Fixed findings

2025-11-10 10:12:03 +00:00
parent a6a483dfe1
commit 8dfd6b2e95
13 changed files with 209 additions and 181 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -5,7 +5,7 @@
 .env

 # Passwort-Dateien NICHT committen!
-passwords.txt
+config/passwords.txt

 # Wenn die Datei mit echten Passwörtern gefüllt ist
 # NIEMALS committen!
@@ -13,9 +13,15 @@ passwords.txt
 # Mosquitto Logs
 *.log

-# Docker Volumes
-mosquitto_data/
-mosquitto_log/
+# Docker Volumes / Persistente Daten
+data/*
+log/*
+mqttui-data/*
+
+# Erlaube Platzhalter-Dateien
+!data/.gitkeep
+!log/.gitkeep
+!mqttui-data/.gitkeep

 # Backup Files
 *.bak
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -22,7 +22,7 @@ This is a Docker-based MQTT server setup using Eclipse Mosquitto broker with a w

 ### Authentication & Authorization
 - **Dual authentication model**: Supports both anonymous and authenticated users
- Anonymous users have limited access to `public/#` and `$SYS/#` topics only (defined in config/acl.conf:6-10)
+- Anonymous users have read-only access to `public/#` and `$SYS/#` topics (defined in config/acl.conf:6-10)
 - Authenticated users require username/password stored in `config/passwords.txt`
 - Six user types defined (config/acl.conf):
  - `admin`/`joachim`: Full access (readwrite #)
@@ -35,6 +35,7 @@ This is a Docker-based MQTT server setup using Eclipse Mosquitto broker with a w
 - `config/mosquitto.conf`: Main broker configuration (listeners, persistence, auth, logging)
 - `config/acl.conf`: Access Control Lists defining per-user topic permissions
 - `config/passwords.txt`: Generated by setup.sh, stores hashed passwords (not in repo)
+- `config/passwords.txt.template`: Tracked placeholder copied to `passwords.txt` on bootstrap
 - `.env`: Environment variables for credentials and settings (not in repo, use .env.example)
 - `mqtt-panel-config.json`: Legacy config file (current setup uses mqttui instead of mqtt-panel)

@@ -50,7 +51,7 @@ cp .env.example .env
 chmod +x setup.sh test-mqtt.sh

 # Start containers
-docker-compose up -d
+docker compose up -d

 # Create MQTT users from .env credentials
 ./setup.sh
@@ -59,34 +60,34 @@ docker-compose up -d
 ### Container Management
 ```bash
 # Start all services
-docker-compose up -d
+docker compose up -d

 # View logs
-docker-compose logs -f                    # All services
-docker-compose logs -f mosquitto          # Mosquitto only
-docker-compose logs -f mqttui             # MQTTUI only
+docker compose logs -f                    # All services
+docker compose logs -f mosquitto          # Mosquitto only
+docker compose logs -f mqttui             # MQTTUI only

 # Restart services
-docker-compose restart                    # All
-docker-compose restart mosquitto          # Mosquitto only
+docker compose restart                    # All
+docker compose restart mosquitto          # Mosquitto only

 # Stop and remove containers
-docker-compose down
+docker compose down

 # Stop and remove including volumes
-docker-compose down -v
+docker compose down -v
 ```

 ### User Management
 ```bash
 # Add/update user password
-docker exec -it mosquitto mosquitto_passwd -b /mosquitto/config/passwords.txt USERNAME PASSWORD
+docker compose exec -T mosquitto mosquitto_passwd -b /mosquitto/config/passwords.txt USERNAME PASSWORD

 # Delete user
-docker exec -it mosquitto mosquitto_passwd -D /mosquitto/config/passwords.txt USERNAME
+docker compose exec -T mosquitto mosquitto_passwd -D /mosquitto/config/passwords.txt USERNAME

 # After modifying users or ACL, restart Mosquitto
-docker-compose restart mosquitto
+docker compose restart mosquitto
 ```

 ### Testing & Debugging
@@ -94,24 +95,21 @@ docker-compose restart mosquitto
 # Run test script (sends sample messages to various topics)
 ./test-mqtt.sh

