Mosquitto

Install mosquitto MQTT broker.

Script

#!/bin/bash

# This assumes Raspbian buster

# For stretch you may have to configure apt-get
# to use the mosquitto repository and key

sudo apt-get update
sudo apt-get -y upgrade
sudo apt-get -y install mosquitto mosquitto-clients

Usage

./config-mosquitto.sh

Additional Information

Configure your router to forward port 1883 to your Pi
Set up mosquitto using config-mosquitto.sh

Securing Your MQTT Broker

If you wish to use a MQTT dashboard app on your laptop or mobile device for remote access to your home automation gear then you should enable password authentication and encryption for your MQTT broker.

Follow the instructions at https://mosquitto.org/man/mosquitto_passwd-1.html to create a passwd file containing your desired credentials, e.g.
```
sudo mosquitto_passwd -c /etc/mosquitto/passwd jdoe
```

Edit /etc/mosquitto/mosquitto.conf to specify the passwd file you created, e.g.

sudo nano /etc/mosquitto/mosquitto.conf

and insert:

allow_anonymous false
password_file /etc/mosquitto/passwd

To enable TLS encryption, use the capath, certfile and keyfile options to reference your letsencrypt certificate and key files installed via certbot, e.g. insert something like the following in /etc/mosquitto/mosquitto.conf:
```
capath /etc/letsencrypt/live/yourdomain.duckdns.org/
certfile /etc/letsencrypt/live/yourdomain.duckdns.org/fullchain.pem
keyfile /etc/letsencrypt/live/yourdomain.duckdns.org/privkey.pem
```

Note that for the latter, you need to make sure that the user account that the mosquitto service runs as has read permissions to the relevant letsencrypt files. Depending on exactly how you set all of this up, you may either have to loosen the security permissions on the files and directories under /etc/letsencrypt/live/ or use a post-renewal script to make copies in some other location. See https://certbot.eff.org/docs/using.html and https://mosquitto.org/man/mosquitto-conf-5.html for details.