vernemq.conf.sh

#!/usr/bin/env bash
: ${ENVIRONMENT:=production}
: ${NODE_NAME:="VerneMQ@127.0.0.1"}
: ${AUTH_ANONYMOUS:=off}
: ${LOG_LEVEL:=info}
: ${MAX_CLIENT_ID_SIZE:=345} # 256 * 1.333 = 341,248 -> 345
: ${HOST:=127.0.0.1}
: ${PORT:=1883}
: ${ADAPTER_HOST:=platform}
: ${ADAPTER_PORT:=8080}

: ${WS_ENABLED:=1}
: ${WS_PORT:=8080}

: ${TLS_ENABLED:=0}
: ${TLS_PORT:=8883}
: ${TLS_CIPHERS:=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256}

: ${HTTP_ENABLED:=0}
: ${HTTP_PORT:=8888}

: ${VERNEMQ_ACCEPT_EULA:=no}

TLS_CAFILE=/etc/vernemq/cacerts.pem
TLS_CERTFILE=/etc/vernemq/cert.pem
TLS_KEYFILE=/etc/vernemq/key.pem

# filter out cipher suites not supported by openssl
#TLS_CIPHERS=$(openssl ciphers -s "$TLS_CIPHERS")

function listeners {
    echo "listener.tcp.default = ${HOST}:${PORT}";
    if [[ "$WS_ENABLED" = "1" ]]; then
        echo "listener.ws.default = ${HOST}:${WS_PORT}"
    fi
    if [[ "$TLS_ENABLED" = "1" ]]; then
        echo "listener.ssl.default = ${HOST}:${TLS_PORT}"
    fi
    if [[ "$HTTP_ENABLED" = "1" ]]; then
        echo "listener.http.default = ${HOST}:${HTTP_PORT}"
    fi
}

function tls_cafile {
    [[ "$TLS_ENABLED" = "1" ]] && echo "listener.ssl.cafile = ${TLS_CAFILE}"
}
function tls_certfile {
    [[ "$TLS_ENABLED" = "1" ]] && echo "listener.ssl.certfile = ${TLS_CERTFILE}"
}
function tls_keyfile {
    [[ "$TLS_ENABLED" = "1" ]] && echo "listener.ssl.keyfile = ${TLS_KEYFILE}"
}

cat <<EOF
## To use this pre-packaged version of VerneMQ you must agree
## to our end user license agreement (EULA).
## The EULA can be found on https://vernemq.com/end-user-license-agreement.
##
## Default: no
##
## Acceptable values:
##   - one of: yes, no
accept_eula = ${VERNEMQ_ACCEPT_EULA}

## Allow anonymous users to connect, default is 'off'. !!NOTE!!
## Enabling this completely disables authentication of the clients and
## should only be used for testing/development purposes or in case
## clients are authenticated by some other means.
##
## Default: off
##
## Acceptable values:
##   - on or off
allow_anonymous = ${AUTH_ANONYMOUS}

## Allow new client connections even when a VerneMQ cluster is inconsistent.
##
## Default: off
##
## Acceptable values:
##   - on or off
allow_register_during_netsplit = off

## Allow message publishs even when a VerneMQ cluster is inconsistent.
##
## Default: off
##
## Acceptable values:
##   - on or off
allow_publish_during_netsplit = off

## Allow new subscriptions even when a VerneMQ cluster is inconsistent.
##
## Default: off
##
## Acceptable values:
##   - on or off
allow_subscribe_during_netsplit = off

## Allow clients to unsubscribe when a VerneMQ cluster is inconsistent.
##
## Default: off
##
## Acceptable values:
##   - on or off
allow_unsubscribe_during_netsplit = off

## Allows a client to logon multiple times using the same client
## id (non-standard behaviour!). This feature is DEPRECATED and will
## be removed in VerneMQ 2.0.
##
## Default: off
##
## Acceptable values:
##   - on or off
allow_multiple_sessions = off

## Client registrations can be either happen in a coordinated or
## uncoordinated fashion. Uncoordinated registrations are faster and
## will cause other clients with the same client-id to be eventually
## disconnected, while coordinated ensures that any other client with
## the same client-id will be immediately disconnected.
##
## Default: on
##
## Acceptable values:
##   - on or off
coordinate_registrations = on

## Set the time in seconds VerneMQ waits before a retry, in case a (QoS=1 or QoS=2) message
## delivery gets no answer.
##
## Default: 20
##
## Acceptable values:
##   - an integer
## retry_interval = 20

## Set the maximum size for client IDs. MQTT v3.1 specifies a
## limit of 23 characters
##
## Default: 100
##
## Acceptable values:
##   - an integer
max_client_id_size = ${MAX_CLIENT_ID_SIZE}

## This option allows persistent clients ( = clean session set to
## false) to be removed if they do not reconnect within 'persistent_client_expiration'.
## This is a non-standard option. As far as the MQTT specification is concerned,
## persistent clients persist forever.
## The expiration period should be an integer followed by one of 'd', 'w', 'm', 'y' for
## day, week, month, and year.
##
## Default: never
##
## Acceptable values:
##   - text
## persistent_client_expiration = 1w

## The maximum delay for a last will message. This setting
## applies only to MQTTv5 sessions and can be used to override the
## value provided by the client.
## The delay can be either 'client' which means the value specified by
## the client is used, or an integer followed by one of 's', 'h' 'd',
## 'w', 'm', 'y' for day, week, month, and year used to cap the value
## provided by the client..
##
## Default: client
##
## Acceptable values:
##   - text
## max_last_will_delay = client