-# Publish to public topic (no auth required)
-docker exec mosquitto mosquitto_pub -h localhost -t "public/test" -m "Hello"
+# Subscribe to public topic (no auth required)
+docker compose exec -T mosquitto mosquitto_sub -h localhost -t "public/#" -v

 # Publish with authentication
-docker exec mosquitto mosquitto_pub -h localhost -t "sensors/temperature" -m "22.5" -u admin -P admin123
+docker compose exec -T mosquitto mosquitto_pub -h localhost -t "sensors/temperature" -m "22.5" -u admin -P $MQTT_ADMIN_PASSWORD

 # Subscribe to all topics
-docker exec mosquitto mosquitto_sub -h localhost -t '#' -v -u admin -P admin123
-
-# Subscribe to public topics only (no auth)
-docker exec mosquitto mosquitto_sub -h localhost -t 'public/#' -v
+docker compose exec -T mosquitto mosquitto_sub -h localhost -t '#' -v -u admin -P $MQTT_ADMIN_PASSWORD

 # Test Mosquitto configuration
-docker exec mosquitto mosquitto -c /mosquitto/config/mosquitto.conf -v
+docker compose exec -T mosquitto mosquitto -c /mosquitto/config/mosquitto.conf -v

 # Access container shell
-docker exec -it mosquitto sh
-docker exec -it mqttui sh
+docker compose exec -it mosquitto sh
+docker compose exec -it mqttui sh
 ```

 ## Important Notes
@@ -119,7 +117,7 @@ docker exec -it mqttui sh
 ### Security Considerations
 - `.env` file contains all credentials and MUST NOT be committed (already in .gitignore)
 - Default passwords in .env.example must be changed for production
- Anonymous access is enabled but restricted to `public/#` topics via ACL
+- Anonymous access is enabled but restricted to read-only `public/#` topics via ACL
 - All credentials are loaded from .env by setup.sh (lines setup.sh:8-18)
 - The SECRET_KEY in .env is used by mqttui for session management

@@ -128,10 +126,10 @@ docker exec -it mqttui sh
 - Anonymous users get explicit rules defined under `user anonymous`
 - Authenticated users inherit their specific user rules
 - Pattern `#` is wildcard for all topics, `+` for single-level wildcard
- After ACL changes, always restart mosquitto: `docker-compose restart mosquitto`
+- After ACL changes, always restart mosquitto: `docker compose restart mosquitto`

 ### MQTTUI Dashboard
- The docker-compose.yml uses mqttui (not mqtt-panel as mentioned in README.md)
+- The docker compose.yml uses mqttui (not mqtt-panel as mentioned in README.md)
 - Dashboard connects to broker using credentials from .env: MQTT_PANEL_USERNAME/PASSWORD
 - Database storage enabled (DB_PATH=/app/data/mqtt_messages.db) with cleanup after 30 days
 - Max 10,000 messages retained in database (DB_MAX_MESSAGES)
@@ -140,12 +138,12 @@ docker exec -it mqttui sh
 ### File Permissions
 - Mosquitto runs as UID:GID specified in .env (default 1000:1000)
 - Ensure config/, data/, and log/ directories have correct permissions
- passwords.txt should be readable by the mosquitto user (chmod 644)
+- config/passwords.txt should be readable by the mosquitto user (chmod 640)

 ### Persistence
 - MQTT messages persist in `./data/mosquitto.db`
 - MQTTUI data stored in `./mqttui-data/mqtt_messages.db`
- To completely reset: `docker-compose down -v` and remove data/log directories
+- To completely reset: `docker compose down -v` and remove data/log directories

 ## Endpoints

@@ -160,16 +158,16 @@ docker exec -it mqttui sh
 2. Update setup.sh to create the user (lines setup.sh:59-86)
 3. Add ACL rules in config/acl.conf
 4. Run `./setup.sh` to create user
-5. Restart mosquitto: `docker-compose restart mosquitto`
+5. Restart mosquitto: `docker compose restart mosquitto`

 ### Debugging ACL Issues
 1. Enable verbose logging in config/mosquitto.conf (add `log_type all`)
-2. Restart mosquitto: `docker-compose restart mosquitto`
-3. Check logs: `docker-compose logs -f mosquitto`
+2. Restart mosquitto: `docker compose restart mosquitto`
+3. Check logs: `docker compose logs -f mosquitto`
 4. Look for "DENIED" messages indicating ACL blocks

 ### Client Integration
 - Use MQTT port 1883 for native MQTT clients (Python paho-mqtt, etc.)
 - Use WebSocket port 9001 for browser-based clients
 - Provide username/password from .env for authenticated topics
- Use anonymous connection only for public/* topics
+- Use anonymous connection only for read-only public/* topics
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Komplettes MQTT Setup mit Eclipse Mosquitto Broker und MQTTUI Web Dashboard.
 - WebSocket auf Port 9001
 - Passwort-Authentifizierung
 - ACL (Access Control Lists)
- Öffentliches Topic ohne Anmeldung (`public/*`)
+- Öffentliches Read-Only Topic ohne Anmeldung (`public/*`)
 - Persistenz aktiviert

 ✅ **Web Dashboard (MQTTUI)**
@@ -25,6 +25,7 @@ mqtt/
 ├── config/                     # Konfigurationsdateien
 │   ├── mosquitto.conf          # Mosquitto Hauptkonfiguration
 │   ├── acl.conf                # Access Control Lists
+│   ├── passwords.txt.template  # Platzhalter zum Bootstrap
 │   └── passwords.txt           # User/Passwort Datei (wird generiert)
 ├── data/                       # Mosquitto Persistenz Daten
 ├── log/                        # Mosquitto Log-Dateien
@@ -52,9 +53,20 @@ cp .env.example .env
 nano .env
 ```

