diff --git a/bkps/wrt-bkp-10.0.2.210.sh b/bkps/wrt-bkp-10.0.2.210.sh new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/bkps/wrt-bkp-10.0.2.210.sh @@ -0,0 +1 @@ + diff --git a/bkps/wrt-bkp-172.16.1.1.sh b/bkps/wrt-bkp-172.16.1.1.sh new file mode 100644 index 0000000..294ee65 --- /dev/null +++ b/bkps/wrt-bkp-172.16.1.1.sh @@ -0,0 +1,779 @@ + +#hostname= Buran_rod +#DISTRIB_DESCRIPTION='OpenWrt 21.02.1 r16325-88151b8303' +#profile = xiaomi_mi-router-3g +#target = ramips +#soc = mt7621 +#arch = mipsel_24kc +#Xiaomi Mi Router 3G custom default settings +#---------------------------------------------------- +#Generating cmd for install pkg +#---------------------------------------------------- +opkg install luci-proto-wireguard +opkg install iwinfo +opkg install cgi-io +opkg install luci-lib-base +opkg install opkg +opkg install luci-app-opkg +opkg install ubus +opkg install rpcd +opkg install luci-lib-ip +opkg install libubus-lua +opkg install kmod-nf-reject6 +opkg install libiwinfo-lua +opkg install luci-mod-system +opkg install kmod-nf-flow +opkg install kmod-lib-crc-ccitt +opkg install getrandom +opkg install kmod-gre +opkg install luci-theme-bootstrap +opkg install kmod-pppoe +opkg install kmod-pppox +opkg install luci-app-wireguard +opkg install kmod-ipt-conntrack +opkg install kmod-nf-reject +opkg install base-files +opkg install kmod-nf-nat +opkg install netifd +opkg install uboot-envtools +opkg install dnsmasq +opkg install ubusd +opkg install luci-mod-status +opkg install kmod-pptp +opkg install kmod-usb3 +opkg install firewall +opkg install luci-app-firewall +opkg install kmod-nf-ipt +opkg install tcpdump +opkg install ubi-utils +opkg install kmod-ip6tables +opkg install odhcp6c +opkg install fstools +opkg install iptables-mod-ipopt +opkg install uci +opkg install lua +opkg install luci-ssl +opkg install dropbear +opkg install rpcd-mod-file +opkg install mtd +opkg install odhcpd-ipv6only +opkg install libiwinfo-data +opkg install rpcd-mod-luci +opkg install urandom-seed +opkg install luci-proto-ppp +opkg install luci-mod-admin-full +opkg install ppp +opkg install luci-base +opkg install kmod-leds-gpio +opkg install kmod-gpio-button-hotplug +opkg install logd +opkg install kmod-mt7603 +opkg install ppp-mod-pptp +opkg install kmod-wireguard +opkg install wireguard-tools +opkg install luci-proto-ipv6 +opkg install iptables +opkg install kmod-nf-nathelper-extra +opkg install jshn +opkg install kmod-ipt-core +opkg install kmod-ppp +opkg install uhttpd +opkg install kmod-nf-conntrack +opkg install iptables-mod-conntrack-extra +opkg install usign +opkg install ip6tables +opkg install kmod-nf-ipt6 +opkg install luci-lib-nixio +opkg install liblucihttp-lua +opkg install luci-lib-jsonc +opkg install luci +opkg install kmod-nf-conntrack6 +opkg install kmod-usb-ledtrig-usbport +opkg install ubox +opkg install kernel +opkg install rpcd-mod-iwinfo +opkg install kmod-mt76x2 +opkg install luci-mod-network +opkg install kmod-mppe +opkg install lldpd +opkg install uhttpd-mod-ubus +opkg install fwtool +opkg install jsonfilter +opkg install hostapd-common +opkg install kmod-ipt-offload +opkg install urngd +opkg install kmod-slhc +opkg install iptables-mod-quota2 +opkg install rpcd-mod-rrdns +opkg install ppp-mod-pppoe +opkg install kmod-ipt-nat +#---------------------------------------------------- +#Generating configuration Xiaomi Mi Router 3G +#---------------------------------------------------- +uci -q batch << EOI +set dhcp.@dnsmasq[0]=dnsmasq +set dhcp.@dnsmasq[0].domainneeded='1' +set dhcp.@dnsmasq[0].localise_queries='1' +set dhcp.@dnsmasq[0].rebind_protection='1' +set dhcp.@dnsmasq[0].rebind_localhost='1' +set dhcp.@dnsmasq[0].expandhosts='1' +set dhcp.@dnsmasq[0].authoritative='1' +set dhcp.@dnsmasq[0].readethers='1' +set dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases' +set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto' +set dhcp.@dnsmasq[0].localservice='1' +set dhcp.@dnsmasq[0].ednspacket_max='1232' +set dhcp.@dnsmasq[0].local='/pair.lan/' +set dhcp.@dnsmasq[0].domain='pair.lan' +set dhcp.@dnsmasq[0].server='/lan/10.0.254.1' +set dhcp.@dnsmasq[0].address='/lampa.bb.lan/192.168.16.91' '/service.kapka.ru/10.0.254.1' '/service.lan/10.0.254.1' '/loc/10.0.254.1' '/lan/10.0.254.1' +set dhcp.lan=dhcp +set dhcp.lan.interface='lan' +set dhcp.lan.start='100' +set dhcp.lan.limit='150' +set dhcp.lan.leasetime='12h' +set dhcp.lan.dhcpv4='server' +set dhcp.lan.ra_flags='none' +set dhcp.wan=dhcp +set dhcp.wan.interface='wan' +set dhcp.wan.ignore='1' +set dhcp.wan.start='100' +set dhcp.wan.limit='150' +set dhcp.wan.leasetime='12h' +set dhcp.wan.ra_flags='none' +set dhcp.odhcpd=odhcpd +set dhcp.odhcpd.maindhcp='0' +set dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd' +set dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update' +set dhcp.odhcpd.loglevel='4' +set dhcp.@host[0]=host +set dhcp.@host[0].name='NPIB41BE2' +set dhcp.@host[0].ip='172.16.1.203' +set dhcp.@host[0].mac='3C:4A:92:B4:1B:E2' +commit dhcp +set dropbear.@dropbear[0]=dropbear +set dropbear.@dropbear[0].PasswordAuth='on' +set dropbear.@dropbear[0].RootPasswordAuth='on' +set dropbear.@dropbear[0].Port='22' +commit dropbear +set firewall.@defaults[0]=defaults +set firewall.@defaults[0].input='ACCEPT' +set firewall.@defaults[0].output='ACCEPT' +set firewall.@defaults[0].forward='REJECT' +set firewall.@defaults[0].synflood_protect='1' +set firewall.lan=zone +set firewall.lan.name='lan' +set firewall.lan.network='lan' +set firewall.lan.input='ACCEPT' +set firewall.lan.output='ACCEPT' +set firewall.lan.forward='ACCEPT' +set firewall.wan=zone +set firewall.wan.name='wan' +set firewall.wan.input='REJECT' +set firewall.wan.output='ACCEPT' +set firewall.wan.forward='REJECT' +set firewall.wan.masq='1' +set firewall.wan.mtu_fix='1' +set firewall.wan.network='wan' 'wan6' 'inet' '' +set firewall.@forwarding[0]=forwarding +set firewall.@forwarding[0].src='lan' +set firewall.@forwarding[0].dest='wan' +set firewall.@rule[0]=rule +set firewall.@rule[0].name='Allow-DHCP-Renew' +set firewall.@rule[0].src='wan' +set firewall.@rule[0].proto='udp' +set firewall.@rule[0].dest_port='68' +set firewall.@rule[0].target='ACCEPT' +set firewall.@rule[0].family='ipv4' +set firewall.@rule[1]=rule +set firewall.@rule[1].name='Allow-Ping' +set firewall.@rule[1].src='wan' +set firewall.@rule[1].proto='icmp' +set firewall.@rule[1].icmp_type='echo-request' +set firewall.@rule[1].family='ipv4' +set firewall.@rule[1].target='ACCEPT' +set firewall.@rule[2]=rule +set firewall.@rule[2].name='Allow-IGMP' +set firewall.@rule[2].src='wan' +set firewall.@rule[2].proto='igmp' +set firewall.@rule[2].family='ipv4' +set firewall.@rule[2].target='ACCEPT' +set firewall.@rule[3]=rule +set firewall.@rule[3].name='Allow-DHCPv6' +set firewall.@rule[3].src='wan' +set firewall.@rule[3].proto='udp' +set firewall.@rule[3].src_ip='fc00::/6' +set firewall.@rule[3].dest_ip='fc00::/6' +set firewall.@rule[3].dest_port='546' +set firewall.@rule[3].family='ipv6' +set firewall.@rule[3].target='ACCEPT' +set firewall.@rule[4]=rule +set firewall.@rule[4].name='Allow-MLD' +set firewall.@rule[4].src='wan' +set firewall.@rule[4].proto='icmp' +set firewall.@rule[4].src_ip='fe80::/10' +set firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0' +set firewall.@rule[4].family='ipv6' +set firewall.@rule[4].target='ACCEPT' +set firewall.@rule[5]=rule +set firewall.@rule[5].name='Allow-ICMPv6-Input' +set firewall.@rule[5].src='wan' +set firewall.@rule[5].proto='icmp' +set firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement' +set firewall.@rule[5].limit='1000/sec' +set firewall.@rule[5].family='ipv6' +set firewall.@rule[5].target='ACCEPT' +set firewall.@rule[6]=rule +set firewall.@rule[6].name='Allow-ICMPv6-Forward' +set firewall.@rule[6].src='wan' +set firewall.@rule[6].dest='*' +set firewall.@rule[6].proto='icmp' +set firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' +set firewall.@rule[6].limit='1000/sec' +set firewall.@rule[6].family='ipv6' +set firewall.@rule[6].target='ACCEPT' +set firewall.@rule[7]=rule +set firewall.@rule[7].name='Allow-IPSec-ESP' +set firewall.@rule[7].src='wan' +set firewall.@rule[7].dest='lan' +set firewall.@rule[7].proto='esp' +set firewall.@rule[7].target='ACCEPT' +set firewall.@rule[8]=rule +set firewall.@rule[8].name='Allow-ISAKMP' +set firewall.@rule[8].src='wan' +set firewall.@rule[8].dest='lan' +set firewall.@rule[8].dest_port='500' +set firewall.@rule[8].proto='udp' +set firewall.@rule[8].target='ACCEPT' +set firewall.@rule[9]=rule +set firewall.@rule[9].name='Support-UDP-Traceroute' +set firewall.@rule[9].src='wan' +set firewall.@rule[9].dest_port='33434:33689' +set firewall.@rule[9].proto='udp' +set firewall.@rule[9].family='ipv4' +set firewall.@rule[9].target='REJECT' +set firewall.@rule[9].enabled='false' +set firewall.@include[0]=include +set firewall.@include[0].path='/etc/firewall.user' +set firewall.@zone[2]=zone +set firewall.@zone[2].name='wg' +set firewall.@zone[2].input='ACCEPT' +set firewall.@zone[2].output='ACCEPT' +set firewall.@zone[2].forward='REJECT' +set firewall.@zone[2].network='wg13' 'WG5' +set firewall.@forwarding[1]=forwarding +set firewall.@forwarding[1].src='wg' +set firewall.@forwarding[1].dest='lan' +set firewall.@forwarding[2]=forwarding +set firewall.@forwarding[2].src='wg' +set firewall.@forwarding[2].dest='wan' +set firewall.@forwarding[3]=forwarding +set firewall.@forwarding[3].src='lan' +set firewall.@forwarding[3].dest='wg' +commit firewall +set luci.main=core +set luci.main.lang='auto' +set luci.main.mediaurlbase='/luci-static/bootstrap' +set luci.main.resourcebase='/luci-static/resources' +set luci.main.ubuspath='/ubus/' +set luci.flash_keep=extern +set luci.flash_keep.uci='/etc/config/' +set luci.flash_keep.dropbear='/etc/dropbear/' +set luci.flash_keep.openvpn='/etc/openvpn/' +set luci.flash_keep.passwd='/etc/passwd' +set luci.flash_keep.opkg='/etc/opkg.conf' +set luci.flash_keep.firewall='/etc/firewall.user' +set luci.flash_keep.uploads='/lib/uci/upload/' +set luci.languages=internal +set luci.sauth=internal +set luci.sauth.sessionpath='/tmp/luci-sessions' +set luci.sauth.sessiontime='3600' +set luci.ccache=internal +set luci.ccache.enable='1' +set luci.themes=internal +set luci.themes.Bootstrap='/luci-static/bootstrap' +set luci.apply=internal +set luci.apply.rollback='90' +set luci.apply.holdoff='4' +set luci.apply.timeout='5' +set luci.apply.display='1.5' +set luci.diag=internal +set luci.diag.dns='openwrt.org' +set luci.diag.ping='openwrt.org' +set luci.diag.route='openwrt.org' +commit luci +set network.loopback=interface +set network.loopback.device='lo' +set network.loopback.proto='static' +set network.loopback.ipaddr='127.0.0.1' +set network.loopback.netmask='255.0.0.0' +set network.globals=globals +set network.globals.packet_steering='1' +set network.globals.ula_prefix='fd1f:8333:f39f::/48' +set network.@device[0]=device +set network.@device[0].name='br-lan' +set network.@device[0].type='bridge' +set network.@device[0].ports='lan1' 'lan2' +set network.@device[0].ipv6='0' +set network.lan=interface +set network.lan.device='br-lan' +set network.lan.proto='static' +set network.lan.netmask='255.255.255.0' +set network.lan.ip6assign='60' +set network.lan.ipaddr='172.16.1.1' +set network.lan.delegate='0' +set network.wan=interface +set network.wan.device='wan' +set network.wan.proto='static' +set network.wan.netmask='255.255.255.0' +set network.wan.ipaddr='192.168.57.195' +set network.wan.gateway='192.168.57.129' +set network.wan.dns='10.0.254.1' '192.168.57.129' '9.9.9.9' +set network.wan6=interface +set network.wan6.device='wan' +set network.wan6.auto='0' +set network.wan6.proto='none' +set network.wg13=interface +set network.wg13.proto='wireguard' +set network.wg13.delegate='0' +set network.wg13.addresses='10.0.2.14/30' +set network.wg13.private_key='aP5OOWFJpVkC0qzxrBSja7bj+52mrx27XjiQArq1uHw=' +set network.@wireguard_wg13[0]=wireguard_wg13 +set network.@wireguard_wg13[0].public_key='Ez/9FgQK3VL6knCnCF95A2VTh9lsuMH6HClAy4LMAUQ=' +set network.@wireguard_wg13[0].description='muromec' +set network.@wireguard_wg13[0].allowed_ips='0.0.0.0/0' +set network.@wireguard_wg13[0].endpoint_host='muromec.kapka.ru' +set network.@wireguard_wg13[0].endpoint_port='12013' +set network.inet=interface +set network.inet.proto='pptp' +set network.inet.username='pp_SviridovSP' +set network.inet.password='123456' +set network.inet.ipv6='0' +set network.inet.delegate='0' +set network.inet.mtu='1460' +set network.inet.server='192.168.39.1' +set network.inet.auto='0' +set network.@device[1]=device +set network.@device[1].name='eth0' +set network.@device[1].ipv6='0' +set network.@device[2]=device +set network.@device[2].name='wan' +set network.@device[2].macaddr='74:d0:2b:67:0a:0d' +set network.@device[2].ipv6='0' +set network.@wireguard_wg5[0]=wireguard_wg5 +set network.@wireguard_wg5[0].description='reut' +set network.@wireguard_wg5[0].allowed_ips='0.0.0.0/0' +set network.WG5=interface +set network.WG5.proto='wireguard' +set network.WG5.addresses='10.0.1.6/30' +set network.WG5.private_key='oCJWf4QTd4fhgs1iosYq0tmNMvyshqjcJr5AcXXN3XA=' +set network.@wireguard_WG5[0]=wireguard_WG5 +set network.@wireguard_WG5[0].description='turbo.kapka.ru' +set network.@wireguard_WG5[0].endpoint_host='turbo.kapka.ru' +set network.@wireguard_WG5[0].endpoint_port='12105' +set network.@wireguard_WG5[0].allowed_ips='0.0.0.0/0' +set network.@wireguard_WG5[0].public_key='uu5qWom+kaIS/LEakW7wjlFYWPtLrv+5+qxZY1S82mc=' +set network.@wireguard_WG5[0].preshared_key='IOF3+lT+4x/hvKfgFwFC7Nly8UnUwy7Grl6w1IC3r1k=' +commit network +set rpcd.@rpcd[0]=rpcd +set rpcd.@rpcd[0].socket='/var/run/ubus/ubus.sock' +set rpcd.@rpcd[0].timeout='30' +set rpcd.@login[0]=login +set rpcd.@login[0].username='root' +set rpcd.@login[0].password='$p$root' +set rpcd.@login[0].read='*' +set rpcd.@login[0].write='*' +commit rpcd +set system.@system[0]=system +set system.@system[0].ttylogin='0' +set system.@system[0].log_size='64' +set system.@system[0].urandom_seed='0' +set system.@system[0].compat_version='1.1' +set system.@system[0].hostname='Buran_rod' +set system.@system[0].zonename='Etc/GMT+3' +set system.@system[0].timezone='<-03>3' +set system.@system[0].log_proto='udp' +set system.@system[0].conloglevel='8' +set system.@system[0].cronloglevel='5' +set system.ntp=timeserver +set system.ntp.server='0.openwrt.pool.ntp.org' '1.openwrt.pool.ntp.org' '2.openwrt.pool.ntp.org' '3.openwrt.pool.ntp.org' +commit system +set ubootenv.@ubootenv[0]=ubootenv +set ubootenv.@ubootenv[0].dev='/dev/mtd1' +set ubootenv.@ubootenv[0].offset='0x0' +set ubootenv.@ubootenv[0].envsize='0x1000' +set ubootenv.@ubootenv[0].secsize='0x20000' +commit ubootenv +set ucitrack.@network[0]=network +set ucitrack.@network[0].init='network' +set ucitrack.@network[0].affects='dhcp' +set ucitrack.@wireless[0]=wireless +set ucitrack.@wireless[0].affects='network' +set ucitrack.@firewall[0]=firewall +set ucitrack.@firewall[0].init='firewall' +set ucitrack.@firewall[0].affects='luci-splash' 'qos' 'miniupnpd' +set ucitrack.@olsr[0]=olsr +set ucitrack.@olsr[0].init='olsrd' +set ucitrack.@dhcp[0]=dhcp +set ucitrack.@dhcp[0].init='dnsmasq' +set ucitrack.@dhcp[0].affects='odhcpd' +set ucitrack.@odhcpd[0]=odhcpd +set ucitrack.@odhcpd[0].init='odhcpd' +set ucitrack.@dropbear[0]=dropbear +set ucitrack.@dropbear[0].init='dropbear' +set ucitrack.@httpd[0]=httpd +set ucitrack.@httpd[0].init='httpd' +set ucitrack.@fstab[0]=fstab +set ucitrack.@fstab[0].exec='/sbin/block mount' +set ucitrack.@qos[0]=qos +set ucitrack.@qos[0].init='qos' +set ucitrack.@system[0]=system +set ucitrack.@system[0].init='led' +set ucitrack.@system[0].exec='/etc/init.d/log reload' +set ucitrack.@system[0].affects='luci_statistics' 'dhcp' +set ucitrack.@luci_splash[0]=luci_splash +set ucitrack.@luci_splash[0].init='luci_splash' +set ucitrack.@upnpd[0]=upnpd +set ucitrack.@upnpd[0].init='miniupnpd' +set ucitrack.@ntpclient[0]=ntpclient +set ucitrack.@ntpclient[0].init='ntpclient' +set ucitrack.@samba[0]=samba +set ucitrack.@samba[0].init='samba' +set ucitrack.@tinyproxy[0]=tinyproxy +set ucitrack.@tinyproxy[0].init='tinyproxy' +commit ucitrack +set uhttpd.main=uhttpd +set uhttpd.main.listen_http='0.0.0.0:80' '[::]:80' +set uhttpd.main.listen_https='0.0.0.0:443' '[::]:443' +set uhttpd.main.redirect_https='0' +set uhttpd.main.home='/www' +set uhttpd.main.rfc1918_filter='1' +set uhttpd.main.max_requests='3' +set uhttpd.main.max_connections='100' +set uhttpd.main.cert='/etc/uhttpd.crt' +set uhttpd.main.key='/etc/uhttpd.key' +set uhttpd.main.cgi_prefix='/cgi-bin' +set uhttpd.main.lua_prefix='/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua' +set uhttpd.main.script_timeout='60' +set uhttpd.main.network_timeout='30' +set uhttpd.main.http_keepalive='20' +set uhttpd.main.tcp_keepalive='1' +set uhttpd.main.ubus_prefix='/ubus' +set uhttpd.defaults=cert +set uhttpd.defaults.days='730' +set uhttpd.defaults.key_type='ec' +set uhttpd.defaults.bits='2048' +set uhttpd.defaults.ec_curve='P-256' +set uhttpd.defaults.country='ZZ' +set uhttpd.defaults.state='Somewhere' +set uhttpd.defaults.location='Unknown' +set uhttpd.defaults.commonname='OpenWrt' +commit uhttpd +set wireless.radio0=wifi-device +set wireless.radio0.type='mac80211' +set wireless.radio0.channel='11' +set wireless.radio0.hwmode='11g' +set wireless.radio0.path='1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0' +set wireless.radio0.htmode='HT20' +set wireless.radio0.cell_density='0' +set wireless.default_radio0=wifi-iface +set wireless.default_radio0.device='radio0' +set wireless.default_radio0.network='lan' +set wireless.default_radio0.mode='ap' +set wireless.default_radio0.key='23637387581' +set wireless.default_radio0.encryption='sae-mixed' +set wireless.default_radio0.ssid='Buran' +set wireless.radio1=wifi-device +set wireless.radio1.type='mac80211' +set wireless.radio1.channel='36' +set wireless.radio1.hwmode='11a' +set wireless.radio1.path='1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0' +set wireless.radio1.htmode='VHT80' +set wireless.radio1.cell_density='0' +set wireless.default_radio1=wifi-iface +set wireless.default_radio1.device='radio1' +set wireless.default_radio1.network='lan' +set wireless.default_radio1.mode='ap' +set wireless.default_radio1.ssid='Buran-5G' +set wireless.default_radio1.encryption='sae-mixed' +set wireless.default_radio1.key='23637387581' +commit wireless +EOI +#---------------------------------------------------- +#Generating conf file +#---------------------------------------------------- +# WARNING: /etc/mosquitto не существует +#Gen file /etc/bird.conf + +mkdir -p "/etc" +cat << 'CFGEOF' > "/etc/bird.conf" +#FIG FILE IS NOT A COMPLETE DOCUMENTATION +# PLEASE LOOK IN THE BIRD DOCUMENTATION FOR MORE INFO + +# However, most of options used here are just for example +# and will be removed in real-life configs. + +log syslog all; + +# Override router ID +router id 172.16.1.1; + +# Turn on global debugging of all protocols +#debug protocols all; + + + + +ipv4 table bgpban; +ipv4 table ospfmy; +#ipv4 table master; + + +# Define a route filter... +# filter test_filter { +# if net ~ 10.0.0.0/16 then accept; +# else reject; +# } +filter fltOSPF { + if net = 192.168.0.0/16 then reject; + if net = 172.16.0.0/12 then reject; + else accept; +} + + +# The direct protocol automatically generates device routes to all network +# interfaces. Can exist in as many instances as you wish if you want to +# populate multiple routing tables with device routes. Because device routes +# are handled by Linux kernel, this protocol is usually not needed. +protocol direct { + interface "-wan","-3g-wan1", "*"; # Restrict network interfaces it works with + ipv4;# { +# table ospfmy; +# table bgpban; +#import where net !=0.0.0.0/0; +#export where net !=0.0.0.0/0; +# }; +#debug all; +} + +# This pseudo-protocol watches all interface up/down events. +protocol device { + scan time 10; # Scan interfaces every 10 seconds +} + +# Static routes (again, there can be multiple instances, so that you +# can disable/enable various groups of static routes on the fly). +#protocol static { +# export all; # Default is export none +# route 0.0.0.0/0 via 62.168.0.13; +# route 10.0.0.0/8 reject; +# route 192.168.0.0/16 reject; +#} + + +#protocol rip { +# disabled; +# import all; +# export all; +# export filter test_filter; + +# port 1520; +# period 7; +# infinity 16; +# garbage time 60; +# interface "*" { mode broadcast; }; +# honor neighbor; +# honor always; +# honor never; +# authentication none; +#} + + + + +######################### OSPF + +# This pseudo-protocol performs synchronization between BIRD's routing +# tables and the kernel. You can run multiple instances of the kernel +# protocol and synchronize different kernel tables with different BIRD tables. + +protocol kernel ospfMyKern { + ipv4 { + table ospfmy; +# table bgpban; +# import filter fltOSPF; +# import all; +# import where source != RTS_DEVICE; +# export where source != RTS_DEVICE && net !=0.0.0.0/0; + export all; + }; + learn; # Learn all alien routes from the kernel +# persist; # Don't remove routes on bird shutdown + scan time 60; # Scan kernel routing table every 20 seconds +# import none; # Default is import all +# import all; +# export all; # Default is export none +# device routes yes; + kernel table 10; +# merge paths switch 16; + metric 10; +#debug all; +} + + +protocol kernel bgpbanKern { + ipv4 { + table bgpban; +# import all; + export all; + }; + learn; # Learn all alien routes from the kernel +# persist; # Don't remove routes on bird shutdown + scan time 60; # Scan kernel routing table every 20 seconds +# import none; # Default is import all +# import all; +# export all; # Default is export none +# device routes yes; + kernel table 11; +# merge paths switch 16; + metric 10; +} + +#protocol kernel { +# ipv4 { +# table master4; +## export all; +#import all; +# }; +# persist; +# learn; +# scan time 60; +# kernel table 254; +#} + +protocol pipe { + table ospfmy; + peer table master4; +# peer table bgpban; + import where net !=0.0.0.0/0; + +export where net !=0.0.0.0/0; + +#export all; +#export where source != RTS_DEVICE; +#debug all; +} + + +protocol ospf ASWG { +# disabled; + ipv4 { + table ospfmy; +# import filter fltOSPF; + import all; + export all; + }; +# import all; +# export all; +# import filter { print ">>>>>>imp net accepted:", net; accept; }; +# export filter { print ">>>>>>exp net accepted:", net; accept; }; + +# export where source = RTS_STATIC; + + area 0 { +# networks { +# 10.0.1.0/24; +# 10.0.2.0/24; +# }; + + interface "wg13" { #9 + cost 60; + hello 10; + retransmit 5; + wait 40; + dead 40; + type pointopoint; + priority 30; +# authentication simple; +# password "pass"; + }; + + interface "wg5" { + cost 5; + hello 10; + retransmit 5; + wait 40; + dead 40; + type pointopoint; + priority 5; +# authentication simple; +# password "pass"; + }; + + + }; +} + + + + +#########################BGP +# This pseudo-protocol performs synchronization between BIRD's routing +# tables and the kernel. You can run multiple instances of the kernel +# protocol and synchronize different kernel tables with different BIRD tables. +#protocol kernel { +# table bgpban; +# learn; # Learn all alien routes from the kernel +# persist; # Don't remove routes on bird shutdown +# scan time 60; # Scan kernel routing table every 20 seconds +# import none; # Default is import all +# import all; +# export all; # Default is export none +#} + + + +protocol bgp { +# disabled; + ipv4 { + table bgpban; + import all; + export all; + }; +# import all; +# export all; +# export where source = RTS_STATIC; + + local as 65014; + neighbor 10.0.2.13 as 65013; +# multihop 20 via 10.0.2.9; +# multihop; + +# hold time 240; +# startup hold time 240; +# connect retry time 120; +# keepalive time 80; # defaults to hold time / 3 +# start delay time 5; # How long do we wait before initial connect +# error wait time 60, 300;# Minimum and maximum time we wait after an error (when consecutive +# # errors occur, we increase the delay exponentially ... +# error forget time 300; # ... until this timeout expires) +# disable after error; # Disable the protocol automatically when an error occurs +# next hop self; # Disable next hop processing and always advertise our local address as nexthop +# source address 62.168.0.14; # What local address we use for the TCP connection +# password "secret" # Password used for MD5 authentication +# rr client; # I am a route reflector and the neighor is my client +# rr cluster id 1.0.0.1 # Use this value for cluster id instead of my router id +# }; +} + +CFGEOF + +# WARNING: /etc/bird4.conf не существует +#---------------------------------------------------- +#Generating cron +#---------------------------------------------------- + +#save config to muromec +0 3 * * 1 sh /root/bkpscript/backup_script.sh + + diff --git a/bkps/wrt-bkp-172.16.11.4.sh b/bkps/wrt-bkp-172.16.11.4.sh new file mode 100644 index 0000000..8b232d0 --- /dev/null +++ b/bkps/wrt-bkp-172.16.11.4.sh @@ -0,0 +1,1409 @@ + +#hostname= Buran-stya.reut.loc +#DISTRIB_DESCRIPTION='OpenWrt 22.03.5 r20134-5f15225c1e' +#profile = xiaomi_mi-router-3g-v2 +#target = ramips +#soc = mt7621 +#arch = mipsel_24kc +#Xiaomi Mi Router 3G v2 custom default settings +#---------------------------------------------------- +#Generating cmd for install pkg +#---------------------------------------------------- +opkg install iwinfo +opkg install cgi-io +opkg install luci-lib-base +opkg install opkg +opkg install luci-app-opkg +opkg install ubus +opkg install rpcd +opkg install luci-lib-ip +opkg install kmod-nft-fib +opkg install kmod-nfnetlink +opkg install libubus-lua +opkg install kmod-crypto-hash +opkg install kmod-nf-reject6 +opkg install libiwinfo-lua +opkg install luci-mod-system +opkg install kmod-nf-flow +opkg install kmod-lib-crc-ccitt +opkg install getrandom +opkg install ucode-mod-ubus +opkg install luci-theme-bootstrap +opkg install kmod-pppoe +opkg install kmod-pppox +opkg install kmod-nf-reject +opkg install procd-ujail +opkg install base-files +opkg install kmod-nf-nat +opkg install kmod-crypto-crc32c +opkg install ucode-mod-uci +opkg install netifd +opkg install dnsmasq +opkg install ubusd +opkg install kmod-lib-crc32c +opkg install luci-mod-status +opkg install kmod-nft-nat +opkg install luci-app-firewall +opkg install tcpdump +opkg install ubi-utils +opkg install odhcp6c +opkg install fstools +opkg install uci +opkg install lua +opkg install ucode-mod-fs +opkg install luci-ssl +opkg install dropbear +opkg install rpcd-mod-file +opkg install mtd +opkg install odhcpd-ipv6only +opkg install procd-seccomp +opkg install libiwinfo-data +opkg install ucode +opkg install rpcd-mod-luci +opkg install kmod-nf-log +opkg install urandom-seed +opkg install luci-proto-ppp +opkg install luci-mod-admin-full +opkg install ppp +opkg install luci-base +opkg install kmod-leds-gpio +opkg install kmod-gpio-button-hotplug +opkg install logd +opkg install kmod-mt7603 +opkg install kmod-nf-log6 +opkg install luci-proto-ipv6 +opkg install jshn +opkg install kmod-ppp +opkg install kmod-nft-offload +opkg install uhttpd +opkg install kmod-nf-conntrack +opkg install usign +opkg install luci-lib-nixio +opkg install liblucihttp-lua +opkg install luci-app-cjdns +opkg install luci-lib-jsonc +opkg install luci +opkg install kmod-nf-conntrack6 +opkg install ubox +opkg install kernel +opkg install rpcd-mod-iwinfo +opkg install kmod-mt76x2 +opkg install luci-mod-network +opkg install kmod-nft-core +opkg install lldpd +opkg install uhttpd-mod-ubus +opkg install fwtool +opkg install jsonfilter +opkg install urngd +opkg install kmod-slhc +opkg install rpcd-mod-rrdns +opkg install ppp-mod-pppoe +#---------------------------------------------------- +#Generating configuration Xiaomi Mi Router 3G v2 +#---------------------------------------------------- +uci -q batch << EOI +set cjdns.cjdns=cjdns +set cjdns.cjdns.ipv6='fc36:cd0c:2f16:b9e9:0596:309e:f084:e935' +set cjdns.cjdns.admin_password='NONE' +set cjdns.cjdns.admin_port='11234' +set cjdns.cjdns.public_key='ck50thjtn4z2pbyr4l07kxu5t7xsuu5v2flmpbl9zfckml0umqv0.k' +set cjdns.cjdns.private_key='bf25ea52b09eb0fb0da610ab3793c7256d41119ec2634d5abc10dc84b7c6d8a8' +set cjdns.cjdns.admin_address='127.0.0.1' +set cjdns.cjdns.seccomp='1' +set cjdns.cjdns.tun_device='tuncjdns' +set cjdns.@udp_interface[0]=udp_interface +set cjdns.@udp_interface[0].port='25724' +set cjdns.@udp_interface[0].address='0.0.0.0' +set cjdns.@udp_interface[1]=udp_interface +set cjdns.@udp_interface[1].port='25724' +set cjdns.@udp_interface[1].address='[::]' +set cjdns.@password[0]=password +set cjdns.@password[0].password='sysjky8j121tfszy6kcsycj461ndbg3' +set cjdns.@password[0].user='default-login' +set cjdns.@eth_interface[0]=eth_interface +set cjdns.@eth_interface[0].beacon='2' +set cjdns.@eth_interface[0].bind='br-lan' +commit cjdns +set dhcp.@dnsmasq[0]=dnsmasq +set dhcp.@dnsmasq[0].domainneeded='1' +set dhcp.@dnsmasq[0].boguspriv='1' +set dhcp.@dnsmasq[0].filterwin2k='0' +set dhcp.@dnsmasq[0].localise_queries='1' +set dhcp.@dnsmasq[0].rebind_protection='1' +set dhcp.@dnsmasq[0].rebind_localhost='1' +set dhcp.@dnsmasq[0].local='/lan/' +set dhcp.@dnsmasq[0].domain='lan' +set dhcp.@dnsmasq[0].expandhosts='1' +set dhcp.@dnsmasq[0].nonegcache='0' +set dhcp.@dnsmasq[0].authoritative='1' +set dhcp.@dnsmasq[0].readethers='1' +set dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases' +set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto' +set dhcp.@dnsmasq[0].nonwildcard='1' +set dhcp.@dnsmasq[0].localservice='1' +set dhcp.@dnsmasq[0].ednspacket_max='1232' +set dhcp.lan=dhcp +set dhcp.lan.interface='lan' +set dhcp.lan.dhcpv4='server' +set dhcp.lan.ignore='1' +set dhcp.lan.ra_management='1' +set dhcp.lan.start='100' +set dhcp.lan.limit='150' +set dhcp.lan.leasetime='12h' +set dhcp.wan=dhcp +set dhcp.wan.interface='wan' +set dhcp.wan.ignore='1' +set dhcp.odhcpd=odhcpd +set dhcp.odhcpd.maindhcp='0' +set dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd' +set dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update' +set dhcp.odhcpd.loglevel='4' +commit dhcp +set dropbear.@dropbear[0]=dropbear +set dropbear.@dropbear[0].PasswordAuth='on' +set dropbear.@dropbear[0].RootPasswordAuth='on' +set dropbear.@dropbear[0].Port='22' +commit dropbear +set firewall.@defaults[0]=defaults +set firewall.@defaults[0].syn_flood='1' +set firewall.@defaults[0].input='ACCEPT' +set firewall.@defaults[0].output='ACCEPT' +set firewall.@defaults[0].forward='REJECT' +set firewall.@zone[0]=zone +set firewall.@zone[0].name='lan' +set firewall.@zone[0].input='ACCEPT' +set firewall.@zone[0].output='ACCEPT' +set firewall.@zone[0].forward='ACCEPT' +set firewall.@zone[0].network='lan' +set firewall.@zone[1]=zone +set firewall.@zone[1].name='wan' +set firewall.@zone[1].input='REJECT' +set firewall.@zone[1].output='ACCEPT' +set firewall.@zone[1].forward='REJECT' +set firewall.@zone[1].masq='1' +set firewall.@zone[1].mtu_fix='1' +set firewall.@zone[1].network='wan' 'wan6' +set firewall.@forwarding[0]=forwarding +set firewall.@forwarding[0].src='lan' +set firewall.@forwarding[0].dest='wan' +set firewall.@rule[0]=rule +set firewall.@rule[0].name='Allow-DHCP-Renew' +set firewall.@rule[0].src='wan' +set firewall.@rule[0].proto='udp' +set firewall.@rule[0].dest_port='68' +set firewall.@rule[0].target='ACCEPT' +set firewall.@rule[0].family='ipv4' +set firewall.@rule[1]=rule +set firewall.@rule[1].name='Allow-Ping' +set firewall.@rule[1].src='wan' +set firewall.@rule[1].proto='icmp' +set firewall.@rule[1].icmp_type='echo-request' +set firewall.@rule[1].family='ipv4' +set firewall.@rule[1].target='ACCEPT' +set firewall.@rule[2]=rule +set firewall.@rule[2].name='Allow-IGMP' +set firewall.@rule[2].src='wan' +set firewall.@rule[2].proto='igmp' +set firewall.@rule[2].family='ipv4' +set firewall.@rule[2].target='ACCEPT' +set firewall.@rule[3]=rule +set firewall.@rule[3].name='Allow-DHCPv6' +set firewall.@rule[3].src='wan' +set firewall.@rule[3].proto='udp' +set firewall.@rule[3].src_ip='fc00::/6' +set firewall.@rule[3].dest_ip='fc00::/6' +set firewall.@rule[3].dest_port='546' +set firewall.@rule[3].family='ipv6' +set firewall.@rule[3].target='ACCEPT' +set firewall.@rule[4]=rule +set firewall.@rule[4].name='Allow-MLD' +set firewall.@rule[4].src='wan' +set firewall.@rule[4].proto='icmp' +set firewall.@rule[4].src_ip='fe80::/10' +set firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0' +set firewall.@rule[4].family='ipv6' +set firewall.@rule[4].target='ACCEPT' +set firewall.@rule[5]=rule +set firewall.@rule[5].name='Allow-ICMPv6-Input' +set firewall.@rule[5].src='wan' +set firewall.@rule[5].proto='icmp' +set firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement' +set firewall.@rule[5].limit='1000/sec' +set firewall.@rule[5].family='ipv6' +set firewall.@rule[5].target='ACCEPT' +set firewall.@rule[6]=rule +set firewall.@rule[6].name='Allow-ICMPv6-Forward' +set firewall.@rule[6].src='wan' +set firewall.@rule[6].dest='*' +set firewall.@rule[6].proto='icmp' +set firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' +set firewall.@rule[6].limit='1000/sec' +set firewall.@rule[6].family='ipv6' +set firewall.@rule[6].target='ACCEPT' +set firewall.@rule[7]=rule +set firewall.@rule[7].name='Allow-IPSec-ESP' +set firewall.@rule[7].src='wan' +set firewall.@rule[7].dest='lan' +set firewall.@rule[7].proto='esp' +set firewall.@rule[7].target='ACCEPT' +set firewall.@rule[8]=rule +set firewall.@rule[8].name='Allow-ISAKMP' +set firewall.@rule[8].src='wan' +set firewall.@rule[8].dest='lan' +set firewall.@rule[8].dest_port='500' +set firewall.@rule[8].proto='udp' +set firewall.@rule[8].target='ACCEPT' +set firewall.@rule[9]=rule +set firewall.@rule[9].name='Support-UDP-Traceroute' +set firewall.@rule[9].src='wan' +set firewall.@rule[9].dest_port='33434:33689' +set firewall.@rule[9].proto='udp' +set firewall.@rule[9].family='ipv4' +set firewall.@rule[9].target='REJECT' +set firewall.@rule[9].enabled='false' +set firewall.@include[0]=include +set firewall.@include[0].path='/etc/firewall.user' +set firewall.@zone[2]=zone +set firewall.@zone[2].name='cjdns' +set firewall.@zone[2].input='REJECT' +set firewall.@zone[2].output='ACCEPT' +set firewall.@zone[2].forward='REJECT' +set firewall.@zone[2].conntrack='1' +set firewall.@zone[2].family='ipv6' +set firewall.@rule[10]=rule +set firewall.@rule[10].name='Allow-ICMPv6-cjdns' +set firewall.@rule[10].src='cjdns' +set firewall.@rule[10].proto='icmp' +set firewall.@rule[10].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' +set firewall.@rule[10].limit='1000/sec' +set firewall.@rule[10].family='ipv6' +set firewall.@rule[10].target='ACCEPT' +set firewall.@rule[11]=rule +set firewall.@rule[11].enabled='0' +set firewall.@rule[11].name='Allow-SSH-cjdns' +set firewall.@rule[11].src='cjdns' +set firewall.@rule[11].proto='tcp' +set firewall.@rule[11].dest_port='22' +set firewall.@rule[11].target='ACCEPT' +set firewall.@rule[12]=rule +set firewall.@rule[12].enabled='0' +set firewall.@rule[12].name='Allow-HTTP-cjdns' +set firewall.@rule[12].src='cjdns' +set firewall.@rule[12].proto='tcp' +set firewall.@rule[12].dest_port='80' +set firewall.@rule[12].target='ACCEPT' +set firewall.@rule[13]=rule +set firewall.@rule[13].name='Allow-cjdns-wan' +set firewall.@rule[13].src='wan' +set firewall.@rule[13].proto='udp' +set firewall.@rule[13].dest_port='25724' +set firewall.