## The maximum number of QoS 1 or 2 messages that can be in the process of being
## transmitted simultaneously. This includes messages currently going through handshakes
## and messages that are being retried. Defaults to 20. Set to 0 for no maximum. If set
## to 1, this will guarantee in-order delivery of messages.
##
## Default: 20
##
## Acceptable values:
##   - an integer
max_inflight_messages = 20

## The maximum number of messages to hold in the queue above
## those messages that are currently in flight. Defaults to 1000. This affects
## messages of any QoS. Set to -1 for no maximum (not recommended).
## This option allows to control how a specific client session can deal
## with message bursts. As a general rule of thumb set
## this number a bit higher than the expected message rate a single consumer is
## required to process. Note that setting this value to 0 will totally block
## delivery from any queue.
##
## Default: 1000
##
## Acceptable values:
##   - an integer
max_online_messages = 1000

## The maximum number of QoS 1 or 2 messages to hold in the offline queue.
## Defaults to 1000. Set to -1 for no maximum (not recommended). Set to 0
## if no messages should be stored offline.
##
## Default: 1000
##
## Acceptable values:
##   - an integer
max_offline_messages = 1000

## This option sets the maximum MQTT size that VerneMQ will
## allow.  Messages that exceed this size will not be accepted by
## VerneMQ. The default value is 0, which means that all valid MQTT
## messages are accepted. MQTT imposes a maximum payload size of
## 268435455 bytes.
##
## Default: 0
##
## Acceptable values:
##   - an integer
max_message_size = 0

## If a message is published with a QoS lower than the QoS of the subscription it is
## delivered to, VerneMQ can upgrade the outgoing QoS. This is a non-standard option.
##
## Default: off
##
## Acceptable values:
##   - on or off
upgrade_outgoing_qos = off

## listener.tcp.buffer_sizes is an list of three integers
## (sndbuf,recbuf,buffer) specifying respectively the kernel TCP send
## buffer, the kernel TCP receive buffer and the user-level buffer
## size in the erlang driver.
## It is recommended to have val(user-level buffer) >= val(receive
## buffer) to avoid performance issues because of unnecessary copying.
## If not set, the operating system defaults are used.
## This option can be set on the protocol level by:
## - listener.tcp.buffer_sizes
## - listener.ssl.buffer_sizes
## or on the listener level by:
## - listener.tcp.my_tcp_listener.buffer_sizes
## - listener.ssl.my_ssl_listener.buffer_sizes
##
## Acceptable values:
##   - text
## listener.tcp.buffer_sizes = 4096,16384,32768

## listener.max_connections is an integer or 'infinity' defining
## the maximum number of concurrent connections. This option can be overridden
## on the protocol level by:
## - listener.tcp.max_connections
## - listener.ssl.max_connections
## - listener.ws.max_connections
## - listener.wss.max_connections
## or on the listener level by:
## - listener.tcp.my_tcp_listener.max_connections
## - listener.ssl.my_ssl_listener.max_connections
## - listener.ws.my_ws_listener.max_connections
## - listener.wss.my_wss_listener.max_connections
##
## Default: 10000
##
## Acceptable values:
##   - an integer
##   - the text "infinity"
listener.max_connections = 10000

## Set the maximum frame in bytes that a WebSocket connection is allowed to
## send. If the client tries to send more in one frame, the server will disconnect it.
##
## Default: 268435456
##
## Acceptable values:
##   - an integer
##   - the text "infinity"
max_ws_frame_size = 268435456

## Set the nr of acceptors waiting to concurrently accept new connections.
## This can be specified either on the protocol level:
## - listener.tcp.nr_of_acceptors
## - listener.ssl.nr_of_acceptors
## - listener.ws.nr_of_acceptors
## - listener.wss.nr_of_acceptors
## or on the listener level:
## - listener.tcp.my_tcp_listener.nr_of_acceptors
## - listener.ssl.my_ssl_listener.nr_of_acceptors
## - listener.ws.my_ws_listener.nr_of_acceptors
## - listener.wss.my_wss_listener.nr_of_acceptors
##
## Default: 10
##
## Acceptable values:
##   - an integer
listener.nr_of_acceptors = 10

## 'listener.tcp.my_listener.allow_anonymous_override' configures whether
## this listener is allowed to override the global allow_anonymous setting.
## The setting has one single purpose: to give a listener the capability to switch off
## all authentication plugins. (that is override a global allow_anonymous=off with a per-listener allow_anonymous=on).
## Specifically, it can allow TLS listeners to disable internal authentication (using only client certificates as
## authentication) while keeping all the other MQTT listeners safe.
## global | listener | Result for listener:  (on = anonymous access allowed)
## on     | on       | on
## off    | on       | on
## off    | off      | off
## on     | off      | on
## Both values are simply OR'ed together. Please note that this does not allow you to globally allow anonymous access, and
## then selectively switch off single listeners!
## - listener.tcp.my_listener.allow_anonymous_override
## - listener.ssl.my_listener.allow_anonymous_override
## Allowed values are 'on' or 'off'. The default value for an unconfigured listener will be 'off'.
##
## Default: off
##
## Acceptable values:
##   - on or off
## listener.tcp.name.allow_anonymous_override = off

