authorMatthew Treinish <mtreinish@kortar.org>2016-07-18 18:18:51 -0400
committerMatthew Treinish <mtreinish@kortar.org>2016-07-18 18:18:51 -0400
commitc5f32fc7a483ba662c90d93e58d73c6aedbaf3ef (patch)
tree5df61d4e13f2b7d0d150d693586293e5ab41e12e
parentbc4053f2e6695c2f64a256a63e70eeea7fcc3c3d (diff)
Add basic setup formula to module
This commit adds a config template and the basic setup we need for actually installing and configuring mosquitto. The next step is to fill in the details of the config file and tunables from puppet.
-rw-r--r--manifests/init.pp7
-rw-r--r--manifests/server.pp26
-rw-r--r--metadata.json2
-rw-r--r--templates/mosquitto.conf.erb821
4 files changed, 854 insertions, 2 deletions
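--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -7,4 +7,9 @@
 # [*sample_parameter*]
 # Explanation of what this parameter affects and what it defaults to.
 #
-class mosquitto {}
+class mosquitto (
+) {
+  package {'mosquitto':
+    ensure => present,
+  }
+}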
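Review bot: The header comment still documents a `[*sample_parameter*]` that the class does not have, while the new `class mosquitto ( ) {` takes no parameters and hard-codes `ensure => present` for the broker package. Either drop the placeholder docs or make the package state an operator-controlled parameter so the broker version can be pinned or upgraded from Puppet rather than by editing the module: `class mosquitto ($package_ensure = 'present') {` and `ensure => $package_ensure,`, with the header comment describing `[*package_ensure*]` instead of the sample. With `present` the package is only installed once and never updated by this module, which is worth stating in the comment either way.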
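--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -0,0 +1,26 @@
+# Copyright 2016 Hewlett-Packard Development Company, L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: mosquitto
+#
+class mosquitto::server (
+
+) {
+
+file {'/etc/mosquitto/mosquitto.conf':
+  ensure => present,
+  content => template('mosquitto/mosquitto.conf.erb'),
+}
+
+}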
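Review bot: The `file {'/etc/mosquitto/mosquitto.conf'}` resource sets no `owner`, `group` or `mode` and has no ordering against the package that creates `/etc/mosquitto`, so on a fresh node the file may be written before the directory exists (the package is declared in `mosquitto`, which this class never includes) and its permissions are whatever Puppet's defaults and the umask produce. Since the template is the place where `password_file`, `psk_file` and `auth_opt_*` secrets for a plugin (for example a database password) will later be set, the file should be root-owned and not world-writable, and a `service` resource should be notified so edits actually reach the broker; as committed, a changed config leaves the running mosquitto on the old settings. Note also the header says `== Class: mosquitto` for a class named `mosquitto::server`. The template as added is the stock mosquitto.conf with every option commented out, so until the tunables mentioned in the commit message are wired in, the broker runs on its defaults, including `allow_anonymous true` — worth a TODO comment next to the `content` line.
```puppet
# == Class: mosquitto::server
#
# Installs the broker configuration from templates/mosquitto.conf.erb.
# TODO: expose the config tunables (listeners, TLS, allow_anonymous, ACLs)
# as class parameters; the template currently leaves every option at its
# mosquitto default.
class mosquitto::server (
) {
  include ::mosquitto

  file { '/etc/mosquitto/mosquitto.conf':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('mosquitto/mosquitto.conf.erb'),
    require => Package['mosquitto'],
    notify  => Service['mosquitto'],
  }

  service { 'mosquitto':
    ensure  => running,
    enable  => true,
    require => Package['mosquitto'],
  }
}
```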
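--- a/metadata.json
+++ b/metadata.json
@@ -23,7 +23,7 @@
     },
     {
       "operatingsystem": "Ubuntu",
-      "operatingsystemrelease": ["14.04"]
+      "operatingsystemrelease": ["16.04"]
     }
   ],
   "dependencies": [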
diff --git a/templates/mosquitto.conf.erb b/templates/mosquitto.conf.erb
new file mode 100644
index 0000000..f0e1402
--- /dev/null
+++ b/templates/mosquitto.conf.erb
@@ -0,0 +1,821 @@
1# Config file for mosquitto
2#
3# See mosquitto.conf(5) for more information.
4#
5# Default values are shown, uncomment to change.
6#
7# Use the # character to indicate a comment, but only if it is the
8# very first character on the line.
9
10# =================================================================
11# General configuration
12# =================================================================
13
14# Time in seconds to wait before resending an outgoing QoS=1 or
15# QoS=2 message.
16#retry_interval 20
17
18# Time in seconds between updates of the $SYS tree.
19# Set to 0 to disable the publishing of the $SYS tree.
20#sys_interval 10
21
22# Time in seconds between cleaning the internal message store of
23# unreferenced messages. Lower values will result in lower memory
24# usage but more processor time, higher values will have the
25# opposite effect.
26# Setting a value of 0 means the unreferenced messages will be
27# disposed of as quickly as possible.
28#store_clean_interval 10
29
30# Write process id to a file. Default is a blank string which means
31# a pid file shouldn't be written.
32# This should be set to /var/run/mosquitto.pid if mosquitto is
33# being run automatically on boot with an init script and
34# start-stop-daemon or similar.
35#pid_file
36
37# When run as root, drop privileges to this user and its primary
38# group.
39# Leave blank to stay as root, but this is not recommended.
40# If run as a non-root user, this setting has no effect.
41# Note that on Windows this has no effect and so mosquitto should
42# be started by the user you wish it to run as.
43#user mosquitto
44
45# The maximum number of QoS 1 and 2 messages currently inflight per
46# client.
47# This includes messages that are partway through handshakes and
48# those that are being retried. Defaults to 20. Set to 0 for no
49# maximum. Setting to 1 will guarantee in-order delivery of QoS 1
50# and 2 messages.
51#max_inflight_messages 20
52
53# The maximum number of QoS 1 and 2 messages to hold in a queue
54# above those that are currently in-flight. Defaults to 100. Set
55# to 0 for no maximum (not recommended).
56# See also queue_qos0_messages.
57#max_queued_messages 100
58
59# Set to true to queue messages with QoS 0 when a persistent client is
60# disconnected. These messages are included in the limit imposed by
61# max_queued_messages.
62# Defaults to false.
63# This is a non-standard option for the MQTT v3.1 spec but is allowed in
64# v3.1.1.
65#queue_qos0_messages false
66
67# This option sets the maximum publish payload size that the broker will allow.
68# Received messages that exceed this size will not be accepted by the broker.
69# The default value is 0, which means that all valid MQTT messages are
70# accepted. MQTT imposes a maximum payload size of 268435455 bytes.
71#message_size_limit 0
72
73# This option controls whether a client is allowed to connect with a zero
74# length client id or not. This option only affects clients using MQTT v3.1.1
75# and later. If set to false, clients connecting with a zero length client id
76# are disconnected. If set to true, clients will be allocated a client id by
77# the broker. This means it is only useful for clients with clean session set
78# to true.
79#allow_zero_length_clientid true
80
81# If allow_zero_length_clientid is true, this option allows you to set a prefix
82# to automatically generated client ids to aid visibility in logs.
83#auto_id_prefix
84
85# This option allows persistent clients (those with clean session set to false)
86# to be removed if they do not reconnect within a certain time frame.
87#
88# This is a non-standard option in MQTT V3.1 but allowed in MQTT v3.1.1.
89#
90# Badly designed clients may set clean session to false whilst using a randomly
91# generated client id. This leads to persistent clients that will never
92# reconnect. This option allows these clients to be removed.
93#
94# The expiration period should be an integer followed by one of h d w m y for
95# hour, day, week, month and year respectively. For example
96#
97# persistent_client_expiration 2m
98# persistent_client_expiration 14d
99# persistent_client_expiration 1y
100#
101# The default if not set is to never expire persistent clients.
102#persistent_client_expiration
103
104# If a client is subscribed to multiple subscriptions that overlap, e.g. foo/#
105# and foo/+/baz , then MQTT expects that when the broker receives a message on
106# a topic that matches both subscriptions, such as foo/bar/baz, then the client
107# should only receive the message once.
108# Mosquitto keeps track of which clients a message has been sent to in order to
109# meet this requirement. The allow_duplicate_messages option allows this
110# behaviour to be disabled, which may be useful if you have a large number of
111# clients subscribed to the same set of topics and are very concerned about
112# minimising memory usage.
113# It can be safely set to true if you know in advance that your clients will
114# never have overlapping subscriptions, otherwise your clients must be able to
115# correctly deal with duplicate messages even when then have QoS=2.
116#allow_duplicate_messages false
117
118# The MQTT specification requires that the QoS of a message delivered to a
119# subscriber is never upgraded to match the QoS of the subscription. Enabling
120# this option changes this behaviour. If upgrade_outgoing_qos is set true,
121# messages sent to a subscriber will always match the QoS of its subscription.
122# This is a non-standard option explicitly disallowed by the spec.
123#upgrade_outgoing_qos false
124
125# =================================================================
126# Default listener
127# =================================================================
128
129# IP address/hostname to bind the default listener to. If not
130# given, the default listener will not be bound to a specific
131# address and so will be accessible to all network interfaces.
132# bind_address ip-address/host name
133#bind_address
134
135# Port to use for the default listener.
136#port 1883
137
138# The maximum number of client connections to allow. This is
139# a per listener setting.
140# Default is -1, which means unlimited connections.
141# Note that other process limits mean that unlimited connections
142# are not really possible. Typically the default maximum number of
143# connections possible is around 1024.
144#max_connections -1
145
146# Choose the protocol to use when listening.
147# This can be either mqtt or websockets.
148# Websockets support is currently disabled by default at compile time.
149# Certificate based TLS may be used with websockets, except that
150# only the cafile, certfile, keyfile and ciphers options are supported.
151#protocol mqtt
152
153# When a listener is using the websockets protocol, it is possible to serve
154# http data as well. Set http_dir to a directory which contains the files you
155# wish to serve. If this option is not specified, then no normal http
156# connections will be possible.
157#http_dir
158
159# Set use_username_as_clientid to true to replace the clientid that a client
160# connected with with its username. This allows authentication to be tied to
161# the clientid, which means that it is possible to prevent one client
162# disconnecting another by using the same clientid.
163# If a client connects with no username it will be disconnected as not
164# authorised when this option is set to true.
165# Do not use in conjunction with clientid_prefixes.
166# See also use_identity_as_username.
167#use_username_as_clientid
168
169# -----------------------------------------------------------------
170# Certificate based SSL/TLS support
171# -----------------------------------------------------------------
172# The following options can be used to enable SSL/TLS support for
173# this listener. Note that the recommended port for MQTT over TLS
174# is 8883, but this must be set manually.
175#
176# See also the mosquitto-tls man page.
177
178# At least one of cafile or capath must be defined. They both
179# define methods of accessing the PEM encoded Certificate
180# Authority certificates that have signed your server certificate
181# and that you wish to trust.
182# cafile defines the path to a file containing the CA certificates.
183# capath defines a directory that will be searched for files
184# containing the CA certificates. For capath to work correctly, the
185# certificate files must have ".crt" as the file ending and you must run
186# "c_rehash <path to capath>" each time you add/remove a certificate.
187#cafile
188#capath
189
190# Path to the PEM encoded server certificate.
191#certfile
192
193# Path to the PEM encoded keyfile.
194#keyfile
195
196# This option defines the version of the TLS protocol to use for this listener.
197# The default value allows v1.2, v1.1 and v1.0, if they are all supported by
198# the version of openssl that the broker was compiled against. For openssl >=
199# 1.0.1 the valid values are tlsv1.2 tlsv1.1 and tlsv1. For openssl < 1.0.1 the
200# valid values are tlsv1.
201#tls_version
202
203# By default a TLS enabled listener will operate in a similar fashion to a
204# https enabled web server, in that the server has a certificate signed by a CA
205# and the client will verify that it is a trusted certificate. The overall aim
206# is encryption of the network traffic. By setting require_certificate to true,
207# the client must provide a valid certificate in order for the network
208# connection to proceed. This allows access to the broker to be controlled
209# outside of the mechanisms provided by MQTT.
210#require_certificate false
211
212# If require_certificate is true, you may set use_identity_as_username to true
213# to use the CN value from the client certificate as a username. If this is
214# true, the password_file option will not be used for this listener.
215#use_identity_as_username false
216
217# If you have require_certificate set to true, you can create a certificate
218# revocation list file to revoke access to particular client certificates. If
219# you have done this, use crlfile to point to the PEM encoded revocation file.
220#crlfile
221
222# If you wish to control which encryption ciphers are used, use the ciphers
223# option. The list of available ciphers can be optained using the "openssl
224# ciphers" command and should be provided in the same format as the output of
225# that command.
226# If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
227#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
228
229# -----------------------------------------------------------------
230# Pre-shared-key based SSL/TLS support
231# -----------------------------------------------------------------
232# The following options can be used to enable PSK based SSL/TLS support for
233# this listener. Note that the recommended port for MQTT over TLS is 8883, but
234# this must be set manually.
235#
236# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
237# support" section. Only one of certificate or PSK encryption support can be
238# enabled for any listener.
239
240# The psk_hint option enables pre-shared-key support for this listener and also
241# acts as an identifier for this listener. The hint is sent to clients and may
242# be used locally to aid authentication. The hint is a free form string that
243# doesn't have much meaning in itself, so feel free to be creative.
244# If this option is provided, see psk_file to define the pre-shared keys to be
245# used or create a security plugin to handle them.
246#psk_hint
247
248# Set use_identity_as_username to have the psk identity sent by the client used
249# as its username. Authentication will be carried out using the PSK rather than
250# the MQTT username/password and so password_file will not be used for this
251# listener.
252#use_identity_as_username false
253
254# When using PSK, the encryption ciphers used will be chosen from the list of
255# available PSK ciphers. If you want to control which ciphers are available,
256# use the "ciphers" option. The list of available ciphers can be optained
257# using the "openssl ciphers" command and should be provided in the same format
258# as the output of that command.
259#ciphers
260
261# =================================================================
262# Extra listeners
263# =================================================================
264
265# Listen on a port/ip address combination. By using this variable
266# multiple times, mosquitto can listen on more than one port. If
267# this variable is used and neither bind_address nor port given,
268# then the default listener will not be started.
269# The port number to listen on must be given. Optionally, an ip
270# address or host name may be supplied as a second argument. In
271# this case, mosquitto will attempt to bind the listener to that
272# address and so restrict access to the associated network and
273# interface. By default, mosquitto will listen on all interfaces.
274# Note that for a websockets listener it is not possible to bind to a host
275# name.
276# listener port-number [ip address/host name]
277#listener
278
279# The maximum number of client connections to allow. This is
280# a per listener setting.
281# Default is -1, which means unlimited connections.
282# Note that other process limits mean that unlimited connections
283# are not really possible. Typically the default maximum number of
284# connections possible is around 1024.
285#max_connections -1
286
287# The listener can be restricted to operating within a topic hierarchy using
288# the mount_point option. This is achieved be prefixing the mount_point string
289# to all topics for any clients connected to this listener. This prefixing only
290# happens internally to the broker; the client will not see the prefix.
291#mount_point
292
293# Choose the protocol to use when listening.
294# This can be either mqtt or websockets.
295# Certificate based TLS may be used with websockets, except that only the
296# cafile, certfile, keyfile and ciphers options are supported.
297#protocol mqtt
298
299# When a listener is using the websockets protocol, it is possible to serve
300# http data as well. Set http_dir to a directory which contains the files you
301# wish to serve. If this option is not specified, then no normal http
302# connections will be possible.
303#http_dir
304
305# Set use_username_as_clientid to true to replace the clientid that a client
306# connected with with its username. This allows authentication to be tied to
307# the clientid, which means that it is possible to prevent one client
308# disconnecting another by using the same clientid.
309# If a client connects with no username it will be disconnected as not
310# authorised when this option is set to true.
311# Do not use in conjunction with clientid_prefixes.
312# See also use_identity_as_username.
313#use_username_as_clientid
314
315# -----------------------------------------------------------------
316# Certificate based SSL/TLS support
317# -----------------------------------------------------------------
318# The following options can be used to enable certificate based SSL/TLS support
319# for this listener. Note that the recommended port for MQTT over TLS is 8883,
320# but this must be set manually.
321#
322# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS
323# support" section. Only one of certificate or PSK encryption support can be
324# enabled for any listener.
325
326# At least one of cafile or capath must be defined to enable certificate based
327# TLS encryption. They both define methods of accessing the PEM encoded
328# Certificate Authority certificates that have signed your server certificate
329# and that you wish to trust.
330# cafile defines the path to a file containing the CA certificates.
331# capath defines a directory that will be searched for files
332# containing the CA certificates. For capath to work correctly, the
333# certificate files must have ".crt" as the file ending and you must run
334# "c_rehash <path to capath>" each time you add/remove a certificate.
335#cafile
336#capath
337
338# Path to the PEM encoded server certificate.
339#certfile
340
341# Path to the PEM encoded keyfile.
342#keyfile
343
344# By default an TLS enabled listener will operate in a similar fashion to a
345# https enabled web server, in that the server has a certificate signed by a CA
346# and the client will verify that it is a trusted certificate. The overall aim
347# is encryption of the network traffic. By setting require_certificate to true,
348# the client must provide a valid certificate in order for the network
349# connection to proceed. This allows access to the broker to be controlled
350# outside of the mechanisms provided by MQTT.
351#require_certificate false
352
353# If require_certificate is true, you may set use_identity_as_username to true
354# to use the CN value from the client certificate as a username. If this is
355# true, the password_file option will not be used for this listener.
356#use_identity_as_username false
357
358# If you have require_certificate set to true, you can create a certificate
359# revocation list file to revoke access to particular client certificates. If
360# you have done this, use crlfile to point to the PEM encoded revocation file.
361#crlfile
362
363# If you wish to control which encryption ciphers are used, use the ciphers
364# option. The list of available ciphers can be optained using the "openssl
365# ciphers" command and should be provided in the same format as the output of
366# that command.
367#ciphers
368
369# -----------------------------------------------------------------
370# Pre-shared-key based SSL/TLS support
371# -----------------------------------------------------------------
372# The following options can be used to enable PSK based SSL/TLS support for
373# this listener. Note that the recommended port for MQTT over TLS is 8883, but
374# this must be set manually.
375#
376# See also the mosquitto-tls man page and the "Certificate based SSL/TLS
377# support" section. Only one of certificate or PSK encryption support can be
378# enabled for any listener.
379
380# The psk_hint option enables pre-shared-key support for this listener and also
381# acts as an identifier for this listener. The hint is sent to clients and may
382# be used locally to aid authentication. The hint is a free form string that
383# doesn't have much meaning in itself, so feel free to be creative.
384# If this option is provided, see psk_file to define the pre-shared keys to be
385# used or create a security plugin to handle them.
386#psk_hint
387
388# Set use_identity_as_username to have the psk identity sent by the client used
389# as its username. Authentication will be carried out using the PSK rather than
390# the MQTT username/password and so password_file will not be used for this
391# listener.
392#use_identity_as_username false
393
394# When using PSK, the encryption ciphers used will be chosen from the list of
395# available PSK ciphers. If you want to control which ciphers are available,
396# use the "ciphers" option. The list of available ciphers can be optained
397# using the "openssl ciphers" command and should be provided in the same format
398# as the output of that command.
399#ciphers
400
401# =================================================================
402# Persistence
403# =================================================================
404
405# If persistence is enabled, save the in-memory database to disk
406# every autosave_interval seconds. If set to 0, the persistence
407# database will only be written when mosquitto exits. See also
408# autosave_on_changes.
409# Note that writing of the persistence database can be forced by
410# sending mosquitto a SIGUSR1 signal.
411#autosave_interval 1800
412
413# If true, mosquitto will count the number of subscription changes, retained
414# messages received and queued messages and if the total exceeds
415# autosave_interval then the in-memory database will be saved to disk.
416# If false, mosquitto will save the in-memory database to disk by treating
417# autosave_interval as a time in seconds.
418#autosave_on_changes false
419
420# Save persistent message data to disk (true/false).
421# This saves information about all messages, including
422# subscriptions, currently in-flight messages and retained
423# messages.
424# retained_persistence is a synonym for this option.
425#persistence false
426
427# The filename to use for the persistent database, not including
428# the path.
429#persistence_file mosquitto.db
430
431# Location for persistent database. Must include trailing /
432# Default is an empty string (current directory).
433# Set to e.g. /var/lib/mosquitto/ if running as a proper service on Linux or
434# similar.
435#persistence_location
436
437# =================================================================
438# Logging
439# =================================================================
440
441# Places to log to. Use multiple log_dest lines for multiple
442# logging destinations.
443# Possible destinations are: stdout stderr syslog topic file
444#
445# stdout and stderr log to the console on the named output.
446#
447# syslog uses the userspace syslog facility which usually ends up
448# in /var/log/messages or similar.
449#
450# topic logs to the broker topic '$SYS/broker/log/<severity>',
451# where severity is one of D, E, W, N, I, M which are debug, error,
452# warning, notice, information and message. Message type severity is used by
453# the subscribe/unsubscribe log_types and publishes log messages to
454# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe.
455#
456# The file destination requires an additional parameter which is the file to be
457# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be
458# closed and reopened when the broker receives a HUP signal. Only a single file
459# destination may be configured.
460#
461# Note that if the broker is running as a Windows service it will default to
462# "log_dest none" and neither stdout nor stderr logging is available.
463# Use "log_dest none" if you wish to disable logging.
464#log_dest stderr
465
466# If using syslog logging (not on Windows), messages will be logged to the
467# "daemon" facility by default. Use the log_facility option to choose which of
468# local0 to local7 to log to instead. The option value should be an integer
469# value, e.g. "log_facility 5" to use local5.
470#log_facility
471
472# Types of messages to log. Use multiple log_type lines for logging
473# multiple types of messages.
474# Possible types are: debug, error, warning, notice, information,
475# none, subscribe, unsubscribe, websockets, all.
476# Note that debug type messages are for decoding the incoming/outgoing
477# network packets. They are not logged in "topics".
478#log_type error
479#log_type warning
480#log_type notice
481#log_type information
482
483# Change the websockets logging level. This is a global option, it is not
484# possible to set per listener. This is an integer that is interpreted by
485# libwebsockets as a bit mask for its lws_log_levels enum. See the
486# libwebsockets documentation for more details. "log_type websockets" must also
487# be enabled.
488#websockets_log_level 0
489
490# If set to true, client connection and disconnection messages will be included
491# in the log.
492#connection_messages true
493
494# If set to true, add a timestamp value to each log message.
495#log_timestamp true
496
497# =================================================================
498# Security
499# =================================================================
500
501# If set, only clients that have a matching prefix on their
502# clientid will be allowed to connect to the broker. By default,
503# all clients may connect.
504# For example, setting "secure-" here would mean a client "secure-
505# client" could connect but another with clientid "mqtt" couldn't.
506#clientid_prefixes
507
508# Boolean value that determines whether clients that connect
509# without providing a username are allowed to connect. If set to
510# false then a password file should be created (see the
511# password_file option) to control authenticated client access.
512# Defaults to true.
513#allow_anonymous true
514
515# In addition to the clientid_prefixes, allow_anonymous and TLS
516# authentication options, username based authentication is also
517# possible. The default support is described in "Default
518# authentication and topic access control" below. The auth_plugin
519# allows another authentication method to be used.
520# Specify the path to the loadable plugin and see the
521# "Authentication and topic access plugin options" section below.
522#auth_plugin
523
524# -----------------------------------------------------------------
525# Default authentication and topic access control
526# -----------------------------------------------------------------
527
528# Control access to the broker using a password file. This file can be
529# generated using the mosquitto_passwd utility. If TLS support is not compiled
530# into mosquitto (it is recommended that TLS support should be included) then
531# plain text passwords are used, in which case the file should be a text file
532# with lines in the format:
533# username:password
534# The password (and colon) may be omitted if desired, although this
535# offers very little in the way of security.
536#
537# See the TLS client require_certificate and use_identity_as_username options
538# for alternative authentication options.
539#password_file
540
541# Access may also be controlled using a pre-shared-key file. This requires
542# TLS-PSK support and a listener configured to use it. The file should be text
543# lines in the format:
544# identity:key
545# The key should be in hexadecimal format without a leading "0x".
546#psk_file
547
548# Control access to topics on the broker using an access control list
549# file. If this parameter is defined then only the topics listed will
550# have access.
551# If the first character of a line of the ACL file is a # it is treated as a
552# comment.
553# Topic access is added with lines of the format:
554#
555# topic [read|write|readwrite] <topic>
556#
557# The access type is controlled using "read", "write" or "readwrite". This
558# parameter is optional (unless <topic> contains a space character) - if not
559# given then the access is read/write. <topic> can contain the + or #
560# wildcards as in subscriptions.
561#
562# The first set of topics are applied to anonymous clients, assuming
563# allow_anonymous is true. User specific topic ACLs are added after a
564# user line as follows:
565#
566# user <username>
567#
568# The username referred to here is the same as in password_file. It is
569# not the clientid.
570#
571#
572# If is also possible to define ACLs based on pattern substitution within the
573# topic. The patterns available for substition are:
574#
575# %c to match the client id of the client
576# %u to match the username of the client
577#
578# The substitution pattern must be the only text for that level of hierarchy.
579#
580# The form is the same as for the topic keyword, but using pattern as the
581# keyword.
582# Pattern ACLs apply to all users even if the "user" keyword has previously
583# been given.
584#
585# If using bridges with usernames and ACLs, connection messages can be allowed
586# with the following pattern:
587# pattern write $SYS/broker/connection/%c/state
588#
589# pattern [read|write|readwrite] <topic>
590#
591# Example:
592#
593# pattern write sensor/%u/data
594#
595#acl_file
596
597# -----------------------------------------------------------------
598# Authentication and topic access plugin options
599# -----------------------------------------------------------------
600
601# If the auth_plugin option above is used, define options to pass to the
602# plugin here as described by the plugin instructions. All options named
603# using the format auth_opt_* will be passed to the plugin, for example:
604#
605# auth_opt_db_host
606# auth_opt_db_port
607# auth_opt_db_username
608# auth_opt_db_password
609
610
611# =================================================================
612# Bridges
613# =================================================================
614
615# A bridge is a way of connecting multiple MQTT brokers together.
616# Create a new bridge using the "connection" option as described below. Set
617# options for the bridges using the remaining parameters. You must specify the
618# address and at least one topic to subscribe to.
619# Each connection must have a unique name.
620# The address line may have multiple host address and ports specified. See
621# below in the round_robin description for more details on bridge behaviour if
622# multiple addresses are used.
623# The direction that the topic will be shared can be chosen by
624# specifying out, in or both, where the default value is out.
625# The QoS level of the bridged communication can be specified with the next
626# topic option. The default QoS level is 0, to change the QoS the topic
627# direction must also be given.
628# The local and remote prefix options allow a topic to be remapped when it is
629# bridged to/from the remote broker. This provides the ability to place a topic
630# tree in an appropriate location.
631# For more details see the mosquitto.conf man page.
632# Multiple topics can be specified per connection, but be careful
633# not to create any loops.
634# If you are using bridges with cleansession set to false (the default), then
635# you may get unexpected behaviour from incoming topics if you change what
636# topics you are subscribing to. This is because the remote broker keeps the
637# subscription for the old topic. If you have this problem, connect your bridge
638# with cleansession set to true, then reconnect with cleansession set to false
639# as normal.
640#connection <name>
641#address <host>[:<port>] [<host>[:<port>]]
642#topic <topic> [[[out | in | both] qos-level] local-prefix remote-prefix]
643
644# Set the version of the MQTT protocol to use with for this bridge. Can be one
645# of mqttv31 or mqttv311. Defaults to mqttv31.
646#bridge_protocol_version mqttv31
647
648# If a bridge has topics that have "out" direction, the default behaviour is to
649# send an unsubscribe request to the remote broker on that topic. This means
650# that changing a topic direction from "in" to "out" will not keep receiving
651# incoming messages. Sending these unsubscribe requests is not always
652# desirable, setting bridge_attempt_unsubscribe to false will disable sending
653# the unsubscribe request.
654#bridge_attempt_unsubscribe true
655
656# If the bridge has more than one address given in the address/addresses
657# configuration, the round_robin option defines the behaviour of the bridge on
658# a failure of the bridge connection. If round_robin is false, the default
659# value, then the first address is treated as the main bridge connection. If
660# the connection fails, the other secondary addresses will be attempted in
661# turn. Whilst connected to a secondary bridge, the bridge will periodically
662# attempt to reconnect to the main bridge until successful.
663# If round_robin is true, then all addresses are treated as equals. If a
664# connection fails, the next address will be tried and if successful will
665# remain connected until it fails
666#round_robin false
667
668# Set the client id to use on the remote end of this bridge connection. If not
669# defined, this defaults to 'name.hostname' where name is the connection name
670# and hostname is the hostname of this computer.
671# This replaces the old "clientid" option to avoid confusion. "clientid"
672# remains valid for the time being.
673#remote_clientid
674
675# Set the clientid to use on the local broker. If not defined, this defaults to
676# 'local.<clientid>'. If you are bridging a broker to itself, it is important
677# that local_clientid and clientid do not match.
678#local_clientid
679
680# Set the clean session variable for this bridge.
681# When set to true, when the bridge disconnects for any reason, all
682# messages and subscriptions will be cleaned up on the remote
683# broker. Note that with cleansession set to true, there may be a
684# significant amount of retained messages sent when the bridge
685# reconnects after losing its connection.
686# When set to false, the subscriptions and messages are kept on the
687# remote broker, and delivered when the bridge reconnects.
688#cleansession false
689
690# If set to true, publish notification messages to the local and remote brokers
691# giving information about the state of the bridge connection. Retained
692# messages are published to the topic $SYS/broker/connection/<clientid>/state
693# unless the notification_topic option is used.
694# If the message is 1 then the connection is active, or 0 if the connection has
695# failed.
696#notifications true
697
698# Choose the topic on which notification messages for this bridge are
699# published. If not set, messages are published on the topic
700# $SYS/broker/connection/<clientid>/state
701#notification_topic
702
703# Set the keepalive interval for this bridge connection, in
704# seconds.
705#keepalive_interval 60
706
707# Set the start type of the bridge. This controls how the bridge starts and
708# can be one of three types: automatic, lazy and once. Note that RSMB provides
709# a fourth start type "manual" which isn't currently supported by mosquitto.
710#
711# "automatic" is the default start type and means that the bridge connection
712# will be started automatically when the broker starts and also restarted
713# after a short delay (30 seconds) if the connection fails.
714#
715# Bridges using the "lazy" start type will be started automatically when the
716# number of queued messages exceeds the number set with the "threshold"
717# parameter. It will be stopped automatically after the time set by the
718# "idle_timeout" parameter. Use this start type if you wish the connection to
719# only be active when it is needed.
720#
721# A bridge using the "once" start type will be started automatically when the
722# broker starts but will not be restarted if the connection fails.
723#start_type automatic
724
725# Set the amount of time a bridge using the automatic start type will wait
726# until attempting to reconnect. Defaults to 30 seconds.
727#restart_timeout 30
728
729# Set the amount of time a bridge using the lazy start type must be idle before
730# it will be stopped. Defaults to 60 seconds.
731#idle_timeout 60
732
733# Set the number of messages that need to be queued for a bridge with lazy
734# start type to be restarted. Defaults to 10 messages.
735# Must be less than max_queued_messages.
736#threshold 10
737
738# If try_private is set to true, the bridge will attempt to indicate to the
739# remote broker that it is a bridge not an ordinary client. If successful, this
740# means that loop detection will be more effective and that retained messages
741# will be propagated correctly. Not all brokers support this feature so it may
742# be necessary to set try_private to false if your bridge does not connect
743# properly.
744#try_private true
745
746# Set the username to use when connecting to a broker that requires
747# authentication.
748# This replaces the old "username" option to avoid confusion. "username"
749# remains valid for the time being.
750#remote_username
751
752# Set the password to use when connecting to a broker that requires
753# authentication. This option is only used if remote_username is also set.
754# This replaces the old "password" option to avoid confusion. "password"
755# remains valid for the time being.
756#remote_password
757
758# -----------------------------------------------------------------
759# Certificate based SSL/TLS support
760# -----------------------------------------------------------------
761# Either bridge_cafile or bridge_capath must be defined to enable TLS support
762# for this bridge.
763# bridge_cafile defines the path to a file containing the
764# Certificate Authority certificates that have signed the remote broker
765# certificate.
766# bridge_capath defines a directory that will be searched for files containing
767# the CA certificates. For bridge_capath to work correctly, the certificate
768# files must have ".crt" as the file ending and you must run "c_rehash <path to
769# capath>" each time you add/remove a certificate.
770#bridge_cafile
771#bridge_capath
772
773# Path to the PEM encoded client certificate, if required by the remote broker.
774#bridge_certfile
775
776# Path to the PEM encoded client private key, if required by the remote broker.
777#bridge_keyfile
778
779# When using certificate based encryption, bridge_insecure disables
780# verification of the server hostname in the server certificate. This can be
781# useful when testing initial server configurations, but makes it possible for
782# a malicious third party to impersonate your server through DNS spoofing, for
783# example. Use this option in testing only. If you need to resort to using this
784# option in a production environment, your setup is at fault and there is no
785# point using encryption.
786#bridge_insecure false
787
788# -----------------------------------------------------------------
789# PSK based SSL/TLS support
790# -----------------------------------------------------------------
791# Pre-shared-key encryption provides an alternative to certificate based
792# encryption. A bridge can be configured to use PSK with the bridge_identity
793# and bridge_psk options. These are the client PSK identity, and pre-shared-key
794# in hexadecimal format with no "0x". Only one of certificate and PSK based
795# encryption can be used on one
796# bridge at once.
797#bridge_identity
798#bridge_psk
799
800
801# =================================================================
802# External config files
803# =================================================================
804
805# External configuration files may be included by using the
806# include_dir option. This defines a directory that will be searched
807# for config files. All files that end in '.conf' will be loaded as
808# a configuration file. It is best to have this as the last option
809# in the main file. This option will only be processed from the main
810# configuration file. The directory specified must not contain the
811# main configuration file.
812#include_dir
813
814# =================================================================
815# rsmb options - unlikely to ever be supported
816# =================================================================
817
818#ffdc_output
819#max_log_entries
820#trace_level
821#trace_output