf
accesscontrollist

Note that the second file lacks an extension. Open up acl.conf and tell Mosquitto where it can find the list of access controls. That file is in the same location, so it’s the same path. In my case, it’s

acl_file /share/mosquitto/accesscontrollist

After that, it’s time to add different access for different uses/users. Open the accesscontrollist file and define a user and what topics they should have access to. My file looks like this:

user addons
topic readwrite #

user homeassistant
topic readwrite #

user <local username>
topic readwrite #

user teslamate
topic readwrite teslamate/#

user ringmqtt
topic readwrite ring/#

user switchbotmqtt
topic readwrite switchbot/#

As you can see, different users have access to different topics. There’s one each for Ring-MQTT, Teslamate, and the ESP32 MQTT bridge controlling Switchbot, all specific to their topics. Then you can see three users who have access to everything. Two, addons and homeassistant, are to allow both access to use MQTT (and prevent things from breaking by adding a custom user access list for Mosquitto). The third is to give my account access to use MQTT Explorer. EDIT: per the discussion below, specific to the ESP32 MQTT Bridge, if you want MQTT auto-discovery in Home Assistant to work (so it will create switchbot devices and entities for you) you’ll need to give the ESP MQTT login access to the Home Assistant topic as well. Everything still works without it, but you won’t have entities without auto-discovery, which means you’ll have to manually publish MQTT messages to communicate with the switchbots.

Note: in theory you could just use your user login for everything, and just add that to the access list. You could even try to just use the addon user for everything too. However, I’d recommend creating unique users for each, so you can limit their topics and troubleshoot individual things without taking everything out. Also, if you don’t have a password manager, you should get one, so it can generate and securely store unique, strong passwords for everything.

Hopefully this can help others, and if anyone has any suggestions or feedback on how I did all this, I’m definitely open to that too.
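As an added example (not code from the post or from the Mosquitto project), here is a small Python checker that parses an accesscontrollist in the per-user form shown above and answers whether a given user may read or write a given topic, using MQTT wildcard rules (`+` for one level, `#` for the rest). It reproduces the auto-discovery issue from the discussion below: a login limited to `switchbot/#` cannot publish to the `homeassistant/...` discovery topic until a `homeassistant/#` line is added. It assumes only `user`/`topic` lines and ignores Mosquitto's `pattern` lines and global topic lines; the ACL text is a constructed copy of the file in the post, with the `<local username>` entry left out.

```python
from typing import Dict, List, Tuple

# Constructed sample: the accesscontrollist from the post, before the fix.
ACL_TEXT = """\
user addons
topic readwrite #

user homeassistant
topic readwrite #

user teslamate
topic readwrite teslamate/#

user ringmqtt
topic readwrite ring/#

user switchbotmqtt
topic readwrite switchbot/#
"""

def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT topic-filter match: '+' is exactly one level, '#' matches the
    remaining levels (zero or more) and is only valid as the last level."""
    p_levels, t_levels = pattern.split("/"), topic.split("/")
    for i, p in enumerate(p_levels):
        if p == "#":
            return i == len(p_levels) - 1
        if i >= len(t_levels) or (p != "+" and p != t_levels[i]):
            return False
    return len(p_levels) == len(t_levels)

def parse_acl(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {user: [(access, topic_filter), ...]}. A 'topic' line without an
    access keyword defaults to readwrite, as Mosquitto does; '#' lines are comments."""
    acl: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "user":
            current = parts[1]
            acl.setdefault(current, [])
        elif parts[0] == "topic" and current is not None:
            access, filt = ("readwrite", parts[1]) if len(parts) == 2 else (parts[1], parts[2])
            acl[current].append((access, filt))
    return acl

def allowed(acl: Dict[str, List[Tuple[str, str]]], user: str, op: str, topic: str) -> bool:
    """Default deny: grant only if some entry for the user matches the topic and
    its access ('read', 'write' or 'readwrite') covers the operation."""
    return any(topic_matches(filt, topic) and access in (op, "readwrite")
               for access, filt in acl.get(user, []))
```

Granting the bridge `homeassistant/#` gives it write access to every discovery topic, not just its own; the checker makes that scope visible before you change the live file.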

@tombo12354, just a heads up: you will probably want to give access to the homeassistant topic for the switchbot esp32. This is where auto-discovery MQTT messages are sent to create devices automatically within HA. Without that you would have to create devices manually.

First off, thanks for an awesome project: the ESP bridge works great for the Switchbots I have. Way simpler than the original solution I was looking at.

Regarding giving the Switchbot MQTT login access to the Home Assistant topic, that solves a mystery I couldn’t figure out! When I set up my first test switchbot, I used my login credentials, which had access to all topics, so it was auto-discovered. When I added the rest for my project, I used the MQTT login that only had access to the switchbot topic, and they were not auto-discovered.

I was communicating with them manually so I didn’t need the auto entities, but it was strange. I had put it down as likely a weird conf on my end somewhere, but this solves that mystery. Thanks!