@rule[13].target='ACCEPT' +commit firewall +set lldpd.config=lldpd +set lldpd.config.enable_cdp='1' +set lldpd.config.enable_fdp='1' +set lldpd.config.enable_sonmp='1' +set lldpd.config.enable_edp='1' +set lldpd.config.lldp_class='4' +set lldpd.config.lldp_location='2:FR:6:Commercial Rd:3:Roseville:19:4' +set lldpd.config.interface='loopback' 'lan' +commit lldpd +set luci.main=core +set luci.main.lang='auto' +set luci.main.mediaurlbase='/luci-static/bootstrap' +set luci.main.resourcebase='/luci-static/resources' +set luci.main.ubuspath='/ubus/' +set luci.flash_keep=extern +set luci.flash_keep.uci='/etc/config/' +set luci.flash_keep.dropbear='/etc/dropbear/' +set luci.flash_keep.openvpn='/etc/openvpn/' +set luci.flash_keep.passwd='/etc/passwd' +set luci.flash_keep.opkg='/etc/opkg.conf' +set luci.flash_keep.firewall='/etc/firewall.user' +set luci.flash_keep.uploads='/lib/uci/upload/' +set luci.languages=internal +set luci.sauth=internal +set luci.sauth.sessionpath='/tmp/luci-sessions' +set luci.sauth.sessiontime='3600' +set luci.ccache=internal +set luci.ccache.enable='1' +set luci.themes=internal +set luci.themes.Bootstrap='/luci-static/bootstrap' +set luci.themes.BootstrapDark='/luci-static/bootstrap-dark' +set luci.themes.BootstrapLight='/luci-static/bootstrap-light' +set luci.apply=internal +set luci.apply.rollback='90' +set luci.apply.holdoff='4' +set luci.apply.timeout='5' +set luci.apply.display='1.5' +set luci.diag=internal +set luci.diag.dns='openwrt.org' +set luci.diag.ping='openwrt.org' +set luci.diag.route='openwrt.org' +commit luci +set mosquitto.owrt=owrt +set mosquitto.owrt.use_uci='0' +set mosquitto.mosquitto=mosquitto +set mosquitto.persistence=persistence +commit mosquitto +set network.loopback=interface +set network.loopback.proto='static' +set network.loopback.ipaddr='127.0.0.1' +set network.loopback.netmask='255.0.0.0' +set network.loopback.device='lo' +set network.globals=globals +set network.globals.packet_steering='1' +set network.globals.ula_prefix='fd53:2eb9:6809::/48' +set network.lan=interface +set network.lan.proto='static' +set network.lan.netmask='255.255.255.0' +set network.lan.ip6assign='60' +set network.lan.ipaddr='172.16.11.4' +set network.lan.gateway='172.16.11.1' +set network.lan.dns='1.1.1.1' +set network.lan.device='br-lan' +set network.wan=interface +set network.wan.proto='none' +set network.wan.device='ban' +set network.wan6=interface +set network.wan6.proto='none' +set network.wan6.device='ban' +set network.@device[0]=device +set network.@device[0].name='br-lan' +set network.@device[0].type='bridge' +set network.@device[0].ports='lan1' 'lan2' 'wan' +set network.@device[0].ipv6='0' +commit network +set rpcd.@rpcd[0]=rpcd +set rpcd.@rpcd[0].socket='/var/run/ubus/ubus.sock' +set rpcd.@rpcd[0].timeout='30' +set rpcd.@login[0]=login +set rpcd.@login[0].username='root' +set rpcd.@login[0].password='$p$root' +set rpcd.@login[0].read='*' +set rpcd.@login[0].write='*' +commit rpcd +set system.@system[0]=system +set system.@system[0].ttylogin='0' +set system.@system[0].log_size='64' +set system.@system[0].urandom_seed='0' +set system.@system[0].compat_version='1.1' +set system.@system[0].zonename='Europe/Moscow' +set system.@system[0].timezone='MSK-3' +set system.@system[0].log_proto='udp' +set system.@system[0].conloglevel='8' +set system.@system[0].cronloglevel='5' +set system.@system[0].hostname='Buran-stya.reut.loc' +set system.ntp=timeserver +set system.ntp.server='0.openwrt.pool.ntp.org' '1.openwrt.pool.ntp.org' '2.openwrt.pool.ntp.org' '3.openwrt.pool.ntp.org' +commit system +set ucitrack.@network[0]=network +set ucitrack.@network[0].init='network' +set ucitrack.@network[0].affects='dhcp' +set ucitrack.@wireless[0]=wireless +set ucitrack.@wireless[0].affects='network' +set ucitrack.@firewall[0]=firewall +set ucitrack.@firewall[0].init='firewall' +set ucitrack.@firewall[0].affects='luci-splash' 'qos' 'miniupnpd' +set ucitrack.@olsr[0]=olsr +set ucitrack.@olsr[0].init='olsrd' +set ucitrack.@dhcp[0]=dhcp +set ucitrack.@dhcp[0].init='dnsmasq' +set ucitrack.@dhcp[0].affects='odhcpd' +set ucitrack.@odhcpd[0]=odhcpd +set ucitrack.@odhcpd[0].init='odhcpd' +set ucitrack.@dropbear[0]=dropbear +set ucitrack.@dropbear[0].init='dropbear' +set ucitrack.@httpd[0]=httpd +set ucitrack.@httpd[0].init='httpd' +set ucitrack.@fstab[0]=fstab +set ucitrack.@fstab[0].exec='/sbin/block mount' +set ucitrack.@qos[0]=qos +set ucitrack.@qos[0].init='qos' +set ucitrack.@system[0]=system +set ucitrack.@system[0].init='led' +set ucitrack.@system[0].exec='/etc/init.d/log reload' +set ucitrack.@system[0].affects='luci_statistics' 'dhcp' +set ucitrack.@luci_splash[0]=luci_splash +set ucitrack.@luci_splash[0].init='luci_splash' +set ucitrack.@upnpd[0]=upnpd +set ucitrack.@upnpd[0].init='miniupnpd' +set ucitrack.@ntpclient[0]=ntpclient +set ucitrack.@ntpclient[0].init='ntpclient' +set ucitrack.@samba[0]=samba +set ucitrack.@samba[0].init='samba' +set ucitrack.@tinyproxy[0]=tinyproxy +set ucitrack.@tinyproxy[0].init='tinyproxy' +set ucitrack.@cjdns[0]=cjdns +set ucitrack.@cjdns[0].init='cjdns' +commit ucitrack +set uhttpd.main=uhttpd +set uhttpd.main.listen_http='0.0.0.0:80' '[::]:80' +set uhttpd.main.listen_https='0.0.0.0:443' '[::]:443' +set uhttpd.main.redirect_https='0' +set uhttpd.main.home='/www' +set uhttpd.main.rfc1918_filter='1' +set uhttpd.main.max_requests='3' +set uhttpd.main.max_connections='100' +set uhttpd.main.cert='/etc/uhttpd.crt' +set uhttpd.main.key='/etc/uhttpd.key' +set uhttpd.main.cgi_prefix='/cgi-bin' +set uhttpd.main.lua_prefix='/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua' +set uhttpd.main.script_timeout='60' +set uhttpd.main.network_timeout='30' +set uhttpd.main.http_keepalive='20' +set uhttpd.main.tcp_keepalive='1' +set uhttpd.main.ubus_prefix='/ubus' +set uhttpd.defaults=cert +set uhttpd.defaults.days='730' +set uhttpd.defaults.key_type='ec' +set uhttpd.defaults.bits='2048' +set uhttpd.defaults.ec_curve='P-256' +set uhttpd.defaults.country='ZZ' +set uhttpd.defaults.state='Somewhere' +set uhttpd.defaults.location='Unknown' +set uhttpd.defaults.commonname='OpenWrt' +commit uhttpd +set wireless.radio0=wifi-device +set wireless.radio0.type='mac80211' +set wireless.radio0.hwmode='11g' +set wireless.radio0.path='1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0' +set wireless.radio0.htmode='HT20' +set wireless.radio0.cell_density='0' +set wireless.radio0.country='RU' +set wireless.radio0.channel='auto' +set wireless.radio1=wifi-device +set wireless.radio1.type='mac80211' +set wireless.radio1.hwmode='11a' +set wireless.radio1.path='1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0' +set wireless.radio1.cell_density='0' +set wireless.radio1.country='RU' +set wireless.radio1.channel='auto' +set wireless.radio1.htmode='VHT80' +set wireless.default_radio1=wifi-iface +set wireless.default_radio1.device='radio1' +set wireless.default_radio1.network='lan' +set wireless.default_radio1.mode='ap' +set wireless.default_radio1.key='23637387581' +set wireless.default_radio1.encryption='sae-mixed' +set wireless.default_radio1.ssid='Buran' +set wireless.default_radio1.ieee80211r='1' +set wireless.default_radio1.mobility_domain='f453' +set wireless.default_radio1.ft_over_ds='1' +set wireless.default_radio1.ft_psk_generate_local='1' +set wireless.default_radio1.wpa_disable_eapol_key_retries='1' +set wireless.default_radio1.skip_inactivity_poll='1' +set wireless.wifinet2=wifi-iface +set wireless.wifinet2.device='radio0' +set wireless.wifinet2.mode='ap' +set wireless.wifinet2.network='lan' +set wireless.wifinet2.key='23637387581' +set wireless.wifinet2.ssid='Buran' +set wireless.wifinet2.encryption='sae-mixed' +set wireless.wifinet2.ieee80211r='1' +set wireless.wifinet2.mobility_domain='af53' +set wireless.wifinet2.ft_over_ds='0' +set wireless.wifinet2.ft_psk_generate_local='1' +set wireless.wifinet2.wpa_disable_eapol_key_retries='1' +set wireless.wifinet2.skip_inactivity_poll='1' +commit wireless +EOI +#---------------------------------------------------- +#Generating conf file +#---------------------------------------------------- +mkdir -p "/etc/mosquitto" + +mkdir -p "/etc/mosquitto" + +#Gen file /etc/mosquitto/mosquitto.conf + +mkdir -p "/etc/mosquitto" +cat << 'CFGEOF' > "/etc/mosquitto/mosquitto.conf" +# Config file for mosquitto +# +# See mosquitto.conf(5) for more information. +# +# Default values are shown, uncomment to change. +# +# Use the # character to indicate a comment, but only if it is the +# very first character on the line. + +# ================================================================= +# General configuration +# ================================================================= + +# Use per listener security settings. +# +# It is recommended this option be set before any other options. +# +# If this option is set to true, then all authentication and access control +# options are controlled on a per listener basis. The following options are +# affected: +# +# password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous +# auto_id_prefix allow_zero_length_clientid +# +# Note that if set to true, then a durable client (i.e. with clean session set +# to false) that has disconnected will use the ACL settings defined for the +# listener that it was most recently connected to. +# +# The default behaviour is for this to be set to false, which maintains the +# setting behaviour from previous versions of mosquitto. +#per_listener_settings false + + +# This option controls whether a client is allowed to connect with a zero +# length client id or not. This option only affects clients using MQTT v3.1.1 +# and later. If set to false, clients connecting with a zero length client id +# are disconnected. If set to true, clients will be allocated a client id by +# the broker. This means it is only useful for clients with clean session set +# to true. +#allow_zero_length_clientid true + +# If allow_zero_length_clientid is true, this option allows you to set a prefix +# to automatically generated client ids to aid visibility in logs. +# Defaults to 'auto-' +#auto_id_prefix auto- + +# This option affects the scenario when a client subscribes to a topic that has +# retained messages. It is possible that the client that published the retained +# message to the topic had access at the time they published, but that access +# has been subsequently removed. If check_retain_source is set to true, the +# default, the source of a retained message will be checked for access rights +# before it is republished. When set to false, no check will be made and the +# retained message will always be published. This affects all listeners. +#check_retain_source true + +# QoS 1 and 2 messages will be allowed inflight per client until this limit +# is exceeded. Defaults to 0. (No maximum) +# See also max_inflight_messages +#max_inflight_bytes 0 + +# The maximum number of QoS 1 and 2 messages currently inflight per +# client. +# This includes messages that are partway through handshakes and +# those that are being retried. Defaults to 20. Set to 0 for no +# maximum. Setting to 1 will guarantee in-order delivery of QoS 1 +# and 2 messages. +#max_inflight_messages 20 + +# For MQTT v5 clients, it is possible to have the server send a "server +# keepalive" value that will override the keepalive value set by the client. +# This is intended to be used as a mechanism to say that the server will +# disconnect the client earlier than it anticipated, and that the client should +# use the new keepalive value. The max_keepalive option allows you to specify +# that clients may only connect with keepalive less than or equal to this +# value, otherwise they will be sent a server keepalive telling them to use +# max_keepalive. This only applies to MQTT v5 clients. The maximum value +# allowable is 65535. Do not set below 10. +#max_keepalive 65535 + +# For MQTT v5 clients, it is possible to have the server send a "maximum packet +# size" value that will instruct the client it will not accept MQTT packets +# with size greater than max_packet_size bytes. This applies to the full MQTT +# packet, not just the payload. Setting this option to a positive value will +# set the maximum packet size to that number of bytes. If a client sends a +# packet which is larger than this value, it will be disconnected. This applies +# to all clients regardless of the protocol version they are using, but v3.1.1 +# and earlier clients will of course not have received the maximum packet size +# information. Defaults to no limit. Setting below 20 bytes is forbidden +# because it is likely to interfere with ordinary client operation, even with +# very small payloads. +#max_packet_size 0 + +# QoS 1 and 2 messages above those currently in-flight will be queued per +# client until this limit is exceeded. Defaults to 0. (No maximum) +# See also max_queued_messages. +# If both max_queued_messages and max_queued_bytes are specified, packets will +# be queued until the first limit is reached. +#max_queued_bytes 0 + +# Set the maximum QoS supported. Clients publishing at a QoS higher than +# specified here will be disconnected. +#max_qos 2 + +# The maximum number of QoS 1 and 2 messages to hold in a queue per client +# above those that are currently in-flight. Defaults to 1000. Set +# to 0 for no maximum (not recommended). +# See also queue_qos0_messages. +# See also max_queued_bytes. +#max_queued_messages 1000 +# +# This option sets the maximum number of heap memory bytes that the broker will +# allocate, and hence sets a hard limit on memory use by the broker. Memory +# requests that exceed this value will be denied. The effect will vary +# depending on what has been denied. If an incoming message is being processed, +# then the message will be dropped and the publishing client will be +# disconnected. If an outgoing message is being sent, then the individual +# message will be dropped and the receiving client will be disconnected. +# Defaults to no limit. +#memory_limit 0 + +# This option sets the maximum publish payload size that the broker will allow. +# Received messages that exceed this size will not be accepted by the broker. +# The default value is 0, which means that all valid MQTT messages are +# accepted. MQTT imposes a maximum payload size of 268435455 bytes. +#message_size_limit 0 + +# This option allows persistent clients (those with clean session set to false) +# to be removed if they do not reconnect within a certain time frame. +# +# This is a non-standard option in MQTT V3.1 but allowed in MQTT v3.1.1. +# +# Badly designed clients may set clean session to false whilst using a randomly +# generated client id. This leads to persistent clients that will never +# reconnect. This option allows these clients to be removed. +# +# The expiration period should be an integer followed by one of h d w m y for +# hour, day, week, month and year respectively. For example +# +# persistent_client_expiration 2m +# persistent_client_expiration 14d +# persistent_client_expiration 1y +# +# The default if not set is to never expire persistent clients. +#persistent_client_expiration + +# Write process id to a file. Default is a blank string which means +# a pid file shouldn't be written. +# This should be set to /var/run/mosquitto.pid if mosquitto is +# being run automatically on boot with an init script and +# start-stop-daemon or similar. +#pid_file + +# Set to true to queue messages with QoS 0 when a persistent client is +# disconnected. These messages are included in the limit imposed by +# max_queued_messages and max_queued_bytes +# Defaults to false. +# This is a non-standard option for the MQTT v3.1 spec but is allowed in +# v3.1.1. +#queue_qos0_messages false + +# Set to false to disable retained message support. If a client publishes a +# message with the retain bit set, it will be disconnected if this is set to +# false. +#retain_available true + +# Disable Nagle's algorithm on client sockets. This has the effect of reducing +# latency of individual messages at the potential cost of increasing the number +# of packets being sent. +#set_tcp_nodelay false + +# Time in seconds between updates of the $SYS tree. +# Set to 0 to disable the publishing of the $SYS tree. +#sys_interval 10 + +# The MQTT specification requires that the QoS of a message delivered to a +# subscriber is never upgraded to match the QoS of the subscription. Enabling +# this option changes this behaviour. If upgrade_outgoing_qos is set true, +# messages sent to a subscriber will always match the QoS of its subscription. +# This is a non-standard option explicitly disallowed by the spec. +#upgrade_outgoing_qos false + +# When run as root, drop privileges to this user and its primary +# group. +# Set to root to stay as root, but this is not recommended. +# If set to "mosquitto", or left unset, and the "mosquitto" user does not exist +# then it will drop privileges to the "nobody" user instead. +# If run as a non-root user, this setting has no effect. +# Note that on Windows this has no effect and so mosquitto should be started by +# the user you wish it to run as. +#user mosquitto + +# ================================================================= +# Listeners +# ================================================================= + +# Listen on a port/ip address combination. By using this variable +# multiple times, mosquitto can listen on more than one port. If +# this variable is used and neither bind_address nor port given, +# then the default listener will not be started. +# The port number to listen on must be given. Optionally, an ip +# address or host name may be supplied as a second argument. In +# this case, mosquitto will attempt to bind the listener to that +# address and so restrict access to the associated network and +# interface. By default, mosquitto will listen on all interfaces. +# Note that for a websockets listener it is not possible to bind to a host +# name. +# +# On systems that support Unix Domain Sockets, it is also possible +# to create a # Unix socket rather than opening a TCP socket. In +# this case, the port number should be set to 0 and a unix socket +# path must be provided, e.g. +# listener 0 /tmp/mosquitto.sock +# +# listener port-number [ip address/host name/unix socket path] +#listener +listener 1883 172.16.11.4 + +# By default, a listener will attempt to listen on all supported IP protocol +# versions. If you do not have an IPv4 or IPv6 interface you may wish to +# disable support for either of those protocol versions. In particular, note +# that due to the limitations of the websockets library, it will only ever +# attempt to open IPv6 sockets if IPv6 support is compiled in, and so will fail +# if IPv6 is not available. +# +# Set to `ipv4` to force the listener to only use IPv4, or set to `ipv6` to +# force the listener to only use IPv6. If you want support for both IPv4 and +# IPv6, then do not use the socket_domain option. +# +#socket_domain + +# Bind the listener to a specific interface. This is similar to +# the [ip address/host name] part of the listener definition, but is useful +# when an interface has multiple addresses or the address may change. It is +# valid to use this with the [ip address/host name] part of the listener +# definition, but take care that the interface you are binding to contains the +# address you are binding to, otherwise you will not be able to connect. +# Only available on Linux and requires elevated privileges. +# +# Example: bind_interface eth0 +#bind_interface + +# When a listener is using the websockets protocol, it is possible to serve +# http data as well. Set http_dir to a directory which contains the files you +# wish to serve. If this option is not specified, then no normal http +# connections will be possible. +#http_dir + +# The maximum number of client connections to allow. This is +# a per listener setting. +# Default is -1, which means unlimited connections. +# Note that other process limits mean that unlimited connections +# are not really possible. Typically the default maximum number of +# connections possible is around 1024. +#max_connections -1 + +# The listener can be restricted to operating within a topic hierarchy using +# the mount_point option. This is achieved be prefixing the mount_point string +# to all topics for any clients connected to this listener. This prefixing only +# happens internally to the broker; the client will not see the prefix. +#mount_point + +# Choose the protocol to use when listening. +# This can be either mqtt or websockets. +# Certificate based TLS may be used with websockets, except that only the +# cafile, certfile, keyfile, ciphers, and ciphers_tls13 options are supported. +#protocol mqtt + +# Set use_username_as_clientid to true to replace the clientid that a client +# connected with with its username. This allows authentication to be tied to +# the clientid, which means that it is possible to prevent one client +# disconnecting another by using the same clientid. +# If a client connects with no username it will be disconnected as not +# authorised when this option is set to true. +# Do not use in conjunction with clientid_prefixes. +# See also use_identity_as_username. +#use_username_as_clientid + +# Change the websockets headers size. This is a global option, it is not +# possible to set per listener. This option sets the size of the buffer used in +# the libwebsockets library when reading HTTP headers. If you are passing large +# header data such as cookies then you may need to increase this value. If left +# unset, or set to 0, then the default of 1024 bytes will be used. +#websockets_headers_size + +# ----------------------------------------------------------------- +# Certificate based SSL/TLS support +# ----------------------------------------------------------------- +# The following options can be used to enable certificate based SSL/TLS support +# for this listener. Note that the recommended port for MQTT over TLS is 8883, +# but this must be set manually. +# +# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS +# support" section. Only one of certificate or PSK encryption support can be +# enabled for any listener. + +# Both of certfile and keyfile must be defined to enable certificate based +# TLS encryption. + +# Path to the PEM encoded server certificate. +#certfile + +# Path to the PEM encoded keyfile. +#keyfile + +# If you wish to control which encryption ciphers are used, use the ciphers +# option. The list of available ciphers can be optained using the "openssl +# ciphers" command and should be provided in the same format as the output of +# that command. This applies to TLS 1.2 and earlier versions only. Use +# ciphers_tls1.3 for TLS v1.3. +#ciphers + +# Choose which TLS v1.3 ciphersuites are used for this listener. +# Defaults to "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" +#ciphers_tls1.3 + +# If you have require_certificate set to true, you can create a certificate +# revocation list file to revoke access to particular client certificates. If +# you have done this, use crlfile to point to the PEM encoded revocation file. +#crlfile + +# To allow the use of ephemeral DH key exchange, which provides forward +# security, the listener must load DH parameters. This can be specified with +# the dhparamfile option. The dhparamfile can be generated with the command +# e.g. "openssl dhparam -out dhparam.pem 2048" +#dhparamfile + +# By default an TLS enabled listener will operate in a similar fashion to a +# https enabled web server, in that the server has a certificate signed by a CA +# and the client will verify that it is a trusted certificate. The overall aim +# is encryption of the network traffic. By setting require_certificate to true, +# the client must provide a valid certificate in order for the network +# connection to proceed. This allows access to the broker to be controlled +# outside of the mechanisms provided by MQTT. +#require_certificate false + +# cafile and capath define methods of accessing the PEM encoded +# Certificate Authority certificates that will be considered trusted when +# checking incoming client certificates. +# cafile defines the path to a file containing the CA certificates. +# capath defines a directory that will be searched for files +# containing the CA certificates. For capath to work correctly, the +# certificate files must have ".crt" as the file ending and you must run +# "openssl rehash " each time you add/remove a certificate. +#cafile +#capath + + +# If require_certificate is true, you may set use_identity_as_username to true +# to use the CN value from the client certificate as a username. If this is +# true, the password_file option will not be used for this listener. +#use_identity_as_username false + +# ----------------------------------------------------------------- +# Pre-shared-key based SSL/TLS support +# ----------------------------------------------------------------- +# The following options can be used to enable PSK based SSL/TLS support for +# this listener. Note that the recommended port for MQTT over TLS is 8883, but +# this must be set manually. +# +# See also the mosquitto-tls man page and the "Certificate based SSL/TLS +# support" section. Only one of certificate or PSK encryption support can be +# enabled for any listener. + +# The psk_hint option enables pre-shared-key support for this listener and also +# acts as an identifier for this listener. The hint is sent to clients and may +# be used locally to aid authentication. The hint is a free form string that +# doesn't have much meaning in itself, so feel free to be creative. +# If this option is provided, see psk_file to define the pre-shared keys to be +# used or create a security plugin to handle them. +#psk_hint + +# When using PSK, the encryption ciphers used will be chosen from the list of +# available PSK ciphers. If you want to control which ciphers are available, +# use the "ciphers" option. The list of available ciphers can be optained +# using the "openssl ciphers" command and should be provided in the same format +# as the output of that command. +#ciphers + +# Set use_identity_as_username to have the psk identity sent by the client used +# as its username. Authentication will be carried out using the PSK rather than +# the MQTT username/password and so password_file will not be used for this +# listener. +#use_identity_as_username false + + +# ================================================================= +# Persistence +# ================================================================= + +# If persistence is enabled, save the in-memory database to disk +# every autosave_interval seconds. If set to 0, the persistence +# database will only be written when mosquitto exits. See also +# autosave_on_changes. +# Note that writing of the persistence database can be forced by +# sending mosquitto a SIGUSR1 signal. +autosave_interval 86400 # once a day + +# If true, mosquitto will count the number of subscription changes, retained +# messages received and queued messages and if the total exceeds +# autosave_interval then the in-memory database will be saved to disk. +# If false, mosquitto will save the in-memory database to disk by treating +# autosave_interval as a time in seconds. +#autosave_on_changes false + +# Save persistent message data to disk (true/false). +# This saves information about all messages, including +# subscriptions, currently in-flight messages and retained +# messages. +# retained_persistence is a synonym for this option. +#persistence false +persistence true + +# The filename to use for the persistent database, not including +# the path. +#persistence_file mosquitto.db + +# Location for persistent database. Must include trailing / +# Default is an empty string (current directory). +# Set to e.g. /var/lib/mosquitto/ if running as a proper service on Linux or +# similar. +#persistence_location +persistence_location /tmp + +# ================================================================= +# Logging +# ================================================================= + +# Places to log to. Use multiple log_dest lines for multiple +# logging destinations. +# Possible destinations are: stdout stderr syslog topic file dlt +# +# stdout and stderr log to the console on the named output. +# +# syslog uses the userspace syslog facility which usually ends up +# in /var/log/messages or similar. +# +# topic logs to the broker topic '$SYS/broker/log/', +# where severity is one of D, E, W, N, I, M which are debug, error, +# warning, notice, information and message. Message type severity is used by +# the subscribe/unsubscribe log_types and publishes log messages to +# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe. +# +# The file destination requires an additional parameter which is the file to be +# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be +# closed and reopened when the broker receives a HUP signal. Only a single file +# destination may be configured. +# +# The dlt destination is for the automotive `Diagnostic Log and Trace` tool. +# This requires that Mosquitto has been compiled with DLT support. +# +# Note that if the broker is running as a Windows service it will default to +# "log_dest none" and neither stdout nor stderr logging is available. +# Use "log_dest none" if you wish to disable logging. +#log_dest stderr + +# Types of messages to log. Use multiple log_type lines for logging +# multiple types of messages. +# Possible types are: debug, error, warning, notice, information, +# none, subscribe, unsubscribe, websockets, all. +# Note that debug type messages are for decoding the incoming/outgoing +# network packets. They are not logged in "topics". +#log_type error +#log_type warning +#log_type notice +#log_type information + + +# If set to true, client connection and disconnection messages will be included +# in the log. +#connection_messages true + +# If using syslog logging (not on Windows), messages will be logged to the +# "daemon" facility by default. Use the log_facility option to choose which of +# local0 to local7 to log to instead. The option value should be an integer +# value, e.g. "log_facility 5" to use local5. +#log_facility + +# If set to true, add a timestamp value to each log message. +#log_timestamp true + +# Set the format of the log timestamp. If left unset, this is the number of +# seconds since the Unix epoch. +# This is a free text string which will be passed to the strftime function. To +# get an ISO 8601 datetime, for example: +# log_timestamp_format %Y-%m-%dT%H:%M:%S +#log_timestamp_format + +# Change the websockets logging level. This is a global option, it is not +# possible to set per listener. This is an integer that is interpreted by +# libwebsockets as a bit mask for its lws_log_levels enum. See the +# libwebsockets documentation for more details. "log_type websockets" must also +# be enabled. +#websockets_log_level 0 + + +# ================================================================= +# Security +# ================================================================= + +# If set, only clients that have a matching prefix on their +# clientid will be allowed to connect to the broker. By default, +# all clients may connect. +# For example, setting "secure-" here would mean a client "secure- +# client" could connect but another with clientid "mqtt" couldn't. +#clientid_prefixes + +# Boolean value that determines whether clients that connect +# without providing a username are allowed to connect. If set to +# false then a password file should be created (see the +# password_file option) to control authenticated client access. +# +# Defaults to false, unless there are no listeners defined in the configuration +# file, in which case it is set to true, but connections are only allowed from +# the local machine. +#allow_anonymous false +allow_anonymous true + +# ----------------------------------------------------------------- +# Default authentication and topic access control +# ----------------------------------------------------------------- + +# Control access to the broker using a password file. This file can be +# generated using the mosquitto_passwd utility. If TLS support is not compiled +# into mosquitto (it is recommended that TLS support should be included) then +# plain text passwords are used, in which case the file should be a text file +# with lines in the format: +# username:password +# The password (and colon) may be omitted if desired, although this +# offers very little in the way of security. +# +# See the TLS client require_certificate and use_identity_as_username options +# for alternative authentication options. If an auth_plugin is used as well as +# password_file, the auth_plugin check will be made first. +#password_file + +# Access may also be controlled using a pre-shared-key file. This requires +# TLS-PSK support and a listener configured to use it. The file should be text +# lines in the format: +# identity:key +# The key should be in hexadecimal format without a leading "0x". +# If an auth_plugin is used as well, the auth_plugin check will be made first. +#psk_file + +# Control access to topics on the broker using an access control list +# file. If this parameter is defined then only the topics listed will +# have access. +# If the first character of a line of the ACL file is a # it is treated as a +# comment. +# Topic access is added with lines of the format: +# +# topic [read|write|readwrite|deny] +# +# The access type is controlled using "read", "write", "readwrite" or "deny". +# This parameter is optional (unless contains a space character) - if +# not given then the access is read/write. can contain the + or # +# wildcards as in subscriptions. +# +# The "deny" option can used to explicity deny access to a topic that would +# otherwise be granted by a broader read/write/readwrite statement. Any "deny" +# topics are handled before topics that grant read/write access. +# +# The first set of topics are applied to anonymous clients, assuming +# allow_anonymous is true. User specific topic ACLs are added after a +# user line as follows: +# +# user +# +# The username referred to here is the same as in password_file. It is +# not the clientid. +# +# +# If is also possible to define ACLs based on pattern substitution within the +# topic. The patterns available for substition are: +# +# %c to match the client id of the client +# %u to match the username of the client +# +# The substitution pattern must be the only text for that level of hierarchy. +# +# The form is the same as for the topic keyword, but using pattern as the +# keyword. +# Pattern ACLs apply to all users even if the "user" keyword has previously +# been given. +# +# If using bridges with usernames and ACLs, connection messages can be allowed +# with the following pattern: +# pattern write $SYS/broker/connection/%c/state +# +# pattern [read|write|readwrite] +# +# Example: +# +# pattern write sensor/%u/data +# +# If an auth_plugin is used as well as acl_file, the auth_plugin check will be +# made first. +#acl_file + +# ----------------------------------------------------------------- +# External authentication and topic access plugin options +# ----------------------------------------------------------------- + +# External authentication and access control can be supported with the +# auth_plugin option. This is a path to a loadable plugin. See also the +# auth_opt_* options described below. +# +# The auth_plugin option can be specified multiple times to load multiple +# plugins. The plugins will be processed in the order that they are specified +# here. If the auth_plugin option is specified alongside either of +# password_file or acl_file then the plugin checks will be made first. +# +#auth_plugin + +# If the auth_plugin option above is used, define options to pass to the +# plugin here as described by the plugin instructions. All options named +# using the format auth_opt_* will be passed to the plugin, for example: +# +# auth_opt_db_host +# auth_opt_db_port +# auth_opt_db_username +# auth_opt_db_password + + +# ================================================================= +# Bridges +# ================================================================= + +# A bridge is a way of connecting multiple MQTT brokers together. +# Create a new bridge using the "connection" option as described below. Set +# options for the bridges using the remaining parameters. You must specify the +# address and at least one topic to subscribe to. +# +# Each connection must have a unique name. +# +# The address line may have multiple host address and ports specified. See +# below in the round_robin description for more details on bridge behaviour if +# multiple addresses are used. Note that if you use an IPv6 address, then you +# are required to specify a port. +# +# The direction that the topic will be shared can be chosen by +# specifying out, in or both, where the default value is out. +# The QoS level of the bridged communication can be specified with the next +# topic option. The default QoS level is 0, to change the QoS the topic +# direction must also be given. +# +# The local and remote prefix options allow a topic to be remapped when it is +# bridged to/from the remote broker. This provides the ability to place a topic +# tree in an appropriate location. +# +# For more details see the mosquitto.conf man page. +# +# Multiple topics can be specified per connection, but be careful +# not to create any loops. +# +# If you are using bridges with cleansession set to false (the default), then +# you may get unexpected behaviour from incoming topics if you change what +# topics you are subscribing to. This is because the remote broker keeps the +# subscription for the old topic. If you have this problem, connect your bridge +# with cleansession set to true, then reconnect with cleansession set to false +# as normal. +#connection +#address [:] [[:]] +#topic [[[out | in | both] qos-level] local-prefix remote-prefix] + +# If you need to have the bridge connect over a particular network interface, +# use bridge_bind_address to tell the bridge which local IP address the socket +# should bind to, e.g. `bridge_bind_address 192.168.1.10` +#bridge_bind_address +#bridge_bind_address 172.17.10.4 +# If a bridge has topics that have "out" direction, the default behaviour is to +# send an unsubscribe request to the remote broker on that topic. This means +# that changing a topic direction from "in" to "out" will not keep receiving +# incoming messages. Sending these unsubscribe requests is not always +# desirable, setting bridge_attempt_unsubscribe to false will disable sending +# the unsubscribe request. +#bridge_attempt_unsubscribe true + +# Set the version of the MQTT protocol to use with for this bridge. Can be one +# of mqttv50, mqttv311 or mqttv31. Defaults to mqttv311. +#bridge_protocol_version mqttv311 + +# Set the clean session variable for this bridge. +# When set to true, when the bridge disconnects for any reason, all +# messages and subscriptions will be cleaned up on the remote +# broker. Note that with cleansession set to true, there may be a +# significant amount of retained messages sent when the bridge +# reconnects after losing its connection. +# When set to false, the subscriptions and messages are kept on the +# remote broker, and delivered when the bridge reconnects. +#cleansession false + +# Set the amount of time a bridge using the lazy start type must be idle before +# it will be stopped. Defaults to 60 seconds. +#idle_timeout 60 + +# Set the keepalive interval for this bridge connection, in +# seconds. +#keepalive_interval 60 + +# Set the clientid to use on the local broker. If not defined, this defaults to +# 'local.'