+> `UID` und `GID` in der `.env` bestimmen jetzt den User, unter dem der Mosquitto-Container läuft. Passe die Werte an deinen Host-User an, falls du nicht `1000:1000` bist.
+
 ⚠️ **WICHTIG**: Setze sichere Passwörter in der `.env` Datei!

-### 2. Server starten
+### 2. Passwort-Datei vorbereiten
+
+```bash
+# Platzhalter kopieren, damit der Container starten kann
+cp config/passwords.txt.template config/passwords.txt
+```
+
+> Das Setup-Script erstellt die Datei bei Bedarf automatisch. Wenn du manuell startest, führe den Kopier-Befehl einmalig aus.
+
+### 3. Server starten

 ```bash
 # Container starten
@@ -64,7 +76,7 @@ docker compose up -d
 docker compose logs -f
 ```

-### 3. Benutzer erstellen
+### 4. Benutzer erstellen

 ```bash
 # Setup-Script ausführbar machen
@@ -95,7 +107,7 @@ Das Script erstellt folgende User (Credentials aus .env):

 Ohne ACL-Eintrag hat der neue User keine Zugriffsrechte!

-### 4. Dashboard öffnen
+### 5. Dashboard öffnen

 Web Dashboard: **http://localhost:5000**

@@ -107,17 +119,16 @@ Web Dashboard: **http://localhost:5000**
 - **WebSocket**: `ws://localhost:9001`
 - **Web Dashboard**: `http://localhost:5000`

-### Öffentliches Topic (ohne Anmeldung)
+### Öffentliche Topics (ohne Anmeldung, read-only)

 Topic: `public/*`

-**Beispiel mit mosquitto_pub:**
 ```bash
-# Nachricht an öffentliches Topic senden (KEINE Authentifizierung)
-docker exec mosquitto mosquitto_pub -h localhost -t "public/test" -m "Hallo Welt!"
+# Öffentliches Topic abhören (keine Auth nötig)
+docker compose exec -T mosquitto mosquitto_sub -h localhost -t "public/#" -v

-# Öffentliches Topic abhören
-docker exec mosquitto mosquitto_sub -h localhost -t "public/#" -v
+# Zum Publishen sind Credentials erforderlich, z.B. Admin:
+docker compose exec -T mosquitto mosquitto_pub -h localhost -t "public/test" -m "Hallo Welt" -u admin -P <ADMIN_PASSWORD>
 ```

 ### Mit Authentifizierung
@@ -125,10 +136,10 @@ docker exec mosquitto mosquitto_sub -h localhost -t "public/#" -v
 **Beispiel mit Admin User:**
 ```bash
 # Mit Authentifizierung publishen (Credentials aus .env verwenden)
-docker exec mosquitto mosquitto_pub -h localhost -t "devices/device1/status" -m "online" -u admin -P <ADMIN_PASSWORD>
+docker compose exec -T mosquitto mosquitto_pub -h localhost -t "devices/device1/status" -m "online" -u admin -P <ADMIN_PASSWORD>