##
## Default: off
##
## Acceptable values:
##   - on or off
## listener.ssl.name.allow_anonymous_override = off

## 'listener.tcp.allowed_protocol_versions' configures which
## protocol versions are allowed for an MQTT listener. The allowed
## protocol versions can be specified the tcp, websocket or ssl level:
## - listener.tcp.allowed_protocol_versions
## - listener.ws.allowed_protocol_versions
## - listener.wss.allowed_protocol_versions
## - listener.ssl.allowed_protocol_versions
## or for a specific listener:
## - listener.tcp.my_tcp_listener.allowed_protocol_versions
## - listener.ws.my_ws_listener.allowed_protocol_versions
## - listener.wss.my_ws_listener.allowed_protocol_versions
## - listener.ssl.my_ws_listener.allowed_protocol_versions
## Allowed values are 3 (MQTT 3.1), 4 (MQTT 3.1.1), 5 (MQTT 5.0), 131
## (MQTT 3.1 bridge), 132 (MQTT 3.1.1 bridge).
##
## Default: 3,4,5,131
##
## Acceptable values:
##   - text
## listener.tcp.allowed_protocol_versions = 3,4,5

## listener.vmq.clustering is the IP address and TCP port that
## the broker will bind to accept connections from other cluster
## nodes e.g:
## - listener.vmq.clustering = 0.0.0.0:18883
## This also works for SSL listeners:
## - listener.vmqs.clustering = 0.0.0.0:18884
##
## Default: 0.0.0.0:44053
##
## Acceptable values:
##   - an IP/port pair, e.g. 127.0.0.1:10011
listener.vmq.clustering = 0.0.0.0:44053

## listener.http.default is the IP address and TCP port that
## the broker will bind to accept HTTP connections
## - listener.http.default = 0.0.0.0:8888
## This also works for SSL listeners:
## - listener.https.default= 0.0.0.0:8889
##
## Default: 127.0.0.1:8888
##
## Acceptable values:
##   - an IP/port pair, e.g. 127.0.0.1:10011
#listener.http.default = 127.0.0.1:8888

## The cafile is used to define the path to a file containing
## the PEM encoded CA certificates that are trusted. Set the cafile
## on the protocol level or on the listener level:
## - listener.ssl.cafile
## - listener.wss.cafile
## or on the listener level:
## - listener.ssl.my_ssl_listener.cafile
## - listener.wss.my_wss_listener.cafile
##
## Default:
##
## Acceptable values:
##   - the path to a file
## listener.ssl.cafile = /etc/vernemq/cacerts.pem
# $(tls_cafile)

##
## Default:
##
## Acceptable values:
##   - the path to a file
## listener.https.cafile = /etc/vernemq/cacerts.pem

## Set the path to the PEM encoded server certificate
## on the protocol level or on the listener level:
## - listener.ssl.certfile
## - listener.wss.certfile
## or on the listener level:
## - listener.ssl.my_ssl_listener.certfile
## - listener.wss.my_wss_listener.certfile
##
## Default:
##
## Acceptable values:
##   - the path to a file
$(tls_certfile)

##
## Default:
##
## Acceptable values:
##   - the path to a file
## listener.https.certfile = /etc/vernemq/cert.pem

## Set the path to the PEM encoded key file on the protocol
## level or on the listener level:
## - listener.ssl.keyfile
## - listener.wss.keyfile
## or on the listener level:
## - listener.ssl.my_ssl_listener.keyfile
## - listener.wss.my_wss_listener.keyfile
##
## Default:
##
## Acceptable values:
##   - the path to a file
$(tls_keyfile)

##
## Default:
##
## Acceptable values:
##   - the path to a file
## listener.vmqs.keyfile = /etc/vernemq/key.pem

##
## Default:
##
## Acceptable values:
##   - the path to a file
## listener.https.keyfile = /etc/vernemq/key.pem

## Set the list of allowed ciphers (each separated with a colon,
## e.g. "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"),
## on the protocol level or on the listener level. Reasonable defaults
## are used if nothing is specified:
## - listener.ssl.ciphers
## - listener.wss.ciphers
## or on the listener level:
## - listener.ssl.my_ssl_listener.ciphers
## - listener.wss.my_wss_listener.ciphers
##
## Default:
##
## Acceptable values:
##   - text
#listener.ssl.ciphers = ${TLS_CIPHERS}

##
## Default:
##
## Acceptable values:
##   - text
## listener.vmqs.ciphers =

##
## Default:
##
## Acceptable values:
##   - text
## listener.https.ciphers =

## Set the list of allowed elliptical curves (each separated with a colon,
## e.g. "[sect571k1,secp521r1,brainpoolP512r1]"), on the protocol level or on the listener level.
## All known curves are used if nothing is specified.
## - listener.ssl.eccs
## - listener.wss.eccs
## or on the listener level:
## - listener.ssl.my_ssl_listener.eccs
## - listener.wss.my_wss_listener.eccs
##
## Default:
##
## Acceptable values:
##   - text
## listener.ssl.eccs = [brainpoolP384r1, secp384r1, sect283k1]

##
## Default:
##
## Acceptable values:
##   - text
## listener.vmqs.eccs = [brainpoolP384r1, secp384r1, sect283k1]

##
## Default:
##
## Acceptable values:
##   - text
## listener.https.eccs = [brainpoolP384r1, secp384r1, sect283k1]

## If you have 'listener.ssl.require_certificate' set to true,
## you can create a certificate revocation list file to revoke access
## to particular client certificates. If you have done this, use crlfile
## to point to the PEM encoded revocation file. This can be done on the
## protocol level or on the listener level.
## - listener.ssl.crlfile
## - listener.wss.crlfile
## or on the listener level:
## - listener.ssl.my_ssl_listener.crlfile
## - listener.wss.my_wss_listener.crlfile
##
## Default:
##
## Acceptable values:
##   - the path to a file
## listener.ssl.crlfile =

## Enable this option if you want to use SSL client certificates
## to authenticate your clients. This can be done on the protocol level
## or on the listener level.
## - listener.ssl.require_certificate
## - listener.wss.require_certificate
## or on the listener level:
## - listener.ssl.my_ssl_listener.require_certificate
## - listener.wss.my_wss_listener.require_certificate
##
## Default: off
##
## Acceptable values:
##   - on or off
## listener.ssl.require_certificate = off