. If you are bridging a broker to itself, it is important +# that local_clientid and clientid do not match. +#local_clientid + +# If set to true, publish notification messages to the local and remote brokers +# giving information about the state of the bridge connection. Retained +# messages are published to the topic $SYS/broker/connection//state +# unless the notification_topic option is used. +# If the message is 1 then the connection is active, or 0 if the connection has +# failed. +# This uses the last will and testament feature. +#notifications true + +# Choose the topic on which notification messages for this bridge are +# published. If not set, messages are published on the topic +# $SYS/broker/connection//state +#notification_topic + +# Set the client id to use on the remote end of this bridge connection. If not +# defined, this defaults to 'name.hostname' where name is the connection name +# and hostname is the hostname of this computer. +# This replaces the old "clientid" option to avoid confusion. "clientid" +# remains valid for the time being. +#remote_clientid + +# Set the password to use when connecting to a broker that requires +# authentication. This option is only used if remote_username is also set. +# This replaces the old "password" option to avoid confusion. "password" +# remains valid for the time being. +#remote_password + +# Set the username to use when connecting to a broker that requires +# authentication. +# This replaces the old "username" option to avoid confusion. "username" +# remains valid for the time being. +#remote_username + +# Set the amount of time a bridge using the automatic start type will wait +# until attempting to reconnect. +# This option can be configured to use a constant delay time in seconds, or to +# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree +# of randomness to when the restart occurs. +# +# Set a constant timeout of 20 seconds: +# restart_timeout 20 +# +# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of +# 60 seconds: +# restart_timeout 10 30 +# +# Defaults to jitter with a base of 5 and cap of 30 +#restart_timeout 5 30 + +# If the bridge has more than one address given in the address/addresses +# configuration, the round_robin option defines the behaviour of the bridge on +# a failure of the bridge connection. If round_robin is false, the default +# value, then the first address is treated as the main bridge connection. If +# the connection fails, the other secondary addresses will be attempted in +# turn. Whilst connected to a secondary bridge, the bridge will periodically +# attempt to reconnect to the main bridge until successful. +# If round_robin is true, then all addresses are treated as equals. If a +# connection fails, the next address will be tried and if successful will +# remain connected until it fails +#round_robin false + +# Set the start type of the bridge. This controls how the bridge starts and +# can be one of three types: automatic, lazy and once. Note that RSMB provides +# a fourth start type "manual" which isn't currently supported by mosquitto. +# +# "automatic" is the default start type and means that the bridge connection +# will be started automatically when the broker starts and also restarted +# after a short delay (30 seconds) if the connection fails. +# +# Bridges using the "lazy" start type will be started automatically when the +# number of queued messages exceeds the number set with the "threshold" +# parameter. It will be stopped automatically after the time set by the +# "idle_timeout" parameter. Use this start type if you wish the connection to +# only be active when it is needed. +# +# A bridge using the "once" start type will be started automatically when the +# broker starts but will not be restarted if the connection fails. +#start_type automatic + +# Set the number of messages that need to be queued for a bridge with lazy +# start type to be restarted. Defaults to 10 messages. +# Must be less than max_queued_messages. +#threshold 10 + +# If try_private is set to true, the bridge will attempt to indicate to the +# remote broker that it is a bridge not an ordinary client. If successful, this +# means that loop detection will be more effective and that retained messages +# will be propagated correctly. Not all brokers support this feature so it may +# be necessary to set try_private to false if your bridge does not connect +# properly. +#try_private true + +# Some MQTT brokers do not allow retained messages. MQTT v5 gives a mechanism +# for brokers to tell clients that they do not support retained messages, but +# this is not possible for MQTT v3.1.1 or v3.1. If you need to bridge to a +# v3.1.1 or v3.1 broker that does not support retained messages, set the +# bridge_outgoing_retain option to false. This will remove the retain bit on +# all outgoing messages to that bridge, regardless of any other setting. +#bridge_outgoing_retain true + +# If you wish to restrict the size of messages sent to a remote bridge, use the +# bridge_max_packet_size option. This sets the maximum number of bytes for +# the total message, including headers and payload. +# Note that MQTT v5 brokers may provide their own maximum-packet-size property. +# In this case, the smaller of the two limits will be used. +# Set to 0 for "unlimited". +#bridge_max_packet_size 0 + + +# ----------------------------------------------------------------- +# Certificate based SSL/TLS support +# ----------------------------------------------------------------- +# Either bridge_cafile or bridge_capath must be defined to enable TLS support +# for this bridge. +# bridge_cafile defines the path to a file containing the +# Certificate Authority certificates that have signed the remote broker +# certificate. +# bridge_capath defines a directory that will be searched for files containing +# the CA certificates. For bridge_capath to work correctly, the certificate +# files must have ".crt" as the file ending and you must run "openssl rehash +# " each time you add/remove a certificate. +#bridge_cafile +#bridge_capath + + +# If the remote broker has more than one protocol available on its port, e.g. +# MQTT and WebSockets, then use bridge_alpn to configure which protocol is +# requested. Note that WebSockets support for bridges is not yet available. +#bridge_alpn + +# When using certificate based encryption, bridge_insecure disables +# verification of the server hostname in the server certificate. This can be +# useful when testing initial server configurations, but makes it possible for +# a malicious third party to impersonate your server through DNS spoofing, for +# example. Use this option in testing only. If you need to resort to using this +# option in a production environment, your setup is at fault and there is no +# point using encryption. +#bridge_insecure false + +# Path to the PEM encoded client certificate, if required by the remote broker. +#bridge_certfile + +# Path to the PEM encoded client private key, if required by the remote broker. +#bridge_keyfile + +# ----------------------------------------------------------------- +# PSK based SSL/TLS support +# ----------------------------------------------------------------- +# Pre-shared-key encryption provides an alternative to certificate based +# encryption. A bridge can be configured to use PSK with the bridge_identity +# and bridge_psk options. These are the client PSK identity, and pre-shared-key +# in hexadecimal format with no "0x". Only one of certificate and PSK based +# encryption can be used on one +# bridge at once. +#bridge_identity +#bridge_psk + + +# ================================================================= +# External config files +# ================================================================= + +# External configuration files may be included by using the +# include_dir option. This defines a directory that will be searched +# for config files. All files that end in '.conf' will be loaded as +# a configuration file. It is best to have this as the last option +# in the main file. This option will only be processed from the main +# configuration file. The directory specified must not contain the +# main configuration file. +# Files within include_dir will be loaded sorted in case-sensitive +# alphabetical order, with capital letters ordered first. If this option is +# given multiple times, all of the files from the first instance will be +# processed before the next instance. See the man page for examples. +#include_dir +CFGEOF + +# WARNING: /etc/bird.conf не существует +# WARNING: /etc/bird4.conf не существует +#---------------------------------------------------- +#Generating cron +#---------------------------------------------------- + +#save config to muromec +0 3 * * 1 sh /root/bkpscript/backup_script.sh diff --git a/bkps/wrt-bkp-172.16.11.7.sh b/bkps/wrt-bkp-172.16.11.7.sh new file mode 100644 index 0000000..406e069 --- /dev/null +++ b/bkps/wrt-bkp-172.16.11.7.sh @@ -0,0 +1,2341 @@ + +#hostname= Buran-bee-stya.reut.loc +#DISTRIB_DESCRIPTION='OpenWrt 23.05.3 r23809-234f1a2efa' +#profile = beeline_smartbox-turbo-plus +#target = ramips +#soc = mt7621 +#arch = mipsel_24kc +#Beeline SmartBox TURBO+ custom default settings +#---------------------------------------------------- +#Generating cmd for install pkg +#---------------------------------------------------- +opkg install luci-app-mosquitto +opkg install iwinfo +opkg install cgi-io +opkg install opkg +opkg install luci-app-opkg +opkg install kmod-usb-storage-uas +opkg install ubus +opkg install rpcd +opkg install kmod-nft-fib +opkg install kmod-nfnetlink +opkg install kmod-crypto-hash +opkg install kmod-nf-reject6 +opkg install luci-mod-system +opkg install kmod-nf-flow +opkg install kmod-lib-crc-ccitt +opkg install ucode-mod-uloop +opkg install getrandom +opkg install ucode-mod-ubus +opkg install luci-theme-bootstrap +opkg install kmod-pppoe +opkg install kmod-pppox +opkg install kmod-nf-reject +opkg install procd-ujail +opkg install base-files +opkg install kmod-nf-nat +opkg install kmod-crypto-crc32c +opkg install ucode-mod-uci +opkg install netifd +opkg install uboot-envtools +opkg install dnsmasq +opkg install usbutils +opkg install ubusd +opkg install kmod-crypto-acompress +opkg install rpcd-mod-ucode +opkg install ucode-mod-math +opkg install kmod-lib-crc32c +opkg install luci-mod-status +opkg install block-mount +opkg install kmod-nft-nat +opkg install kmod-usb3 +opkg install kmod-fs-exfat +opkg install luci-app-firewall +opkg install ubi-utils +opkg install odhcp6c +opkg install fstools +opkg install uci +opkg install ucode-mod-fs +opkg install kmod-fs-ext4 +opkg install luci-ssl +opkg install dropbear +opkg install rpcd-mod-file +opkg install mtd +opkg install odhcpd-ipv6only +opkg install procd-seccomp +opkg install ucode-mod-nl80211 +opkg install libiwinfo-data +opkg install ucode +opkg install rpcd-mod-luci +opkg install kmod-nf-log +opkg install urandom-seed +opkg install luci-proto-ppp +opkg install luci-mod-admin-full +opkg install ppp +opkg install luci-base +opkg install kmod-leds-gpio +opkg install kmod-gpio-button-hotplug +opkg install logd +opkg install kmod-mt7603 +opkg install kmod-nf-log6 +opkg install luci-proto-ipv6 +opkg install kmod-fs-ntfs3 +opkg install jshn +opkg install e2fsprogs +opkg install kmod-ppp +opkg install kmod-nft-offload +opkg install netcat +opkg install luci-app-samba4 +opkg install kmod-mt7615-firmware +opkg install uhttpd +opkg install kmod-nf-conntrack +opkg install usign +opkg install atftpd +opkg install ucode-mod-rtnl +opkg install ucode-mod-html +opkg install luci +opkg install kmod-nf-conntrack6 +opkg install luci-light +opkg install kmod-lib-lzo +opkg install ubox +opkg install kernel +opkg install rpcd-mod-iwinfo +opkg install luci-mod-network +opkg install kmod-nft-core +opkg install lldpd +opkg install mount-utils +opkg install uhttpd-mod-ubus +opkg install fwtool +opkg install jsonfilter +opkg install liblucihttp-ucode +opkg install iperf3 +opkg install hostapd-common +opkg install vsftpd +opkg install luci-app-hd-idle +opkg install urngd +opkg install kmod-slhc +opkg install rpcd-mod-rrdns +opkg install ppp-mod-pppoe +#---------------------------------------------------- +#Generating configuration Beeline SmartBox TURBO+ +#---------------------------------------------------- +uci -q batch << EOI +set atftpd.service=service +set atftpd.service.path='/srv/tftp' +commit atftpd +set dhcp.@dnsmasq[0]=dnsmasq +set dhcp.@dnsmasq[0].domainneeded='1' +set dhcp.@dnsmasq[0].localise_queries='1' +set dhcp.@dnsmasq[0].rebind_protection='1' +set dhcp.@dnsmasq[0].rebind_localhost='1' +set dhcp.@dnsmasq[0].local='/lan/' +set dhcp.@dnsmasq[0].domain='lan' +set dhcp.@dnsmasq[0].expandhosts='1' +set dhcp.@dnsmasq[0].cachesize='1000' +set dhcp.@dnsmasq[0].authoritative='1' +set dhcp.@dnsmasq[0].readethers='1' +set dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases' +set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto' +set dhcp.@dnsmasq[0].localservice='1' +set dhcp.@dnsmasq[0].ednspacket_max='1232' +set dhcp.lan=dhcp +set dhcp.lan.interface='lan' +set dhcp.lan.start='100' +set dhcp.lan.limit='150' +set dhcp.lan.leasetime='12h' +set dhcp.lan.dhcpv4='server' +set dhcp.lan.ignore='1' +set dhcp.wan=dhcp +set dhcp.wan.interface='wan' +set dhcp.wan.ignore='1' +set dhcp.odhcpd=odhcpd +set dhcp.odhcpd.maindhcp='0' +set dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd' +set dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update' +set dhcp.odhcpd.loglevel='4' +commit dhcp +set dropbear.@dropbear[0]=dropbear +set dropbear.@dropbear[0].PasswordAuth='on' +set dropbear.@dropbear[0].RootPasswordAuth='on' +set dropbear.@dropbear[0].Port='22' +commit dropbear +set firewall.@defaults[0]=defaults +set firewall.@defaults[0].syn_flood='1' +set firewall.@defaults[0].input='REJECT' +set firewall.@defaults[0].output='ACCEPT' +set firewall.@defaults[0].forward='REJECT' +set firewall.@zone[0]=zone +set firewall.@zone[0].name='lan' +set firewall.@zone[0].network='lan' +set firewall.@zone[0].input='ACCEPT' +set firewall.@zone[0].output='ACCEPT' +set firewall.@zone[0].forward='ACCEPT' +set firewall.@zone[1]=zone +set firewall.@zone[1].name='wan' +set firewall.@zone[1].network='wan' 'wan6' +set firewall.@zone[1].input='REJECT' +set firewall.@zone[1].output='ACCEPT' +set firewall.@zone[1].forward='REJECT' +set firewall.@zone[1].masq='1' +set firewall.@zone[1].mtu_fix='1' +set firewall.@forwarding[0]=forwarding +set firewall.@forwarding[0].src='lan' +set firewall.@forwarding[0].dest='wan' +set firewall.@rule[0]=rule +set firewall.@rule[0].name='Allow-DHCP-Renew' +set firewall.@rule[0].src='wan' +set firewall.@rule[0].proto='udp' +set firewall.@rule[0].dest_port='68' +set firewall.@rule[0].target='ACCEPT' +set firewall.@rule[0].family='ipv4' +set firewall.@rule[1]=rule +set firewall.@rule[1].name='Allow-Ping' +set firewall.@rule[1].src='wan' +set firewall.@rule[1].proto='icmp' +set firewall.@rule[1].icmp_type='echo-request' +set firewall.@rule[1].family='ipv4' +set firewall.@rule[1].target='ACCEPT' +set firewall.@rule[2]=rule +set firewall.@rule[2].name='Allow-IGMP' +set firewall.@rule[2].src='wan' +set firewall.@rule[2].proto='igmp' +set firewall.@rule[2].family='ipv4' +set firewall.@rule[2].target='ACCEPT' +set firewall.@rule[3]=rule +set firewall.@rule[3].name='Allow-DHCPv6' +set firewall.@rule[3].src='wan' +set firewall.@rule[3].proto='udp' +set firewall.@rule[3].dest_port='546' +set firewall.@rule[3].family='ipv6' +set firewall.@rule[3].target='ACCEPT' +set firewall.@rule[4]=rule +set firewall.@rule[4].name='Allow-MLD' +set firewall.@rule[4].src='wan' +set firewall.@rule[4].proto='icmp' +set firewall.@rule[4].src_ip='fe80::/10' +set firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0' +set firewall.@rule[4].family='ipv6' +set firewall.@rule[4].target='ACCEPT' +set firewall.@rule[5]=rule +set firewall.@rule[5].name='Allow-ICMPv6-Input' +set firewall.@rule[5].src='wan' +set firewall.@rule[5].proto='icmp' +set firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement' +set firewall.@rule[5].limit='1000/sec' +set firewall.@rule[5].family='ipv6' +set firewall.@rule[5].target='ACCEPT' +set firewall.@rule[6]=rule +set firewall.@rule[6].name='Allow-ICMPv6-Forward' +set firewall.@rule[6].src='wan' +set firewall.@rule[6].dest='*' +set firewall.@rule[6].proto='icmp' +set firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' +set firewall.@rule[6].limit='1000/sec' +set firewall.@rule[6].family='ipv6' +set firewall.@rule[6].target='ACCEPT' +set firewall.@rule[7]=rule +set firewall.@rule[7].name='Allow-IPSec-ESP' +set firewall.@rule[7].src='wan' +set firewall.@rule[7].dest='lan' +set firewall.@rule[7].proto='esp' +set firewall.@rule[7].target='ACCEPT' +set firewall.@rule[8]=rule +set firewall.@rule[8].name='Allow-ISAKMP' +set firewall.@rule[8].src='wan' +set firewall.@rule[8].dest='lan' +set firewall.@rule[8].dest_port='500' +set firewall.@rule[8].proto='udp' +set firewall.@rule[8].target='ACCEPT' +commit firewall +set fstab.@global[0]=global +set fstab.@global[0].anon_swap='0' +set fstab.@global[0].anon_mount='0' +set fstab.@global[0].auto_swap='1' +set fstab.@global[0].auto_mount='1' +set fstab.@global[0].delay_root='5' +set fstab.@global[0].check_fs='0' +set fstab.@mount[0]=mount +set fstab.@mount[0].target='/mnt/sda' +set fstab.@mount[0].uuid='9d591806-abe2-402b-a114-502e206789ae' +set fstab.@mount[0].enabled='1' +commit fstab +set hd-idle.@hd-idle[0]=hd-idle +set hd-idle.@hd-idle[0].disk='sda' +set hd-idle.@hd-idle[0].enabled='0' +set hd-idle.@hd-idle[0].idle_time_unit='minutes' +set hd-idle.@hd-idle[0].idle_time_interval='10' +commit hd-idle +set lldpd.config=lldpd +set lldpd.config.enable_cdp='1' +set lldpd.config.enable_fdp='1' +set lldpd.config.enable_sonmp='1' +set lldpd.config.enable_edp='1' +set lldpd.config.lldp_class='4' +set lldpd.config.lldp_location='address country EU' +set lldpd.config.interface='loopback' 'lan' +commit lldpd +set luci.main=core +set luci.main.lang='auto' +set luci.main.mediaurlbase='/luci-static/bootstrap' +set luci.main.resourcebase='/luci-static/resources' +set luci.main.ubuspath='/ubus/' +set luci.flash_keep=extern +set luci.flash_keep.uci='/etc/config/' +set luci.flash_keep.dropbear='/etc/dropbear/' +set luci.flash_keep.openvpn='/etc/openvpn/' +set luci.flash_keep.passwd='/etc/passwd' +set luci.flash_keep.opkg='/etc/opkg.conf' +set luci.flash_keep.firewall='/etc/firewall.user' +set luci.flash_keep.uploads='/lib/uci/upload/' +set luci.languages=internal +set luci.sauth=internal +set luci.sauth.sessionpath='/tmp/luci-sessions' +set luci.sauth.sessiontime='3600' +set luci.ccache=internal +set luci.ccache.enable='1' +set luci.themes=internal +set luci.themes.Bootstrap='/luci-static/bootstrap' +set luci.themes.BootstrapDark='/luci-static/bootstrap-dark' +set luci.themes.BootstrapLight='/luci-static/bootstrap-light' +set luci.apply=internal +set luci.apply.rollback='90' +set luci.apply.holdoff='4' +set luci.apply.timeout='5' +set luci.apply.display='1.5' +set luci.diag=internal +set luci.diag.dns='openwrt.org' +set luci.diag.ping='openwrt.org' +set luci.diag.route='openwrt.org' +commit luci +set mosquitto.owrt=owrt +set mosquitto.owrt.use_uci='0' +set mosquitto.mosquitto=mosquitto +set mosquitto.persistence=persistence +commit mosquitto +set network.loopback=interface +set network.loopback.device='lo' +set network.loopback.proto='static' +set network.loopback.ipaddr='127.0.0.1' +set network.loopback.netmask='255.0.0.0' +set network.globals=globals +set network.globals.ula_prefix='fdb5:9be6:0229::/48' +set network.globals.packet_steering='1' +set network.@device[0]=device +set network.@device[0].name='br-lan' +set network.@device[0].type='bridge' +set network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4' +set network.@device[0].ipv6='0' +set network.lan=interface +set network.lan.device='br-lan' +set network.lan.proto='static' +set network.lan.ipaddr='172.16.11.7' +set network.lan.netmask='255.255.255.0' +set network.lan.ip6assign='60' +set network.lan.gateway='172.16.11.1' +set network.lan.dns='172.16.11.1' +set network.lan.delegate='0' +set network.wan=interface +set network.wan.device='wan' +set network.wan.proto='dhcp' +set network.wan6=interface +set network.wan6.device='wan' +set network.wan6.proto='dhcpv6' +commit network +set rpcd.@rpcd[0]=rpcd +set rpcd.@rpcd[0].socket='/var/run/ubus/ubus.sock' +set rpcd.@rpcd[0].timeout='30' +set rpcd.@login[0]=login +set rpcd.@login[0].username='root' +set rpcd.@login[0].password='$p$root' +set rpcd.@login[0].read='*' +set rpcd.@login[0].write='*' +commit rpcd +set samba4.@samba[0]=samba +set samba4.@samba[0].workgroup='WORKGROUP' +set samba4.@samba[0].charset='UTF-8' +set samba4.@samba[0].description='Samba on OpenWRT' +set samba4.@samba[0].enable_extra_tuning='1' +set samba4.@sambashare[0]=sambashare +set samba4.@sambashare[0].name='bkp' +set samba4.@sambashare[0].path='/mnt/sda' +set samba4.@sambashare[0].read_only='no' +set samba4.@sambashare[0].guest_ok='yes' +set samba4.@sambashare[0].create_mask='0666' +set samba4.@sambashare[0].dir_mask='0777' +commit samba4 +set system.@system[0]=system +set system.@system[0].hostname='Buran-bee-stya.reut.loc' +set system.@system[0].timezone='MSK-3' +set system.@system[0].ttylogin='0' +set system.@system[0].log_size='64' +set system.@system[0].urandom_seed='0' +set system.@system[0].compat_version='1.1' +set system.@system[0].zonename='Europe/Moscow' +set system.@system[0].log_proto='udp' +set system.@system[0].conloglevel='8' +set system.@system[0].cronloglevel='5' +set system.ntp=timeserver +set system.ntp.server='0.openwrt.pool.ntp.org' '1.openwrt.pool.ntp.org' '2.openwrt.pool.ntp.org' '3.openwrt.pool.ntp.org' +set system.led_wan=led +set system.led_wan.name='wan' +set system.led_wan.sysfs='blue:wan' +set system.led_wan.trigger='netdev' +set system.led_wan.mode='link tx rx' +set system.led_wan.dev='wan' +commit system +set ubootenv.@ubootenv[0]=ubootenv +set ubootenv.@ubootenv[0].dev='/dev/mtd0' +set ubootenv.@ubootenv[0].offset='0x80000' +set ubootenv.@ubootenv[0].envsize='0x1000' +set ubootenv.@ubootenv[0].secsize='0x20000' +commit ubootenv +set ucitrack.@network[0]=network +set ucitrack.@network[0].init='network' +set ucitrack.@network[0].affects='dhcp' +set ucitrack.@wireless[0]=wireless +set ucitrack.@wireless[0].affects='network' +set ucitrack.@firewall[0]=firewall +set ucitrack.@firewall[0].init='firewall' +set ucitrack.@firewall[0].affects='luci-splash' 'qos' 'miniupnpd' +set ucitrack.@olsr[0]=olsr +set ucitrack.@olsr[0].init='olsrd' +set ucitrack.@dhcp[0]=dhcp +set ucitrack.@dhcp[0].init='dnsmasq' +set ucitrack.@dhcp[0].affects='odhcpd' +set ucitrack.@odhcpd[0]=odhcpd +set ucitrack.@odhcpd[0].init='odhcpd' +set ucitrack.@dropbear[0]=dropbear +set ucitrack.@dropbear[0].init='dropbear' +set ucitrack.@httpd[0]=httpd +set ucitrack.@httpd[0].init='httpd' +set ucitrack.@fstab[0]=fstab +set ucitrack.@fstab[0].exec='/sbin/block mount' +set ucitrack.@qos[0]=qos +set ucitrack.@qos[0].init='qos' +set ucitrack.@system[0]=system +set ucitrack.@system[0].init='led' +set ucitrack.@system[0].exec='/etc/init.d/log reload' +set ucitrack.@system[0].affects='luci_statistics' 'dhcp' +set ucitrack.@luci_splash[0]=luci_splash +set ucitrack.@luci_splash[0].init='luci_splash' +set ucitrack.@upnpd[0]=upnpd +set ucitrack.@upnpd[0].init='miniupnpd' +set ucitrack.@ntpclient[0]=ntpclient +set ucitrack.@ntpclient[0].init='ntpclient' +set ucitrack.@samba[0]=samba +set ucitrack.@samba[0].init='samba' +set ucitrack.@tinyproxy[0]=tinyproxy +set ucitrack.@tinyproxy[0].init='tinyproxy' +commit ucitrack +set uhttpd.main=uhttpd +set uhttpd.main.listen_http='0.0.0.0:80' '[::]:80' +set uhttpd.main.listen_https='0.0.0.0:443' '[::]:443' +set uhttpd.main.redirect_https='0' +set uhttpd.main.home='/www' +set uhttpd.main.rfc1918_filter='1' +set uhttpd.main.max_requests='3' +set uhttpd.main.max_connections='100' +set uhttpd.main.cert='/etc/uhttpd.crt' +set uhttpd.main.key='/etc/uhttpd.key' +set uhttpd.main.cgi_prefix='/cgi-bin' +set uhttpd.main.lua_prefix='/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua' +set uhttpd.main.script_timeout='60' +set uhttpd.main.network_timeout='30' +set uhttpd.main.http_keepalive='20' +set uhttpd.main.tcp_keepalive='1' +set uhttpd.main.ucode_prefix='/cgi-bin/luci=/usr/share/ucode/luci/uhttpd.uc' +set uhttpd.main.ubus_prefix='/ubus' +set uhttpd.defaults=cert +set uhttpd.defaults.days='730' +set uhttpd.defaults.key_type='ec' +set uhttpd.defaults.bits='2048' +set uhttpd.defaults.ec_curve='P-256' +set uhttpd.defaults.country='ZZ' +set uhttpd.defaults.state='Somewhere' +set uhttpd.defaults.location='Unknown' +set uhttpd.defaults.commonname='OpenWrt' +commit uhttpd +set wireless.radio0=wifi-device +set wireless.radio0.type='mac80211' +set wireless.radio0.path='1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0' +set wireless.radio0.channel='auto' +set wireless.radio0.band='2g' +set wireless.radio0.htmode='HT40' +set wireless.radio0.cell_density='0' +set wireless.radio0.country='RU' +set wireless.default_radio0=wifi-iface +set wireless.default_radio0.device='radio0' +set wireless.default_radio0.network='lan' +set wireless.default_radio0.mode='ap' +set wireless.default_radio0.ssid='Buran' +set wireless.default_radio0.encryption='sae' +set wireless.default_radio0.key='23637387581' +set wireless.default_radio0.disassoc_low_ack='0' +set wireless.default_radio0.ieee80211w='1' +set wireless.default_radio0.ieee80211r='1' +set wireless.default_radio0.mobility_domain='af53' +set wireless.default_radio0.ft_over_ds='0' +set wireless.default_radio0.wpa_disable_eapol_key_retries='1' +set wireless.default_radio0.skip_inactivity_poll='1' +set wireless.radio1=wifi-device +set wireless.radio1.type='mac80211' +set wireless.radio1.path='1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0' +set wireless.radio1.channel='60' +set wireless.radio1.band='5g' +set wireless.radio1.htmode='VHT160' +set wireless.radio1.cell_density='0' +set wireless.radio1.country='RU' +set wireless.default_radio1=wifi-iface +set wireless.default_radio1.device='radio1' +set wireless.default_radio1.network='lan' +set wireless.default_radio1.mode='ap' +set wireless.default_radio1.ssid='Buran' +set wireless.default_radio1.encryption='sae' +set wireless.default_radio1.key='23637387581' +set wireless.default_radio1.disassoc_low_ack='0' +set wireless.default_radio1.ieee80211w='1' +set wireless.default_radio1.ieee80211r='1' +set wireless.default_radio1.mobility_domain='af53' +set wireless.default_radio1.ft_over_ds='0' +set wireless.default_radio1.wpa_disable_eapol_key_retries='1' +set wireless.default_radio1.skip_inactivity_poll='1' +commit wireless +EOI +#---------------------------------------------------- +#Generating conf file +#---------------------------------------------------- +mkdir -p "/etc/mosquitto" + +mkdir -p "/etc/mosquitto" + +#Gen file /etc/mosquitto/mosquitto.conf-opkg + +mkdir -p "/etc/mosquitto" +cat << 'CFGEOF' > "/etc/mosquitto/mosquitto.conf-opkg" +# Config file for mosquitto +# +# See mosquitto.conf(5) for more information. +# +# Default values are shown, uncomment to change. +# +# Use the # character to indicate a comment, but only if it is the +# very first character on the line. + +# ================================================================= +# General configuration +# ================================================================= + +# Use per listener security settings. +# +# It is recommended this option be set before any other options. +# +# If this option is set to true, then all authentication and access control +# options are controlled on a per listener basis. The following options are +# affected: +# +# acl_file +# allow_anonymous +# allow_zero_length_clientid +# auto_id_prefix +# password_file +# plugin +# plugin_opt_* +# psk_file +# +# Note that if set to true, then a durable client (i.e. with clean session set +# to false) that has disconnected will use the ACL settings defined for the +# listener that it was most recently connected to. +# +# The default behaviour is for this to be set to false, which maintains the +# setting behaviour from previous versions of mosquitto. +#per_listener_settings false + + +# This option controls whether a client is allowed to connect with a zero +# length client id or not. This option only affects clients using MQTT v3.1.1 +# and later. If set to false, clients connecting with a zero length client id +# are disconnected. If set to true, clients will be allocated a client id by +# the broker. This means it is only useful for clients with clean session set +# to true. +#allow_zero_length_clientid true + +# If allow_zero_length_clientid is true, this option allows you to set a prefix +# to automatically generated client ids to aid visibility in logs. +# Defaults to 'auto-' +#auto_id_prefix auto- + +# This option affects the scenario when a client subscribes to a topic that has +# retained messages. It is possible that the client that published the retained +# message to the topic had access at the time they published, but that access +# has been subsequently removed. If check_retain_source is set to true, the +# default, the source of a retained message will be checked for access rights +# before it is republished. When set to false, no check will be made and the +# retained message will always be published. This affects all listeners. +#check_retain_source true + +# QoS 1 and 2 messages will be allowed inflight per client until this limit +# is exceeded. Defaults to 0. (No maximum) +# See also max_inflight_messages +#max_inflight_bytes 0 + +# The maximum number of QoS 1 and 2 messages currently inflight per +# client. +# This includes messages that are partway through handshakes and +# those that are being retried. Defaults to 20. Set to 0 for no +# maximum. Setting to 1 will guarantee in-order delivery of QoS 1 +# and 2 messages. +#max_inflight_messages 20 + +# For MQTT v5 clients, it is possible to have the server send a "server +# keepalive" value that will override the keepalive value set by the client. +# This is intended to be used as a mechanism to say that the server will +# disconnect the client earlier than it anticipated, and that the client should +# use the new keepalive value. The max_keepalive option allows you to specify +# that clients may only connect with keepalive less than or equal to this +# value, otherwise they will be sent a server keepalive telling them to use +# max_keepalive. This only applies to MQTT v5 clients. The default, and maximum +# value allowable, is 65535. +# +# Set to 0 to allow clients to set keepalive = 0, which means no keepalive +# checks are made and the client will never be disconnected by the broker if no +# messages are received. You should be very sure this is the behaviour that you +# want. +# +# For MQTT v3.1.1 and v3.1 clients, there is no mechanism to tell the client +# what keepalive value they should use. If an MQTT v3.1.1 or v3.1 client +# specifies a keepalive time greater than max_keepalive they will be sent a +# CONNACK message with the "identifier rejected" reason code, and disconnected. +# +#max_keepalive 65535 + +# For MQTT v5 clients, it is possible to have the server send a "maximum packet +# size" value that will instruct the client it will not accept MQTT packets +# with size greater than max_packet_size bytes. This applies to the full MQTT +# packet, not just the payload. Setting this option to a positive value will +# set the maximum packet size to that number of bytes. If a client sends a +# packet which is larger than this value, it will be disconnected. This applies +# to all clients regardless of the protocol version they are using, but v3.1.1 +# and earlier clients will of course not have received the maximum packet size +# information. Defaults to no limit. Setting below 20 bytes is forbidden +# because it is likely to interfere with ordinary client operation, even with +# very small payloads. +#max_packet_size 0 + +# QoS 1 and 2 messages above those currently in-flight will be queued per +# client until this limit is exceeded. Defaults to 0. (No maximum) +# See also max_queued_messages. +# If both max_queued_messages and max_queued_bytes are specified, packets will +# be queued until the first limit is reached. +#max_queued_bytes 0 + +# Set the maximum QoS supported. Clients publishing at a QoS higher than +# specified here will be disconnected. +#max_qos 2 + +# The maximum number of QoS 1 and 2 messages to hold in a queue per client +# above those that are currently in-flight. Defaults to 1000. Set +# to 0 for no maximum (not recommended). +# See also queue_qos0_messages. +# See also max_queued_bytes. +#max_queued_messages 1000 +# +# This option sets the maximum number of heap memory bytes that the broker will +# allocate, and hence sets a hard limit on memory use by the broker. Memory +# requests that exceed this value will be denied. The effect will vary +# depending on what has been denied. If an incoming message is being processed, +# then the message will be dropped and the publishing client will be +# disconnected. If an outgoing message is being sent, then the individual +# message will be dropped and the receiving client will be disconnected. +# Defaults to no limit. +#memory_limit 0 + +# This option sets the maximum publish payload size that the broker will allow. +# Received messages that exceed this size will not be accepted by the broker. +# The default value is 0, which means that all valid MQTT messages are +# accepted. MQTT imposes a maximum