 # Mit Authentifizierung subscriben (Credentials aus .env verwenden)
-docker exec mosquitto mosquitto_sub -h localhost -t "#" -v -u admin -P <ADMIN_PASSWORD>
+docker compose exec -T mosquitto mosquitto_sub -h localhost -t "#" -v -u admin -P <ADMIN_PASSWORD>
 ```

 💡 **Hinweis**: Ersetze `<ADMIN_PASSWORD>` mit dem Passwort aus deiner `.env` Datei.
@@ -151,7 +162,7 @@ docker compose restart mosquitto
 **Alternativ - Manuell:**
 ```bash
 # User hinzufügen/ändern
-docker exec -it mosquitto mosquitto_passwd -b /mosquitto/config/passwords.txt USERNAME PASSWORD
+docker compose exec -T mosquitto mosquitto_passwd -b /mosquitto/config/passwords.txt USERNAME PASSWORD

 # ACL in config/acl.conf anpassen und Container neu starten
 docker compose restart mosquitto
@@ -160,7 +171,7 @@ docker compose restart mosquitto
 ### User löschen

 ```bash
-docker exec -it mosquitto mosquitto_passwd -D /mosquitto/config/passwords.txt USERNAME
+docker compose exec -T mosquitto mosquitto_passwd -D /mosquitto/config/passwords.txt USERNAME

 # Container neu starten
 docker compose restart mosquitto
@@ -257,19 +268,20 @@ Du kannst den Workflow nach dem Import anpassen:
 ### Via Docker

 ```bash
-# Öffentlich (ohne Auth)
-docker exec mosquitto mosquitto_pub -h localhost -t "public/message" -m "Test Nachricht"
+# Öffentlich (ohne Auth, read-only → Sub only)
+docker compose exec -T mosquitto mosquitto_sub -h localhost -t "public/#" -v

 # Mit Auth (Passwort aus .env verwenden)
-docker exec mosquitto mosquitto_pub -h localhost -t "sensors/temperature" -m "22.5" -u admin -P <ADMIN_PASSWORD>
-docker exec mosquitto mosquitto_pub -h localhost -t "sensors/humidity" -m "65" -u admin -P <ADMIN_PASSWORD>
-docker exec mosquitto mosquitto_pub -h localhost -t "system/cpu" -m "45" -u admin -P <ADMIN_PASSWORD>
+docker compose exec -T mosquitto mosquitto_pub -h localhost -t "sensors/temperature" -m "22.5" -u admin -P <ADMIN_PASSWORD>
+docker compose exec -T mosquitto mosquitto_pub -h localhost -t "sensors/humidity" -m "65" -u admin -P <ADMIN_PASSWORD>
+docker compose exec -T mosquitto mosquitto_pub -h localhost -t "system/cpu" -m "45" -u admin -P <ADMIN_PASSWORD>
 ```

 Oder verwende das Test-Script:
 ```bash
 ./test-mqtt.sh
 ```
+> Das Script lädt Benutzername/Passwort aus `.env` (Variablen `MQTT_ADMIN_USERNAME`/`MQTT_ADMIN_PASSWORD`).

 ### Via Python (paho-mqtt)

@@ -343,23 +355,23 @@ docker compose logs -f mqttui

 ```bash
 # Mosquitto Container
-docker exec -it mosquitto sh
+docker compose exec -it mosquitto sh

 # MQTTUI Container
-docker exec -it mqttui sh
+docker compose exec -it mqttui sh
 ```

 ### Mosquitto Konfiguration testen

 ```bash
-docker exec mosquitto mosquitto -c /mosquitto/config/mosquitto.conf -v
+docker compose exec -T mosquitto mosquitto -c /mosquitto/config/mosquitto.conf -v
 ```

 ### Permissions Fehler