##
## Default: off
##
## Acceptable values:
##   - on or off
## listener.vmqs.require_certificate = off

##
## Default: off
##
## Acceptable values:
##   - on or off
## listener.https.require_certificate = off

## Configure the TLS protocol version (tlsv1, tlsv1.1, or tlsv1.2) to be
##
## Default: tlsv1.2
##
## Acceptable values:
##   - text
## listener.ssl.tls_version = tlsv1.2

##
## Default: tlsv1.2
##
## Acceptable values:
##   - text
## listener.vmqs.tls_version = tlsv1.2

##
## Default: tlsv1.2
##
## Acceptable values:
##   - text
## listener.https.tls_version = tlsv1.2

## If 'listener.ssl.require_certificate' is enabled, you may enable
## 'listener.ssl.use_identity_as_username' to use the CN value from the client
## certificate as a username. If enabled other authentication plugins are not
## considered. The option can be specified either for all SSL listeners or for
## a specific listener:
## - listener.ssl.use_identity_as_username
## - listener.wss.use_identity_as_username
## or on the listener level:
## - listener.ssl.my_ssl_listener.use_identity_as_username
## - listener.wss.my_wss_listener.use_identity_as_username
##
## Default: off
##
## Acceptable values:
##   - on or off
## listener.ssl.use_identity_as_username = off

## Enable the \$SYSTree Reporter.
##
## Default: on
##
## Acceptable values:
##   - on or off
systree_enabled = on

## The integer number of milliseconds between updates of the \$SYS subscription hierarchy,
## which provides status information about the broker. If unset, defaults to 20 seconds.
## Set to 0 to disable publishing the \$SYS hierarchy completely.
##
## Default: 20000
##
## Acceptable values:
##   - an integer
systree_interval = 20000

## Enable the Graphite Reporter. Ensure to also configure a
## proper graphite.host
##
## Default: off
##
## Acceptable values:
##   - on or off
graphite_enabled = off

## the graphite server host name
##
## Default: localhost
##
## Acceptable values:
##   - text
graphite_host = localhost

## the tcp port of the graphite server
##
## Default: 2003
##
## Acceptable values:
##   - an integer
graphite_port = 2003

## the interval we push metrics to the graphite server in ms
##
## Default: 20000
##
## Acceptable values:
##   - an integer
graphite_interval = 20000

## set the prefix that is applied to all metrics reported to graphite
##
## Default:
##
## Acceptable values:
##   - text
## graphite_prefix = my-prefix

## the graphite server api key, e.g. used by hostedgraphite.com
##
## Default:
##
## Acceptable values:
##   - text
## graphite_api_key = My-Api-Key

## Distribution policy for shared subscriptions. Default is
## 'prefer_local' which will ensure that local subscribers will be
## used if any are available. 'local_only' will select a random local
## subscriber if any are available. 'random' will randomly choose
## between all available subscribers.
##
## Default: prefer_local
##
## Acceptable values:
##   - text
shared_subscription_policy = prefer_local

## plugins.<plugin> enables/disables a plugin.
## Plugin specific settings are set via the plugin itself, i.e., to
## set the 'file' setting for the myplugin plugin, add a line like:
## myplugin.file = /path/to/file
##
## Acceptable values:
##   - on or off
## plugins.name = on

## plugins.<name>.path defines the location of the plugin
## associated with <name>. This is needed for plugins that are not
## shipped with VerneMQ.
##
## Acceptable values:
##   - the path to a directory
## plugins.mypluginname.path = /path/to/myplugin

## plugins.<name>.priority defines the load order of the
## plugins. Plugins are loaded by priority. If no priority is given
## the load order is undefined. Prioritized plugins will always be
## loaded before plugins with no defined priority.
##
## Acceptable values:
##   - an integer
## plugins.mypluginname.priority = 5

## File based authentication plugin.
##
## Default: on
##
## Acceptable values:
##   - on or off
plugins.vmq_passwd = off

## File based authorization plugin.
##
## Default: on
##
## Acceptable values:
##   - on or off
plugins.vmq_acl = off

## Lua based plugins.
##
## Default: off
##
## Acceptable values:
##   - on or off
plugins.vmq_diversity = off

## Webhook based plugins.
##
## Default: off
##
## Acceptable values:
##   - on or off
plugins.vmq_webhooks = off

## The VerneMQ bridge plugin.
##
## Default: off
##
## Acceptable values:
##   - on or off
plugins.vmq_bridge = off

## Limits the maximum topic depth
##
## Default: 10
##
## Acceptable values:
##   - an integer
topic_max_depth = 10

## Specifies the metadata plugin that is used for storing and replicating
## VerneMQ metadata objects such as MQTT subscriptions and retained messages.
## The default is kept at \`vmq_plumtree\` for compatibility with existing deployments.
## For new cluster deployments, the recommendation is to use 'vmq_swc' from the
## beginning. Note that the 2 protocols are not compatible, so clusters can't be
## mixed.
##
## Default: vmq_swc
##
## Acceptable values:
##   - one of: vmq_plumtree, vmq_swc
metadata_plugin = vmq_swc

## Set the path to an access control list file.
##
## Default: /etc/vernemq/vmq.acl
##
## Acceptable values:
##   - the path to a file
vmq_acl.acl_file = /etc/vernemq/vmq.acl

## set the acl reload interval in seconds, the value 0 disables
## the automatic reloading of the acl file.
##
## Default: 10
##
## Acceptable values:
##   - an integer
vmq_acl.acl_reload_interval = 10