payload size of 268435455 bytes. +#message_size_limit 0 + +# This option allows the session of persistent clients (those with clean +# session set to false) that are not currently connected to be removed if they +# do not reconnect within a certain time frame. This is a non-standard option +# in MQTT v3.1. MQTT v3.1.1 and v5.0 allow brokers to remove client sessions. +# +# Badly designed clients may set clean session to false whilst using a randomly +# generated client id. This leads to persistent clients that connect once and +# never reconnect. This option allows these clients to be removed. This option +# allows persistent clients (those with clean session set to false) to be +# removed if they do not reconnect within a certain time frame. +# +# The expiration period should be an integer followed by one of h d w m y for +# hour, day, week, month and year respectively. For example +# +# persistent_client_expiration 2m +# persistent_client_expiration 14d +# persistent_client_expiration 1y +# +# The default if not set is to never expire persistent clients. +#persistent_client_expiration + +# Write process id to a file. Default is a blank string which means +# a pid file shouldn't be written. +# This should be set to /var/run/mosquitto/mosquitto.pid if mosquitto is +# being run automatically on boot with an init script and +# start-stop-daemon or similar. +#pid_file + +# Set to true to queue messages with QoS 0 when a persistent client is +# disconnected. These messages are included in the limit imposed by +# max_queued_messages and max_queued_bytes +# Defaults to false. +# This is a non-standard option for the MQTT v3.1 spec but is allowed in +# v3.1.1. +#queue_qos0_messages false + +# Set to false to disable retained message support. If a client publishes a +# message with the retain bit set, it will be disconnected if this is set to +# false. +#retain_available true + +# Disable Nagle's algorithm on client sockets. This has the effect of reducing +# latency of individual messages at the potential cost of increasing the number +# of packets being sent. +#set_tcp_nodelay false + +# Time in seconds between updates of the $SYS tree. +# Set to 0 to disable the publishing of the $SYS tree. +#sys_interval 10 + +# The MQTT specification requires that the QoS of a message delivered to a +# subscriber is never upgraded to match the QoS of the subscription. Enabling +# this option changes this behaviour. If upgrade_outgoing_qos is set true, +# messages sent to a subscriber will always match the QoS of its subscription. +# This is a non-standard option explicitly disallowed by the spec. +#upgrade_outgoing_qos false + +# When run as root, drop privileges to this user and its primary +# group. +# Set to root to stay as root, but this is not recommended. +# If set to "mosquitto", or left unset, and the "mosquitto" user does not exist +# then it will drop privileges to the "nobody" user instead. +# If run as a non-root user, this setting has no effect. +# Note that on Windows this has no effect and so mosquitto should be started by +# the user you wish it to run as. +#user mosquitto + +# ================================================================= +# Listeners +# ================================================================= + +# Listen on a port/ip address combination. By using this variable +# multiple times, mosquitto can listen on more than one port. If +# this variable is used and neither bind_address nor port given, +# then the default listener will not be started. +# The port number to listen on must be given. Optionally, an ip +# address or host name may be supplied as a second argument. In +# this case, mosquitto will attempt to bind the listener to that +# address and so restrict access to the associated network and +# interface. By default, mosquitto will listen on all interfaces. +# Note that for a websockets listener it is not possible to bind to a host +# name. +# +# On systems that support Unix Domain Sockets, it is also possible +# to create a # Unix socket rather than opening a TCP socket. In +# this case, the port number should be set to 0 and a unix socket +# path must be provided, e.g. +# listener 0 /tmp/mosquitto.sock +# +# listener port-number [ip address/host name/unix socket path] +#listener + +# By default, a listener will attempt to listen on all supported IP protocol +# versions. If you do not have an IPv4 or IPv6 interface you may wish to +# disable support for either of those protocol versions. In particular, note +# that due to the limitations of the websockets library, it will only ever +# attempt to open IPv6 sockets if IPv6 support is compiled in, and so will fail +# if IPv6 is not available. +# +# Set to `ipv4` to force the listener to only use IPv4, or set to `ipv6` to +# force the listener to only use IPv6. If you want support for both IPv4 and +# IPv6, then do not use the socket_domain option. +# +#socket_domain + +# Bind the listener to a specific interface. This is similar to +# the [ip address/host name] part of the listener definition, but is useful +# when an interface has multiple addresses or the address may change. If used +# with the [ip address/host name] part of the listener definition, then the +# bind_interface option will take priority. +# Not available on Windows. +# +# Example: bind_interface eth0 +#bind_interface + +# When a listener is using the websockets protocol, it is possible to serve +# http data as well. Set http_dir to a directory which contains the files you +# wish to serve. If this option is not specified, then no normal http +# connections will be possible. +#http_dir + +# The maximum number of client connections to allow. This is +# a per listener setting. +# Default is -1, which means unlimited connections. +# Note that other process limits mean that unlimited connections +# are not really possible. Typically the default maximum number of +# connections possible is around 1024. +#max_connections -1 + +# The listener can be restricted to operating within a topic hierarchy using +# the mount_point option. This is achieved be prefixing the mount_point string +# to all topics for any clients connected to this listener. This prefixing only +# happens internally to the broker; the client will not see the prefix. +#mount_point + +# Choose the protocol to use when listening. +# This can be either mqtt or websockets. +# Certificate based TLS may be used with websockets, except that only the +# cafile, certfile, keyfile, ciphers, and ciphers_tls13 options are supported. +#protocol mqtt + +# Set use_username_as_clientid to true to replace the clientid that a client +# connected with with its username. This allows authentication to be tied to +# the clientid, which means that it is possible to prevent one client +# disconnecting another by using the same clientid. +# If a client connects with no username it will be disconnected as not +# authorised when this option is set to true. +# Do not use in conjunction with clientid_prefixes. +# See also use_identity_as_username. +# This does not apply globally, but on a per-listener basis. +#use_username_as_clientid + +# Change the websockets headers size. This is a global option, it is not +# possible to set per listener. This option sets the size of the buffer used in +# the libwebsockets library when reading HTTP headers. If you are passing large +# header data such as cookies then you may need to increase this value. If left +# unset, or set to 0, then the default of 1024 bytes will be used. +#websockets_headers_size + +# ----------------------------------------------------------------- +# Certificate based SSL/TLS support +# ----------------------------------------------------------------- +# The following options can be used to enable certificate based SSL/TLS support +# for this listener. Note that the recommended port for MQTT over TLS is 8883, +# but this must be set manually. +# +# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS +# support" section. Only one of certificate or PSK encryption support can be +# enabled for any listener. + +# Both of certfile and keyfile must be defined to enable certificate based +# TLS encryption. + +# Path to the PEM encoded server certificate. +#certfile + +# Path to the PEM encoded keyfile. +#keyfile + +# If you wish to control which encryption ciphers are used, use the ciphers +# option. The list of available ciphers can be optained using the "openssl +# ciphers" command and should be provided in the same format as the output of +# that command. This applies to TLS 1.2 and earlier versions only. Use +# ciphers_tls1.3 for TLS v1.3. +#ciphers + +# Choose which TLS v1.3 ciphersuites are used for this listener. +# Defaults to "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" +#ciphers_tls1.3 + +# If you have require_certificate set to true, you can create a certificate +# revocation list file to revoke access to particular client certificates. If +# you have done this, use crlfile to point to the PEM encoded revocation file. +#crlfile + +# To allow the use of ephemeral DH key exchange, which provides forward +# security, the listener must load DH parameters. This can be specified with +# the dhparamfile option. The dhparamfile can be generated with the command +# e.g. "openssl dhparam -out dhparam.pem 2048" +#dhparamfile + +# By default an TLS enabled listener will operate in a similar fashion to a +# https enabled web server, in that the server has a certificate signed by a CA +# and the client will verify that it is a trusted certificate. The overall aim +# is encryption of the network traffic. By setting require_certificate to true, +# the client must provide a valid certificate in order for the network +# connection to proceed. This allows access to the broker to be controlled +# outside of the mechanisms provided by MQTT. +#require_certificate false + +# cafile and capath define methods of accessing the PEM encoded +# Certificate Authority certificates that will be considered trusted when +# checking incoming client certificates. +# cafile defines the path to a file containing the CA certificates. +# capath defines a directory that will be searched for files +# containing the CA certificates. For capath to work correctly, the +# certificate files must have ".crt" as the file ending and you must run +# "openssl rehash " each time you add/remove a certificate. +#cafile +#capath + + +# If require_certificate is true, you may set use_identity_as_username to true +# to use the CN value from the client certificate as a username. If this is +# true, the password_file option will not be used for this listener. +#use_identity_as_username false + +# ----------------------------------------------------------------- +# Pre-shared-key based SSL/TLS support +# ----------------------------------------------------------------- +# The following options can be used to enable PSK based SSL/TLS support for +# this listener. Note that the recommended port for MQTT over TLS is 8883, but +# this must be set manually. +# +# See also the mosquitto-tls man page and the "Certificate based SSL/TLS +# support" section. Only one of certificate or PSK encryption support can be +# enabled for any listener. + +# The psk_hint option enables pre-shared-key support for this listener and also +# acts as an identifier for this listener. The hint is sent to clients and may +# be used locally to aid authentication. The hint is a free form string that +# doesn't have much meaning in itself, so feel free to be creative. +# If this option is provided, see psk_file to define the pre-shared keys to be +# used or create a security plugin to handle them. +#psk_hint + +# When using PSK, the encryption ciphers used will be chosen from the list of +# available PSK ciphers. If you want to control which ciphers are available, +# use the "ciphers" option. The list of available ciphers can be optained +# using the "openssl ciphers" command and should be provided in the same format +# as the output of that command. +#ciphers + +# Set use_identity_as_username to have the psk identity sent by the client used +# as its username. Authentication will be carried out using the PSK rather than +# the MQTT username/password and so password_file will not be used for this +# listener. +#use_identity_as_username false + + +# ================================================================= +# Persistence +# ================================================================= + +# If persistence is enabled, save the in-memory database to disk +# every autosave_interval seconds. If set to 0, the persistence +# database will only be written when mosquitto exits. See also +# autosave_on_changes. +# Note that writing of the persistence database can be forced by +# sending mosquitto a SIGUSR1 signal. +#autosave_interval 1800 + +# If true, mosquitto will count the number of subscription changes, retained +# messages received and queued messages and if the total exceeds +# autosave_interval then the in-memory database will be saved to disk. +# If false, mosquitto will save the in-memory database to disk by treating +# autosave_interval as a time in seconds. +#autosave_on_changes false + +# Save persistent message data to disk (true/false). +# This saves information about all messages, including +# subscriptions, currently in-flight messages and retained +# messages. +# retained_persistence is a synonym for this option. +#persistence false + +# The filename to use for the persistent database, not including +# the path. +#persistence_file mosquitto.db + +# Location for persistent database. +# Default is an empty string (current directory). +# Set to e.g. /var/lib/mosquitto if running as a proper service on Linux or +# similar. +#persistence_location + + +# ================================================================= +# Logging +# ================================================================= + +# Places to log to. Use multiple log_dest lines for multiple +# logging destinations. +# Possible destinations are: stdout stderr syslog topic file dlt +# +# stdout and stderr log to the console on the named output. +# +# syslog uses the userspace syslog facility which usually ends up +# in /var/log/messages or similar. +# +# topic logs to the broker topic '$SYS/broker/log/', +# where severity is one of D, E, W, N, I, M which are debug, error, +# warning, notice, information and message. Message type severity is used by +# the subscribe/unsubscribe log_types and publishes log messages to +# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe. +# +# The file destination requires an additional parameter which is the file to be +# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be +# closed and reopened when the broker receives a HUP signal. Only a single file +# destination may be configured. +# +# The dlt destination is for the automotive `Diagnostic Log and Trace` tool. +# This requires that Mosquitto has been compiled with DLT support. +# +# Note that if the broker is running as a Windows service it will default to +# "log_dest none" and neither stdout nor stderr logging is available. +# Use "log_dest none" if you wish to disable logging. +#log_dest stderr + +# Types of messages to log. Use multiple log_type lines for logging +# multiple types of messages. +# Possible types are: debug, error, warning, notice, information, +# none, subscribe, unsubscribe, websockets, all. +# Note that debug type messages are for decoding the incoming/outgoing +# network packets. They are not logged in "topics". +#log_type error +#log_type warning +#log_type notice +#log_type information + + +# If set to true, client connection and disconnection messages will be included +# in the log. +#connection_messages true + +# If using syslog logging (not on Windows), messages will be logged to the +# "daemon" facility by default. Use the log_facility option to choose which of +# local0 to local7 to log to instead. The option value should be an integer +# value, e.g. "log_facility 5" to use local5. +#log_facility + +# If set to true, add a timestamp value to each log message. +#log_timestamp true + +# Set the format of the log timestamp. If left unset, this is the number of +# seconds since the Unix epoch. +# This is a free text string which will be passed to the strftime function. To +# get an ISO 8601 datetime, for example: +# log_timestamp_format %Y-%m-%dT%H:%M:%S +#log_timestamp_format + +# Change the websockets logging level. This is a global option, it is not +# possible to set per listener. This is an integer that is interpreted by +# libwebsockets as a bit mask for its lws_log_levels enum. See the +# libwebsockets documentation for more details. "log_type websockets" must also +# be enabled. +#websockets_log_level 0 + + +# ================================================================= +# Security +# ================================================================= + +# If set, only clients that have a matching prefix on their +# clientid will be allowed to connect to the broker. By default, +# all clients may connect. +# For example, setting "secure-" here would mean a client "secure- +# client" could connect but another with clientid "mqtt" couldn't. +#clientid_prefixes + +# Boolean value that determines whether clients that connect +# without providing a username are allowed to connect. If set to +# false then a password file should be created (see the +# password_file option) to control authenticated client access. +# +# Defaults to false, unless there are no listeners defined in the configuration +# file, in which case it is set to true, but connections are only allowed from +# the local machine. +#allow_anonymous false + +# ----------------------------------------------------------------- +# Default authentication and topic access control +# ----------------------------------------------------------------- + +# Control access to the broker using a password file. This file can be +# generated using the mosquitto_passwd utility. If TLS support is not compiled +# into mosquitto (it is recommended that TLS support should be included) then +# plain text passwords are used, in which case the file should be a text file +# with lines in the format: +# username:password +# The password (and colon) may be omitted if desired, although this +# offers very little in the way of security. +# +# See the TLS client require_certificate and use_identity_as_username options +# for alternative authentication options. If a plugin is used as well as +# password_file, the plugin check will be made first. +#password_file + +# Access may also be controlled using a pre-shared-key file. This requires +# TLS-PSK support and a listener configured to use it. The file should be text +# lines in the format: +# identity:key +# The key should be in hexadecimal format without a leading "0x". +# If an plugin is used as well, the plugin check will be made first. +#psk_file + +# Control access to topics on the broker using an access control list +# file. If this parameter is defined then only the topics listed will +# have access. +# If the first character of a line of the ACL file is a # it is treated as a +# comment. +# Topic access is added with lines of the format: +# +# topic [read|write|readwrite|deny] +# +# The access type is controlled using "read", "write", "readwrite" or "deny". +# This parameter is optional (unless contains a space character) - if +# not given then the access is read/write. can contain the + or # +# wildcards as in subscriptions. +# +# The "deny" option can used to explicity deny access to a topic that would +# otherwise be granted by a broader read/write/readwrite statement. Any "deny" +# topics are handled before topics that grant read/write access. +# +# The first set of topics are applied to anonymous clients, assuming +# allow_anonymous is true. User specific topic ACLs are added after a +# user line as follows: +# +# user +# +# The username referred to here is the same as in password_file. It is +# not the clientid. +# +# +# If is also possible to define ACLs based on pattern substitution within the +# topic. The patterns available for substition are: +# +# %c to match the client id of the client +# %u to match the username of the client +# +# The substitution pattern must be the only text for that level of hierarchy. +# +# The form is the same as for the topic keyword, but using pattern as the +# keyword. +# Pattern ACLs apply to all users even if the "user" keyword has previously +# been given. +# +# If using bridges with usernames and ACLs, connection messages can be allowed +# with the following pattern: +# pattern write $SYS/broker/connection/%c/state +# +# pattern [read|write|readwrite] +# +# Example: +# +# pattern write sensor/%u/data +# +# If an plugin is used as well as acl_file, the plugin check will be +# made first. +#acl_file + +# ----------------------------------------------------------------- +# External authentication and topic access plugin options +# ----------------------------------------------------------------- + +# External authentication and access control can be supported with the +# plugin option. This is a path to a loadable plugin. See also the +# plugin_opt_* options described below. +# +# The plugin option can be specified multiple times to load multiple +# plugins. The plugins will be processed in the order that they are specified +# here. If the plugin option is specified alongside either of +# password_file or acl_file then the plugin checks will be made first. +# +# If the per_listener_settings option is false, the plugin will be apply to all +# listeners. If per_listener_settings is true, then the plugin will apply to +# the current listener being defined only. +# +# This option is also available as `auth_plugin`, but this use is deprecated +# and will be removed in the future. +# +#plugin + +# If the plugin option above is used, define options to pass to the +# plugin here as described by the plugin instructions. All options named +# using the format plugin_opt_* will be passed to the plugin, for example: +# +# This option is also available as `auth_opt_*`, but this use is deprecated +# and will be removed in the future. +# +# plugin_opt_db_host +# plugin_opt_db_port +# plugin_opt_db_username +# plugin_opt_db_password + + +# ================================================================= +# Bridges +# ================================================================= + +# A bridge is a way of connecting multiple MQTT brokers together. +# Create a new bridge using the "connection" option as described below. Set +# options for the bridges using the remaining parameters. You must specify the +# address and at least one topic to subscribe to. +# +# Each connection must have a unique name. +# +# The address line may have multiple host address and ports specified. See +# below in the round_robin description for more details on bridge behaviour if +# multiple addresses are used. Note that if you use an IPv6 address, then you +# are required to specify a port. +# +# The direction that the topic will be shared can be chosen by +# specifying out, in or both, where the default value is out. +# The QoS level of the bridged communication can be specified with the next +# topic option. The default QoS level is 0, to change the QoS the topic +# direction must also be given. +# +# The local and remote prefix options allow a topic to be remapped when it is +# bridged to/from the remote broker. This provides the ability to place a topic +# tree in an appropriate location. +# +# For more details see the mosquitto.conf man page. +# +# Multiple topics can be specified per connection, but be careful +# not to create any loops. +# +# If you are using bridges with cleansession set to false (the default), then +# you may get unexpected behaviour from incoming topics if you change what +# topics you are subscribing to. This is because the remote broker keeps the +# subscription for the old topic. If you have this problem, connect your bridge +# with cleansession set to true, then reconnect with cleansession set to false +# as normal. +#connection +#address [:] [[:]] +#topic [[[out | in | both] qos-level] local-prefix remote-prefix] + +# If you need to have the bridge connect over a particular network interface, +# use bridge_bind_address to tell the bridge which local IP address the socket +# should bind to, e.g. `bridge_bind_address 192.168.1.10` +#bridge_bind_address + +# If a bridge has topics that have "out" direction, the default behaviour is to +# send an unsubscribe request to the remote broker on that topic. This means +# that changing a topic direction from "in" to "out" will not keep receiving +# incoming messages. Sending these unsubscribe requests is not always +# desirable, setting bridge_attempt_unsubscribe to false will disable sending +# the unsubscribe request. +#bridge_attempt_unsubscribe true + +# Set the version of the MQTT protocol to use with for this bridge. Can be one +# of mqttv50, mqttv311 or mqttv31. Defaults to mqttv311. +#bridge_protocol_version mqttv311 + +# Set the clean session variable for this bridge. +# When set to true, when the bridge disconnects for any reason, all +# messages and subscriptions will be cleaned up on the remote +# broker. Note that with cleansession set to true, there may be a +# significant amount of retained messages sent when the bridge +# reconnects after losing its connection. +# When set to false, the subscriptions and messages are kept on the +# remote broker, and delivered when the bridge reconnects. +#cleansession false + +# Set the amount of time a bridge using the lazy start type must be idle before +# it will be stopped. Defaults to 60 seconds. +#idle_timeout 60 + +# Set the keepalive interval for this bridge connection, in +# seconds. +#keepalive_interval 60 + +# Set the clientid to use on the local broker. If not defined, this defaults to +# 'local.'. If you are bridging a broker to itself, it is important +# that local_clientid and clientid do not match. +#local_clientid + +# If set to true, publish notification messages to the local and remote brokers +# giving information about the state of the bridge connection. Retained +# messages are published to the topic $SYS/broker/connection//state +# unless the notification_topic option is used. +# If the message is 1 then the connection is active, or 0 if the connection has +# failed. +# This uses the last will and testament feature. +#notifications true + +# Choose the topic on which notification messages for this bridge are +# published. If not set, messages are published on the topic +# $SYS/broker/connection//state +#notification_topic + +# Set the client id to use on the remote end of this bridge connection. If not +# defined, this defaults to 'name.hostname' where name is the connection name +# and hostname is the hostname of this computer. +# This replaces the old "clientid" option to avoid confusion. "clientid" +# remains valid for the time being. +#remote_clientid + +# Set the password to use when connecting to a broker that requires +# authentication. This option is only used if remote_username is also set. +# This replaces the old "password" option to avoid confusion. "password" +# remains valid for the time being. +#remote_password + +# Set the username to use when connecting to a broker that requires +# authentication. +# This replaces the old "username" option to avoid confusion. "username" +# remains valid for the time being. +#remote_username + +# Set the amount of time a bridge using the automatic start type will wait +# until attempting to reconnect. +# This option can be configured to use a constant delay time in seconds, or to +# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree +# of randomness to when the restart occurs. +# +# Set a constant timeout of 20 seconds: +# restart_timeout 20 +# +# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of +# 60 seconds: +# restart_timeout 10 30 +# +# Defaults to jitter with a base of 5 and cap of 30 +#restart_timeout 5 30 + +# If the bridge has more than one address given in the address/addresses +# configuration, the round_robin option defines the behaviour of the bridge on +# a failure of the bridge connection. If round_robin is false, the default +# value, then the first address is treated as the main bridge connection. If +# the connection fails, the other secondary addresses will be attempted in +# turn. Whilst connected to a secondary bridge, the bridge will periodically +# attempt to reconnect to the main bridge until successful. +# If round_robin is true, then all addresses are treated as equals. If a +# connection fails, the next address will be tried and if successful will +# remain connected until it fails +#round_robin false + +# Set the start type of the bridge. This controls how the bridge starts and +# can be one of three types: automatic, lazy and once. Note that RSMB provides +# a fourth start type "manual" which isn't currently supported by mosquitto. +# +# "automatic" is the default start type and means that the bridge connection +# will be started automatically when the broker starts and also restarted +# after a short delay (30 seconds) if the connection fails. +# +# Bridges using the "lazy" start type will be started automatically when the +# number of queued messages exceeds the number set with the "threshold" +# parameter. It will be stopped automatically after the time set by the +# "idle_timeout" parameter. Use this start type if you wish the connection to +# only be active when it is needed. +# +# A bridge using the "once" start type will be started automatically when the +# broker starts but will not be restarted if the connection fails. +#start_type automatic + +# Set the number of messages that need to be queued for a bridge with lazy +# start type to be restarted. Defaults to 10 messages. +# Must be less than max_queued_messages. +#threshold 10 + +# If try_private is set to true, the bridge will attempt to indicate to the +# remote broker that it is a bridge not an ordinary client. If successful, this +# means that loop detection will be more effective and that retained messages +# will be propagated correctly. Not all brokers support this feature so it may +# be necessary to set try_private to false if your bridge does not connect +# properly. +#try_private true + +# Some MQTT brokers do not allow retained messages. MQTT v5 gives a mechanism +# for brokers to tell clients that they do not support retained messages, but +# this is not possible for MQTT v3.1.1 or v3.1. If you need to bridge to a +# v3.1.1 or v3.1 broker that does not support retained messages, set the +# bridge_outgoing_retain option to false. This will remove the retain bit on +# all outgoing messages to that bridge, regardless of any other setting. +#bridge_outgoing_retain true + +# If you wish to restrict the size of messages sent to a remote bridge, use the +# bridge_max_packet_size option. This sets the maximum number of bytes for +# the total message, including headers and payload. +# Note that MQTT v5 brokers may provide their own maximum-packet-size property. +# In this case, the smaller of the two limits will be used. +# Set to 0 for "unlimited". +#bridge_max_packet_size 0 + + +# ----------------------------------------------------------------- +# Certificate based SSL/TLS support +# ----------------------------------------------------------------- +# Either bridge_cafile or bridge_capath must be defined to enable TLS support +# for this bridge. +# bridge_cafile defines the path to a file containing the +# Certificate Authority certificates that have signed the remote broker +# certificate. +# bridge_capath defines a directory that will be searched for files containing +# the CA certificates. For bridge_capath to work correctly, the certificate +# files must have ".crt" as the file ending and you must run "openssl rehash +# " each time you add/remove a certificate. +#bridge_cafile +#bridge_capath + + +# If the remote broker has more than one protocol available on its port, e.g. +# MQTT and WebSockets, then use bridge_alpn to configure which protocol is +# requested. Note that WebSockets support for bridges is not yet available. +#bridge_alpn + +# When using certificate based encryption, bridge_insecure disables +# verification of the server hostname in the server certificate. This can be +# useful when testing initial server configurations, but makes it possible for +# a malicious third party to impersonate your server through DNS spoofing, for +# example. Use this option in testing only. If you need to resort to using this +# option in a production environment, your setup is at fault and there is no +# point using encryption. +#bridge_insecure false + +# Path to the PEM encoded client certificate, if required by the remote broker. +#bridge_certfile + +# Path to the PEM encoded client private key, if required by the remote broker. +#bridge_keyfile + +# ----------------------------------------------------------------- +# PSK based SSL/TLS support +# ----------------------------------------------------------------- +# Pre-shared-key encryption provides an alternative to certificate based +# encryption. A bridge can be configured to use PSK with the bridge_identity +# and bridge_psk options. These are the client PSK identity, and pre-shared-key +# in hexadecimal format with no "0x". Only one of certificate and PSK based +# encryption can be used on one +# bridge at once. +#bridge_identity +#bridge_psk + + +# ================================================================= +# External config files +# ================================================================= + +# External configuration files may be included by using the +# include_dir option. This defines a directory that will be searched +# for config files. All files that end in '.conf' will be loaded as +# a configuration file. It is best to have this as the last option +# in the main file. This option will only be processed from the main +# configuration file. The directory specified must not contain the +# main configuration file. +# Files within include_dir will be loaded sorted in case-sensitive +# alphabetical order, with capital letters ordered first. If this option is +# given multiple times, all of the files from the first instance will be +# processed before the next instance. See the man page for examples. +#include_dir +CFGEOF + +#Gen file /etc/mosquitto/mosquitto.conf + +mkdir -p "/etc/mosquitto" +cat << 'CFGEOF' > "/etc/mosquitto/mosquitto.conf" +# Config file for mosquitto +# +# See mosquitto.conf(5) for more information. +# +# Default values are shown, uncomment to change. +# +# Use the # character to indicate a comment, but only if it is the +# very first character on the line. + +# ================================================================= +# General configuration +# ================================================================= + +# Use per listener security settings. +# +# It is recommended this option be set before any other options. +# +# If this option is set to true, then all authentication and access control +# options are controlled on a per listener basis. The following options are +# affected: +# +# acl_file +# allow_anonymous +# allow_zero_length_clientid +# auto_id_prefix +# password_file +# plugin +# plugin_opt_* +# psk_file +# +# Note that if set to true, then a durable client (i.e. with clean session set +# to false) that has disconnected will use the ACL settings defined for the +# listener that it was most recently connected to. +# +# The default behaviour is for this to be set to false, which maintains the +# setting behaviour from previous versions of mosquitto. +#per_listener_settings false + + +# This option controls whether a client is allowed to connect with a zero +# length client id or not. This option only affects clients using MQTT v3.1.1 +# and later. If set to false, clients connecting with a zero length client id +# are disconnected. If set to true, clients will be allocated a client id by +# the broker. This means it is only useful for clients with clean session set +# to true. +#allow_zero_length_clientid true + +# If allow_zero_length_clientid is true, this option allows you