 ```bash
-# Berechtigungen für passwords.txt setzen
-chmod 644 passwords.txt
+# Berechtigungen für config/passwords.txt setzen
+chmod 640 config/passwords.txt
 ```

 ### ACL Debug
--- a/config/acl.conf
+++ b/config/acl.conf
@@ -5,7 +5,6 @@
 # Anonymous User haben Zugriff auf public/* Topics
 user anonymous
 topic read public/#
-topic write public/#
 # Erlaube anonymous Lesezugriff auf $SYS/# für Healthchecks und Monitoring
 topic read $SYS/#

--- a/config/passwords.txt.template
+++ b/config/passwords.txt.template
@@ -0,0 +1,3 @@
+# Placeholder password file for Mosquitto.
+# This file is copied to config/passwords.txt automatically when you run setup.sh.
+# It intentionally contains no credentials. Run ./setup.sh after editing .env to populate it.
--- a/data/.gitkeep
+++ b/data/.gitkeep
--- a/data/mosquitto.db
+++ b/data/mosquitto.db
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,7 +3,7 @@ services:
    image: eclipse-mosquitto:2
    container_name: mosquitto
    restart: unless-stopped
-    user: "1000:1000"
+    user: "${UID:-1000}:${GID:-1000}"
    ports:
      - "1883:1883"
      - "9001:9001"
--- a/log/.gitkeep
+++ b/log/.gitkeep
--- a/mqttui-data/.gitkeep
+++ b/mqttui-data/.gitkeep
--- a/mqttui-data/mqtt_messages.db
+++ b/mqttui-data/mqtt_messages.db
--- a/setup.sh
+++ b/setup.sh
@@ -1,40 +1,85 @@
 #!/bin/bash

-# MQTT Setup Script - Erstellt User für Mosquitto
-# ================================================
-#
-# Verwendung:
-#   ./setup.sh                              - Erstellt alle User aus .env
-#   ./setup.sh create <username> <password> - Erstellt einzelnen User
+set -euo pipefail

-set -e
+COMPOSE_CMD=${COMPOSE_CMD:-"docker compose"}
+PASSWORD_FILE="config/passwords.txt"
+PASSWORD_TEMPLATE="config/passwords.txt.template"
+
+ensure_password_file() {
+    if [ -f "$PASSWORD_FILE" ]; then
+        return
+    fi
+
+    if [ -f "$PASSWORD_TEMPLATE" ]; then
+        cp "$PASSWORD_TEMPLATE" "$PASSWORD_FILE"
+    else
+        touch "$PASSWORD_FILE"
+    fi
+
+    chmod 640 "$PASSWORD_FILE" 2>/dev/null || true
+    echo "🆕  Passwort-Datei $PASSWORD_FILE angelegt."
+}
+
+require_docker() {
+    if ! docker info >/dev/null 2>&1; then
+        echo "❌ Fehler: Docker ist nicht gestartet!"
+        exit 1
+    fi
+}
+
+mosquitto_running() {
+    docker ps --format '{{.Names}}' | grep -qx 'mosquitto'
+}
+
+ensure_mosquitto_service() {
+    if mosquitto_running; then
+        return
+    fi
+
+    echo "⚠️  Mosquitto Container läuft nicht. Starte Container..."
+    ensure_password_file
+    $COMPOSE_CMD up -d mosquitto
+    echo "⏳ Warte 5 Sekunden bis Mosquitto gestartet ist..."
+    sleep 5
+}
+
+compose_exec_mosquitto() {
+    $COMPOSE_CMD exec -T mosquitto "$@"
+}
+
+create_user() {
+    local USERNAME=$1
+    local PASSWORD=$2
+    local LABEL=$3
+
+    echo "➡️  Erstelle $LABEL"
+    compose_exec_mosquitto mosquitto_passwd -b /mosquitto/config/passwords.txt "$USERNAME" "$PASSWORD"
+    echo "   ✅ User: $USERNAME erstellt"
+}

 # CLI-Modus: Einzelnen User erstellen
-if [ "$1" == "create" ]; then
-    if [ -z "$2" ] || [ -z "$3" ]; then
