
feature(project): add etc/emqx.d

terry-xiaoyu 5 лет назад
Родитель
Сommit
20b66e03a1

+ 1 - 10
.gitignore

@@ -12,33 +12,24 @@ ebin
 test/ebin/*.beam
 .exrc
 plugins/*/ebin
-log/
 *.swp
 *.so
 .erlang.mk/
 cover/
-emqx.d
 eunit.coverdata
 test/ct.cover.spec
-logs
 ct.coverdata
 .idea/
-emqx.iml
-_rel/
 data/
 _build
 .rebar3
 rebar3.crashdump
 .DS_Store
-emqx.iml
-bbmustache/
 etc/gen.emqx.conf
 compile_commands.json
 cuttlefish
-rebar.lock
 xrefr
-erlang.mk
 *.coverdata
 etc/emqx.conf.rendered
 Mnesia.*/
-*.DS_Store
+*.DS_Store

+ 26 - 0
etc/emqx.d/acl.conf

@@ -0,0 +1,26 @@
+%%--------------------------------------------------------------------
+%% [ACL](https://docs.emqx.io/broker/v3/en/config.html)
+%%
+%% -type(who() :: all | binary() |
+%%                {ipaddr, esockd_access:cidr()} |
+%%                {client, binary()} |
+%%                {user, binary()}).
+%%
+%% -type(access() :: subscribe | publish | pubsub).
+%%
+%% -type(topic() :: binary()).
+%%
+%% -type(rule() :: {allow, all} |
+%%                 {allow, who(), access(), list(topic())} |
+%%                 {deny, all} |
+%%                 {deny, who(), access(), list(topic())}).
+%%--------------------------------------------------------------------
+
+{allow, {user, "dashboard"}, subscribe, ["$SYS/#"]}.
+
+{allow, {ipaddr, "127.0.0.1"}, pubsub, ["$SYS/#", "#"]}.
+
+{deny, all, subscribe, ["$SYS/#", {eq, "#"}]}.
+
+{allow, all}.
+
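Review bot: The rule list ends with `{allow, all}.`, so any publish or subscribe that no earlier rule matches is permitted, and the only restriction the file imposes is on subscribing to `$SYS/#` and to the literal `#`. The header comment should state the evaluation order (presumably first match wins, which this hunk does not show) and that production deployments should end the list with `{deny, all}.` after explicit allow rules. The `{allow, {ipaddr, "127.0.0.1"}, pubsub, ["$SYS/#", "#"]}` rule needs a comment as well: when clients reach the broker through a proxy or load balancer on the same host, their connections may all appear to come from that address and inherit full `pubsub` on `#`.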

+ 18 - 0
etc/emqx.d/emqx_auth_clientid.conf

@@ -0,0 +1,18 @@
+##--------------------------------------------------------------------
+## ClientId Authentication Plugin
+##--------------------------------------------------------------------
+
+## Examples
+##auth.client.1.clientid = id
+##auth.client.1.password = passwd
+##auth.client.2.clientid = dev:devid
+##auth.client.2.password = passwd2
+##auth.client.3.clientid = app:appid
+##auth.client.3.password = passwd3
+##auth.client.4.clientid = client~!@#$%^&*()_+
+##auth.client.4.password = passwd~!@#$%^&*()_+
+
+## Password hash.
+##
+## Value: plain | md5 | sha | sha256
+auth.client.password_hash = sha256
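Review bot: `auth.client.password_hash = sha256` selects a single fast digest, and the listed values (`plain | md5 | sha | sha256`) include no salted or deliberately slow alternative, so stored client passwords would be cheap to brute-force if the credential store leaked. The same active default appears in etc/emqx.d/emqx_auth_mnesia.conf, etc/emqx.d/emqx_auth_username.conf and etc/emqx.d/emqx_auth_mysql.conf; only the MySQL file documents `salt,sha256`, `salt,bcrypt` and `pbkdf2` forms. I would add above the setting `## plain and md5 are for testing only; sha256 as configured here appears to be unsalted`. If the built-in plugins accept the salted forms, the three files should list them the way the MySQL file does.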

+ 162 - 0
etc/emqx.d/emqx_auth_http.conf

@@ -0,0 +1,162 @@
+##--------------------------------------------------------------------
+## HTTP Auth/ACL Plugin
+##--------------------------------------------------------------------
+
+##--------------------------------------------------------------------
+## Authentication request.
+
+## HTTP URL API path for authentication request
+##
+## Value: URL
+##
+## Examples: http://127.0.0.1:8991/mqtt/auth, https://[::1]:8991/mqtt/auth
+auth.http.auth_req = http://127.0.0.1:8991/mqtt/auth
+
+## Value: post | get
+auth.http.auth_req.method = post
+
+## It only works when method=post
+## Value: json | x-www-form-urlencoded
+auth.http.auth_req.content_type = x-www-form-urlencoded
+
+## Variables:
+##  - %u: username
+##  - %c: clientid
+##  - %a: ipaddress
+##  - %r: protocol
+##  - %P: password
+##  - %p: sockport of server accepted
+##  - %C: common name of client TLS cert
+##  - %d: subject of client TLS cert
+##
+## Value: Params
+auth.http.auth_req.params = clientid=%c,username=%u,password=%P
+
+##--------------------------------------------------------------------
+## Superuser request.
+
+## HTTP URL API path for Superuser request
+##
+## Value: URL
+##
+## Examples: http://127.0.0.1:8991/mqtt/superuser, https://[::1]:8991/mqtt/superuser
+#auth.http.super_req = http://127.0.0.1:8991/mqtt/superuser
+
+## Value: post | get
+#auth.http.super_req.method = post
+
+## It only works when method=pos
+## Value: json | x-www-form-urlencoded
+#auth.http.super_req.content_type = x-www-form-urlencoded
+
+## Variables:
+##  - %u: username
+##  - %c: clientid
+##  - %a: ipaddress
+##  - %r: protocol
+##  - %P: password
+##  - %p: sockport of server accepted
+##  - %C: common name of client TLS cert
+##  - %d: subject of client TLS cert
+##
+## Value: Params
+#auth.http.super_req.params = clientid=%c,username=%u
+
+##--------------------------------------------------------------------
+## ACL request.
+
+## HTTP URL API path for ACL request
+##
+## Value: URL
+##
+## Examples: http://127.0.0.1:8991/mqtt/acl, https://[::1]:8991/mqtt/acl
+auth.http.acl_req = http://127.0.0.1:8991/mqtt/acl
+
+## Value: post | get
+auth.http.acl_req.method = get
+
+## It only works when method=post
+## Value: json | x-www-form-urlencoded
+auth.http.acl_req.content_type = x-www-form-urlencoded
+
+## Variables:
+##  - %A: 1 | 2, 1 = sub, 2 = pub
+##  - %u: username
+##  - %c: clientid
+##  - %a: ipaddress
+##  - %r: protocol
+##  - %m: mountpoint
+##  - %t: topic
+##
+## Value: Params
+auth.http.acl_req.params = access=%A,username=%u,clientid=%c,ipaddr=%a,topic=%t,mountpoint=%m
+
+##------------------------------------------------------------------------------
+## Http Reqeust options
+
+## Time-out time for the http request, 0 is never timeout.
+##
+## Value: Duration
+## -h: hour, e.g. '2h' for 2 hours
+## -m: minute, e.g. '5m' for 5 minutes
+## -s: second, e.g. '30s' for 30 seconds
+##
+## Default: 0
+## auth.http.request.timeout = 0
+
+## Connection time-out time, used during the initial request
+## when the client is connecting to the server
+##
+## Value: Duration
+##
+## Default is same with the timeout option
+## auth.http.request.connect_timeout = 0
+
+## Re-send http reuqest times
+##
+## Value: integer
+##
+## Default: 3
+auth.http.request.retry_times = 3
+
+## The interval for re-sending the http request
+##
+## Value: Duration
+##
+## Default: 1s
+auth.http.request.retry_interval = 1s
+
+## The 'Exponential Backoff' mechanism for re-sending request. The actually
+## re-send time interval is `interval * backoff ^ times`
+##
+## Value: float
+##
+## Default: 2.0
+auth.http.request.retry_backoff = 2.0
+
+##------------------------------------------------------------------------------
+## SSL options
+
+## Path to the file containing PEM-encoded CA certificates. The CA certificates
+## are used during server authentication and when building the client certificate chain.
+##
+## Value: File
+## auth.http.ssl.cacertfile = {{ platform_etc_dir }}/certs/ca.pem
+
+## The path to a file containing the client's certificate.
+##
+## Value: File
+## auth.http.ssl.certfile = {{ platform_etc_dir }}/certs/client-cert.pem
+
+## Path to a file containing the client's private PEM-encoded key.
+##
+## Value: File
+## auth.http.ssl.keyfile = {{ platform_etc_dir }}/certs/client-key.pem
+
+##--------------------------------------------------------------------
+## HTTP Request Headers
+##
+## Example: auth.http.header.Accept-Encoding = *
+##
+## Value: String
+## auth.http.header.Accept = */*
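Review bot: The active default `auth.http.auth_req = http://127.0.0.1:8991/mqtt/auth` sends `password=%P` over plain HTTP, which is acceptable only while the auth service stays on loopback, and no comment says so. The `https://` example and the `auth.http.ssl.*` keys read as optional extras. I would add above the URL `## The request carries the client password: use https:// and set auth.http.ssl.cacertfile when the auth service is not on this host`. Two related defaults in the same file deserve a comment too: `auth.http.acl_req.method = get` presumably places username, client id and topic in the request URL, where HTTP servers commonly log them, and the documented `auth.http.request.timeout` default of 0 means an unresponsive auth service is never timed out.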

+ 39 - 0
etc/emqx.d/emqx_auth_jwt.conf

@@ -0,0 +1,39 @@
+##--------------------------------------------------------------------
+## JWT Auth Plugin
+##--------------------------------------------------------------------
+
+## HMAC Hash Secret.
+##
+## Value: String
+auth.jwt.secret = emqxsecret
+
+## From where the JWT string can be got
+##
+## Value: username | password
+## Default: password
+auth.jwt.from = password
+
+## RSA or ECDSA public key file.
+##
+## Value: File
+## auth.jwt.pubkey = etc/certs/jwt_public_key.pem
+
+## Enable to verify claims fields
+##
+## Value: on | off
+auth.jwt.verify_claims = off
+
+## The checklist of claims to validate
+##
+## Value: String
+## auth.jwt.verify_claims.$name = expected
+##
+## Variables:
+##  - %u: username
+##  - %c: clientid
+# auth.jwt.verify_claims.username = %u
+
+## The Signature format
+##   - `der`: The erlang default format
+##   - `raw`: Compatible with others platform maybe
+#auth.jwt.signature_format = der
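Review bot: `auth.jwt.secret = emqxsecret` ships an active, publicly known HMAC secret, so a deployment that enables the plugin without editing this file would accept tokens signed by anyone who has read the repository. The key should ship commented out or as an unmistakable placeholder, e.g. `## auth.jwt.secret = <SET_A_RANDOM_SECRET>`, with a comment that it must be set per deployment. `auth.jwt.verify_claims = off` is also an active default; the hunk does not show which claims are still checked when it is off, so that line needs a comment stating it.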

+ 20 - 0
etc/emqx.d/emqx_auth_mnesia.conf

@@ -0,0 +1,20 @@
+## Examples:
+##auth.mnesia.1.login = admin
+##auth.mnesia.1.password = public
+##auth.mnesia.1.is_superuser = true
+##auth.mnesia.2.login = feng@emqtt.io
+##auth.mnesia.2.password = public
+##auth.mnesia.2.is_superuser = false
+##auth.mnesia.3.login = name~!@#$%^&*()_+
+##auth.mnesia.3.password = pwsswd~!@#$%^&*()_+
+##auth.mnesia.3.is_superuser = false
+
+## Password hash.
+##
+## Value: plain | md5 | sha | sha256 
+auth.mnesia.password_hash = sha256
+
+## Auth as username or auth as clientid.
+##
+## Value: username | clientid
+auth.mnesia.as = username

+ 116 - 0
etc/emqx.d/emqx_auth_mysql.conf

@@ -0,0 +1,116 @@
+##--------------------------------------------------------------------
+## MySQL Auth/ACL Plugin
+##--------------------------------------------------------------------
+
+## MySQL server address.
+##
+## Value: Port | IP:Port
+##
+## Examples: 3306, 127.0.0.1:3306, localhost:3306
+auth.mysql.server = 127.0.0.1:3306
+
+## MySQL pool size.
+##
+## Value: Number
+auth.mysql.pool = 8
+
+## MySQL username.
+##
+## Value: String
+## auth.mysql.username =
+
+## MySQL password.
+##
+## Value: String
+## auth.mysql.password =
+
+## MySQL database.
+##
+## Value: String
+auth.mysql.database = mqtt
+
+## MySQL query timeout
+##
+## Value: Duration
+## auth.mysql.query_timeout = 5s
+
+## Variables: %u = username, %c = clientid
+
+## Authentication query.
+##
+## Note that column names should be 'password' and 'salt' (if used).
+## In case column names differ in your DB - please use aliases,
+## e.g. "my_column_name as password".
+##
+## Value: SQL
+##
+## Variables:
+##  - %u: username
+##  - %c: clientid
+##  - %C: common name of client TLS cert
+##  - %d: subject of client TLS cert
+##
+auth.mysql.auth_query = select password from mqtt_user where username = '%u' limit 1
+## auth.mysql.auth_query = select password_hash as password from mqtt_user where username = '%u' limit 1
+
+## Password hash.
+##
+## Value: plain | md5 | sha | sha256 | bcrypt
+auth.mysql.password_hash = sha256
+
+## sha256 with salt prefix
+## auth.mysql.password_hash = salt,sha256
+
+## bcrypt with salt only prefix
+## auth.mysql.password_hash = salt,bcrypt
+
+## sha256 with salt suffix
+## auth.mysql.password_hash = sha256,salt
+
+## pbkdf2 with macfun iterations dklen
+## macfun: md4, md5, ripemd160, sha, sha224, sha256, sha384, sha512
+## auth.mysql.password_hash = pbkdf2,sha256,1000,20
+
+## Superuser query.
+##
+## Value: SQL
+##
+## Variables:
+##  - %u: username
+##  - %c: clientid
+##  - %C: common name of client TLS cert
+##  - %d: subject of client TLS cert
+##
+auth.mysql.super_query = select is_superuser from mqtt_user where username = '%u' limit 1
+
+## ACL query.
+##
+## Value: SQL
+##
+## Variables:
+##  - %a: ipaddr
+##  - %u: username
+##  - %c: clientid
+##
+## Note: You can add the 'ORDER BY' statement to control the rules match order
+auth.mysql.acl_query = select allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'
+
+## Mysql ssl configuration.
+##
+## Value: on | off
+auth.mysql.ssl = off
+
+## CA certificate.
+##
+## Value: File
+## auth.mysql.ssl.cafile  = path to your ca file
+
+## Client ssl certificate.
+##
+## Value: File
+## auth.mysql.ssl.certfile = path to your clientcert file
+
+## Client ssl keyfile.
+##
+## Value: File
+## auth.mysql.ssl.keyfile = path to your clientkey file
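Review bot: `auth.mysql.ssl = off` is the active default, and its comment (`## Mysql ssl configuration.`) does not say that the database credentials and the password hashes returned by `auth.mysql.auth_query` then cross the connection unencrypted. That is reasonable for the shipped `127.0.0.1:3306`, but the `auth.mysql.server` comment invites any `IP:Port`; add `## Set to on when the MySQL server is not on this host` above the setting. The commented example `pbkdf2,sha256,1000,20` also uses an iteration count that is low by current guidance, and since examples get copied it is worth raising the number or saying so in the comment.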

+ 16 - 0
etc/emqx.d/emqx_auth_username.conf

@@ -0,0 +1,16 @@
+##--------------------------------------------------------------------
+## Username Authentication Plugin
+##--------------------------------------------------------------------
+
+## Examples:
+##auth.user.1.username = admin
+##auth.user.1.password = public
+##auth.user.2.username = feng@emqtt.io
+##auth.user.2.password = public
+##auth.user.3.username = name~!@#$%^&*()_+
+##auth.user.3.password = pwsswd~!@#$%^&*()_+
+
+## Password hash.
+##
+## Value: plain | md5 | sha | sha256 
+auth.user.password_hash = sha256

Разница между файлами не показана из-за своего большого размера
+ 172 - 0
etc/emqx.d/emqx_bridge_mqtt.conf


Разница между файлами не показана из-за своего большого размера
+ 82 - 0
etc/emqx.d/emqx_coap.conf


Разница между файлами не показана из-за своего большого размера
+ 129 - 0
etc/emqx.d/emqx_dashboard.conf


Разница между файлами не показана из-за своего большого размера
+ 52 - 0
etc/emqx.d/emqx_management.conf


+ 4 - 0
etc/emqx.d/emqx_recon.conf

@@ -0,0 +1,4 @@
+##--------------------------------------------------------------------
+## Recon Plugin
+##--------------------------------------------------------------------
+

+ 41 - 0
etc/emqx.d/emqx_retainer.conf

@@ -0,0 +1,41 @@
+##--------------------------------------------------------------------
+## EMQ X Retainer
+##--------------------------------------------------------------------
+
+## Where to store the retained messages.
+##
+## Notice that all nodes in the same cluster have to be configured to
+## use the same storage_type.
+##
+## Value: ram | disc | disc_only
+##  - ram: memory only
+##  - disc: both memory and disc
+##  - disc_only: disc only
+##
+## Default: ram
+retainer.storage_type = ram
+
+## Maximum number of retained messages. 0 means no limit.
+##
+## Value: Number >= 0
+retainer.max_retained_messages = 0
+
+## Maximum retained message size.
+##
+## Value: Bytes
+retainer.max_payload_size = 1MB
+
+## Expiry interval of the retained messages. Never expire if the value is 0.
+##
+## Value: Duration
+##  - h: hour
+##  - m: minute
+##  - s: second
+##
+## Examples:
+##  - 2h:  2 hours
+##  - 30m: 30 minutes
+##  - 20s: 20 seconds
+##
+## Defaut: 0
+retainer.expiry_interval = 0
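Review bot: The active limits are all at their most permissive: `retainer.max_retained_messages = 0` (no limit) and `retainer.expiry_interval = 0` (never expire), with `retainer.max_payload_size = 1MB` and `retainer.storage_type = ram`. Together with an ACL that lets any client publish, as the acl.conf added in this commit does, retained messages can accumulate in memory without bound. I would ship finite defaults, or at least add above the first setting `## 0 disables the limit; set a bound in production, retained messages are held in memory when storage_type = ram`.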

+ 42 - 0
etc/emqx.d/emqx_rule_engine.conf

@@ -0,0 +1,42 @@
+##====================================================================
+## Rule Engine for EMQ X R4.0
+##====================================================================
+
+rule_engine.ignore_sys_message = on
+
+## Event Messages
+##
+## If enabled (on), rule engine publishes the event as an MQTT message
+## with topic='$events/<event-name>' on the occurrence of an emqx event.
+##
+## If disabled, rule engine stops publishing the event messages, but
+## the event message can still be processed by the rule SQL. e.g. rule SQL:
+##
+##   SELECT * FROM "$events/client_connected"
+##
+## will still work even if 'rule_engine.events.client_connected' is set to 'off'
+##
+## EMQ Event to event message mapping:
+##
+##   - client.connected      -> $events/client_connected
+##   - client.disconnected   -> $events/client_disconnected
+##   - session.subscribed    -> $events/session_subscribed
+##   - session.unsubscribed  -> $events/session_unsubscribed
+##   - message.delivered     -> $events/message_delivered
+##   - message.acked         -> $events/message_acked
+##   - message.dropped       -> $events/message_dropped
+##
+## Config Value Format: Toggle, QoS-Level
+##
+## Toggle: on/off
+##
+## QoS-Level: qos0/qos1/qos2
+
+#rule_engine.events.client_connected = on, qos1
+rule_engine.events.client_connected = off
+rule_engine.events.client_disconnected = off
+rule_engine.events.session_subscribed = off
+rule_engine.events.session_unsubscribed = off
+rule_engine.events.message_delivered = off
+rule_engine.events.message_acked = off
+rule_engine.events.message_dropped = off
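Review bot: `rule_engine.ignore_sys_message = on` is the only key in this file without a comment; the long block that follows documents only the `rule_engine.events.*` toggles. Add a short comment above it giving the allowed values and what is ignored when it is on (from the name, presumably messages on `$SYS/` topics, to be confirmed against the plugin). The commented `#rule_engine.events.client_connected = on, qos1` directly above the active `off` line would also read better with the label `## Example:`.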

+ 0 - 0
etc/emqx.d/emqx_sasl.conf


+ 53 - 0
etc/emqx.d/emqx_sn.conf

@@ -0,0 +1,53 @@
+##--------------------------------------------------------------------
+## MQTT-SN
+##--------------------------------------------------------------------
+
+## The UDP port which emq-sn is listening on.
+##
+## Value: IP:Port | Port
+##
+## Examples: 1884, 127.0.0.1:1884, ::1:1884
+mqtt.sn.port = 1884
+
+## The duration that emqx-sn broadcast ADVERTISE message through.
+##
+## Value: Duration
+mqtt.sn.advertise_duration = 15m
+
+## The MQTT-SN Gateway id in ADVERTISE message.
+##
+## Value: Number
+mqtt.sn.gateway_id = 1
+
+## To control whether write statistics data into ETS table for dashbord to read.
+##
+## Value: on | off
+mqtt.sn.enable_stats = off
+
+## To control whether accept and process the received publish message with qos=-1.
+##
+## Value: on | off
+mqtt.sn.enable_qos3 = off
+
+## MQTT SN idle timeout, specified in seconds.
+##
+## Value: Duration
+mqtt.sn.idle_timeout = 30s
+
+## The pre-defined topic name corresponding to the pre-defined topic id of N.
+## Note that the pre-defined topic id of 0 is reserved.
+mqtt.sn.predefined.topic.0 = reserved
+mqtt.sn.predefined.topic.1 = /predefined/topic/name/hello
+mqtt.sn.predefined.topic.2 = /predefined/topic/name/nice
+
+## Default username for MQTT-SN. This parameter is optional. If specified,
+## emq-sn will connect EMQ core with this username. It is useful if any auth
+## plug-in is enabled.
+##
+## Value: String
+mqtt.sn.username = mqtt_sn_user
+
+## This parameter is optional. Pair with username above.
+##
+## Value: String
+mqtt.sn.password = abc
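Review bot: `mqtt.sn.username = mqtt_sn_user` and `mqtt.sn.password = abc` are active defaults, so every gateway installed from this file would authenticate to the broker with the same three-character password published in the repository. The comment calls both parameters optional, so they can ship commented out as `## mqtt.sn.username = <USERNAME>` and `## mqtt.sn.password = <PASSWORD>`. `mqtt.sn.port = 1884` is given without an address; if that binds the UDP listener on all interfaces (not visible here), the comment should say how to restrict it, as the `127.0.0.1:1884` example suggests.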

Разница между файлами не показана из-за своего большого размера
+ 123 - 0
etc/emqx.d/emqx_stomp.conf


+ 28 - 0
etc/emqx.d/emqx_telemetry.conf

@@ -0,0 +1,28 @@
+##--------------------------------------------------------------------
+## Telemetry
+##--------------------------------------------------------------------
+
+## Enable telemetry
+##
+## Value: true | false
+##
+## Default: true
+telemetry.enabled = true
+
+## The destination URL for the telemetry data report
+##
+## Value: String
+##
+## Default: https://telemetry.emqx.io/api/telemetry
+telemetry.url = https://telemetry.emqx.io/api/telemetry
+
+## Interval for reporting telemetry data
+##
+## Value: Duration
+## -d: day
+## -h: hour
+## -m: minute
+## -s: second
+##
+## Default: 7d
+telemetry.report_interval = 7d
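Review bot: `telemetry.enabled = true` makes reporting to `https://telemetry.emqx.io/api/telemetry` opt-out, and the comments do not say what data is sent. Operators of restricted networks need that to decide whether to allow the outbound connection; add a comment listing the reported fields or pointing to their documentation, and state that `telemetry.enabled = false` stops the reports. Whether the default should be `false` is a project decision, but it should be a documented one.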

+ 66 - 0
etc/emqx.d/emqx_web_hook.conf

@@ -0,0 +1,66 @@
+##====================================================================
+## WebHook
+##====================================================================
+
+## The web services URL for Hook request
+##
+## Value: String
+web.hook.api.url = http://127.0.0.1:8080
+
+##--------------------------------------------------------------------
+## HTTP Request Headers
+##
+## The header params what you extra need
+## Format:
+##    web.hook.headers.<param> = your-param
+## Example:
+## 1. web.hook.headers.token = your-token
+## 2. web.hook.headers.other = others-param
+##
+## Value: String
+## web.hook.headers.token = your-token
+
+##--------------------------------------------------------------------
+## Encode message payload field
+##
+## Value: base64 | base62
+## web.hook.encode_payload = base64
+## Mysql ssl configuration.
+##
+## Value: on | off
+## web.hook.ssl = off
+
+##--------------------------------------------------------------------
+## CA certificate.
+##
+## Value: File
+## web.hook.ssl.cafile  = path to your ca file
+## Client ssl certificate.
+##
+## Value: File
+## web.hook.ssl.certfile = path to your clientcert file
+
+##--------------------------------------------------------------------
+## Client ssl keyfile.
+##
+## Value: File
+## web.hook.ssl.keyfile = path to your clientkey file
+
+##--------------------------------------------------------------------
+## Hook Rules
+## These configuration items represent a list of events should be forwarded
+##
+## Format:
+##   web.hook.rule.<HookName>.<No> = <Spec>
+#web.hook.rule.client.connect.1       = {"action": "on_client_connect"}
+#web.hook.rule.client.connack.1       = {"action": "on_client_connack"}
+#web.hook.rule.client.connected.1     = {"action": "on_client_connected"}
+#web.hook.rule.client.disconnected.1  = {"action": "on_client_disconnected"}
+#web.hook.rule.client.subscribe.1     = {"action": "on_client_subscribe"}
+#web.hook.rule.client.unsubscribe.1   = {"action": "on_client_unsubscribe"}
+#web.hook.rule.session.subscribed.1   = {"action": "on_session_subscribed"}
+#web.hook.rule.session.unsubscribed.1 = {"action": "on_session_unsubscribed"}
+#web.hook.rule.session.terminated.1   = {"action": "on_session_terminated"}
+#web.hook.rule.message.publish.1      = {"action": "on_message_publish"}
+#web.hook.rule.message.delivered.1    = {"action": "on_message_delivered"}
+#web.hook.rule.message.acked.1        = {"action": "on_message_acked"}
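Review bot: The comment `## Mysql ssl configuration.` above `## web.hook.ssl = off` was copied from the MySQL plugin file. The `##----` separators have also slipped, so the `encode_payload` block runs into the ssl block and `CA certificate` runs into `Client ssl certificate`. The active default `web.hook.api.url = http://127.0.0.1:8080` is plain HTTP and hook events can carry message payloads, so the TLS keys are the ones readers most need to find. Reword the comment to `## WebHook TLS configuration.`, put a separator before each of the four `web.hook.ssl*` keys, and add `## Use https:// when the receiver is not on this host` above the URL.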

+ 11 - 0
etc/emqx.d/ssl_dist.conf

@@ -0,0 +1,11 @@
+%% The options in the {server, Opts} tuple are used when calling ssl:ssl_accept/3,
+%% and the options in the {client, Opts} tuple are used when calling ssl:connect/4.
+%%
+%% More information at: http://erlang.org/doc/apps/ssl/ssl_distribution.html
+[{server,
+  [{certfile, "{{ platform_etc_dir }}/certs/cert.pem"},
+   {keyfile, "{{ platform_etc_dir }}/certs/key.pem"},
+   {secure_renegotiate, true},
+   {depth, 0}]},
+ {client,
+  [{secure_renegotiate, true}]}].
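Review bot: Neither option list enables peer verification: the `server` list has `certfile`, `keyfile` and `{depth, 0}` but no `cacertfile`, `{verify, verify_peer}` or `{fail_if_no_peer_cert, true}`, and the `client` list has only `secure_renegotiate`. Distribution traffic would then be encrypted, but unless the OTP release in use verifies by default, neither node checks which peer it is talking to. The lines below show the options I would add; the CA path is a placeholder to be replaced with the cluster's CA bundle, and the client certificate paths reuse the ones already in the server list. A header comment should also say that every node needs a certificate issued by that CA.

```erlang
[{server,
  [%% … unchanged: certfile, keyfile, secure_renegotiate, depth …
   {cacertfile, "<PATH_TO_CLUSTER_CA_PEM>"},
   {verify, verify_peer},
   {fail_if_no_peer_cert, true}]},
 {client,
  [{certfile, "{{ platform_etc_dir }}/certs/cert.pem"},
   {keyfile, "{{ platform_etc_dir }}/certs/key.pem"},
   {cacertfile, "<PATH_TO_CLUSTER_CA_PEM>"},
   {verify, verify_peer},
   %% … unchanged: secure_renegotiate …
```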