This documentation is part of the "Projects with Books" initiative at zenOSmosis.
The source code for this project is available on GitHub.
Reference
Relevant source files
This page provides technical reference documentation for all configuration files and settings in the Docker MQTT Mosquitto Cloudflare Tunnel system. It serves as a comprehensive guide to the structure and relationships between configuration files.
For detailed references of individual configuration files, see:
For security and access control details, see Security Model. For production deployment considerations, see Production Considerations.
Configuration Files Overview
The system uses three primary configuration files to define services, MQTT broker behavior, and authentication credentials:
| File | Purpose | Version Controlled | Contains Secrets |
|---|---|---|---|
docker-compose.yml | Service orchestration and container definitions | Yes | No |
mosquitto.conf | MQTT broker configuration (listeners, protocols, access control) | Yes | No |
.env | Runtime secrets and environment variables | No | Yes |
.env.sample | Template for .env file | Yes | No |
Configuration File Relationships
Sources: docker-compose.yml:1-18 mosquitto.conf:1-6 .env.sample:1-3
Configuration Directive Mapping
The following diagram maps natural language concepts to specific configuration directives and code symbols used in the system:
Sources: docker-compose.yml:1-18 mosquitto.conf:1-6 .env.sample:1-3
graph TB
subgraph "docker-compose.yml Directives"
Version["version: '3.8'"]
MosqService["services.mosquitto"]
MosqImage["image: eclipse-mosquitto:latest"]
MosqContainer["container_name: mosquitto"]
MosqVolume["volumes:\n./mosquitto.conf:/mosquitto/config/mosquitto.conf"]
MosqRestart["restart: unless-stopped"]
CFService["services.cloudflared"]
CFImage["image: cloudflare/cloudflared:latest"]
CFContainer["container_name: cloudflared"]
CFCommand["command: tunnel --no-autoupdate run --token"]
CFEnv["environment:\nCLOUDFLARE_TUNNEL_TOKEN"]
CFRestart["restart: unless-stopped"]
end
subgraph "mosquitto.conf Directives"
Listener1883["listener 1883"]
AllowAnon["allow_anonymous true"]
Listener9001["listener 9001"]
ProtocolWS["protocol websockets"]
end
subgraph ".env Variables"
TunnelToken["CLOUDFLARE_TUNNEL_TOKEN=<value>"]
end
subgraph "Runtime Behavior"
TCPPort["TCP MQTT on port 1883"]
WSPort["WebSocket MQTT on port 9001"]
NoAuth["No authentication required"]
TunnelAuth["Tunnel authentication to Cloudflare"]
end
Listener1883 --> TCPPort
Listener9001 --> WSPort
ProtocolWS --> WSPort
AllowAnon --> NoAuth
TunnelToken --> CFEnv
CFEnv --> TunnelAuth
MosqVolume -.->|mounts| Listener1883
MosqVolume -.->|mounts| AllowAnon
MosqVolume -.->|mounts| Listener9001
MosqVolume -.->|mounts| ProtocolWS
Configuration Loading Sequence
The following diagram shows the order in which configuration is loaded and applied during system startup:
Sources: docker-compose.yml:1-18 mosquitto.conf:1-6 .env.sample:1-3
sequenceDiagram
participant DC as docker-compose
participant Env as .env file
participant DCFile as docker-compose.yml
participant MConf as mosquitto.conf
participant MosqC as mosquitto container
participant CFC as cloudflared container
Note over DC,CFC: Configuration Loading Phase
DC->>Env: Read CLOUDFLARE_TUNNEL_TOKEN
DC->>DCFile: Parse service definitions
Note over DCFile: services.mosquitto (lines 4-9)
Note over DCFile: services.cloudflared (lines 11-17)
DC->>MosqC: Create container from eclipse-mosquitto:latest
DC->>MosqC: Mount ./mosquitto.conf to /mosquitto/config/mosquitto.conf
DC->>CFC: Create container from cloudflare/cloudflared:latest
DC->>CFC: Set environment variable CLOUDFLARE_TUNNEL_TOKEN
DC->>CFC: Set command with --token flag
Note over MosqC,CFC: Container Startup Phase
MosqC->>MConf: Read configuration file
Note over MConf: listener 1883 (line 1)
Note over MConf: allow_anonymous true (line 2)
Note over MConf: listener 9001 (line 4)
Note over MConf: protocol websockets (line 5)
MosqC->>MosqC: Initialize listeners 1883 and 9001
CFC->>CFC: Execute tunnel run with token
CFC->>CFC: Establish connection to Cloudflare
Service Configuration Matrix
The following table maps configuration sources to their effects on each service:
| Configuration Aspect | Source File | Line(s) | Applies To | Effect |
|---|---|---|---|---|
| MQTT TCP listener | mosquitto.conf | 1 | mosquitto service | Opens port 1883 for MQTT TCP connections |
| Anonymous access | mosquitto.conf | 2 | mosquitto service | Allows connections without authentication |
| WebSocket listener | mosquitto.conf | 4-5 | mosquitto service | Opens port 9001 for WebSocket MQTT connections |
| Mosquitto image | docker-compose.yml | 5 | mosquitto service | Uses eclipse-mosquitto:latest |
