Should be added as `.vault_pass` in the project top level.
The firmware units establish a reverse SSH tunnel to the gateway machine. This lets one connect even if the firmware devices are not directly reachable on the internet, i.e. behind NAT on 4G or WiFi/Ethernet.
One can connect via the gateway as a 'jumphost' by adding an SSH config entry like:

```
Host door1.dlock.trygvis.io
    User USERNAME
    ProxyCommand=ssh dlock.trygvis.io nc localhost 2001
```

where 2001 is 2000 + the device number, so each door needs its own `Host` entry with its own port (door 1 on 2001, door 2 on 2002, and so on). The `nc` runs on the gateway and connects to the local end of that device's reverse tunnel.
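The following shell helpers are an added example, not part of the dlock project: they map a door hostname to its reverse-tunnel port on the gateway (2000 + device number, as described above) and emit the matching ssh_config stanza, refusing hostnames that do not match the expected pattern so a typo cannot silently point at the wrong tunnel. The hostname pattern `door<N>.dlock.trygvis.io` and the gateway `dlock.trygvis.io` are assumed from the entry above.

```shell
#!/bin/sh
# Added example, not part of the dlock project: helpers that map a door
# hostname to its reverse-tunnel port on the gateway (2000 + device number)
# and emit the matching ssh_config stanza.
# Assumed: hostnames follow door<N>.dlock.trygvis.io and the gateway is
# dlock.trygvis.io, both taken from the config entry above.

GATEWAY="dlock.trygvis.io"

# Port on the gateway to which device N's reverse tunnel is bound.
dlock_port() {
    echo $((2000 + $1))
}

# Extract the device number from a door hostname; fails (exit 1) on anything
# that does not match door<N>.dlock.trygvis.io, so a malformed name cannot
# be silently mapped to some other device's tunnel.
dlock_device_number() {
    n=$(printf '%s\n' "$1" | sed -n 's/^door\([0-9][0-9]*\)\.dlock\.trygvis\.io$/\1/p')
    [ -n "$n" ] || return 1
    echo "$n"
}

# Print an ssh_config stanza for device N, logging in as the given user.
dlock_ssh_config() {
    n="$1"
    user="$2"
    port=$(dlock_port "$n")
    printf 'Host door%s.dlock.trygvis.io\n' "$n"
    printf '    User %s\n' "$user"
    printf '    ProxyCommand ssh %s nc localhost %s\n' "$GATEWAY" "$port"
}

# Usage (appends a stanza for door 2 to the SSH client config):
#   dlock_ssh_config 2 USERNAME >> ~/.ssh/config
```

Because the stanza keeps the real door hostname as the `Host` alias, the device's SSH host key is recorded in `known_hosts` under that name, so each door's key is checked independently of the gateway's.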
Then test it using:

```
ssh -t door2.dlock.trygvis.io bash
```
```
# Provision the firmware device(s); -l limits the run to the host dlock-0
ansible-playbook firmware.yml -l dlock-0

# Provision the gateway machine
ansible-playbook gateway.yml

# Bootstrap a freshly flashed device, passing its address and login user
ansible-playbook bootstrap.yml --extra-vars "hosts=dlock-99.local user=trygvis"
```
```
# Register an ACME account with the contact address in $EMAIL
certbot register --agree-tos -m $EMAIL

# Obtain a certificate for $DOMAIN using the webroot challenge served from /var/www/html
certbot certonly -d $DOMAIN --webroot --webroot-path /var/www/html
```
```python
from passlib.apache import HtpasswdFile

# Open the mosquitto password file
ht = HtpasswdFile("/etc/mosquitto/conf.d/dlock.passwords")

# List the accounts present in the file
ht.users()

# Verify a password: True/False for a known user, None if the user does not exist
ht.check_password("dlock-gateway", "foo")
```