to set a prefix +# to automatically generated client ids to aid visibility in logs. +# Defaults to 'auto-' +#auto_id_prefix auto- + +# This option affects the scenario when a client subscribes to a topic that has +# retained messages. It is possible that the client that published the retained +# message to the topic had access at the time they published, but that access +# has been subsequently removed. If check_retain_source is set to true, the +# default, the source of a retained message will be checked for access rights +# before it is republished. When set to false, no check will be made and the +# retained message will always be published. This affects all listeners. +#check_retain_source true + +# QoS 1 and 2 messages will be allowed inflight per client until this limit +# is exceeded. Defaults to 0. (No maximum) +# See also max_inflight_messages +#max_inflight_bytes 0 + +# The maximum number of QoS 1 and 2 messages currently inflight per +# client. +# This includes messages that are partway through handshakes and +# those that are being retried. Defaults to 20. Set to 0 for no +# maximum. Setting to 1 will guarantee in-order delivery of QoS 1 +# and 2 messages. +#max_inflight_messages 20 + +# For MQTT v5 clients, it is possible to have the server send a "server +# keepalive" value that will override the keepalive value set by the client. +# This is intended to be used as a mechanism to say that the server will +# disconnect the client earlier than it anticipated, and that the client should +# use the new keepalive value. The max_keepalive option allows you to specify +# that clients may only connect with keepalive less than or equal to this +# value, otherwise they will be sent a server keepalive telling them to use +# max_keepalive. This only applies to MQTT v5 clients. The default, and maximum +# value allowable, is 65535. +# +# Set to 0 to allow clients to set keepalive = 0, which means no keepalive +# checks are made and the client will never be disconnected by the broker if no +# messages are received. You should be very sure this is the behaviour that you +# want. +# +# For MQTT v3.1.1 and v3.1 clients, there is no mechanism to tell the client +# what keepalive value they should use. If an MQTT v3.1.1 or v3.1 client +# specifies a keepalive time greater than max_keepalive they will be sent a +# CONNACK message with the "identifier rejected" reason code, and disconnected. +# +#max_keepalive 65535 + +# For MQTT v5 clients, it is possible to have the server send a "maximum packet +# size" value that will instruct the client it will not accept MQTT packets +# with size greater than max_packet_size bytes. This applies to the full MQTT +# packet, not just the payload. Setting this option to a positive value will +# set the maximum packet size to that number of bytes. If a client sends a +# packet which is larger than this value, it will be disconnected. This applies +# to all clients regardless of the protocol version they are using, but v3.1.1 +# and earlier clients will of course not have received the maximum packet size +# information. Defaults to no limit. Setting below 20 bytes is forbidden +# because it is likely to interfere with ordinary client operation, even with +# very small payloads. +#max_packet_size 0 + +# QoS 1 and 2 messages above those currently in-flight will be queued per +# client until this limit is exceeded. Defaults to 0. (No maximum) +# See also max_queued_messages. +# If both max_queued_messages and max_queued_bytes are specified, packets will +# be queued until the first limit is reached. +#max_queued_bytes 0 + +# Set the maximum QoS supported. Clients publishing at a QoS higher than +# specified here will be disconnected. +#max_qos 2 + +# The maximum number of QoS 1 and 2 messages to hold in a queue per client +# above those that are currently in-flight. Defaults to 1000. Set +# to 0 for no maximum (not recommended). +# See also queue_qos0_messages. +# See also max_queued_bytes. +#max_queued_messages 1000 +# +# This option sets the maximum number of heap memory bytes that the broker will +# allocate, and hence sets a hard limit on memory use by the broker. Memory +# requests that exceed this value will be denied. The effect will vary +# depending on what has been denied. If an incoming message is being processed, +# then the message will be dropped and the publishing client will be +# disconnected. If an outgoing message is being sent, then the individual +# message will be dropped and the receiving client will be disconnected. +# Defaults to no limit. +#memory_limit 0 + +# This option sets the maximum publish payload size that the broker will allow. +# Received messages that exceed this size will not be accepted by the broker. +# The default value is 0, which means that all valid MQTT messages are +# accepted. MQTT imposes a maximum payload size of 268435455 bytes. +#message_size_limit 0 + +# This option allows the session of persistent clients (those with clean +# session set to false) that are not currently connected to be removed if they +# do not reconnect within a certain time frame. This is a non-standard option +# in MQTT v3.1. MQTT v3.1.1 and v5.0 allow brokers to remove client sessions. +# +# Badly designed clients may set clean session to false whilst using a randomly +# generated client id. This leads to persistent clients that connect once and +# never reconnect. This option allows these clients to be removed. This option +# allows persistent clients (those with clean session set to false) to be +# removed if they do not reconnect within a certain time frame. +# +# The expiration period should be an integer followed by one of h d w m y for +# hour, day, week, month and year respectively. For example +# +# persistent_client_expiration 2m +# persistent_client_expiration 14d +# persistent_client_expiration 1y +# +# The default if not set is to never expire persistent clients. +#persistent_client_expiration + +# Write process id to a file. Default is a blank string which means +# a pid file shouldn't be written. +# This should be set to /var/run/mosquitto/mosquitto.pid if mosquitto is +# being run automatically on boot with an init script and +# start-stop-daemon or similar. +#pid_file + +# Set to true to queue messages with QoS 0 when a persistent client is +# disconnected. These messages are included in the limit imposed by +# max_queued_messages and max_queued_bytes +# Defaults to false. +# This is a non-standard option for the MQTT v3.1 spec but is allowed in +# v3.1.1. +#queue_qos0_messages false + +# Set to false to disable retained message support. If a client publishes a +# message with the retain bit set, it will be disconnected if this is set to +# false. +#retain_available true + +# Disable Nagle's algorithm on client sockets. This has the effect of reducing +# latency of individual messages at the potential cost of increasing the number +# of packets being sent. +#set_tcp_nodelay false + +# Time in seconds between updates of the $SYS tree. +# Set to 0 to disable the publishing of the $SYS tree. +#sys_interval 10 + +# The MQTT specification requires that the QoS of a message delivered to a +# subscriber is never upgraded to match the QoS of the subscription. Enabling +# this option changes this behaviour. If upgrade_outgoing_qos is set true, +# messages sent to a subscriber will always match the QoS of its subscription. +# This is a non-standard option explicitly disallowed by the spec. +#upgrade_outgoing_qos false + +# When run as root, drop privileges to this user and its primary +# group. +# Set to root to stay as root, but this is not recommended. +# If set to "mosquitto", or left unset, and the "mosquitto" user does not exist +# then it will drop privileges to the "nobody" user instead. +# If run as a non-root user, this setting has no effect. +# Note that on Windows this has no effect and so mosquitto should be started by +# the user you wish it to run as. +#user mosquitto + +# ================================================================= +# Listeners +# ================================================================= + +# Listen on a port/ip address combination. By using this variable +# multiple times, mosquitto can listen on more than one port. If +# this variable is used and neither bind_address nor port given, +# then the default listener will not be started. +# The port number to listen on must be given. Optionally, an ip +# address or host name may be supplied as a second argument. In +# this case, mosquitto will attempt to bind the listener to that +# address and so restrict access to the associated network and +# interface. By default, mosquitto will listen on all interfaces. +# Note that for a websockets listener it is not possible to bind to a host +# name. +# +# On systems that support Unix Domain Sockets, it is also possible +# to create a # Unix socket rather than opening a TCP socket. In +# this case, the port number should be set to 0 and a unix socket +# path must be provided, e.g. +# listener 0 /tmp/mosquitto.sock +# +# listener port-number [ip address/host name/unix socket path] +#listener + +# By default, a listener will attempt to listen on all supported IP protocol +# versions. If you do not have an IPv4 or IPv6 interface you may wish to +# disable support for either of those protocol versions. In particular, note +# that due to the limitations of the websockets library, it will only ever +# attempt to open IPv6 sockets if IPv6 support is compiled in, and so will fail +# if IPv6 is not available. +# +# Set to `ipv4` to force the listener to only use IPv4, or set to `ipv6` to +# force the listener to only use IPv6. If you want support for both IPv4 and +# IPv6, then do not use the socket_domain option. +# +#socket_domain + +# Bind the listener to a specific interface. This is similar to +# the [ip address/host name] part of the listener definition, but is useful +# when an interface has multiple addresses or the address may change. If used +# with the [ip address/host name] part of the listener definition, then the +# bind_interface option will take priority. +# Not available on Windows. +# +# Example: bind_interface eth0 +#bind_interface + +# When a listener is using the websockets protocol, it is possible to serve +# http data as well. Set http_dir to a directory which contains the files you +# wish to serve. If this option is not specified, then no normal http +# connections will be possible. +#http_dir + +# The maximum number of client connections to allow. This is +# a per listener setting. +# Default is -1, which means unlimited connections. +# Note that other process limits mean that unlimited connections +# are not really possible. Typically the default maximum number of +# connections possible is around 1024. +#max_connections -1 + +# The listener can be restricted to operating within a topic hierarchy using +# the mount_point option. This is achieved be prefixing the mount_point string +# to all topics for any clients connected to this listener. This prefixing only +# happens internally to the broker; the client will not see the prefix. +#mount_point + +# Choose the protocol to use when listening. +# This can be either mqtt or websockets. +# Certificate based TLS may be used with websockets, except that only the +# cafile, certfile, keyfile, ciphers, and ciphers_tls13 options are supported. +#protocol mqtt + +# Set use_username_as_clientid to true to replace the clientid that a client +# connected with with its username. This allows authentication to be tied to +# the clientid, which means that it is possible to prevent one client +# disconnecting another by using the same clientid. +# If a client connects with no username it will be disconnected as not +# authorised when this option is set to true. +# Do not use in conjunction with clientid_prefixes. +# See also use_identity_as_username. +# This does not apply globally, but on a per-listener basis. +#use_username_as_clientid + +# Change the websockets headers size. This is a global option, it is not +# possible to set per listener. This option sets the size of the buffer used in +# the libwebsockets library when reading HTTP headers. If you are passing large +# header data such as cookies then you may need to increase this value. If left +# unset, or set to 0, then the default of 1024 bytes will be used. +#websockets_headers_size + +# ----------------------------------------------------------------- +# Certificate based SSL/TLS support +# ----------------------------------------------------------------- +# The following options can be used to enable certificate based SSL/TLS support +# for this listener. Note that the recommended port for MQTT over TLS is 8883, +# but this must be set manually. +# +# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS +# support" section. Only one of certificate or PSK encryption support can be +# enabled for any listener. + +# Both of certfile and keyfile must be defined to enable certificate based +# TLS encryption. + +# Path to the PEM encoded server certificate. +#certfile + +# Path to the PEM encoded keyfile. +#keyfile + +# If you wish to control which encryption ciphers are used, use the ciphers +# option. The list of available ciphers can be optained using the "openssl +# ciphers" command and should be provided in the same format as the output of +# that command. This applies to TLS 1.2 and earlier versions only. Use +# ciphers_tls1.3 for TLS v1.3. +#ciphers + +# Choose which TLS v1.3 ciphersuites are used for this listener. +# Defaults to "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" +#ciphers_tls1.3 + +# If you have require_certificate set to true, you can create a certificate +# revocation list file to revoke access to particular client certificates. If +# you have done this, use crlfile to point to the PEM encoded revocation file. +#crlfile + +# To allow the use of ephemeral DH key exchange, which provides forward +# security, the listener must load DH parameters. This can be specified with +# the dhparamfile option. The dhparamfile can be generated with the command +# e.g. "openssl dhparam -out dhparam.pem 2048" +#dhparamfile + +# By default an TLS enabled listener will operate in a similar fashion to a +# https enabled web server, in that the server has a certificate signed by a CA +# and the client will verify that it is a trusted certificate. The overall aim +# is encryption of the network traffic. By setting require_certificate to true, +# the client must provide a valid certificate in order for the network +# connection to proceed. This allows access to the broker to be controlled +# outside of the mechanisms provided by MQTT. +#require_certificate false + +# cafile and capath define methods of accessing the PEM encoded +# Certificate Authority certificates that will be considered trusted when +# checking incoming client certificates. +# cafile defines the path to a file containing the CA certificates. +# capath defines a directory that will be searched for files +# containing the CA certificates. For capath to work correctly, the +# certificate files must have ".crt" as the file ending and you must run +# "openssl rehash " each time you add/remove a certificate. +#cafile +#capath + + +# If require_certificate is true, you may set use_identity_as_username to true +# to use the CN value from the client certificate as a username. If this is +# true, the password_file option will not be used for this listener. +#use_identity_as_username false + +# ----------------------------------------------------------------- +# Pre-shared-key based SSL/TLS support +# ----------------------------------------------------------------- +# The following options can be used to enable PSK based SSL/TLS support for +# this listener. Note that the recommended port for MQTT over TLS is 8883, but +# this must be set manually. +# +# See also the mosquitto-tls man page and the "Certificate based SSL/TLS +# support" section. Only one of certificate or PSK encryption support can be +# enabled for any listener. + +# The psk_hint option enables pre-shared-key support for this listener and also +# acts as an identifier for this listener. The hint is sent to clients and may +# be used locally to aid authentication. The hint is a free form string that +# doesn't have much meaning in itself, so feel free to be creative. +# If this option is provided, see psk_file to define the pre-shared keys to be +# used or create a security plugin to handle them. +#psk_hint + +# When using PSK, the encryption ciphers used will be chosen from the list of +# available PSK ciphers. If you want to control which ciphers are available, +# use the "ciphers" option. The list of available ciphers can be optained +# using the "openssl ciphers" command and should be provided in the same format +# as the output of that command. +#ciphers + +# Set use_identity_as_username to have the psk identity sent by the client used +# as its username. Authentication will be carried out using the PSK rather than +# the MQTT username/password and so password_file will not be used for this +# listener. +#use_identity_as_username false + + +# ================================================================= +# Persistence +# ================================================================= + +# If persistence is enabled, save the in-memory database to disk +# every autosave_interval seconds. If set to 0, the persistence +# database will only be written when mosquitto exits. See also +# autosave_on_changes. +# Note that writing of the persistence database can be forced by +# sending mosquitto a SIGUSR1 signal. +#autosave_interval 1800 + +# If true, mosquitto will count the number of subscription changes, retained +# messages received and queued messages and if the total exceeds +# autosave_interval then the in-memory database will be saved to disk. +# If false, mosquitto will save the in-memory database to disk by treating +# autosave_interval as a time in seconds. +#autosave_on_changes false + +# Save persistent message data to disk (true/false). +# This saves information about all messages, including +# subscriptions, currently in-flight messages and retained +# messages. +# retained_persistence is a synonym for this option. +#persistence false + +# The filename to use for the persistent database, not including +# the path. +#persistence_file mosquitto.db + +# Location for persistent database. +# Default is an empty string (current directory). +# Set to e.g. /var/lib/mosquitto if running as a proper service on Linux or +# similar. +#persistence_location + + +# ================================================================= +# Logging +# ================================================================= + +# Places to log to. Use multiple log_dest lines for multiple +# logging destinations. +# Possible destinations are: stdout stderr syslog topic file dlt +# +# stdout and stderr log to the console on the named output. +# +# syslog uses the userspace syslog facility which usually ends up +# in /var/log/messages or similar. +# +# topic logs to the broker topic '$SYS/broker/log/', +# where severity is one of D, E, W, N, I, M which are debug, error, +# warning, notice, information and message. Message type severity is used by +# the subscribe/unsubscribe log_types and publishes log messages to +# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe. +# +# The file destination requires an additional parameter which is the file to be +# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be +# closed and reopened when the broker receives a HUP signal. Only a single file +# destination may be configured. +# +# The dlt destination is for the automotive `Diagnostic Log and Trace` tool. +# This requires that Mosquitto has been compiled with DLT support. +# +# Note that if the broker is running as a Windows service it will default to +# "log_dest none" and neither stdout nor stderr logging is available. +# Use "log_dest none" if you wish to disable logging. +#log_dest stderr + +# Types of messages to log. Use multiple log_type lines for logging +# multiple types of messages. +# Possible types are: debug, error, warning, notice, information, +# none, subscribe, unsubscribe, websockets, all. +# Note that debug type messages are for decoding the incoming/outgoing +# network packets. They are not logged in "topics". +#log_type error +#log_type warning +#log_type notice +#log_type information + + +# If set to true, client connection and disconnection messages will be included +# in the log. +#connection_messages true + +# If using syslog logging (not on Windows), messages will be logged to the +# "daemon" facility by default. Use the log_facility option to choose which of +# local0 to local7 to log to instead. The option value should be an integer +# value, e.g. "log_facility 5" to use local5. +#log_facility + +# If set to true, add a timestamp value to each log message. +#log_timestamp true + +# Set the format of the log timestamp. If left unset, this is the number of +# seconds since the Unix epoch. +# This is a free text string which will be passed to the strftime function. To +# get an ISO 8601 datetime, for example: +# log_timestamp_format %Y-%m-%dT%H:%M:%S +#log_timestamp_format + +# Change the websockets logging level. This is a global option, it is not +# possible to set per listener. This is an integer that is interpreted by +# libwebsockets as a bit mask for its lws_log_levels enum. See the +# libwebsockets documentation for more details. "log_type websockets" must also +# be enabled. +#websockets_log_level 0 + + +# ================================================================= +# Security +# ================================================================= + +# If set, only clients that have a matching prefix on their +# clientid will be allowed to connect to the broker. By default, +# all clients may connect. +# For example, setting "secure-" here would mean a client "secure- +# client" could connect but another with clientid "mqtt" couldn't. +#clientid_prefixes + +# Boolean value that determines whether clients that connect +# without providing a username are allowed to connect. If set to +# false then a password file should be created (see the +# password_file option) to control authenticated client access. +# +# Defaults to false, unless there are no listeners defined in the configuration +# file, in which case it is set to true, but connections are only allowed from +# the local machine. +#allow_anonymous false + +# ----------------------------------------------------------------- +# Default authentication and topic access control +# ----------------------------------------------------------------- + +# Control access to the broker using a password file. This file can be +# generated using the mosquitto_passwd utility. If TLS support is not compiled +# into mosquitto (it is recommended that TLS support should be included) then +# plain text passwords are used, in which case the file should be a text file +# with lines in the format: +# username:password +# The password (and colon) may be omitted if desired, although this +# offers very little in the way of security. +# +# See the TLS client require_certificate and use_identity_as_username options +# for alternative authentication options. If a plugin is used as well as +# password_file, the plugin check will be made first. +#password_file + +# Access may also be controlled using a pre-shared-key file. This requires +# TLS-PSK support and a listener configured to use it. The file should be text +# lines in the format: +# identity:key +# The key should be in hexadecimal format without a leading "0x". +# If an plugin is used as well, the plugin check will be made first. +#psk_file + +# Control access to topics on the broker using an access control list +# file. If this parameter is defined then only the topics listed will +# have access. +# If the first character of a line of the ACL file is a # it is treated as a +# comment. +# Topic access is added with lines of the format: +# +# topic [read|write|readwrite|deny] +# +# The access type is controlled using "read", "write", "readwrite" or "deny". +# This parameter is optional (unless contains a space character) - if +# not given then the access is read/write. can contain the + or # +# wildcards as in subscriptions. +# +# The "deny" option can used to explicity deny access to a topic that would +# otherwise be granted by a broader read/write/readwrite statement. Any "deny" +# topics are handled before topics that grant read/write access. +# +# The first set of topics are applied to anonymous clients, assuming +# allow_anonymous is true. User specific topic ACLs are added after a +# user line as follows: +# +# user +# +# The username referred to here is the same as in password_file. It is +# not the clientid. +# +# +# If is also possible to define ACLs based on pattern substitution within the +# topic. The patterns available for substition are: +# +# %c to match the client id of the client +# %u to match the username of the client +# +# The substitution pattern must be the only text for that level of hierarchy. +# +# The form is the same as for the topic keyword, but using pattern as the +# keyword. +# Pattern ACLs apply to all users even if the "user" keyword has previously +# been given. +# +# If using bridges with usernames and ACLs, connection messages can be allowed +# with the following pattern: +# pattern write $SYS/broker/connection/%c/state +# +# pattern [read|write|readwrite] +# +# Example: +# +# pattern write sensor/%u/data +# +# If an plugin is used as well as acl_file, the plugin check will be +# made first. +#acl_file + +# ----------------------------------------------------------------- +# External authentication and topic access plugin options +# ----------------------------------------------------------------- + +# External authentication and access control can be supported with the +# plugin option. This is a path to a loadable plugin. See also the +# plugin_opt_* options described below. +# +# The plugin option can be specified multiple times to load multiple +# plugins. The plugins will be processed in the order that they are specified +# here. If the plugin option is specified alongside either of +# password_file or acl_file then the plugin checks will be made first. +# +# If the per_listener_settings option is false, the plugin will be apply to all +# listeners. If per_listener_settings is true, then the plugin will apply to +# the current listener being defined only. +# +# This option is also available as `auth_plugin`, but this use is deprecated +# and will be removed in the future. +# +#plugin + +# If the plugin option above is used, define options to pass to the +# plugin here as described by the plugin instructions. All options named +# using the format plugin_opt_* will be passed to the plugin, for example: +# +# This option is also available as `auth_opt_*`, but this use is deprecated +# and will be removed in the future. +# +# plugin_opt_db_host +# plugin_opt_db_port +# plugin_opt_db_username +# plugin_opt_db_password + + +# ================================================================= +# Bridges +# ================================================================= + +# A bridge is a way of connecting multiple MQTT brokers together. +# Create a new bridge using the "connection" option as described below. Set +# options for the bridges using the remaining parameters. You must specify the +# address and at least one topic to subscribe to. +# +# Each connection must have a unique name. +# +# The address line may have multiple host address and ports specified. See +# below in the round_robin description for more details on bridge behaviour if +# multiple addresses are used. Note that if you use an IPv6 address, then you +# are required to specify a port. +# +# The direction that the topic will be shared can be chosen by +# specifying out, in or both, where the default value is out. +# The QoS level of the bridged communication can be specified with the next +# topic option. The default QoS level is 0, to change the QoS the topic +# direction must also be given. +# +# The local and remote prefix options allow a topic to be remapped when it is +# bridged to/from the remote broker. This provides the ability to place a topic +# tree in an appropriate location. +# +# For more details see the mosquitto.conf man page. +# +# Multiple topics can be specified per connection, but be careful +# not to create any loops. +# +# If you are using bridges with cleansession set to false (the default), then +# you may get unexpected behaviour from incoming topics if you change what +# topics you are subscribing to. This is because the remote broker keeps the +# subscription for the old topic. If you have this problem, connect your bridge +# with cleansession set to true, then reconnect with cleansession set to false +# as normal. +#connection +#address [:] [[:]] +#topic [[[out | in | both] qos-level] local-prefix remote-prefix] + +# If you need to have the bridge connect over a particular network interface, +# use bridge_bind_address to tell the bridge which local IP address the socket +# should bind to, e.g. `bridge_bind_address 192.168.1.10` +#bridge_bind_address + +# If a bridge has topics that have "out" direction, the default behaviour is to +# send an unsubscribe request to the remote broker on that topic. This means +# that changing a topic direction from "in" to "out" will not keep receiving +# incoming messages. Sending these unsubscribe requests is not always +# desirable, setting bridge_attempt_unsubscribe to false will disable sending +# the unsubscribe request. +#bridge_attempt_unsubscribe true + +# Set the version of the MQTT protocol to use with for this bridge. Can be one +# of mqttv50, mqttv311 or mqttv31. Defaults to mqttv311. +#bridge_protocol_version mqttv311 + +# Set the clean session variable for this bridge. +# When set to true, when the bridge disconnects for any reason, all +# messages and subscriptions will be cleaned up on the remote +# broker. Note that with cleansession set to true, there may be a +# significant amount of retained messages sent when the bridge +# reconnects after losing its connection. +# When set to false, the subscriptions and messages are kept on the +# remote broker, and delivered when the bridge reconnects. +#cleansession false + +# Set the amount of time a bridge using the lazy start type must be idle before +# it will be stopped. Defaults to 60 seconds. +#idle_timeout 60 + +# Set the keepalive interval for this bridge connection, in +# seconds. +#keepalive_interval 60 + +# Set the clientid to use on the local broker. If not defined, this defaults to +# 'local.'. If you are bridging a broker to itself, it is important +# that local_clientid and clientid do not match. +#local_clientid + +# If set to true, publish notification messages to the local and remote brokers +# giving information about the state of the bridge connection. Retained +# messages are published to the topic $SYS/broker/connection//state +# unless the notification_topic option is used. +# If the message is 1 then the connection is active, or 0 if the connection has +# failed. +# This uses the last will and testament feature. +#notifications true + +# Choose the topic on which notification messages for this bridge are +# published. If not set, messages are published on the topic +# $SYS/broker/connection//state +#notification_topic + +# Set the client id to use on the remote end of this bridge connection. If not +# defined, this defaults to 'name.hostname' where name is the connection name +# and hostname is the hostname of this computer. +# This replaces the old "clientid" option to avoid confusion. "clientid" +# remains valid for the time being. +#remote_clientid + +# Set the password to use when connecting to a broker that requires +# authentication. This option is only used if remote_username is also set. +# This replaces the old "password" option to avoid confusion. "password" +# remains valid for the time being. +#remote_password + +# Set the username to use when connecting to a broker that requires +# authentication. +# This replaces the old "username" option to avoid confusion. "username" +# remains valid for the time being. +#remote_username + +# Set the amount of time a bridge using the automatic start type will wait +# until attempting to reconnect. +# This option can be configured to use a constant delay time in seconds, or to +# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree +# of randomness to when the restart occurs. +# +# Set a constant timeout of 20 seconds: +# restart_timeout 20 +# +# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of +# 60 seconds: +# restart_timeout 10 30 +# +# Defaults to jitter with a base of 5 and cap of 30 +#restart_timeout 5 30 + +# If the bridge has more than one address given in the address/addresses +# configuration, the round_robin option defines the behaviour of the bridge on +# a failure of the bridge connection. If round_robin is false, the default +# value, then the first address is treated as the main bridge connection. If +# the connection fails, the other secondary addresses will be attempted in +# turn. Whilst connected to a secondary bridge, the bridge will periodically +# attempt to reconnect to the main bridge until successful. +# If round_robin is true, then all addresses are treated as equals. If a +# connection fails, the next address will be tried and if successful will +# remain connected until it fails +#round_robin false + +# Set the start type of the bridge. This controls how the bridge starts and +# can be one of three types: automatic, lazy and once. Note that RSMB provides +# a fourth start type "manual" which isn't currently supported by mosquitto. +# +# "automatic" is the default start type and means that the bridge connection +# will be started automatically when the broker starts and also restarted +# after a short delay (30 seconds) if the connection fails. +# +# Bridges using the "lazy" start type will be started automatically when the +# number of queued messages exceeds the number set with the "threshold" +# parameter. It will be stopped automatically after the time set by the +# "idle_timeout" parameter. Use this start type if you wish the connection to +# only be active when it is needed. +# +# A bridge using the "once" start type will be started automatically when the +# broker starts but will not be restarted if the connection fails. +#start_type automatic + +# Set the number of messages that need to be queued for a bridge with lazy +# start type to be restarted. Defaults to 10 messages. +# Must be less than max_queued_messages. +#threshold 10 + +# If try_private is set to true, the bridge will attempt to indicate to the +# remote broker that it is a bridge not an ordinary client. If successful, this +# means that loop detection will be more effective and that retained messages +# will be propagated correctly. Not all brokers support this feature so it may +# be necessary to set try_private to false if your bridge does not connect +# properly. +#try_private true + +# Some MQTT brokers do not allow retained messages. MQTT v5 gives a mechanism +# for brokers to tell clients that they do not support retained messages, but +# this is not possible for MQTT v3.1.1 or v3.1. If you need to bridge to a +# v3.1.1 or v3.1 broker that does not support retained messages, set the +# bridge_outgoing_retain option to false. This will remove the retain bit on +# all outgoing messages to that bridge, regardless of any other setting. +#bridge_outgoing_retain true + +# If you wish to restrict the size of messages sent to a remote bridge, use the +# bridge_max_packet_size option. This sets the maximum number of bytes for +# the total message, including headers and payload. +# Note that MQTT v5 brokers may provide their own maximum-packet-size property. +# In this case, the smaller of the two limits will be used. +# Set to 0 for "unlimited". +#bridge_max_packet_size 0 + + +# ----------------------------------------------------------------- +# Certificate based SSL/TLS support +# ----------------------------------------------------------------- +# Either