+if [ "${1:-}" == "create" ]; then
+    if [ -z "${2:-}" ] || [ -z "${3:-}" ]; then
        echo "❌ Fehler: Username und Passwort erforderlich!"
        echo "Verwendung: $0 create <username> <password>"
        exit 1
    fi

+    require_docker
+    ensure_password_file
+
+    if ! mosquitto_running; then
+        echo "❌ Fehler: Mosquitto Container läuft nicht!"
+        echo "Starte zuerst die Container mit: docker compose up -d"
+        exit 1
+    fi
+
    USERNAME="$2"
    PASSWORD="$3"

-    # Prüfe ob Docker läuft
-    if ! docker info > /dev/null 2>&1; then
-        echo "❌ Fehler: Docker ist nicht gestartet!"
-        exit 1
-    fi
-
-    # Prüfe ob Container läuft
-    if ! docker ps | grep -q mosquitto; then
-        echo "❌ Fehler: Mosquitto Container läuft nicht!"
-        echo "Starte zuerst die Container mit: docker compose up -d"
-        exit 1
-    fi
-
    echo "📝 Erstelle User: $USERNAME"
-    docker exec mosquitto mosquitto_passwd -b /mosquitto/config/passwords.txt "$USERNAME" "$PASSWORD"
+    compose_exec_mosquitto mosquitto_passwd -b /mosquitto/config/passwords.txt "$USERNAME" "$PASSWORD"
    echo "✅ User $USERNAME erfolgreich erstellt/aktualisiert!"
    echo ""
    echo "⚠️  Vergiss nicht, ACL-Regeln in config/acl.conf anzupassen!"
@@ -42,24 +87,25 @@ if [ "$1" == "create" ]; then
    exit 0
 fi

-# Lade Umgebungsvariablen aus .env
 if [ ! -f .env ]; then
    echo "❌ Fehler: .env Datei nicht gefunden!"
    echo "Bitte erstelle eine .env Datei basierend auf .env.example"
    exit 1
 fi

-# Lade .env und exportiere Variablen
 set -a
 source .env
 set +a

+ensure_password_file
+require_docker
+ensure_mosquitto_service
+
 echo "================================================"
 echo "MQTT Server Setup - Benutzer erstellen"
 echo "================================================"
 echo ""

-# Validiere dass alle benötigten Variablen gesetzt sind
 required_vars=(
    "MQTT_ADMIN_USERNAME" "MQTT_ADMIN_PASSWORD"
    "MQTT_PANEL_USERNAME" "MQTT_PANEL_PASSWORD"
@@ -76,51 +122,12 @@ for var in "${required_vars[@]}"; do
    fi
 done

-# Prüfe ob Docker läuft
-if ! docker info > /dev/null 2>&1; then
-    echo "❌ Fehler: Docker ist nicht gestartet!"
-    exit 1
-fi
-
-# Prüfe ob Container läuft
-if ! docker ps | grep -q mosquitto; then
-    echo "⚠️  Mosquitto Container läuft nicht. Starte Container..."
-    docker compose up -d mosquitto
-    echo "⏳ Warte 5 Sekunden bis Mosquitto gestartet ist..."
-    sleep 5
-fi
-
-echo "📝 Erstelle Benutzer in der Passwort-Datei..."
-echo ""
-
-# Admin User
-echo "➡️  Erstelle Admin User (Vollzugriff)"
-docker exec -it mosquitto mosquitto_passwd -b /mosquitto/config/passwords.txt "$MQTT_ADMIN_USERNAME" "$MQTT_ADMIN_PASSWORD"
-echo "   ✅ User: $MQTT_ADMIN_USERNAME erstellt"
-
-# Panel User für Web UI
-echo "➡️  Erstelle Panel User (für Web Dashboard)"
-docker exec -it mosquitto mosquitto_passwd -b /mosquitto/config/passwords.txt "$MQTT_PANEL_USERNAME" "$MQTT_PANEL_PASSWORD"
-echo "   ✅ User: $MQTT_PANEL_USERNAME erstellt"
-
-# Test User
-echo "➡️  Erstelle Test User"