## Set the path to a password file.
##
## Default: /etc/vernemq/vmq.passwd
##
## Acceptable values:
##   - the path to a file
vmq_passwd.password_file = /etc/vernemq/vmq.passwd

## set the password reload interval in seconds, the value 0
## disables the automatic reloading of the password file.
##
## Default: 10
##
## Acceptable values:
##   - an integer
vmq_passwd.password_reload_interval = 10

## Configure the vmq_diversity plugin script dir. The script dir
## is searched for Lua scripts which are automatically loaded when the
## plugin is enabled.
##
## Default: /usr/share/vernemq/lua
##
## Acceptable values:
##   - the path to a directory
vmq_diversity.script_dir = /usr/share/vernemq/lua

##
## Default: off
##
## Acceptable values:
##   - on or off
vmq_diversity.auth_postgres.enabled = off

##
## Default: localhost
##
## Acceptable values:
##   - text
## vmq_diversity.postgres.host = localhost

##
## Default: 5432
##
## Acceptable values:
##   - an integer
## vmq_diversity.postgres.port = 5432

##
## Default: root
##
## Acceptable values:
##   - text
## vmq_diversity.postgres.user = root

##
## Default: password
##
## Acceptable values:
##   - text
## vmq_diversity.postgres.password = password

##
## Default: vernemq_db
##
## Acceptable values:
##   - text
## vmq_diversity.postgres.database = vernemq_db

## Specify if the postgresql driver should use TLS or not.
##
## Default: off
##
## Acceptable values:
##   - on or off
vmq_diversity.postgres.ssl = off

## The cafile is used to define the path to a file containing
## the PEM encoded CA certificates that are trusted.
##
## Default:
##
## Acceptable values:
##   - the path to a file
## vmq_diversity.postgres.cafile = /etc/vernemq/cafile.pem

## Set the path to the PEM encoded server certificate.
##
## Default:
##
## Acceptable values:
##   - the path to a file
## vmq_diversity.postgres.certfile = /etc/vernemq/cert.pem

## Set the path to the PEM encoded key file.
##
## Default:
##
## Acceptable values:
##   - the path to a file
## vmq_diversity.postgres.keyfile = /etc/vernemq/keyfile.pem

## The password hashing method to use in PostgreSQL:
##
## Default: crypt
##
## Acceptable values:
##   - one of: crypt, bcrypt
vmq_diversity.postgres.password_hash_method = crypt

##
## Default: off
##
## Acceptable values:
##   - on or off
vmq_diversity.auth_cockroachdb.enabled = off

##
## Default: localhost
##
## Acceptable values:
##   - text
## vmq_diversity.cockroachdb.host = localhost

##
## Default: 5432
##
## Acceptable values:
##   - an integer
## vmq_diversity.cockroachdb.port = 5432

##
## Default: root
##
## Acceptable values:
##   - text
## vmq_diversity.cockroachdb.user = root

##
## Default: password
##
## Acceptable values:
##   - text
## vmq_diversity.cockroachdb.password = password

##
## Default: vernemq_db
##
## Acceptable values:
##   - text
## vmq_diversity.cockroachdb.database = vernemq_db

## Specify if the cockroachdb driver should use TLS or not.
##
## Default: on
##
## Acceptable values:
##   - on or off
vmq_diversity.cockroachdb.ssl = on

## The cafile is used to define the path to a file containing
## the PEM encoded CA certificates that are trusted.
##
## Default:
##
## Acceptable values:
##   - the path to a file
## vmq_diversity.cockroachdb.cafile = /etc/vernemq/cafile.pem

## Set the path to the PEM encoded server certificate.
##
## Default:
##
## Acceptable values:
##   - the path to a file
## vmq_diversity.cockroachdb.certfile = /etc/vernemq/cert.pem

## Set the path to the PEM encoded key file.
##
## Default:
##
## Acceptable values:
##   - the path to a file
## vmq_diversity.cockroachdb.keyfile = /etc/vernemq/keyfile.pem

## The password hashing method to use in CockroachDB:
##
## Default: bcrypt
##
## Acceptable values:
##   - one of: sha256, bcrypt
vmq_diversity.cockroachdb.password_hash_method = bcrypt

##
## Default: off
##
## Acceptable values:
##   - on or off
vmq_diversity.auth_mysql.enabled = off

##
## Default: localhost
##
## Acceptable values:
##   - text
## vmq_diversity.mysql.host = localhost

##
## Default: 3306
##
## Acceptable values:
##   - an integer
## vmq_diversity.mysql.port = 3306

##
## Default: root
##
## Acceptable values:
##   - text
## vmq_diversity.mysql.user = root

##
## Default: password
##
## Acceptable values:
##   - text
## vmq_diversity.mysql.password = password

##
## Default: vernemq_db
##
## Acceptable values:
##   - text
## vmq_diversity.mysql.database = vernemq_db

## The password hashing method to use in MySQL:
## password: Default for compatibility, deprecated since MySQL 5.7.6 and not
## usable with MySQL 8.0.11+.
## Docs: https://dev.mysql.com/doc/refman/5.7/en/encryption-functions.html#function_password
## md5: Calculates an MD5 128-bit checksum of the password.
## Docs: https://dev.mysql.com/doc/refman/8.0/en/encryption-functions.html#function_md5
## sha1: Calculates the SHA-1 160-bit checksum for the password.
## Docs: https://dev.mysql.com/doc/refman/8.0/en/encryption-functions.html#function_sha1
## sha256: Calculates the SHA-2 hash of the password, using 256 bits.
## Works only if MySQL has been configured with SSL support.
## Docs: https://dev.mysql.com/doc/refman/8.0/en/encryption-functions.html#function_sha2
##
## Default: password
##
## Acceptable values:
##   - one of: password, md5, sha1, sha256
vmq_diversity.mysql.password_hash_method = password