| Mosquitto container name | docker-compose.yml | 6 | mosquitto service | Container named mosquitto |
| Configuration mount | docker-compose.yml | 8 | mosquitto service | Mounts mosquitto.conf to /mosquitto/config/mosquitto.conf |
| Mosquitto restart policy | docker-compose.yml | 9 | mosquitto service | Restarts unless explicitly stopped |
| Cloudflared image | docker-compose.yml | 12 | cloudflared service | Uses cloudflare/cloudflared:latest |
| Cloudflared container name | docker-compose.yml | 13 | cloudflared service | Container named cloudflared |
| Tunnel command | docker-compose.yml | 14 | cloudflared service | Runs tunnel --no-autoupdate run --token |
| Cloudflared restart policy | docker-compose.yml | 15 | cloudflared service | Restarts unless explicitly stopped |
| Tunnel token | .env | 1 | cloudflared service | Authenticates tunnel with Cloudflare |
Sources: docker-compose.yml:1-18 mosquitto.conf:1-6 .env.sample:1-3
Configuration File Syntax
docker-compose.yml Syntax
The docker-compose.yml file follows Docker Compose version 3.8 specification. Key structural elements:
Sources: docker-compose.yml:1-18
graph TB
Root["docker-compose.yml root"]
Version["version: '3.8'"]
Services["services:] MosqService[mosquitto:] MosqProps[Properties:\n- image\n- container_name\n- volumes\n- restart"]
CFService["cloudflared:] CFProps[Properties:\n- image\n- container_name\n- command\n- restart\n- environment"]
Root --> Version
Root --> Services
Services --> MosqService
Services --> CFService
MosqService --> MosqProps
CFService --> CFProps
mosquitto.conf Syntax
The mosquitto.conf file uses the Mosquitto broker configuration format. Each directive appears on its own line:
Sources: mosquitto.conf:1-6
graph LR
Conf["mosquitto.conf"]
Block1["Listener Block 1:\nlistener 1883\nallow_anonymous true"]
Block2["Listener Block 2:\nlistener 9001\nprotocol websockets"]
Conf --> Block1
Conf --> Block2
Block1 --> Port1["Port: 1883"]
Block1 --> Anon["Anonymous: true"]
Block2 --> Port2["Port: 9001"]
Block2 --> Proto["Protocol: websockets"]
.env File Syntax
The .env file uses simple KEY=value syntax, one variable per line:
CLOUDFLARE_TUNNEL_TOKEN=your_token_here
Sources: .env.sample:1-3
Configuration Validation
The system validates configuration at multiple stages:
| Validation Stage | Component | What Is Validated | Failure Behavior |
|---|---|---|---|
| Compose file parse | docker-compose CLI | YAML syntax of docker-compose.yml | Exit with parse error |
| Environment variable resolution | docker-compose CLI | Presence of ${CLOUDFLARE_TUNNEL_TOKEN} in .env | Warning or substitution with empty string |
| Mosquitto config parse | mosquitto process | Syntax of mosquitto.conf directives | Container logs error and may exit |
| Tunnel authentication | cloudflared process | Validity of CLOUDFLARE_TUNNEL_TOKEN | Connection fails, logged in container output |
| Port binding | Docker Engine | Availability of specified ports | Container fails to start if ports in use |
Sources: docker-compose.yml:1-18 mosquitto.conf:1-6 .env.sample:1-3
Configuration Override Hierarchy
When configuration values can be specified in multiple locations, the following precedence applies:
- Command-line arguments to
docker-compose(highest precedence) - Environment variables in the shell running
docker-compose .envfile in the project directory- Default values in
docker-compose.yml - Container defaults from images (lowest precedence)
For the mosquitto service, the configuration file mosquitto.conf:1-6 is mounted as a volume and overrides all default Mosquitto configurations.
Sources: docker-compose.yml:1-18 mosquitto.conf:1-6 .env.sample:1-3
Cross-Reference Index
The following table provides a quick reference for locating configuration settings:
| Setting Name | Configuration File | Line Number(s) |
|---|---|---|
version | docker-compose.yml | 1 |
services.mosquitto.image | docker-compose.yml | 5 |
services.mosquitto.container_name | docker-compose.yml | 6 |
services.mosquitto.volumes | docker-compose.yml | 7-8 |
services.mosquitto.restart | docker-compose.yml | 9 |
services.cloudflared.image | docker-compose.yml | 12 |
services.cloudflared.container_name | docker-compose.yml | 13 |
services.cloudflared.command | docker-compose.yml | 14 |
services.cloudflared.restart | docker-compose.yml | 15 |
services.cloudflared.environment | docker-compose.yml | 16-17 |
listener (port 1883) | mosquitto.conf | 1 |
allow_anonymous | mosquitto.conf | 2 |
listener (port 9001) | mosquitto.conf | 4 |
protocol | mosquitto.conf | 5 |
CLOUDFLARE_TUNNEL_TOKEN | .env.sample (template) | 1 |
Sources: docker-compose.yml:1-18 mosquitto.conf:1-6 .env.sample:1-3