-docker exec -it mosquitto mosquitto_passwd -b /mosquitto/config/passwords.txt "$MQTT_TESTUSER_USERNAME" "$MQTT_TESTUSER_PASSWORD"
-echo "   ✅ User: $MQTT_TESTUSER_USERNAME erstellt"
-
-# Device User
-echo "➡️  Erstelle Device1 User"
-docker exec -it mosquitto mosquitto_passwd -b /mosquitto/config/passwords.txt "$MQTT_DEVICE1_USERNAME" "$MQTT_DEVICE1_PASSWORD"
-echo "   ✅ User: $MQTT_DEVICE1_USERNAME erstellt"
-
-echo "➡️  Erstelle Device2 User"
-docker exec -it mosquitto mosquitto_passwd -b /mosquitto/config/passwords.txt "$MQTT_DEVICE2_USERNAME" "$MQTT_DEVICE2_PASSWORD"
-echo "   ✅ User: $MQTT_DEVICE2_USERNAME erstellt"
-
-# Monitor User (Read-Only)
-echo "➡️  Erstelle Monitor User (Read-Only)"
-docker exec -it mosquitto mosquitto_passwd -b /mosquitto/config/passwords.txt "$MQTT_MONITOR_USERNAME" "$MQTT_MONITOR_PASSWORD"
-echo "   ✅ User: $MQTT_MONITOR_USERNAME erstellt"
+create_user "$MQTT_ADMIN_USERNAME" "$MQTT_ADMIN_PASSWORD" "Admin User (Vollzugriff)"
+create_user "$MQTT_PANEL_USERNAME" "$MQTT_PANEL_PASSWORD" "Panel User (für Web Dashboard)"
+create_user "$MQTT_TESTUSER_USERNAME" "$MQTT_TESTUSER_PASSWORD" "Test User"
+create_user "$MQTT_DEVICE1_USERNAME" "$MQTT_DEVICE1_PASSWORD" "Device1 User"
+create_user "$MQTT_DEVICE2_USERNAME" "$MQTT_DEVICE2_PASSWORD" "Device2 User"
+create_user "$MQTT_MONITOR_USERNAME" "$MQTT_MONITOR_PASSWORD" "Monitor User (Read-Only)"

 echo ""
 echo "================================================"
@@ -137,15 +144,14 @@ echo "  - $MQTT_MONITOR_USERNAME (Read-Only)"
 echo ""
 echo "⚠️  Passwörter sind in der .env Datei definiert"
 echo ""
-echo "Mosquitto neu laden..."
-docker exec mosquitto mosquitto -c /mosquitto/config/mosquitto.conf &

-echo ""
+$COMPOSE_CMD restart mosquitto >/dev/null
+
 echo "🚀 MQTT Broker läuft auf:"
 echo "   - MQTT: localhost:1883"
 echo "   - WebSocket: ws://localhost:9001"
-echo "   - Web Dashboard: http://localhost:8080"
+echo "   - Web Dashboard: http://localhost:5000"
 echo ""
 echo "📡 Öffentliches Topic ohne Authentifizierung:"
-echo "   - public/*"
+echo "   - public/* (read-only)"
 echo ""
--- a/test-mqtt.sh
+++ b/test-mqtt.sh
@@ -1,69 +1,73 @@
 #!/bin/bash

-# MQTT Test Script - Sendet Test-Nachrichten an verschiedene Topics
-# ===================================================================
+set -euo pipefail
+
+COMPOSE_CMD=${COMPOSE_CMD:-"docker compose"}
+CONTAINER_NAME="mosquitto"
+
+if [ ! -f .env ]; then
+    echo "❌ Fehler: .env nicht gefunden. Bitte kopiere .env.example und setze die Passwörter."
+    exit 1
+fi
+
+set -a
+source .env
+set +a
+
+ADMIN_USER=${MQTT_ADMIN_USERNAME:-}
+ADMIN_PASS=${MQTT_ADMIN_PASSWORD:-}
+
+if [ -z "$ADMIN_USER" ] || [ -z "$ADMIN_PASS" ]; then
+    echo "❌ Fehler: MQTT_ADMIN_USERNAME und MQTT_ADMIN_PASSWORD müssen in .env gesetzt sein."
+    exit 1
+fi
+
+if ! docker ps --format '{{.Names}}' | grep -qx "$CONTAINER_NAME"; then
+    echo "❌ Fehler: Mosquitto Container läuft nicht!"
+    echo "   Starte mit: docker compose up -d"
+    exit 1
+fi
+
+publish() {
+    local topic=$1
+    local payload=$2
+    echo "   → $topic : $payload"