##
## Default: off
##
## Acceptable values:
##   - on or off
vmq_diversity.auth_mongodb.enabled = off

##
## Default: localhost
##
## Acceptable values:
##   - text
## vmq_diversity.mongodb.host = localhost

##
## Default: 27017
##
## Acceptable values:
##   - an integer
## vmq_diversity.mongodb.port = 27017

##
## Acceptable values:
##   - text
## vmq_diversity.mongodb.login =

##
## Acceptable values:
##   - text
## vmq_diversity.mongodb.password =

##
## Default: admin
##
## Acceptable values:
##   - text
## vmq_diversity.mongodb.auth_source =

##
## Acceptable values:
##   - text
## vmq_diversity.mongodb.database =

## Specify if the mongodb driver should use TLS or not.
##
## Default: off
##
## Acceptable values:
##   - on or off
vmq_diversity.mongodb.ssl = off

## The cafile is used to define the path to a file containing
## the PEM encoded CA certificates that are trusted.
##
## Default:
##
## Acceptable values:
##   - the path to a file
## vmq_diversity.mongodb.cafile = /etc/vernemq/cafile.pem

## Set the path to the PEM encoded server certificate.
##
## Default:
##
## Acceptable values:
##   - the path to a file
## vmq_diversity.mongodb.certfile = /etc/vernemq/cert.pem

## Set the path to the PEM encoded key file.
##
## Default:
##
## Acceptable values:
##   - the path to a file
## vmq_diversity.mongodb.keyfile = /etc/vernemq/keyfile.pem

##
## Default: off
##
## Acceptable values:
##   - on or off
vmq_diversity.auth_redis.enabled = off

##
## Default: localhost
##
## Acceptable values:
##   - text
## vmq_diversity.redis.host = localhost

##
## Default: 6379
##
## Acceptable values:
##   - an integer
## vmq_diversity.redis.port = 6379

##
## Default:
##
## Acceptable values:
##   - text
## vmq_diversity.redis.password =

##
## Default: 0
##
## Acceptable values:
##   - an integer
## vmq_diversity.redis.database = 0

##
## Default: localhost
##
## Acceptable values:
##   - text
## vmq_diversity.memcache.host = localhost

##
## Default: 11211
##
## Acceptable values:
##   - an integer
## vmq_diversity.memcache.port = 11211

## vmq_diversity.<name>.file = <file> loads a specific lua
## script when \`vmq_diversity\` starts. The scripts are loaded in the
## order defined by the names given, i.e., the script with <name>
## 'script1' is started before the plugin with <name> 'script2'.
## Scripts loaded like this are loaded after the scripts in the
## default script dir.
##
## Acceptable values:
##   - the path to a file
## vmq_diversity.script1.file = path/to/my/script.lua

## The pool_size specifies how many bcrypt port operations are
## allowed concurrently. The value \`auto\` will try to detect all
## logical cpus and set the pool size to that number minus 1.
## If the number of logical cpus cannot be detected, a value of 1 is used.
##
## Default: 1
##
## Acceptable values:
##   - an integer
##   - one of: auto
vmq_bcrypt.pool_size = 1

## The pool_size specifies how many bcrypt NIF operations are
## allowed concurrently. The value \`auto\` will try to detect all
## logical cpus and set the pool size to that number minus 1.
## If the number of logical cpus cannot be detected, a value of 1 is used.
##
## Default: 4
##
## Acceptable values:
##   - an integer
##   - one of: auto
vmq_bcrypt.nif_pool_size = 4

## Specifies the max workers to overflow of the bcrypt NIF program pool.
##
## Default: 10
##
## Acceptable values:
##   - an integer
vmq_bcrypt.nif_pool_max_overflow = 10

## Specifies the number of bcrypt log rounds, defining the hashing complexity.
##
## Default: 12
##
## Acceptable values:
##   - an integer
vmq_bcrypt.default_log_rounds = 12

## Specify where bcrypt is called as an Erlang port or NIF
##
## Default: port
##
## Acceptable values:
##   - one of: nif, port
vmq_bcrypt.mechanism = port

## To configure and register a webhook a hook and an endpoint
## need to be configured and this is achieved by associating both with
## a name. vmq_webhooks.<name>.hook = <hook> associates the hook
## <hook> with the name <name>. Webhooks are registered in the order
## of the name given to it. Therefore a webhook with name 'webhook1'
## is registered before a webhook with the name 'webhook2'.
##
## Acceptable values:
##   - one of: auth_on_register, auth_on_publish, auth_on_subscribe, on_register, on_publish, on_subscribe, on_unsubscribe, on_deliver, on_offline_message, on_client_wakeup, on_client_offline, on_client_gone, on_session_expired, auth_on_register_m5, auth_on_publish_m5, auth_on_subscribe_m5, on_register_m5, on_publish_m5, on_subscribe_m5, on_unsubscribe_m5, on_deliver_m5, on_auth_m5
## vmq_webhooks.webhook1.hook = auth_on_register

## Associate an endpoint with a name.
##
## Acceptable values:
##   - text
## vmq_webhooks.webhook1.endpoint = http://localhost/myendpoints

## Configure TLS version for HTTPS webhook calls
## HTTPS webhooks.
##
## Default: tlsv1.2
##
## Acceptable values:
##   - text
## vmq_webhooks.tls_version = tlsv1.2