bridge_cafile or bridge_capath must be defined to enable TLS support +# for this bridge. +# bridge_cafile defines the path to a file containing the +# Certificate Authority certificates that have signed the remote broker +# certificate. +# bridge_capath defines a directory that will be searched for files containing +# the CA certificates. For bridge_capath to work correctly, the certificate +# files must have ".crt" as the file ending and you must run "openssl rehash +# " each time you add/remove a certificate. +#bridge_cafile +#bridge_capath + + +# If the remote broker has more than one protocol available on its port, e.g. +# MQTT and WebSockets, then use bridge_alpn to configure which protocol is +# requested. Note that WebSockets support for bridges is not yet available. +#bridge_alpn + +# When using certificate based encryption, bridge_insecure disables +# verification of the server hostname in the server certificate. This can be +# useful when testing initial server configurations, but makes it possible for +# a malicious third party to impersonate your server through DNS spoofing, for +# example. Use this option in testing only. If you need to resort to using this +# option in a production environment, your setup is at fault and there is no +# point using encryption. +#bridge_insecure false + +# Path to the PEM encoded client certificate, if required by the remote broker. +#bridge_certfile + +# Path to the PEM encoded client private key, if required by the remote broker. +#bridge_keyfile + +# ----------------------------------------------------------------- +# PSK based SSL/TLS support +# ----------------------------------------------------------------- +# Pre-shared-key encryption provides an alternative to certificate based +# encryption. A bridge can be configured to use PSK with the bridge_identity +# and bridge_psk options. These are the client PSK identity, and pre-shared-key +# in hexadecimal format with no "0x". Only one of certificate and PSK based +# encryption can be used on one +# bridge at once. +#bridge_identity +#bridge_psk + + +# ================================================================= +# External config files +# ================================================================= + +# External configuration files may be included by using the +# include_dir option. This defines a directory that will be searched +# for config files. All files that end in '.conf' will be loaded as +# a configuration file. It is best to have this as the last option +# in the main file. This option will only be processed from the main +# configuration file. The directory specified must not contain the +# main configuration file. +# Files within include_dir will be loaded sorted in case-sensitive +# alphabetical order, with capital letters ordered first. If this option is +# given multiple times, all of the files from the first instance will be +# processed before the next instance. See the man page for examples. +#include_dir +listener 1883 0.0.0.0 +autosave_interval 86400 # once a day +persistence true +persistence_location /root/bkpscript +allow_anonymous true +CFGEOF + +# WARNING: /etc/bird.conf не существует +# WARNING: /etc/bird4.conf не существует +#---------------------------------------------------- +#Generating cron +#---------------------------------------------------- + diff --git a/bkps/wrt-bkp-172.16.111.7.sh b/bkps/wrt-bkp-172.16.111.7.sh new file mode 100644 index 0000000..cdc8362 --- /dev/null +++ b/bkps/wrt-bkp-172.16.111.7.sh @@ -0,0 +1,2237 @@ + +#hostname= Buran-mi-zah +#DISTRIB_DESCRIPTION='OpenWrt 22.03.5 r20134-5f15225c1e' +#profile = xiaomi_mi-router-3g-v2 +#target = ramips +#soc = mt7621 +#arch = mipsel_24kc +#Xiaomi Mi Router 3G v2 custom default settings +#---------------------------------------------------- +#Generating cmd for install pkg +#---------------------------------------------------- +opkg install iwinfo +opkg install cgi-io +opkg install luci-lib-base +opkg install opkg +opkg install luci-app-opkg +opkg install ubus +opkg install rpcd +opkg install luci-lib-ip +opkg install kmod-nft-fib +opkg install kmod-nfnetlink +opkg install libubus-lua +opkg install kmod-crypto-hash +opkg install kmod-nf-reject6 +opkg install libiwinfo-lua +opkg install luci-mod-system +opkg install kmod-nf-flow +opkg install kmod-lib-crc-ccitt +opkg install getrandom +opkg install ucode-mod-ubus +opkg install luci-theme-bootstrap +opkg install kmod-pppoe +opkg install kmod-pppox +opkg install kmod-nf-reject +opkg install procd-ujail +opkg install base-files +opkg install kmod-nf-nat +opkg install kmod-crypto-crc32c +opkg install ucode-mod-uci +opkg install netifd +opkg install dnsmasq +opkg install ubusd +opkg install kmod-lib-crc32c +opkg install luci-mod-status +opkg install kmod-nft-nat +opkg install luci-app-firewall +opkg install tcpdump +opkg install ubi-utils +opkg install odhcp6c +opkg install fstools +opkg install uci +opkg install lua +opkg install ucode-mod-fs +opkg install luci-ssl +opkg install dropbear +opkg install rpcd-mod-file +opkg install mtd +opkg install odhcpd-ipv6only +opkg install procd-seccomp +opkg install libiwinfo-data +opkg install ucode +opkg install rpcd-mod-luci +opkg install kmod-nf-log +opkg install urandom-seed +opkg install luci-proto-ppp +opkg install luci-mod-admin-full +opkg install ppp +opkg install luci-base +opkg install kmod-leds-gpio +opkg install kmod-gpio-button-hotplug +opkg install logd +opkg install kmod-mt7603 +opkg install kmod-nf-log6 +opkg install luci-proto-ipv6 +opkg install jshn +opkg install kmod-ppp +opkg install kmod-nft-offload +opkg install uhttpd +opkg install kmod-nf-conntrack +opkg install usign +opkg install luci-lib-nixio +opkg install liblucihttp-lua +opkg install luci-lib-jsonc +opkg install luci +opkg install kmod-nf-conntrack6 +opkg install ubox +opkg install kernel +opkg install rpcd-mod-iwinfo +opkg install kmod-mt76x2 +opkg install luci-mod-network +opkg install kmod-nft-core +opkg install uhttpd-mod-ubus +opkg install fwtool +opkg install jsonfilter +opkg install hostapd-common +opkg install urngd +opkg install kmod-slhc +opkg install rpcd-mod-rrdns +opkg install ppp-mod-pppoe +#---------------------------------------------------- +#Generating configuration Xiaomi Mi Router 3G v2 +#---------------------------------------------------- +uci -q batch << EOI +set dhcp.@dnsmasq[0]=dnsmasq +set dhcp.@dnsmasq[0].domainneeded='1' +set dhcp.@dnsmasq[0].localise_queries='1' +set dhcp.@dnsmasq[0].rebind_protection='1' +set dhcp.@dnsmasq[0].rebind_localhost='1' +set dhcp.@dnsmasq[0].local='/lan/' +set dhcp.@dnsmasq[0].domain='lan' +set dhcp.@dnsmasq[0].expandhosts='1' +set dhcp.@dnsmasq[0].authoritative='1' +set dhcp.@dnsmasq[0].readethers='1' +set dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases' +set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto' +set dhcp.@dnsmasq[0].localservice='1' +set dhcp.@dnsmasq[0].ednspacket_max='1232' +set dhcp.lan=dhcp +set dhcp.lan.interface='lan' +set dhcp.lan.start='100' +set dhcp.lan.limit='150' +set dhcp.lan.leasetime='12h' +set dhcp.lan.dhcpv4='server' +set dhcp.lan.ignore='1' +set dhcp.lan.dynamicdhcp='0' +set dhcp.wan=dhcp +set dhcp.wan.interface='wan' +set dhcp.wan.ignore='1' +set dhcp.odhcpd=odhcpd +set dhcp.odhcpd.maindhcp='0' +set dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd' +set dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update' +set dhcp.odhcpd.loglevel='4' +set dhcp.@relay[0]=relay +set dhcp.@relay[0].id='1' +set dhcp.@relay[0].interface='lan' +set dhcp.@relay[0].local_addr='172.17.10.7' +set dhcp.@relay[0].server_addr='172.17.10.1' +commit dhcp +set dropbear.@dropbear[0]=dropbear +set dropbear.@dropbear[0].PasswordAuth='on' +set dropbear.@dropbear[0].RootPasswordAuth='on' +set dropbear.@dropbear[0].Port='22' +commit dropbear +set firewall.@defaults[0]=defaults +set firewall.@defaults[0].syn_flood='1' +set firewall.@defaults[0].input='ACCEPT' +set firewall.@defaults[0].output='ACCEPT' +set firewall.@defaults[0].forward='REJECT' +set firewall.@zone[0]=zone +set firewall.@zone[0].name='lan' +set firewall.@zone[0].network='lan' +set firewall.@zone[0].input='ACCEPT' +set firewall.@zone[0].output='ACCEPT' +set firewall.@zone[0].forward='ACCEPT' +set firewall.@zone[1]=zone +set firewall.@zone[1].name='wan' +set firewall.@zone[1].network='wan' 'wan6' +set firewall.@zone[1].input='REJECT' +set firewall.@zone[1].output='ACCEPT' +set firewall.@zone[1].forward='REJECT' +set firewall.@zone[1].masq='1' +set firewall.@zone[1].mtu_fix='1' +set firewall.@forwarding[0]=forwarding +set firewall.@forwarding[0].src='lan' +set firewall.@forwarding[0].dest='wan' +set firewall.@rule[0]=rule +set firewall.@rule[0].name='Allow-DHCP-Renew' +set firewall.@rule[0].src='wan' +set firewall.@rule[0].proto='udp' +set firewall.@rule[0].dest_port='68' +set firewall.@rule[0].target='ACCEPT' +set firewall.@rule[0].family='ipv4' +set firewall.@rule[1]=rule +set firewall.@rule[1].name='Allow-Ping' +set firewall.@rule[1].src='wan' +set firewall.@rule[1].proto='icmp' +set firewall.@rule[1].icmp_type='echo-request' +set firewall.@rule[1].family='ipv4' +set firewall.@rule[1].target='ACCEPT' +set firewall.@rule[2]=rule +set firewall.@rule[2].name='Allow-IGMP' +set firewall.@rule[2].src='wan' +set firewall.@rule[2].proto='igmp' +set firewall.@rule[2].family='ipv4' +set firewall.@rule[2].target='ACCEPT' +set firewall.@rule[3]=rule +set firewall.@rule[3].name='Allow-DHCPv6' +set firewall.@rule[3].src='wan' +set firewall.@rule[3].proto='udp' +set firewall.@rule[3].dest_port='546' +set firewall.@rule[3].family='ipv6' +set firewall.@rule[3].target='ACCEPT' +set firewall.@rule[4]=rule +set firewall.@rule[4].name='Allow-MLD' +set firewall.@rule[4].src='wan' +set firewall.@rule[4].proto='icmp' +set firewall.@rule[4].src_ip='fe80::/10' +set firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0' +set firewall.@rule[4].family='ipv6' +set firewall.@rule[4].target='ACCEPT' +set firewall.@rule[5]=rule +set firewall.@rule[5].name='Allow-ICMPv6-Input' +set firewall.@rule[5].src='wan' +set firewall.@rule[5].proto='icmp' +set firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement' +set firewall.@rule[5].limit='1000/sec' +set firewall.@rule[5].family='ipv6' +set firewall.@rule[5].target='ACCEPT' +set firewall.@rule[6]=rule +set firewall.@rule[6].name='Allow-ICMPv6-Forward' +set firewall.@rule[6].src='wan' +set firewall.@rule[6].dest='*' +set firewall.@rule[6].proto='icmp' +set firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' +set firewall.@rule[6].limit='1000/sec' +set firewall.@rule[6].family='ipv6' +set firewall.@rule[6].target='ACCEPT' +set firewall.@rule[7]=rule +set firewall.@rule[7].name='Allow-IPSec-ESP' +set firewall.@rule[7].src='wan' +set firewall.@rule[7].dest='lan' +set firewall.@rule[7].proto='esp' +set firewall.@rule[7].target='ACCEPT' +set firewall.@rule[8]=rule +set firewall.@rule[8].name='Allow-ISAKMP' +set firewall.@rule[8].src='wan' +set firewall.@rule[8].dest='lan' +set firewall.@rule[8].dest_port='500' +set firewall.@rule[8].proto='udp' +set firewall.@rule[8].target='ACCEPT' +commit firewall +set luci.main=core +set luci.main.lang='auto' +set luci.main.mediaurlbase='/luci-static/bootstrap' +set luci.main.resourcebase='/luci-static/resources' +set luci.main.ubuspath='/ubus/' +set luci.flash_keep=extern +set luci.flash_keep.uci='/etc/config/' +set luci.flash_keep.dropbear='/etc/dropbear/' +set luci.flash_keep.openvpn='/etc/openvpn/' +set luci.flash_keep.passwd='/etc/passwd' +set luci.flash_keep.opkg='/etc/opkg.conf' +set luci.flash_keep.firewall='/etc/firewall.user' +set luci.flash_keep.uploads='/lib/uci/upload/' +set luci.languages=internal +set luci.sauth=internal +set luci.sauth.sessionpath='/tmp/luci-sessions' +set luci.sauth.sessiontime='3600' +set luci.ccache=internal +set luci.ccache.enable='1' +set luci.themes=internal +set luci.themes.Bootstrap='/luci-static/bootstrap' +set luci.themes.BootstrapDark='/luci-static/bootstrap-dark' +set luci.themes.BootstrapLight='/luci-static/bootstrap-light' +set luci.apply=internal +set luci.apply.rollback='90' +set luci.apply.holdoff='4' +set luci.apply.timeout='5' +set luci.apply.display='1.5' +set luci.diag=internal +set luci.diag.dns='openwrt.org' +set luci.diag.ping='openwrt.org' +set luci.diag.route='openwrt.org' +commit luci +set mosquitto.owrt=owrt +set mosquitto.owrt.use_uci='0' +set mosquitto.mosquitto=mosquitto +set mosquitto.persistence=persistence +commit mosquitto +set network.loopback=interface +set network.loopback.device='lo' +set network.loopback.proto='static' +set network.loopback.ipaddr='127.0.0.1' +set network.loopback.netmask='255.0.0.0' +set network.globals=globals +set network.globals.packet_steering='1' +set network.globals.ula_prefix='fd2f:e5d6:5432::/48' +set network.@device[0]=device +set network.@device[0].name='br-lan' +set network.@device[0].type='bridge' +set network.@device[0].ports='lan1' 'lan2' +set network.@device[0].ipv6='0' +set network.lan=interface +set network.lan.device='br-lan' +set network.lan.proto='static' +set network.lan.netmask='255.255.255.0' +set network.lan.ip6assign='60' +set network.lan.delegate='0' +set network.lan.ipaddr='172.16.111.7' +set network.lan.gateway='172.16.111.1' +set network.lan.dns='172.16.111.1' +set network.wan=interface +set network.wan.device='wan' +set network.wan.proto='dhcp' +set network.wan6=interface +set network.wan6.device='wan' +set network.wan6.proto='dhcpv6' +commit network +set rpcd.@rpcd[0]=rpcd +set rpcd.@rpcd[0].socket='/var/run/ubus/ubus.sock' +set rpcd.@rpcd[0].timeout='30' +set rpcd.@login[0]=login +set rpcd.@login[0].username='root' +set rpcd.@login[0].password='$p$root' +set rpcd.@login[0].read='*' +set rpcd.@login[0].write='*' +commit rpcd +set system.@system[0]=system +set system.@system[0].ttylogin='0' +set system.@system[0].log_size='64' +set system.@system[0].urandom_seed='0' +set system.@system[0].compat_version='1.1' +set system.@system[0].hostname='Buran-mi-zah' +set system.@system[0].zonename='Etc/GMT+3' +set system.@system[0].timezone='<-03>3' +set system.@system[0].log_proto='udp' +set system.@system[0].conloglevel='8' +set system.@system[0].cronloglevel='5' +set system.ntp=timeserver +set system.ntp.server='0.openwrt.pool.ntp.org' '1.openwrt.pool.ntp.org' '2.openwrt.pool.ntp.org' '3.openwrt.pool.ntp.org' +commit system +set ucitrack.@network[0]=network +set ucitrack.@network[0].init='network' +set ucitrack.@network[0].affects='dhcp' +set ucitrack.@wireless[0]=wireless +set ucitrack.@wireless[0].affects='network' +set ucitrack.@firewall[0]=firewall +set ucitrack.@firewall[0].init='firewall' +set ucitrack.@firewall[0].affects='luci-splash' 'qos' 'miniupnpd' +set ucitrack.@olsr[0]=olsr +set ucitrack.@olsr[0].init='olsrd' +set ucitrack.@dhcp[0]=dhcp +set ucitrack.@dhcp[0].init='dnsmasq' +set ucitrack.@dhcp[0].affects='odhcpd' +set ucitrack.@odhcpd[0]=odhcpd +set ucitrack.@odhcpd[0].init='odhcpd' +set ucitrack.@dropbear[0]=dropbear +set ucitrack.@dropbear[0].init='dropbear' +set ucitrack.@httpd[0]=httpd +set ucitrack.@httpd[0].init='httpd' +set ucitrack.@fstab[0]=fstab +set ucitrack.@fstab[0].exec='/sbin/block mount' +set ucitrack.@qos[0]=qos +set ucitrack.@qos[0].init='qos' +set ucitrack.@system[0]=system +set ucitrack.@system[0].init='led' +set ucitrack.@system[0].exec='/etc/init.d/log reload' +set ucitrack.@system[0].affects='luci_statistics' 'dhcp' +set ucitrack.@luci_splash[0]=luci_splash +set ucitrack.@luci_splash[0].init='luci_splash' +set ucitrack.@upnpd[0]=upnpd +set ucitrack.@upnpd[0].init='miniupnpd' +set ucitrack.@ntpclient[0]=ntpclient +set ucitrack.@ntpclient[0].init='ntpclient' +set ucitrack.@samba[0]=samba +set ucitrack.@samba[0].init='samba' +set ucitrack.@tinyproxy[0]=tinyproxy +set ucitrack.@tinyproxy[0].init='tinyproxy' +commit ucitrack +set uhttpd.main=uhttpd +set uhttpd.main.listen_http='0.0.0.0:80' '[::]:80' +set uhttpd.main.listen_https='0.0.0.0:443' '[::]:443' +set uhttpd.main.redirect_https='0' +set uhttpd.main.home='/www' +set uhttpd.main.rfc1918_filter='1' +set uhttpd.main.max_requests='3' +set uhttpd.main.max_connections='100' +set uhttpd.main.cert='/etc/uhttpd.crt' +set uhttpd.main.key='/etc/uhttpd.key' +set uhttpd.main.cgi_prefix='/cgi-bin' +set uhttpd.main.lua_prefix='/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua' +set uhttpd.main.script_timeout='60' +set uhttpd.main.network_timeout='30' +set uhttpd.main.http_keepalive='20' +set uhttpd.main.tcp_keepalive='1' +set uhttpd.main.ubus_prefix='/ubus' +set uhttpd.defaults=cert +set uhttpd.defaults.days='730' +set uhttpd.defaults.key_type='ec' +set uhttpd.defaults.bits='2048' +set uhttpd.defaults.ec_curve='P-256' +set uhttpd.defaults.country='ZZ' +set uhttpd.defaults.state='Somewhere' +set uhttpd.defaults.location='Unknown' +set uhttpd.defaults.commonname='OpenWrt' +commit uhttpd +set wireless.radio0=wifi-device +set wireless.radio0.type='mac80211' +set wireless.radio0.path='1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0' +set wireless.radio0.band='2g' +set wireless.radio0.cell_density='0' +set wireless.radio0.country='RU' +set wireless.radio0.htmode='HT20' +set wireless.radio0.channel='1' +set wireless.default_radio0=wifi-iface +set wireless.default_radio0.device='radio0' +set wireless.default_radio0.network='lan' +set wireless.default_radio0.mode='ap' +set wireless.default_radio0.ssid='Buran' +set wireless.default_radio0.encryption='psk2' +set wireless.default_radio0.key='23637387581' +set wireless.default_radio0.ieee80211r='1' +set wireless.default_radio0.ft_over_ds='1' +set wireless.default_radio0.ft_psk_generate_local='1' +set wireless.default_radio0.mobility_domain='4f37' +set wireless.default_radio0.short_preamble='0' +set wireless.radio1=wifi-device +set wireless.radio1.type='mac80211' +set wireless.radio1.path='1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0' +set wireless.radio1.band='5g' +set wireless.radio1.cell_density='0' +set wireless.radio1.country='RU' +set wireless.radio1.channel='44' +set wireless.radio1.htmode='VHT40' +set wireless.default_radio1=wifi-iface +set wireless.default_radio1.device='radio1' +set wireless.default_radio1.network='lan' +set wireless.default_radio1.mode='ap' +set wireless.default_radio1.encryption='sae-mixed' +set wireless.default_radio1.key='23637387581' +set wireless.default_radio1.ieee80211r='1' +set wireless.default_radio1.mobility_domain='4f17' +set wireless.default_radio1.ft_over_ds='1' +set wireless.default_radio1.ft_psk_generate_local='1' +set wireless.default_radio1.short_preamble='0' +set wireless.default_radio1.ssid='Buran' +commit wireless +EOI +#---------------------------------------------------- +#Generating conf file +#---------------------------------------------------- +mkdir -p "/etc/mosquitto" + +mkdir -p "/etc/mosquitto" + +#Gen file /etc/mosquitto/mosquitto.conf.def + +mkdir -p "/etc/mosquitto" +cat << 'CFGEOF' > "/etc/mosquitto/mosquitto.conf.def" +# Config file for mosquitto +# +# See mosquitto.conf(5) for more information. +# +# Default values are shown, uncomment to change. +# +# Use the # character to indicate a comment, but only if it is the +# very first character on the line. + +# ================================================================= +# General configuration +# ================================================================= + +# Use per listener security settings. +# +# It is recommended this option be set before any other options. +# +# If this option is set to true, then all authentication and access control +# options are controlled on a per listener basis. The following options are +# affected: +# +# acl_file +# allow_anonymous +# allow_zero_length_clientid +# auto_id_prefix +# password_file +# plugin +# plugin_opt_* +# psk_file +# +# Note that if set to true, then a durable client (i.e. with clean session set +# to false) that has disconnected will use the ACL settings defined for the +# listener that it was most recently connected to. +# +# The default behaviour is for this to be set to false, which maintains the +# setting behaviour from previous versions of mosquitto. +#per_listener_settings false + + +# This option controls whether a client is allowed to connect with a zero +# length client id or not. This option only affects clients using MQTT v3.1.1 +# and later. If set to false, clients connecting with a zero length client id +# are disconnected. If set to true, clients will be allocated a client id by +# the broker. This means it is only useful for clients with clean session set +# to true. +#allow_zero_length_clientid true + +# If allow_zero_length_clientid is true, this option allows you to set a prefix +# to automatically generated client ids to aid visibility in logs. +# Defaults to 'auto-' +#auto_id_prefix auto- + +# This option affects the scenario when a client subscribes to a topic that has +# retained messages. It is possible that the client that published the retained +# message to the topic had access at the time they published, but that access +# has been subsequently removed. If check_retain_source is set to true, the +# default, the source of a retained message will be checked for access rights +# before it is republished. When set to false, no check will be made and the +# retained message will always be published. This affects all listeners. +#check_retain_source true + +# QoS 1 and 2 messages will be allowed inflight per client until this limit +# is exceeded. Defaults to 0. (No maximum) +# See also max_inflight_messages +#max_inflight_bytes 0 + +# The maximum number of QoS 1 and 2 messages currently inflight per +# client. +# This includes messages that are partway through handshakes and +# those that are being retried. Defaults to 20. Set to 0 for no +# maximum. Setting to 1 will guarantee in-order delivery of QoS 1 +# and 2 messages. +#max_inflight_messages 20 + +# For MQTT v5 clients, it is possible to have the server send a "server +# keepalive" value that will override the keepalive value set by the client. +# This is intended to be used as a mechanism to say that the server will +# disconnect the client earlier than it anticipated, and that the client should +# use the new keepalive value. The max_keepalive option allows you to specify +# that clients may only connect with keepalive less than or equal to this +# value, otherwise they will be sent a server keepalive telling them to use +# max_keepalive. This only applies to MQTT v5 clients. The default, and maximum +# value allowable, is 65535. +# +# Set to 0 to allow clients to set keepalive = 0, which means no keepalive +# checks are made and the client will never be disconnected by the broker if no +# messages are received. You should be very sure this is the behaviour that you +# want. +# +# For MQTT v3.1.1 and v3.1 clients, there is no mechanism to tell the client +# what keepalive value they should use. If an MQTT v3.1.1 or v3.1 client +# specifies a keepalive time greater than max_keepalive they will be sent a +# CONNACK message with the "identifier rejected" reason code, and disconnected. +# +#max_keepalive 65535 + +# For MQTT v5 clients, it is possible to have the server send a "maximum packet +# size" value that will instruct the client it will not accept MQTT packets +# with size greater than max_packet_size bytes. This applies to the full MQTT +# packet, not just the payload. Setting this option to a positive value will +# set the maximum packet size to that number of bytes. If a client sends a +# packet which is larger than this value, it will be disconnected. This applies +# to all clients regardless of the protocol version they are using, but v3.1.1 +# and earlier clients will of course not have received the maximum packet size +# information. Defaults to no limit. Setting below 20 bytes is forbidden +# because it is likely to interfere with ordinary client operation, even with +# very small payloads. +#max_packet_size 0 + +# QoS 1 and 2 messages above those currently in-flight will be queued per +# client until this limit is exceeded. Defaults to 0. (No maximum) +# See also max_queued_messages. +# If both max_queued_messages and max_queued_bytes are specified, packets will +# be queued until the first limit is reached. +#max_queued_bytes 0 + +# Set the maximum QoS supported. Clients publishing at a QoS higher than +# specified here will be disconnected. +#max_qos 2 + +# The maximum number of QoS 1 and 2 messages to hold in a queue per client +# above those that are currently in-flight. Defaults to 1000. Set +# to 0 for no maximum (not recommended). +# See also queue_qos0_messages. +# See also max_queued_bytes. +#max_queued_messages 1000 +# +# This option sets the maximum number of heap memory bytes that the broker will +# allocate, and hence sets a hard limit on memory use by the broker. Memory +# requests that exceed this value will be denied. The effect will vary +# depending on what has been denied. If an incoming message is being processed, +# then the message will be dropped and the publishing client will be +# disconnected. If an outgoing message is being sent, then the individual +# message will be dropped and the receiving client will be disconnected. +# Defaults to no limit. +#memory_limit 0 + +# This option sets the maximum publish payload size that the broker will allow. +# Received messages that exceed this size will not be accepted by the broker. +# The default value is 0, which means that all valid MQTT messages are +# accepted. MQTT imposes a maximum payload size of 268435455 bytes. +#message_size_limit 0 + +# This option allows the session of persistent clients (those with clean +# session set to false) that are not currently connected to be removed if they +# do not reconnect within a certain time frame. This is a non-standard option +# in MQTT v3.1. MQTT v3.1.1 and v5.0 allow brokers to remove client sessions. +# +# Badly designed clients may set clean session to false whilst using a randomly +# generated client id. This leads to persistent clients that connect once and +# never reconnect. This option allows these clients to be removed. This option +# allows persistent clients (those with clean session set to false) to be +# removed if they do not reconnect within a certain time frame. +# +# The expiration period should be an integer followed by one of h d w m y for +# hour, day, week, month and year respectively. For example +# +# persistent_client_expiration 2m +# persistent_client_expiration 14d +# persistent_client_expiration 1y +# +# The default if not set is to never expire persistent clients. +#persistent_client_expiration + +# Write process id to a file. Default is a blank string which means +# a pid file shouldn't be written. +# This should be set to /var/run/mosquitto/mosquitto.pid if mosquitto is +# being run automatically on boot with an init script and +# start-stop-daemon or similar. +#pid_file + +# Set to true to queue messages with QoS 0 when a persistent client is +# disconnected. These messages are included in the limit imposed by +# max_queued_messages and max_queued_bytes +# Defaults to false. +# This is a non-standard option for the MQTT v3.1 spec but is allowed in +# v3.1.1. +#queue_qos0_messages false + +# Set to false to disable retained message support. If a client publishes a +# message with the retain bit set, it will be disconnected if this is set to +# false. +#retain_available true + +# Disable Nagle's algorithm on client sockets. This has the effect of reducing +# latency of individual messages at the potential cost of increasing the number +# of packets being sent. +#set_tcp_nodelay false + +# Time in seconds between updates of the $SYS tree. +# Set to 0 to disable the publishing of the $SYS tree. +#sys_interval 10 + +# The MQTT specification requires that the QoS of a message delivered to a +# subscriber is never upgraded to match the QoS of the subscription. Enabling +# this option changes this behaviour. If upgrade_outgoing_qos is set true, +# messages sent to a subscriber will always match the QoS of its subscription. +# This is a non-standard option explicitly disallowed by the spec. +#upgrade_outgoing_qos false + +# When run as root, drop privileges to this user and its primary +# group. +# Set to root to stay as root, but this is not recommended. +# If set to "mosquitto", or left unset, and the "mosquitto" user does not exist +# then it will drop privileges to the "nobody" user instead. +# If run as a non-root user, this setting has no effect. +# Note that on Windows this has no effect and so mosquitto should be started by +# the user you wish it to run as. +#user mosquitto + +# ================================================================= +# Listeners +# ================================================================= + +# Listen on a port/ip address combination. By using this variable +# multiple times, mosquitto can listen on more than one port. If +# this variable is used and neither bind_address nor port given, +# then the default listener will not be started. +# The port number to listen on must be given. Optionally, an ip +# address or host name may be supplied as a second argument. In +# this case, mosquitto will attempt to bind the listener to that +# address and so restrict access to the associated network and +# interface. By default, mosquitto will listen on all interfaces. +# Note that for a websockets listener it is not possible to bind to a host +# name. +# +# On systems that support Unix Domain Sockets, it is also possible +# to create a # Unix socket rather than opening a TCP socket. In +# this case, the port number should be set to 0 and a unix socket +# path must be provided, e.g. +# listener 0 /tmp/mosquitto.sock +# +# listener port-number [ip address/host name/unix socket path] +#listener + +# By default, a listener will attempt to listen on all supported IP protocol +# versions. If you do not have an IPv4 or IPv6 interface you may wish to +# disable support for either of those protocol versions. In particular, note +# that due to the limitations of the websockets library, it will only ever +# attempt to open IPv6 sockets if IPv6 support is compiled in, and so will fail +# if IPv6 is not available. +# +# Set to `ipv4` to force the listener to only use IPv4, or set to `ipv6` to +# force the listener to only use IPv6. If you want support for both IPv4 and +# IPv6, then do not use the socket_domain option. +# +#socket_domain + +# Bind the listener to a specific interface. This is similar to +# the [ip address/host name] part of the listener definition, but is useful +# when an interface has multiple addresses or the address may change. If used +# with the [ip address/host name] part of the listener definition, then the +# bind_interface option will take priority. +# Not available on Windows. +# +# Example: bind_interface eth0 +#bind_interface + +# When a listener is using the websockets protocol, it is possible to serve +# http data as well. Set http_dir to a directory which contains the files you +# wish to serve. If this option is not specified, then no normal http +# connections will be possible. +#http_dir + +# The maximum number of client connections to allow. This is +# a per listener setting. +# Default is -1, which means unlimited connections. +# Note that other process limits mean that unlimited connections +# are not really possible. Typically the default maximum number of +# connections possible is around 1024. +#max_connections -1 + +# The listener can be restricted to operating within a topic hierarchy using +# the mount_point option. This is achieved be prefixing the mount_point string +# to all topics for any clients connected to this listener. This prefixing only +# happens internally to the broker; the client will not see the prefix. +#mount_point + +# Choose the protocol to use when listening. +# This can be either mqtt or websockets. +# Certificate based TLS may be used with websockets, except that only the +# cafile, certfile, keyfile, ciphers, and ciphers_tls13 options are supported. +#protocol mqtt + +# Set use_username_as_clientid to true to replace the clientid that a client +# connected with with its username. This allows authentication to be tied to +# the clientid, which means that it is possible to prevent one client +# disconnecting another by using the same clientid. +# If a client connects with no username it will be disconnected as not +# authorised when this option is set to true. +# Do not use in conjunction with clientid_prefixes. +# See also use_identity_as_username. +# This does not apply globally, but on a per-listener basis. +#use_username_as_clientid + +# Change the websockets headers size. This is a global option, it is not +# possible to set per listener. This option sets the size of the buffer used in +# the libwebsockets library when reading HTTP headers. If you are passing large +# header data such as cookies then you may need to increase this value. If left +# unset, or set to 0, then the default of 1024 bytes will be used. +#websockets_headers_size + +# ----------------------------------------------------------------- +# Certificate based SSL/TLS support +# ----------------------------------------------------------------- +# The following options can be used to enable certificate based SSL/TLS support +# for this listener. Note that the recommended port for MQTT over TLS is 8883, +# but this must be set manually. +# +# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS +# support" section. Only one of certificate or PSK encryption support can be +# enabled for any listener. + +# Both of certfile and keyfile must be defined to enable certificate based +# TLS encryption. + +# Path to the PEM encoded server certificate. +#certfile + +# Path to the PEM encoded keyfile. +#keyfile + +# If you wish to control which encryption ciphers are used, use the ciphers +# option. The list of available ciphers can be optained using the "openssl +# ciphers" command and should be provided in the same format as the output of +# that command. This applies to TLS 1.2 and earlier versions only. Use +# ciphers_tls1.3 for TLS v1.3. +#ciphers + +# Choose which TLS v1.3 ciphersuites are used for this listener. +# Defaults to "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" +#ciphers_tls1.3 + +# If you have require_certificate set to true, you can create a certificate +# revocation list file to revoke access to particular client certificates. If +# you have done this, use crlfile to point to the PEM encoded revocation file. +#crlfile + +# To allow the use of ephemeral DH key exchange, which provides forward +# security, the listener must load DH parameters. This can be specified with +# the dhparamfile option. The dhparamfile can be generated with the command +# e.g. "openssl dhparam -out dhparam.pem 2048" +#dhparamfile + +# By default an TLS enabled listener will operate in a similar fashion to a +# https enabled web server, in that the server has a certificate signed by a CA +# and the client will verify that it is a trusted certificate. The overall aim +# is encryption of the network traffic. By setting require_certificate to true, +# the client must provide a valid certificate in order for the network +# connection to proceed. This allows access to the broker to be controlled +# outside of the mechanisms provided by MQTT. +#require_certificate false + +# cafile and capath define methods of accessing the PEM encoded +# Certificate Authority certificates that will be considered trusted when +# checking incoming client certificates. +# cafile defines the path to a file containing the CA certificates. +# capath defines a directory that will be searched for files +# containing the CA certificates. For capath to work correctly, the +# certificate files must have ".crt" as the file ending and you must run +# "openssl rehash " each time you add/remove a certificate. +#cafile +#capath + + +# If require_certificate is true, you may set use_identity_as_username to true +# to use the CN value from the client certificate as a username. If this is +# true, the password_file option will not be used for this listener. +#use_identity_as_username false + +# ----------------------------------------------------------------- +# Pre-shared-key based SSL/TLS