+    $COMPOSE_CMD exec -T "$CONTAINER_NAME" mosquitto_pub -h localhost -t "$topic" -m "$payload" -u "$ADMIN_USER" -P "$ADMIN_PASS"
+}

 echo "================================================"
 echo "MQTT Server Test"
 echo "================================================"
 echo ""

-# Prüfe ob Container läuft
-if ! docker ps | grep -q mosquitto; then
-    echo "❌ Fehler: Mosquitto Container läuft nicht!"
-    echo "   Starte mit: docker-compose up -d"
-    exit 1
-fi
-
 echo "📡 Sende Test-Nachrichten..."
 echo ""

-# Test 1: Öffentliches Topic (OHNE Authentifizierung)
-echo "1️⃣  Öffentliches Topic (ohne Auth): public/message"
-docker exec mosquitto mosquitto_pub -h localhost -t "public/message" -m "Hallo von public!"
-echo "   ✅ Gesendet"
-echo ""
+echo "1️⃣  Temperature Sensor: sensors/temperature"
+publish "sensors/temperature" "22.5"

-# Test 2: Temperature Sensor (MIT Authentifizierung)
-echo "2️⃣  Temperature Sensor: sensors/temperature"
-docker exec mosquitto mosquitto_pub -h localhost -t "sensors/temperature" -m "22.5" -u admin -P admin123
-echo "   ✅ Gesendet: 22.5°C"
-echo ""
+echo "2️⃣  Humidity Sensor: sensors/humidity"
+publish "sensors/humidity" "65"

-# Test 3: Humidity Sensor
-echo "3️⃣  Humidity Sensor: sensors/humidity"
-docker exec mosquitto mosquitto_pub -h localhost -t "sensors/humidity" -m "65" -u admin -P admin123
-echo "   ✅ Gesendet: 65%"
-echo ""
+echo "3️⃣  CPU Usage: system/cpu"
+publish "system/cpu" "45"

-# Test 4: CPU Usage
-echo "4️⃣  CPU Usage: system/cpu"
-docker exec mosquitto mosquitto_pub -h localhost -t "system/cpu" -m "45" -u admin -P admin123
-echo "   ✅ Gesendet: 45%"
-echo ""
+echo "4️⃣  Device Power: devices/device1/power"
+publish "devices/device1/power" "ON"

-# Test 5: Device Power Toggle
-echo "5️⃣  Device Power: devices/device1/power"
-docker exec mosquitto mosquitto_pub -h localhost -t "devices/device1/power" -m "ON" -u admin -P admin123
-echo "   ✅ Gesendet: ON"
-echo ""
-
-# Test 6: Device Brightness
-echo "6️⃣  Device Brightness: devices/device1/brightness"
-docker exec mosquitto mosquitto_pub -h localhost -t "devices/device1/brightness" -m "75" -u admin -P admin123
-echo "   ✅ Gesendet: 75%"
-echo ""
+echo "5️⃣  Device Brightness: devices/device1/brightness"
+publish "devices/device1/brightness" "75"

 echo "================================================"
 echo "✅ Test abgeschlossen!"
 echo "================================================"
 echo ""
-echo "🌐 Öffne das Dashboard: http://localhost:8080"
+echo "🌐 Öffne das Dashboard: http://localhost:5000"
 echo "   Die Test-Daten sollten jetzt in den Widgets sichtbar sein."
 echo ""
 echo "📊 Subscribe auf alle Topics:"
-echo "   docker exec mosquitto mosquitto_sub -h localhost -t '#' -v -u admin -P admin123"
+echo "   $COMPOSE_CMD exec -T mosquitto mosquitto_sub -h localhost -t '#' -v -u $ADMIN_USER -P <ADMIN_PASSWORD>"
 echo ""
 echo "📡 Subscribe auf öffentliche Topics (ohne Auth):"
-echo "   docker exec mosquitto mosquitto_sub -h localhost -t 'public/#' -v"
+echo "   $COMPOSE_CMD exec -T mosquitto mosquitto_sub -h localhost -t 'public/#' -v"
 echo ""