## Specify the address and port of the bridge to connect to. Several
## bridges can configured by using different bridge names (e.g. br0). If the
## connection supports SSL encryption bridge.ssl.<name> can be used.
##
## Acceptable values:
##   - text
## vmq_bridge.tcp.br0 = 127.0.0.1:1889

## Set the clean session option for the bridge. By default this is disabled,
## which means that all subscriptions on the remote broker are kept in case of
## the network connection dropping. If enabled, all subscriptions and messages
## on the remote broker will be cleaned up if the connection drops.
##
## Default: off
##
## Acceptable values:
##   - on or off
## vmq_bridge.tcp.br0.cleansession = off

## Set the client id for this bridge connection. If not defined, this
## defaults to 'name.hostname', where name is the connection name and hostname
## is the hostname of this computer.
##
## Default: auto
##
## Acceptable values:
##   - text
## vmq_bridge.tcp.br0.client_id = auto

## Set the number of seconds after which the bridge should send a ping if
## no other traffic has occurred.
##
## Default: 60
##
## Acceptable values:
##   - an integer
## vmq_bridge.tcp.br0.keepalive_interval = 60

## Configure a username for the bridge. This is used for authentication
## purposes when connecting to a broker that support MQTT v3.1 and requires a
## username and/or password to connect. See also the password option.
##
## Acceptable values:
##   - text
## vmq_bridge.tcp.br0.username = my_remote_user

## Configure a password for the bridge. This is used for authentication
## purposes when connecting to a broker that support MQTT v3.1 and requires a
## username and/or password to connect. This option is only valid if a username
## is also supplied.
##
## Acceptable values:
##   - text
## vmq_bridge.tcp.br0.password = my_remote_password

## Define one or more topic pattern to be shared between the two brokers.
## Any topics matching the pattern (including wildcards) are shared.
## The following format is used:
## pattern [[[ out | in | both ] qos-level] local-prefix remote-prefix]
## [ out | in | both ]: specifies that this bridge exports messages (out), imports
## messages (in) or shared in both directions (both). If undefined we default to
## export (out).
## qos-level: specifies the publish/subscribe QoS level used for this
## toppic. If undefined we default to QoS 0.
## local-prefix and remote-prefix: For incoming topics, the bridge
## will prepend the pattern with the remote prefix and subscribe to
## the resulting topic on the remote broker.  When a matching
## incoming message is received, the remote prefix will be removed
## from the topic and then the local prefix added.
## For outgoing topics, the bridge will prepend the pattern with the
## local prefix and subscribe to the resulting topic on the local
## broker. When an outgoing message is processed, the local prefix
## will be removed from the topic then the remote prefix added.
## For shared subscriptions topic prefixes are applied only to the
## topic part of the subscription.
##
## Acceptable values:
##   - text
## vmq_bridge.tcp.br0.topic.1 = topic

## Set the amount of time a bridge using the automatic start type will wait
## until attempting to reconnect. Defaults to 30 seconds.
##
## Default: 10
##
## Acceptable values:
##   - an integer
## vmq_bridge.tcp.br0.restart_timeout = 10

## If try_private is enabled, the bridge will attempt to indicate to the
## remote broker that it is a bridge not an ordinary client.
## Note that loop detection for bridges is not yet implemented.
##
## Default: on
##
## Acceptable values:
##   - on or off
## vmq_bridge.tcp.br0.try_private = on

## Set the MQTT protocol version to be used by the bridge.
##
## Default: 3
##
## Acceptable values:
##   - one of: 3, 4
## vmq_bridge.tcp.br0.mqtt_version = on

## Maximum number of outgoing messages the bridge will buffer
## while not connected to the remote broker. Messages published while
## the buffer is full are dropped. A value of 0 means buffering is
## disabled.
##
## Default: 0
##
## Acceptable values:
##   - an integer
## vmq_bridge.tcp.br0.max_outgoing_buffered_messages = 0

## The cafile is used to define the path to a file containing
## the PEM encoded CA certificates that are trusted.
##
## Default:
##
## Acceptable values:
##   - the path to a file
## vmq_bridge.ssl.sbr0.cafile = /etc/vernemq/cacerts.pem

## Set the path to the PEM encoded server certificate.
##
## Default:
##
## Acceptable values:
##   - the path to a file
## vmq_bridge.ssl.sbr0.certfile = /etc/vernemq/cert.pem

## Set the path to the PEM encoded key file.
##
## Default:
##
## Acceptable values:
##   - the path to a file
## vmq_bridge.ssl.sbr0.keyfile = /etc/vernemq/key.pem

## When using certificate based TLS, the bridge will attempt to verify the
## hostname provided in the remote certificate matches the host/address being
## connected to. This may cause problems in testing scenarios, so this option
## may be enabled to disable the hostname verification.
## Setting this option to true means that a malicious third party could
## potentially inpersonate your server, so it should always be disabled in
## production environments.
##
## Default: off
##
## Acceptable values:
##   - on or off
## vmq_bridge.ssl.sbr0.insecure = off

## Configure the TLS protocol version (tlsv1, tlsv1.1, or tlsv1.2) to be
## used for this bridge.
##
## Default: tlsv1.2
##
## Acceptable values:
##   - text
## vmq_bridge.ssl.sbr0.tls_version = tlsv1.2

## Pre-shared-key encryption provides an alternative to certificate based
## encryption. This option specifies the identity used.
##
## Default:
##
## Acceptable values:
##   - text
## vmq_bridge.ssl.sbr0.identity =

## Pre-shared-key encryption provides an alternative to certificate based
## encryption. This option specifies the shared secret used in hexadecimal
## format without leading '0x'.
##
## Default:
##
## Acceptable values:
##   - text
## vmq_bridge.ssl.sbr0.psk =