support +# ----------------------------------------------------------------- +# The following options can be used to enable PSK based SSL/TLS support for +# this listener. Note that the recommended port for MQTT over TLS is 8883, but +# this must be set manually. +# +# See also the mosquitto-tls man page and the "Certificate based SSL/TLS +# support" section. Only one of certificate or PSK encryption support can be +# enabled for any listener. + +# The psk_hint option enables pre-shared-key support for this listener and also +# acts as an identifier for this listener. The hint is sent to clients and may +# be used locally to aid authentication. The hint is a free form string that +# doesn't have much meaning in itself, so feel free to be creative. +# If this option is provided, see psk_file to define the pre-shared keys to be +# used or create a security plugin to handle them. +#psk_hint + +# When using PSK, the encryption ciphers used will be chosen from the list of +# available PSK ciphers. If you want to control which ciphers are available, +# use the "ciphers" option. The list of available ciphers can be optained +# using the "openssl ciphers" command and should be provided in the same format +# as the output of that command. +#ciphers + +# Set use_identity_as_username to have the psk identity sent by the client used +# as its username. Authentication will be carried out using the PSK rather than +# the MQTT username/password and so password_file will not be used for this +# listener. +#use_identity_as_username false + + +# ================================================================= +# Persistence +# ================================================================= + +# If persistence is enabled, save the in-memory database to disk +# every autosave_interval seconds. If set to 0, the persistence +# database will only be written when mosquitto exits. See also +# autosave_on_changes. +# Note that writing of the persistence database can be forced by +# sending mosquitto a SIGUSR1 signal. +#autosave_interval 1800 + +# If true, mosquitto will count the number of subscription changes, retained +# messages received and queued messages and if the total exceeds +# autosave_interval then the in-memory database will be saved to disk. +# If false, mosquitto will save the in-memory database to disk by treating +# autosave_interval as a time in seconds. +#autosave_on_changes false + +# Save persistent message data to disk (true/false). +# This saves information about all messages, including +# subscriptions, currently in-flight messages and retained +# messages. +# retained_persistence is a synonym for this option. +#persistence false + +# The filename to use for the persistent database, not including +# the path. +#persistence_file mosquitto.db + +# Location for persistent database. +# Default is an empty string (current directory). +# Set to e.g. /var/lib/mosquitto if running as a proper service on Linux or +# similar. +#persistence_location + + +# ================================================================= +# Logging +# ================================================================= + +# Places to log to. Use multiple log_dest lines for multiple +# logging destinations. +# Possible destinations are: stdout stderr syslog topic file dlt +# +# stdout and stderr log to the console on the named output. +# +# syslog uses the userspace syslog facility which usually ends up +# in /var/log/messages or similar. +# +# topic logs to the broker topic '$SYS/broker/log/', +# where severity is one of D, E, W, N, I, M which are debug, error, +# warning, notice, information and message. Message type severity is used by +# the subscribe/unsubscribe log_types and publishes log messages to +# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe. +# +# The file destination requires an additional parameter which is the file to be +# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be +# closed and reopened when the broker receives a HUP signal. Only a single file +# destination may be configured. +# +# The dlt destination is for the automotive `Diagnostic Log and Trace` tool. +# This requires that Mosquitto has been compiled with DLT support. +# +# Note that if the broker is running as a Windows service it will default to +# "log_dest none" and neither stdout nor stderr logging is available. +# Use "log_dest none" if you wish to disable logging. +#log_dest stderr + +# Types of messages to log. Use multiple log_type lines for logging +# multiple types of messages. +# Possible types are: debug, error, warning, notice, information, +# none, subscribe, unsubscribe, websockets, all. +# Note that debug type messages are for decoding the incoming/outgoing +# network packets. They are not logged in "topics". +#log_type error +#log_type warning +#log_type notice +#log_type information + + +# If set to true, client connection and disconnection messages will be included +# in the log. +#connection_messages true + +# If using syslog logging (not on Windows), messages will be logged to the +# "daemon" facility by default. Use the log_facility option to choose which of +# local0 to local7 to log to instead. The option value should be an integer +# value, e.g. "log_facility 5" to use local5. +#log_facility + +# If set to true, add a timestamp value to each log message. +#log_timestamp true + +# Set the format of the log timestamp. If left unset, this is the number of +# seconds since the Unix epoch. +# This is a free text string which will be passed to the strftime function. To +# get an ISO 8601 datetime, for example: +# log_timestamp_format %Y-%m-%dT%H:%M:%S +#log_timestamp_format + +# Change the websockets logging level. This is a global option, it is not +# possible to set per listener. This is an integer that is interpreted by +# libwebsockets as a bit mask for its lws_log_levels enum. See the +# libwebsockets documentation for more details. "log_type websockets" must also +# be enabled. +#websockets_log_level 0 + + +# ================================================================= +# Security +# ================================================================= + +# If set, only clients that have a matching prefix on their +# clientid will be allowed to connect to the broker. By default, +# all clients may connect. +# For example, setting "secure-" here would mean a client "secure- +# client" could connect but another with clientid "mqtt" couldn't. +#clientid_prefixes + +# Boolean value that determines whether clients that connect +# without providing a username are allowed to connect. If set to +# false then a password file should be created (see the +# password_file option) to control authenticated client access. +# +# Defaults to false, unless there are no listeners defined in the configuration +# file, in which case it is set to true, but connections are only allowed from +# the local machine. +#allow_anonymous false + +# ----------------------------------------------------------------- +# Default authentication and topic access control +# ----------------------------------------------------------------- + +# Control access to the broker using a password file. This file can be +# generated using the mosquitto_passwd utility. If TLS support is not compiled +# into mosquitto (it is recommended that TLS support should be included) then +# plain text passwords are used, in which case the file should be a text file +# with lines in the format: +# username:password +# The password (and colon) may be omitted if desired, although this +# offers very little in the way of security. +# +# See the TLS client require_certificate and use_identity_as_username options +# for alternative authentication options. If a plugin is used as well as +# password_file, the plugin check will be made first. +#password_file + +# Access may also be controlled using a pre-shared-key file. This requires +# TLS-PSK support and a listener configured to use it. The file should be text +# lines in the format: +# identity:key +# The key should be in hexadecimal format without a leading "0x". +# If an plugin is used as well, the plugin check will be made first. +#psk_file + +# Control access to topics on the broker using an access control list +# file. If this parameter is defined then only the topics listed will +# have access. +# If the first character of a line of the ACL file is a # it is treated as a +# comment. +# Topic access is added with lines of the format: +# +# topic [read|write|readwrite|deny] +# +# The access type is controlled using "read", "write", "readwrite" or "deny". +# This parameter is optional (unless contains a space character) - if +# not given then the access is read/write. can contain the + or # +# wildcards as in subscriptions. +# +# The "deny" option can used to explicity deny access to a topic that would +# otherwise be granted by a broader read/write/readwrite statement. Any "deny" +# topics are handled before topics that grant read/write access. +# +# The first set of topics are applied to anonymous clients, assuming +# allow_anonymous is true. User specific topic ACLs are added after a +# user line as follows: +# +# user +# +# The username referred to here is the same as in password_file. It is +# not the clientid. +# +# +# If is also possible to define ACLs based on pattern substitution within the +# topic. The patterns available for substition are: +# +# %c to match the client id of the client +# %u to match the username of the client +# +# The substitution pattern must be the only text for that level of hierarchy. +# +# The form is the same as for the topic keyword, but using pattern as the +# keyword. +# Pattern ACLs apply to all users even if the "user" keyword has previously +# been given. +# +# If using bridges with usernames and ACLs, connection messages can be allowed +# with the following pattern: +# pattern write $SYS/broker/connection/%c/state +# +# pattern [read|write|readwrite] +# +# Example: +# +# pattern write sensor/%u/data +# +# If an plugin is used as well as acl_file, the plugin check will be +# made first. +#acl_file + +# ----------------------------------------------------------------- +# External authentication and topic access plugin options +# ----------------------------------------------------------------- + +# External authentication and access control can be supported with the +# plugin option. This is a path to a loadable plugin. See also the +# plugin_opt_* options described below. +# +# The plugin option can be specified multiple times to load multiple +# plugins. The plugins will be processed in the order that they are specified +# here. If the plugin option is specified alongside either of +# password_file or acl_file then the plugin checks will be made first. +# +# If the per_listener_settings option is false, the plugin will be apply to all +# listeners. If per_listener_settings is true, then the plugin will apply to +# the current listener being defined only. +# +# This option is also available as `auth_plugin`, but this use is deprecated +# and will be removed in the future. +# +#plugin + +# If the plugin option above is used, define options to pass to the +# plugin here as described by the plugin instructions. All options named +# using the format plugin_opt_* will be passed to the plugin, for example: +# +# This option is also available as `auth_opt_*`, but this use is deprecated +# and will be removed in the future. +# +# plugin_opt_db_host +# plugin_opt_db_port +# plugin_opt_db_username +# plugin_opt_db_password + + +# ================================================================= +# Bridges +# ================================================================= + +# A bridge is a way of connecting multiple MQTT brokers together. +# Create a new bridge using the "connection" option as described below. Set +# options for the bridges using the remaining parameters. You must specify the +# address and at least one topic to subscribe to. +# +# Each connection must have a unique name. +# +# The address line may have multiple host address and ports specified. See +# below in the round_robin description for more details on bridge behaviour if +# multiple addresses are used. Note that if you use an IPv6 address, then you +# are required to specify a port. +# +# The direction that the topic will be shared can be chosen by +# specifying out, in or both, where the default value is out. +# The QoS level of the bridged communication can be specified with the next +# topic option. The default QoS level is 0, to change the QoS the topic +# direction must also be given. +# +# The local and remote prefix options allow a topic to be remapped when it is +# bridged to/from the remote broker. This provides the ability to place a topic +# tree in an appropriate location. +# +# For more details see the mosquitto.conf man page. +# +# Multiple topics can be specified per connection, but be careful +# not to create any loops. +# +# If you are using bridges with cleansession set to false (the default), then +# you may get unexpected behaviour from incoming topics if you change what +# topics you are subscribing to. This is because the remote broker keeps the +# subscription for the old topic. If you have this problem, connect your bridge +# with cleansession set to true, then reconnect with cleansession set to false +# as normal. +#connection +#address [:] [[:]] +#topic [[[out | in | both] qos-level] local-prefix remote-prefix] + +# If you need to have the bridge connect over a particular network interface, +# use bridge_bind_address to tell the bridge which local IP address the socket +# should bind to, e.g. `bridge_bind_address 192.168.1.10` +#bridge_bind_address + +# If a bridge has topics that have "out" direction, the default behaviour is to +# send an unsubscribe request to the remote broker on that topic. This means +# that changing a topic direction from "in" to "out" will not keep receiving +# incoming messages. Sending these unsubscribe requests is not always +# desirable, setting bridge_attempt_unsubscribe to false will disable sending +# the unsubscribe request. +#bridge_attempt_unsubscribe true + +# Set the version of the MQTT protocol to use with for this bridge. Can be one +# of mqttv50, mqttv311 or mqttv31. Defaults to mqttv311. +#bridge_protocol_version mqttv311 + +# Set the clean session variable for this bridge. +# When set to true, when the bridge disconnects for any reason, all +# messages and subscriptions will be cleaned up on the remote +# broker. Note that with cleansession set to true, there may be a +# significant amount of retained messages sent when the bridge +# reconnects after losing its connection. +# When set to false, the subscriptions and messages are kept on the +# remote broker, and delivered when the bridge reconnects. +#cleansession false + +# Set the amount of time a bridge using the lazy start type must be idle before +# it will be stopped. Defaults to 60 seconds. +#idle_timeout 60 + +# Set the keepalive interval for this bridge connection, in +# seconds. +#keepalive_interval 60 + +# Set the clientid to use on the local broker. If not defined, this defaults to +# 'local.'. If you are bridging a broker to itself, it is important +# that local_clientid and clientid do not match. +#local_clientid + +# If set to true, publish notification messages to the local and remote brokers +# giving information about the state of the bridge connection. Retained +# messages are published to the topic $SYS/broker/connection//state +# unless the notification_topic option is used. +# If the message is 1 then the connection is active, or 0 if the connection has +# failed. +# This uses the last will and testament feature. +#notifications true + +# Choose the topic on which notification messages for this bridge are +# published. If not set, messages are published on the topic +# $SYS/broker/connection//state +#notification_topic + +# Set the client id to use on the remote end of this bridge connection. If not +# defined, this defaults to 'name.hostname' where name is the connection name +# and hostname is the hostname of this computer. +# This replaces the old "clientid" option to avoid confusion. "clientid" +# remains valid for the time being. +#remote_clientid + +# Set the password to use when connecting to a broker that requires +# authentication. This option is only used if remote_username is also set. +# This replaces the old "password" option to avoid confusion. "password" +# remains valid for the time being. +#remote_password + +# Set the username to use when connecting to a broker that requires +# authentication. +# This replaces the old "username" option to avoid confusion. "username" +# remains valid for the time being. +#remote_username + +# Set the amount of time a bridge using the automatic start type will wait +# until attempting to reconnect. +# This option can be configured to use a constant delay time in seconds, or to +# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree +# of randomness to when the restart occurs. +# +# Set a constant timeout of 20 seconds: +# restart_timeout 20 +# +# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of +# 60 seconds: +# restart_timeout 10 30 +# +# Defaults to jitter with a base of 5 and cap of 30 +#restart_timeout 5 30 + +# If the bridge has more than one address given in the address/addresses +# configuration, the round_robin option defines the behaviour of the bridge on +# a failure of the bridge connection. If round_robin is false, the default +# value, then the first address is treated as the main bridge connection. If +# the connection fails, the other secondary addresses will be attempted in +# turn. Whilst connected to a secondary bridge, the bridge will periodically +# attempt to reconnect to the main bridge until successful. +# If round_robin is true, then all addresses are treated as equals. If a +# connection fails, the next address will be tried and if successful will +# remain connected until it fails +#round_robin false + +# Set the start type of the bridge. This controls how the bridge starts and +# can be one of three types: automatic, lazy and once. Note that RSMB provides +# a fourth start type "manual" which isn't currently supported by mosquitto. +# +# "automatic" is the default start type and means that the bridge connection +# will be started automatically when the broker starts and also restarted +# after a short delay (30 seconds) if the connection fails. +# +# Bridges using the "lazy" start type will be started automatically when the +# number of queued messages exceeds the number set with the "threshold" +# parameter. It will be stopped automatically after the time set by the +# "idle_timeout" parameter. Use this start type if you wish the connection to +# only be active when it is needed. +# +# A bridge using the "once" start type will be started automatically when the +# broker starts but will not be restarted if the connection fails. +#start_type automatic + +# Set the number of messages that need to be queued for a bridge with lazy +# start type to be restarted. Defaults to 10 messages. +# Must be less than max_queued_messages. +#threshold 10 + +# If try_private is set to true, the bridge will attempt to indicate to the +# remote broker that it is a bridge not an ordinary client. If successful, this +# means that loop detection will be more effective and that retained messages +# will be propagated correctly. Not all brokers support this feature so it may +# be necessary to set try_private to false if your bridge does not connect +# properly. +#try_private true + +# Some MQTT brokers do not allow retained messages. MQTT v5 gives a mechanism +# for brokers to tell clients that they do not support retained messages, but +# this is not possible for MQTT v3.1.1 or v3.1. If you need to bridge to a +# v3.1.1 or v3.1 broker that does not support retained messages, set the +# bridge_outgoing_retain option to false. This will remove the retain bit on +# all outgoing messages to that bridge, regardless of any other setting. +#bridge_outgoing_retain true + +# If you wish to restrict the size of messages sent to a remote bridge, use the +# bridge_max_packet_size option. This sets the maximum number of bytes for +# the total message, including headers and payload. +# Note that MQTT v5 brokers may provide their own maximum-packet-size property. +# In this case, the smaller of the two limits will be used. +# Set to 0 for "unlimited". +#bridge_max_packet_size 0 + + +# ----------------------------------------------------------------- +# Certificate based SSL/TLS support +# ----------------------------------------------------------------- +# Either bridge_cafile or bridge_capath must be defined to enable TLS support +# for this bridge. +# bridge_cafile defines the path to a file containing the +# Certificate Authority certificates that have signed the remote broker +# certificate. +# bridge_capath defines a directory that will be searched for files containing +# the CA certificates. For bridge_capath to work correctly, the certificate +# files must have ".crt" as the file ending and you must run "openssl rehash +# " each time you add/remove a certificate. +#bridge_cafile +#bridge_capath + + +# If the remote broker has more than one protocol available on its port, e.g. +# MQTT and WebSockets, then use bridge_alpn to configure which protocol is +# requested. Note that WebSockets support for bridges is not yet available. +#bridge_alpn + +# When using certificate based encryption, bridge_insecure disables +# verification of the server hostname in the server certificate. This can be +# useful when testing initial server configurations, but makes it possible for +# a malicious third party to impersonate your server through DNS spoofing, for +# example. Use this option in testing only. If you need to resort to using this +# option in a production environment, your setup is at fault and there is no +# point using encryption. +#bridge_insecure false + +# Path to the PEM encoded client certificate, if required by the remote broker. +#bridge_certfile + +# Path to the PEM encoded client private key, if required by the remote broker. +#bridge_keyfile + +# ----------------------------------------------------------------- +# PSK based SSL/TLS support +# ----------------------------------------------------------------- +# Pre-shared-key encryption provides an alternative to certificate based +# encryption. A bridge can be configured to use PSK with the bridge_identity +# and bridge_psk options. These are the client PSK identity, and pre-shared-key +# in hexadecimal format with no "0x". Only one of certificate and PSK based +# encryption can be used on one +# bridge at once. +#bridge_identity +#bridge_psk + + +# ================================================================= +# External config files +# ================================================================= + +# External configuration files may be included by using the +# include_dir option. This defines a directory that will be searched +# for config files. All files that end in '.conf' will be loaded as +# a configuration file. It is best to have this as the last option +# in the main file. This option will only be processed from the main +# configuration file. The directory specified must not contain the +# main configuration file. +# Files within include_dir will be loaded sorted in case-sensitive +# alphabetical order, with capital letters ordered first. If this option is +# given multiple times, all of the files from the first instance will be +# processed before the next instance. See the man page for examples. +#include_dir +CFGEOF + +#Gen file /etc/mosquitto/mosquitto.conf + +mkdir -p "/etc/mosquitto" +cat << 'CFGEOF' > "/etc/mosquitto/mosquitto.conf" +# Config file for mosquitto +# +# See mosquitto.conf(5) for more information. +# +# Default values are shown, uncomment to change. +# +# Use the # character to indicate a comment, but only if it is the +# very first character on the line. + +# ================================================================= +# General configuration +# ================================================================= + +# Use per listener security settings. +# +# It is recommended this option be set before any other options. +# +# If this option is set to true, then all authentication and access control +# options are controlled on a per listener basis. The following options are +# affected: +# +# password_file acl_file psk_file auth_plugin auth_opt_* allow_anonymous +# auto_id_prefix allow_zero_length_clientid +# +# Note that if set to true, then a durable client (i.e. with clean session set +# to false) that has disconnected will use the ACL settings defined for the +# listener that it was most recently connected to. +# +# The default behaviour is for this to be set to false, which maintains the +# setting behaviour from previous versions of mosquitto. +#per_listener_settings false + + +# This option controls whether a client is allowed to connect with a zero +# length client id or not. This option only affects clients using MQTT v3.1.1 +# and later. If set to false, clients connecting with a zero length client id +# are disconnected. If set to true, clients will be allocated a client id by +# the broker. This means it is only useful for clients with clean session set +# to true. +#allow_zero_length_clientid true + +# If allow_zero_length_clientid is true, this option allows you to set a prefix +# to automatically generated client ids to aid visibility in logs. +# Defaults to 'auto-' +#auto_id_prefix auto- + +# This option affects the scenario when a client subscribes to a topic that has +# retained messages. It is possible that the client that published the retained +# message to the topic had access at the time they published, but that access +# has been subsequently removed. If check_retain_source is set to true, the +# default, the source of a retained message will be checked for access rights +# before it is republished. When set to false, no check will be made and the +# retained message will always be published. This affects all listeners. +#check_retain_source true + +# QoS 1 and 2 messages will be allowed inflight per client until this limit +# is exceeded. Defaults to 0. (No maximum) +# See also max_inflight_messages +#max_inflight_bytes 0 + +# The maximum number of QoS 1 and 2 messages currently inflight per +# client. +# This includes messages that are partway through handshakes and +# those that are being retried. Defaults to 20. Set to 0 for no +# maximum. Setting to 1 will guarantee in-order delivery of QoS 1 +# and 2 messages. +#max_inflight_messages 20 + +# For MQTT v5 clients, it is possible to have the server send a "server +# keepalive" value that will override the keepalive value set by the client. +# This is intended to be used as a mechanism to say that the server will +# disconnect the client earlier than it anticipated, and that the client should +# use the new keepalive value. The max_keepalive option allows you to specify +# that clients may only connect with keepalive less than or equal to this +# value, otherwise they will be sent a server keepalive telling them to use +# max_keepalive. This only applies to MQTT v5 clients. The maximum value +# allowable is 65535. Do not set below 10. +#max_keepalive 65535 + +# For MQTT v5 clients, it is possible to have the server send a "maximum packet +# size" value that will instruct the client it will not accept MQTT packets +# with size greater than max_packet_size bytes. This applies to the full MQTT +# packet, not just the payload. Setting this option to a positive value will +# set the maximum packet size to that number of bytes. If a client sends a +# packet which is larger than this value, it will be disconnected. This applies +# to all clients regardless of the protocol version they are using, but v3.1.1 +# and earlier clients will of course not have received the maximum packet size +# information. Defaults to no limit. Setting below 20 bytes is forbidden +# because it is likely to interfere with ordinary client operation, even with +# very small payloads. +#max_packet_size 0 + +# QoS 1 and 2 messages above those currently in-flight will be queued per +# client until this limit is exceeded. Defaults to 0. (No maximum) +# See also max_queued_messages. +# If both max_queued_messages and max_queued_bytes are specified, packets will +# be queued until the first limit is reached. +#max_queued_bytes 0 + +# Set the maximum QoS supported. Clients publishing at a QoS higher than +# specified here will be disconnected. +#max_qos 2 + +# The maximum number of QoS 1 and 2 messages to hold in a queue per client +# above those that are currently in-flight. Defaults to 1000. Set +# to 0 for no maximum (not recommended). +# See also queue_qos0_messages. +# See also max_queued_bytes. +#max_queued_messages 1000 +# +# This option sets the maximum number of heap memory bytes that the broker will +# allocate, and hence sets a hard limit on memory use by the broker. Memory +# requests that exceed this value will be denied. The effect will vary +# depending on what has been denied. If an incoming message is being processed, +# then the message will be dropped and the publishing client will be +# disconnected. If an outgoing message is being sent, then the individual +# message will be dropped and the receiving client will be disconnected. +# Defaults to no limit. +#memory_limit 0 + +# This option sets the maximum publish payload size that the broker will allow. +# Received messages that exceed this size will not be accepted by the broker. +# The default value is 0, which means that all valid MQTT messages are +# accepted. MQTT imposes a maximum payload size of 268435455 bytes. +#message_size_limit 0 + +# This option allows persistent clients (those with clean session set to false) +# to be removed if they do not reconnect within a certain time frame. +# +# This is a non-standard option in MQTT V3.1 but allowed in MQTT v3.1.1. +# +# Badly designed clients may set clean session to false whilst using a randomly +# generated client id. This leads to persistent clients that will never +# reconnect. This option allows these clients to be removed. +# +# The expiration period should be an integer followed by one of h d w m y for +# hour, day, week, month and year respectively. For example +# +# persistent_client_expiration 2m +# persistent_client_expiration 14d +# persistent_client_expiration 1y +# +# The default if not set is to never expire persistent clients. +#persistent_client_expiration + +# Write process id to a file. Default is a blank string which means +# a pid file shouldn't be written. +# This should be set to /var/run/mosquitto.pid if mosquitto is +# being run automatically on boot with an init script and +# start-stop-daemon or similar. +#pid_file + +# Set to true to queue messages with QoS 0 when a persistent client is +# disconnected. These messages are included in the limit imposed by +# max_queued_messages and max_queued_bytes +# Defaults to false. +# This is a non-standard option for the MQTT v3.1 spec but is allowed in +# v3.1.1. +#queue_qos0_messages false + +# Set to false to disable retained message support. If a client publishes a +# message with the retain bit set, it will be disconnected if this is set to +# false. +#retain_available true + +# Disable Nagle's algorithm on client sockets. This has the effect of reducing +# latency of individual messages at the potential cost of increasing the number +# of packets being sent. +#set_tcp_nodelay false + +# Time in seconds between updates of the $SYS tree. +# Set to 0 to disable the publishing of the $SYS tree. +#sys_interval 10 + +# The MQTT specification requires that the QoS of a message delivered to a +# subscriber is never upgraded to match the QoS of the subscription. Enabling +# this option changes this behaviour. If upgrade_outgoing_qos is set true, +# messages sent to a subscriber will always match the QoS of its subscription. +# This is a non-standard option explicitly disallowed by the spec. +#upgrade_outgoing_qos false + +# When run as root, drop privileges to this user and its primary +# group. +# Set to root to stay as root, but this is not recommended. +# If set to "mosquitto", or left unset, and the "mosquitto" user does not exist +# then it will drop privileges to the "nobody" user instead. +# If run as a non-root user, this setting has no effect. +# Note that on Windows this has no effect and so mosquitto should be started by +# the user you wish it to run as. +#user mosquitto + +# ================================================================= +# Listeners +# ================================================================= + +# Listen on a port/ip address combination. By using this variable +# multiple times, mosquitto can listen on more than one port. If +# this variable is used and neither bind_address nor port given, +# then the default listener will not be started. +# The port number to listen on must be given. Optionally, an ip +# address or host name may be supplied as a second argument. In +# this case, mosquitto will attempt to bind the listener to that +# address and so restrict access to the associated network and +# interface. By default, mosquitto will listen on all interfaces. +# Note that for a websockets listener it is not possible to bind to a host +# name. +# +# On systems that support Unix Domain Sockets, it is also possible +# to create a # Unix socket rather than opening a TCP socket. In +# this case, the port number should be set to 0 and a unix socket +# path must be provided, e.g. +# listener 0 /tmp/mosquitto.sock +# +# listener port-number [ip address/host name/unix socket path] +#listener +listener 1883 172.16.111.7 + +# By default, a listener will attempt to listen on all supported IP protocol +# versions. If you do not have an IPv4 or IPv6 interface you may wish to +# disable support for either of those protocol versions. In particular, note +# that due to the limitations of the websockets library, it will only ever +# attempt to open IPv6 sockets if IPv6 support is compiled in, and so will fail +# if IPv6 is not available. +# +# Set to `ipv4` to force the listener to only use IPv4, or set to `ipv6` to +# force the listener to only use IPv6. If you want support for both IPv4 and +# IPv6, then do not use the socket_domain option. +# +#socket_domain + +# Bind the listener to a specific interface. This is similar to +# the [ip address/host name] part of the listener definition, but is useful +# when an interface has multiple addresses or the address may change. It is +# valid to use this with the [ip address/host name] part of the listener +# definition, but take care that the interface you are binding to contains the +# address you are binding to, otherwise you will not be able to connect. +# Only available on Linux and requires elevated privileges. +# +# Example: bind_interface eth0 +#bind_interface + +# When a listener is using the websockets protocol, it is possible to serve +# http data as well. Set http_dir to a directory which contains the files you +# wish to serve. If this option is not specified, then no normal http +# connections will be possible. +#http_dir + +# The maximum number of client connections to allow. This is +# a per listener setting. +# Default is -1, which means unlimited connections. +# Note that other process limits mean that unlimited connections +# are not really possible. Typically the default maximum number of +# connections possible is around 1024. +#max_connections -1 + +# The listener can be restricted to operating within a topic hierarchy using +# the mount_point option. This is achieved be prefixing the mount_point string +# to all topics for any clients connected to this listener. This prefixing only +# happens internally to the broker; the client will not see the prefix. +#mount_point + +# Choose the protocol to use when listening. +# This can be either mqtt or websockets. +# Certificate based TLS may be used with websockets, except that only the +# cafile, certfile, keyfile, ciphers, and ciphers_tls13 options are supported. +#protocol mqtt + +# Set use_username_as_clientid to true