## Allow the bridge to open SSL connections to remote broker with wildcard certs
##
## Default: https
##
## Acceptable values:
##   - one of: https
## vmq_bridge.ssl.name.customize_hostname_check = on

## Where to emit the default log messages (typically at 'info'
## severity):
## off: disabled
## file: the file specified by log.console.file
## console: to standard output (seen when using \`vmq attach-direct\`)
## both: log.console.file and standard out.
##
## Default: file
##
## Acceptable values:
##   - one of: off, file, console, both
log.console = file

## The severity level of the console log, default is 'info'.
##
## Default: info
##
## Acceptable values:
##   - one of: debug, info, warning, error
log.console.level = info

## When 'log.console' is set to 'file' or 'both', the file where
## console messages will be logged.
##
## Default: /var/log/vernemq/console.log
##
## Acceptable values:
##   - the path to a file
log.console.file = /var/log/vernemq/console.log

## The file where error messages will be logged.
##
## Default: /var/log/vernemq/error.log
##
## Acceptable values:
##   - the path to a file
log.error.file = /var/log/vernemq/error.log

## When set to 'on', enables log output to syslog.
##
## Default: off
##
## Acceptable values:
##   - on or off
log.syslog = off

## Whether to enable the crash log.
##
## Default: on
##
## Acceptable values:
##   - on or off
log.crash = on

## If the crash log is enabled, the file where its messages will
## be written.
##
## Default: /var/log/vernemq/crash.log
##
## Acceptable values:
##   - the path to a file
log.crash.file = /var/log/vernemq/crash.log

## Maximum size in bytes of individual messages in the crash log
##
## Default: 64KB
##
## Acceptable values:
##   - a byte size with units, e.g. 10GB
log.crash.maximum_message_size = 64KB

## Maximum size of the crash log in bytes, before it is rotated
##
## Default: 10MB
##
## Acceptable values:
##   - a byte size with units, e.g. 10GB
log.crash.size = 10MB

## The schedule on which to rotate the crash log. For more
## information see:
## https://github.com/basho/lager/blob/master/README.md#internal-log-rotation
##
## Default: \$D0
##
## Acceptable values:
##   - text
log.crash.rotation = \$D0

## The number of rotated crash logs to keep. When set to
## 'current', only the current open log file is kept.
##
## Default: 5
##
## Acceptable values:
##   - an integer
##   - the text "current"
log.crash.rotation.keep = 5

## Name of the Erlang node
## Default: VerneMQ@127.0.0.1
## Acceptable values:
## - text
##
## Default: VerneMQ@127.0.0.1
##
## Acceptable values:
##   - text
nodename = ${NODE_NAME}

## Cookie for distributed node communication.  All nodes in the
## same cluster should use the same cookie or they will not be able to
## communicate.
## IMPORTANT!!! SET the cookie to a private value! DO NOT LEAVE AT DEFAULT!
##
## Default: vmq
##
## Acceptable values:
##   - text
distributed_cookie = vmq

## Sets the number of threads in async thread pool, valid range
## is 0-1024. If thread support is available, the default is 64.
## More information at: http://erlang.org/doc/man/erl.html
##
## Default: 64
##
## Acceptable values:
##   - an integer
erlang.async_threads = 64

## The number of concurrent ports/sockets
## Valid range is 1024-134217727
##
## Default: 262144
##
## Acceptable values:
##   - an integer
erlang.max_ports = 262144

## Set scheduler forced wakeup interval. All run queues will be
## scanned each Interval milliseconds. While there are sleeping
## schedulers in the system, one scheduler will be woken for each
## non-empty run queue found. An Interval of zero disables this
## feature, which also is the default.
## This feature is a workaround for lengthy executing native code, and
## native code that do not bump reductions properly.
## More information: http://www.erlang.org/doc/man/erl.html#+sfwi
##
## Acceptable values:
##   - an integer
## erlang.schedulers.force_wakeup_interval = 500

## Enable or disable scheduler compaction of load. By default
## scheduler compaction of load is enabled. When enabled, load
## balancing will strive for a load distribution which causes as many
## scheduler threads as possible to be fully loaded (i.e., not run out
## of work). This is accomplished by migrating load (e.g. runnable
## processes) into a smaller set of schedulers when schedulers
## frequently run out of work. When disabled, the frequency with which
## schedulers run out of work will not be taken into account by the
## load balancing logic.
## More information: http://www.erlang.org/doc/man/erl.html#+scl
##
## Acceptable values:
##   - one of: true, false
## erlang.schedulers.compaction_of_load = false

## Enable or disable scheduler utilization balancing of load. By
## default scheduler utilization balancing is disabled and instead
## scheduler compaction of load is enabled which will strive for a
## load distribution which causes as many scheduler threads as
## possible to be fully loaded (i.e., not run out of work). When
## scheduler utilization balancing is enabled the system will instead
## try to balance scheduler utilization between schedulers. That is,
## strive for equal scheduler utilization on all schedulers.
## More information: http://www.erlang.org/doc/man/erl.html#+sub
##
## Acceptable values:
##   - one of: true, false
## erlang.schedulers.utilization_balancing = true

## This parameter defines the percentage of total server memory
## to assign to LevelDB. LevelDB will dynamically adjust its internal
## cache sizes to stay within this size.  The memory size can
## alternately be assigned as a byte count via leveldb.maximum_memory
## instead.
##
## Default: 70
##
## Acceptable values:
##   - an integer
leveldb.maximum_memory.percent = 70

## listeners
$(listeners)

EOF