to replace the clientid that a client +# connected with with its username. This allows authentication to be tied to +# the clientid, which means that it is possible to prevent one client +# disconnecting another by using the same clientid. +# If a client connects with no username it will be disconnected as not +# authorised when this option is set to true. +# Do not use in conjunction with clientid_prefixes. +# See also use_identity_as_username. +#use_username_as_clientid + +# Change the websockets headers size. This is a global option, it is not +# possible to set per listener. This option sets the size of the buffer used in +# the libwebsockets library when reading HTTP headers. If you are passing large +# header data such as cookies then you may need to increase this value. If left +# unset, or set to 0, then the default of 1024 bytes will be used. +#websockets_headers_size + +# ----------------------------------------------------------------- +# Certificate based SSL/TLS support +# ----------------------------------------------------------------- +# The following options can be used to enable certificate based SSL/TLS support +# for this listener. Note that the recommended port for MQTT over TLS is 8883, +# but this must be set manually. +# +# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS +# support" section. Only one of certificate or PSK encryption support can be +# enabled for any listener. + +# Both of certfile and keyfile must be defined to enable certificate based +# TLS encryption. + +# Path to the PEM encoded server certificate. +#certfile + +# Path to the PEM encoded keyfile. +#keyfile + +# If you wish to control which encryption ciphers are used, use the ciphers +# option. The list of available ciphers can be optained using the "openssl +# ciphers" command and should be provided in the same format as the output of +# that command. This applies to TLS 1.2 and earlier versions only. Use +# ciphers_tls1.3 for TLS v1.3. +#ciphers + +# Choose which TLS v1.3 ciphersuites are used for this listener. +# Defaults to "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" +#ciphers_tls1.3 + +# If you have require_certificate set to true, you can create a certificate +# revocation list file to revoke access to particular client certificates. If +# you have done this, use crlfile to point to the PEM encoded revocation file. +#crlfile + +# To allow the use of ephemeral DH key exchange, which provides forward +# security, the listener must load DH parameters. This can be specified with +# the dhparamfile option. The dhparamfile can be generated with the command +# e.g. "openssl dhparam -out dhparam.pem 2048" +#dhparamfile + +# By default an TLS enabled listener will operate in a similar fashion to a +# https enabled web server, in that the server has a certificate signed by a CA +# and the client will verify that it is a trusted certificate. The overall aim +# is encryption of the network traffic. By setting require_certificate to true, +# the client must provide a valid certificate in order for the network +# connection to proceed. This allows access to the broker to be controlled +# outside of the mechanisms provided by MQTT. +#require_certificate false + +# cafile and capath define methods of accessing the PEM encoded +# Certificate Authority certificates that will be considered trusted when +# checking incoming client certificates. +# cafile defines the path to a file containing the CA certificates. +# capath defines a directory that will be searched for files +# containing the CA certificates. For capath to work correctly, the +# certificate files must have ".crt" as the file ending and you must run +# "openssl rehash " each time you add/remove a certificate. +#cafile +#capath + + +# If require_certificate is true, you may set use_identity_as_username to true +# to use the CN value from the client certificate as a username. If this is +# true, the password_file option will not be used for this listener. +#use_identity_as_username false + +# ----------------------------------------------------------------- +# Pre-shared-key based SSL/TLS support +# ----------------------------------------------------------------- +# The following options can be used to enable PSK based SSL/TLS support for +# this listener. Note that the recommended port for MQTT over TLS is 8883, but +# this must be set manually. +# +# See also the mosquitto-tls man page and the "Certificate based SSL/TLS +# support" section. Only one of certificate or PSK encryption support can be +# enabled for any listener. + +# The psk_hint option enables pre-shared-key support for this listener and also +# acts as an identifier for this listener. The hint is sent to clients and may +# be used locally to aid authentication. The hint is a free form string that +# doesn't have much meaning in itself, so feel free to be creative. +# If this option is provided, see psk_file to define the pre-shared keys to be +# used or create a security plugin to handle them. +#psk_hint + +# When using PSK, the encryption ciphers used will be chosen from the list of +# available PSK ciphers. If you want to control which ciphers are available, +# use the "ciphers" option. The list of available ciphers can be optained +# using the "openssl ciphers" command and should be provided in the same format +# as the output of that command. +#ciphers + +# Set use_identity_as_username to have the psk identity sent by the client used +# as its username. Authentication will be carried out using the PSK rather than +# the MQTT username/password and so password_file will not be used for this +# listener. +#use_identity_as_username false + + +# ================================================================= +# Persistence +# ================================================================= + +# If persistence is enabled, save the in-memory database to disk +# every autosave_interval seconds. If set to 0, the persistence +# database will only be written when mosquitto exits. See also +# autosave_on_changes. +# Note that writing of the persistence database can be forced by +# sending mosquitto a SIGUSR1 signal. +autosave_interval 432000 # once a week + +# If true, mosquitto will count the number of subscription changes, retained +# messages received and queued messages and if the total exceeds +# autosave_interval then the in-memory database will be saved to disk. +# If false, mosquitto will save the in-memory database to disk by treating +# autosave_interval as a time in seconds. +#autosave_on_changes false + +# Save persistent message data to disk (true/false). +# This saves information about all messages, including +# subscriptions, currently in-flight messages and retained +# messages. +# retained_persistence is a synonym for this option. +#persistence false +persistence true + +# The filename to use for the persistent database, not including +# the path. +#persistence_file mosquitto.db + +# Location for persistent database. Must include trailing / +# Default is an empty string (current directory). +# Set to e.g. /var/lib/mosquitto/ if running as a proper service on Linux or +# similar. +#persistence_location +persistence_location /root/bkpscript + +# ================================================================= +# Logging +# ================================================================= + +# Places to log to. Use multiple log_dest lines for multiple +# logging destinations. +# Possible destinations are: stdout stderr syslog topic file dlt +# +# stdout and stderr log to the console on the named output. +# +# syslog uses the userspace syslog facility which usually ends up +# in /var/log/messages or similar. +# +# topic logs to the broker topic '$SYS/broker/log/', +# where severity is one of D, E, W, N, I, M which are debug, error, +# warning, notice, information and message. Message type severity is used by +# the subscribe/unsubscribe log_types and publishes log messages to +# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe. +# +# The file destination requires an additional parameter which is the file to be +# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be +# closed and reopened when the broker receives a HUP signal. Only a single file +# destination may be configured. +# +# The dlt destination is for the automotive `Diagnostic Log and Trace` tool. +# This requires that Mosquitto has been compiled with DLT support. +# +# Note that if the broker is running as a Windows service it will default to +# "log_dest none" and neither stdout nor stderr logging is available. +# Use "log_dest none" if you wish to disable logging. +#log_dest stderr + +# Types of messages to log. Use multiple log_type lines for logging +# multiple types of messages. +# Possible types are: debug, error, warning, notice, information, +# none, subscribe, unsubscribe, websockets, all. +# Note that debug type messages are for decoding the incoming/outgoing +# network packets. They are not logged in "topics". +#log_type error +#log_type warning +#log_type notice +#log_type information + + +# If set to true, client connection and disconnection messages will be included +# in the log. +#connection_messages true + +# If using syslog logging (not on Windows), messages will be logged to the +# "daemon" facility by default. Use the log_facility option to choose which of +# local0 to local7 to log to instead. The option value should be an integer +# value, e.g. "log_facility 5" to use local5. +#log_facility + +# If set to true, add a timestamp value to each log message. +#log_timestamp true + +# Set the format of the log timestamp. If left unset, this is the number of +# seconds since the Unix epoch. +# This is a free text string which will be passed to the strftime function. To +# get an ISO 8601 datetime, for example: +# log_timestamp_format %Y-%m-%dT%H:%M:%S +#log_timestamp_format + +# Change the websockets logging level. This is a global option, it is not +# possible to set per listener. This is an integer that is interpreted by +# libwebsockets as a bit mask for its lws_log_levels enum. See the +# libwebsockets documentation for more details. "log_type websockets" must also +# be enabled. +#websockets_log_level 0 + + +# ================================================================= +# Security +# ================================================================= + +# If set, only clients that have a matching prefix on their +# clientid will be allowed to connect to the broker. By default, +# all clients may connect. +# For example, setting "secure-" here would mean a client "secure- +# client" could connect but another with clientid "mqtt" couldn't. +#clientid_prefixes + +# Boolean value that determines whether clients that connect +# without providing a username are allowed to connect. If set to +# false then a password file should be created (see the +# password_file option) to control authenticated client access. +# +# Defaults to false, unless there are no listeners defined in the configuration +# file, in which case it is set to true, but connections are only allowed from +# the local machine. +#allow_anonymous false +allow_anonymous true + +# ----------------------------------------------------------------- +# Default authentication and topic access control +# ----------------------------------------------------------------- + +# Control access to the broker using a password file. This file can be +# generated using the mosquitto_passwd utility. If TLS support is not compiled +# into mosquitto (it is recommended that TLS support should be included) then +# plain text passwords are used, in which case the file should be a text file +# with lines in the format: +# username:password +# The password (and colon) may be omitted if desired, although this +# offers very little in the way of security. +# +# See the TLS client require_certificate and use_identity_as_username options +# for alternative authentication options. If an auth_plugin is used as well as +# password_file, the auth_plugin check will be made first. +#password_file + +# Access may also be controlled using a pre-shared-key file. This requires +# TLS-PSK support and a listener configured to use it. The file should be text +# lines in the format: +# identity:key +# The key should be in hexadecimal format without a leading "0x". +# If an auth_plugin is used as well, the auth_plugin check will be made first. +#psk_file + +# Control access to topics on the broker using an access control list +# file. If this parameter is defined then only the topics listed will +# have access. +# If the first character of a line of the ACL file is a # it is treated as a +# comment. +# Topic access is added with lines of the format: +# +# topic [read|write|readwrite|deny] +# +# The access type is controlled using "read", "write", "readwrite" or "deny". +# This parameter is optional (unless contains a space character) - if +# not given then the access is read/write. can contain the + or # +# wildcards as in subscriptions. +# +# The "deny" option can used to explicity deny access to a topic that would +# otherwise be granted by a broader read/write/readwrite statement. Any "deny" +# topics are handled before topics that grant read/write access. +# +# The first set of topics are applied to anonymous clients, assuming +# allow_anonymous is true. User specific topic ACLs are added after a +# user line as follows: +# +# user +# +# The username referred to here is the same as in password_file. It is +# not the clientid. +# +# +# If is also possible to define ACLs based on pattern substitution within the +# topic. The patterns available for substition are: +# +# %c to match the client id of the client +# %u to match the username of the client +# +# The substitution pattern must be the only text for that level of hierarchy. +# +# The form is the same as for the topic keyword, but using pattern as the +# keyword. +# Pattern ACLs apply to all users even if the "user" keyword has previously +# been given. +# +# If using bridges with usernames and ACLs, connection messages can be allowed +# with the following pattern: +# pattern write $SYS/broker/connection/%c/state +# +# pattern [read|write|readwrite] +# +# Example: +# +# pattern write sensor/%u/data +# +# If an auth_plugin is used as well as acl_file, the auth_plugin check will be +# made first. +#acl_file + +# ----------------------------------------------------------------- +# External authentication and topic access plugin options +# ----------------------------------------------------------------- + +# External authentication and access control can be supported with the +# auth_plugin option. This is a path to a loadable plugin. See also the +# auth_opt_* options described below. +# +# The auth_plugin option can be specified multiple times to load multiple +# plugins. The plugins will be processed in the order that they are specified +# here. If the auth_plugin option is specified alongside either of +# password_file or acl_file then the plugin checks will be made first. +# +#auth_plugin + +# If the auth_plugin option above is used, define options to pass to the +# plugin here as described by the plugin instructions. All options named +# using the format auth_opt_* will be passed to the plugin, for example: +# +# auth_opt_db_host +# auth_opt_db_port +# auth_opt_db_username +# auth_opt_db_password + + +# ================================================================= +# Bridges +# ================================================================= + +# A bridge is a way of connecting multiple MQTT brokers together. +# Create a new bridge using the "connection" option as described below. Set +# options for the bridges using the remaining parameters. You must specify the +# address and at least one topic to subscribe to. +# +# Each connection must have a unique name. +# +# The address line may have multiple host address and ports specified. See +# below in the round_robin description for more details on bridge behaviour if +# multiple addresses are used. Note that if you use an IPv6 address, then you +# are required to specify a port. +# +# The direction that the topic will be shared can be chosen by +# specifying out, in or both, where the default value is out. +# The QoS level of the bridged communication can be specified with the next +# topic option. The default QoS level is 0, to change the QoS the topic +# direction must also be given. +# +# The local and remote prefix options allow a topic to be remapped when it is +# bridged to/from the remote broker. This provides the ability to place a topic +# tree in an appropriate location. +# +# For more details see the mosquitto.conf man page. +# +# Multiple topics can be specified per connection, but be careful +# not to create any loops. +# +# If you are using bridges with cleansession set to false (the default), then +# you may get unexpected behaviour from incoming topics if you change what +# topics you are subscribing to. This is because the remote broker keeps the +# subscription for the old topic. If you have this problem, connect your bridge +# with cleansession set to true, then reconnect with cleansession set to false +# as normal. +#connection +#address [:] [[:]] +#topic [[[out | in | both] qos-level] local-prefix remote-prefix] + +# If you need to have the bridge connect over a particular network interface, +# use bridge_bind_address to tell the bridge which local IP address the socket +# should bind to, e.g. `bridge_bind_address 192.168.1.10` +#bridge_bind_address +#bridge_bind_address 172.17.10.4 +# If a bridge has topics that have "out" direction, the default behaviour is to +# send an unsubscribe request to the remote broker on that topic. This means +# that changing a topic direction from "in" to "out" will not keep receiving +# incoming messages. Sending these unsubscribe requests is not always +# desirable, setting bridge_attempt_unsubscribe to false will disable sending +# the unsubscribe request. +#bridge_attempt_unsubscribe true + +# Set the version of the MQTT protocol to use with for this bridge. Can be one +# of mqttv50, mqttv311 or mqttv31. Defaults to mqttv311. +#bridge_protocol_version mqttv311 + +# Set the clean session variable for this bridge. +# When set to true, when the bridge disconnects for any reason, all +# messages and subscriptions will be cleaned up on the remote +# broker. Note that with cleansession set to true, there may be a +# significant amount of retained messages sent when the bridge +# reconnects after losing its connection. +# When set to false, the subscriptions and messages are kept on the +# remote broker, and delivered when the bridge reconnects. +#cleansession false + +# Set the amount of time a bridge using the lazy start type must be idle before +# it will be stopped. Defaults to 60 seconds. +#idle_timeout 60 + +# Set the keepalive interval for this bridge connection, in +# seconds. +#keepalive_interval 60 + +# Set the clientid to use on the local broker. If not defined, this defaults to +# 'local.'. If you are bridging a broker to itself, it is important +# that local_clientid and clientid do not match. +#local_clientid + +# If set to true, publish notification messages to the local and remote brokers +# giving information about the state of the bridge connection. Retained +# messages are published to the topic $SYS/broker/connection//state +# unless the notification_topic option is used. +# If the message is 1 then the connection is active, or 0 if the connection has +# failed. +# This uses the last will and testament feature. +#notifications true + +# Choose the topic on which notification messages for this bridge are +# published. If not set, messages are published on the topic +# $SYS/broker/connection//state +#notification_topic + +# Set the client id to use on the remote end of this bridge connection. If not +# defined, this defaults to 'name.hostname' where name is the connection name +# and hostname is the hostname of this computer. +# This replaces the old "clientid" option to avoid confusion. "clientid" +# remains valid for the time being. +#remote_clientid + +# Set the password to use when connecting to a broker that requires +# authentication. This option is only used if remote_username is also set. +# This replaces the old "password" option to avoid confusion. "password" +# remains valid for the time being. +#remote_password + +# Set the username to use when connecting to a broker that requires +# authentication. +# This replaces the old "username" option to avoid confusion. "username" +# remains valid for the time being. +#remote_username + +# Set the amount of time a bridge using the automatic start type will wait +# until attempting to reconnect. +# This option can be configured to use a constant delay time in seconds, or to +# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree +# of randomness to when the restart occurs. +# +# Set a constant timeout of 20 seconds: +# restart_timeout 20 +# +# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of +# 60 seconds: +# restart_timeout 10 30 +# +# Defaults to jitter with a base of 5 and cap of 30 +#restart_timeout 5 30 + +# If the bridge has more than one address given in the address/addresses +# configuration, the round_robin option defines the behaviour of the bridge on +# a failure of the bridge connection. If round_robin is false, the default +# value, then the first address is treated as the main bridge connection. If +# the connection fails, the other secondary addresses will be attempted in +# turn. Whilst connected to a secondary bridge, the bridge will periodically +# attempt to reconnect to the main bridge until successful. +# If round_robin is true, then all addresses are treated as equals. If a +# connection fails, the next address will be tried and if successful will +# remain connected until it fails +#round_robin false + +# Set the start type of the bridge. This controls how the bridge starts and +# can be one of three types: automatic, lazy and once. Note that RSMB provides +# a fourth start type "manual" which isn't currently supported by mosquitto. +# +# "automatic" is the default start type and means that the bridge connection +# will be started automatically when the broker starts and also restarted +# after a short delay (30 seconds) if the connection fails. +# +# Bridges using the "lazy" start type will be started automatically when the +# number of queued messages exceeds the number set with the "threshold" +# parameter. It will be stopped automatically after the time set by the +# "idle_timeout" parameter. Use this start type if you wish the connection to +# only be active when it is needed. +# +# A bridge using the "once" start type will be started automatically when the +# broker starts but will not be restarted if the connection fails. +#start_type automatic + +# Set the number of messages that need to be queued for a bridge with lazy +# start type to be restarted. Defaults to 10 messages. +# Must be less than max_queued_messages. +#threshold 10 + +# If try_private is set to true, the bridge will attempt to indicate to the +# remote broker that it is a bridge not an ordinary client. If successful, this +# means that loop detection will be more effective and that retained messages +# will be propagated correctly. Not all brokers support this feature so it may +# be necessary to set try_private to false if your bridge does not connect +# properly. +#try_private true + +# Some MQTT brokers do not allow retained messages. MQTT v5 gives a mechanism +# for brokers to tell clients that they do not support retained messages, but +# this is not possible for MQTT v3.1.1 or v3.1. If you need to bridge to a +# v3.1.1 or v3.1 broker that does not support retained messages, set the +# bridge_outgoing_retain option to false. This will remove the retain bit on +# all outgoing messages to that bridge, regardless of any other setting. +#bridge_outgoing_retain true + +# If you wish to restrict the size of messages sent to a remote bridge, use the +# bridge_max_packet_size option. This sets the maximum number of bytes for +# the total message, including headers and payload. +# Note that MQTT v5 brokers may provide their own maximum-packet-size property. +# In this case, the smaller of the two limits will be used. +# Set to 0 for "unlimited". +#bridge_max_packet_size 0 + + +# ----------------------------------------------------------------- +# Certificate based SSL/TLS support +# ----------------------------------------------------------------- +# Either bridge_cafile or bridge_capath must be defined to enable TLS support +# for this bridge. +# bridge_cafile defines the path to a file containing the +# Certificate Authority certificates that have signed the remote broker +# certificate. +# bridge_capath defines a directory that will be searched for files containing +# the CA certificates. For bridge_capath to work correctly, the certificate +# files must have ".crt" as the file ending and you must run "openssl rehash +# " each time you add/remove a certificate. +#bridge_cafile +#bridge_capath + + +# If the remote broker has more than one protocol available on its port, e.g. +# MQTT and WebSockets, then use bridge_alpn to configure which protocol is +# requested. Note that WebSockets support for bridges is not yet available. +#bridge_alpn + +# When using certificate based encryption, bridge_insecure disables +# verification of the server hostname in the server certificate. This can be +# useful when testing initial server configurations, but makes it possible for +# a malicious third party to impersonate your server through DNS spoofing, for +# example. Use this option in testing only. If you need to resort to using this +# option in a production environment, your setup is at fault and there is no +# point using encryption. +#bridge_insecure false + +# Path to the PEM encoded client certificate, if required by the remote broker. +#bridge_certfile + +# Path to the PEM encoded client private key, if required by the remote broker. +#bridge_keyfile + +# ----------------------------------------------------------------- +# PSK based SSL/TLS support +# ----------------------------------------------------------------- +# Pre-shared-key encryption provides an alternative to certificate based +# encryption. A bridge can be configured to use PSK with the bridge_identity +# and bridge_psk options. These are the client PSK identity, and pre-shared-key +# in hexadecimal format with no "0x". Only one of certificate and PSK based +# encryption can be used on one +# bridge at once. +#bridge_identity +#bridge_psk + + +# ================================================================= +# External config files +# ================================================================= + +# External configuration files may be included by using the +# include_dir option. This defines a directory that will be searched +# for config files. All files that end in '.conf' will be loaded as +# a configuration file. It is best to have this as the last option +# in the main file. This option will only be processed from the main +# configuration file. The directory specified must not contain the +# main configuration file. +# Files within include_dir will be loaded sorted in case-sensitive +# alphabetical order, with capital letters ordered first. If this option is +# given multiple times, all of the files from the first instance will be +# processed before the next instance. See the man page for examples. +#include_dir + +CFGEOF + +# WARNING: /etc/bird.conf не существует +# WARNING: /etc/bird4.conf не существует +#---------------------------------------------------- +#Generating cron +#---------------------------------------------------- + diff --git a/bkps/wrt-bkp-172.16.17.1.sh b/bkps/wrt-bkp-172.16.17.1.sh new file mode 100644 index 0000000..be91e0e --- /dev/null +++ b/bkps/wrt-bkp-172.16.17.1.sh @@ -0,0 +1,699 @@ + +#hostname= Buran-vad +#DISTRIB_DESCRIPTION='OpenWrt SNAPSHOT r13406-f166cf9ca0' +#profile = xiaomi_mir3g-v2 +#target = mt7621 +#soc = packages +#arch = mt7621 +#Xiaomi Mi Router 3G v2 custom default settings +#---------------------------------------------------- +#Generating cmd for install pkg +#---------------------------------------------------- +opkg install luci-proto-wireguard +opkg install iwinfo +opkg install opkg +opkg install ubus +opkg install busybox +opkg install kmod-nf-reject6 +opkg install kmod-nf-flow +opkg install kmod-lib-crc-ccitt +opkg install getrandom +opkg install kmod-pppoe +opkg install kmod-pppox +opkg install kmod-ipt-conntrack +opkg install kmod-nf-reject +opkg install base-files +opkg install kmod-nf-nat +opkg install netifd +opkg install dnsmasq +opkg install procd +opkg install ubusd +opkg install firewall +opkg install kmod-nf-ipt +opkg install tcpdump +opkg install ubi-utils +opkg install kmod-ip6tables +opkg install odhcp6c +opkg install fstools +opkg install uci +opkg install dropbear +opkg install mtd +opkg install odhcpd-ipv6only +opkg install urandom-seed +opkg install ppp +opkg install kmod-leds-gpio +opkg install kmod-gpio-button-hotplug +opkg install logd +opkg install kmod-mt7603 +opkg install libjson-script +opkg install libblobmsg-json +opkg install iptables +opkg install luci-ssl-nginx +opkg install jshn +opkg install kmod-ipt-core +opkg install kmod-ppp +opkg install kmod-nf-conntrack +opkg install usign +opkg install ip6tables +opkg install kmod-nf-ipt6 +opkg install luci +opkg install kmod-nf-conntrack6 +opkg install bird1-ipv4-uci +opkg install ubox +opkg install kernel +opkg install libnl-tiny +opkg install kmod-mt76x2 +opkg install fwtool +opkg install jsonfilter +opkg install kmod-ipt-offload +opkg install urngd +opkg install kmod-slhc +opkg install ppp-mod-pppoe +opkg install kmod-ipt-nat +#---------------------------------------------------- +#Generating configuration Xiaomi Mi Router 3G v2 +#---------------------------------------------------- +uci -q batch << EOI +set bird4.bird=bird +set bird4.bird.use_UCI_config='0' +set bird4.bird.UCI_config_file='/etc/bird4.conf' +set bird4.global=global +set bird4.global.log_file='/tmp/bird4.log' +set bird4.global.log='all' +set bird4.global.debug='off' +set bird4.@table[0]=table +set bird4.@table[0].name='aux' +set bird4.kernel1=kernel +set bird4.kernel1.table='aux' +set bird4.kernel1.import='all' +set bird4.kernel1.export='all' +set bird4.kernel1.kernel_table='100' +set bird4.kernel1.scan_time='10' +set bird4.kernel1.learn='1' +set bird4.kernel1.persist='0' +set bird4.kernel1.disabled='0' +set bird4.device1=device +set bird4.device1.scan_time='10' +set bird4.device1.disabled='0' +set bird4.static1=static +set bird4.static1.table='aux' +set bird4.static1.disabled='0' +commit bird4 +set dhcp.@dnsmasq[0]=dnsmasq +set dhcp.@dnsmasq[0].domainneeded='1' +set dhcp.@dnsmasq[0].localise_queries='1' +set dhcp.@dnsmasq[0].rebind_protection='1' +set dhcp.@dnsmasq[0].rebind_localhost='1' +set dhcp.@dnsmasq[0].expandhosts='1' +set dhcp.@dnsmasq[0].authoritative='1' +set dhcp.@dnsmasq[0].readethers='1' +set dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases' +set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto' +set dhcp.@dnsmasq[0].localservice='1' +set dhcp.@dnsmasq[0].allservers='1' +set dhcp.@dnsmasq[0].local='/vad.loc/' +set dhcp.@dnsmasq[0].domain='vad.loc' +set dhcp.@dnsmasq[0].server='/lan/10.0.254.1' +set dhcp.lan=dhcp +set dhcp.lan.interface='lan' +set dhcp.lan.limit='150' +set dhcp.lan.dhcpv6='server' +set dhcp.lan.ra='server' +set dhcp.lan.ra_slaac='1' +set dhcp.lan.ra_flags='managed-config' 'other-config' +set dhcp.lan.start='10' +set dhcp.lan.leasetime='1440h' +set dhcp.lan.ra_management='1' +set dhcp.wan=dhcp +set dhcp.wan.interface='wan' +set dhcp.wan.ignore='1' +set dhcp.odhcpd=odhcpd +set dhcp.odhcpd.maindhcp='0' +set dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd' +set dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update' +set dhcp.odhcpd.loglevel='4' +commit dhcp +set dropbear.@dropbear[0]=dropbear +set dropbear.@dropbear[0].PasswordAuth='on' +set dropbear.@dropbear[0].RootPasswordAuth='on' +set dropbear.@dropbear[0].Port='22' +commit dropbear +set firewall.@defaults[0]=defaults +set firewall.@defaults[0].syn_flood='1' +set firewall.@defaults[0].input='ACCEPT' +set firewall.@defaults[0].output='ACCEPT' +set firewall.@defaults[0].forward='REJECT' +set firewall.@zone[0]=zone +set firewall.@zone[0].name='lan' +set firewall.@zone[0].input='ACCEPT' +set firewall.@zone[0].output='ACCEPT' +set firewall.@zone[0].forward='ACCEPT' +set firewall.@zone[0].network='lan' +set firewall.@zone[1]=zone +set firewall.@zone[1].name='wan' +set firewall.@zone[1].network='wan' 'wan6' +set firewall.@zone[1].input='REJECT' +set firewall.@zone[1].output='ACCEPT' +set firewall.@zone[1].forward='REJECT' +set firewall.@zone[1].masq='1' +set firewall.@zone[1].mtu_fix='1' +set firewall.@forwarding[0]=forwarding +set firewall.@forwarding[0].src='lan' +set firewall.@forwarding[0].dest='wan' +set firewall.@rule[0]=rule +set firewall.@rule[0].name='Allow-DHCP-Renew' +set firewall.@rule[0].src='wan' +set firewall.@rule[0].proto='udp' +set firewall.@rule[0].dest_port='68' +set firewall.@rule[0].target='ACCEPT' +set firewall.@rule[0].family='ipv4' +set firewall.@rule[1]=rule +set firewall.@rule[1].name='Allow-Ping' +set firewall.@rule[1].src='wan' +set firewall.@rule[1].proto='icmp' +set firewall.@rule[1].icmp_type='echo-request' +set firewall.@rule[1].family='ipv4' +set firewall.@rule[1].target='ACCEPT' +set firewall.@rule[2]=rule +set firewall.@rule[2].name='Allow-IGMP' +set firewall.@rule[2].src='wan' +set firewall.@rule[2].proto='igmp' +set firewall.@rule[2].family='ipv4' +set firewall.@rule[2].target='ACCEPT' +set firewall.@rule[3]=rule +set firewall.@rule[3].name='Allow-DHCPv6' +set firewall.@rule[3].src='wan' +set firewall.@rule[3].proto='udp' +set firewall.@rule[3].src_ip='fc00::/6' +set firewall.@rule[3].dest_ip='fc00::/6' +set firewall.@rule[3].dest_port='546' +set firewall.@rule[3].family='ipv6' +set firewall.@rule[3].target='ACCEPT' +set firewall.@rule[4]=rule +set firewall.@rule[4].name='Allow-MLD' +set firewall.@rule[4].src='wan' +set firewall.@rule[4].proto='icmp' +set firewall.@rule[4].src_ip='fe80::/10' +set firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0' +set firewall.@rule[4].family='ipv6' +set firewall.@rule[4].target='ACCEPT' +set firewall.@rule[5]=rule +set firewall.@rule[5].name='Allow-ICMPv6-Input' +set firewall.@rule[5].src='wan' +set firewall.@rule[5].proto='icmp' +set firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement' +set firewall.@rule[5].limit='1000/sec' +set firewall.@rule[5].family='ipv6' +set firewall.@rule[5].target='ACCEPT' +set firewall.@rule[6]=rule +set firewall.@rule[6].name='Allow-ICMPv6-Forward' +set firewall.@rule[6].src='wan' +set firewall.@rule[6].dest='*' +set firewall.@rule[6].proto='icmp' +set firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' +set firewall.@rule[6].limit='1000/sec' +set firewall.@rule[6].family='ipv6' +set firewall.@rule[6].target='ACCEPT' +set firewall.@rule[7]=rule +set firewall.@rule[7].name='Allow-IPSec-ESP' +set firewall.@rule[7].src='wan' +set firewall.@rule[7].dest='lan' +set firewall.@rule[7].proto='esp' +set firewall.@rule[7].target='ACCEPT' +set firewall.@rule[8]=rule +set firewall.@rule[8].name='Allow-ISAKMP' +set firewall.@rule[8].src='wan' +set firewall.@rule[8].dest='lan' +set firewall.@rule[8].dest_port='500' +set firewall.@rule[8].proto='udp' +set firewall.@rule[8].target='ACCEPT' +set firewall.@rule[9]=rule +set firewall.@rule[9].name='Support-UDP-Traceroute' +set firewall.@rule[9].src='wan' +set firewall.@rule[9].dest_port='33434:33689' +set firewall.@rule[9].proto='udp' +set firewall.@rule[9].family='ipv4' +set firewall.@rule[9].target='REJECT' +set firewall.@rule[9].enabled='0' +set firewall.@include[0]=include +set firewall.@include[0].path='/etc/firewall.user' +set firewall.@zone[2]=zone +set firewall.@zone[2].name='wg' +set firewall.@zone[2].input='ACCEPT' +set firewall.@zone[2].output='ACCEPT' +set firewall.@zone[2].forward='ACCEPT' +set firewall.@zone[2].network='wg21 wg13 wg19 wg17 wg9' +set firewall.@forwarding[1]=forwarding +set firewall.@forwarding[1].src='wg' +set firewall.@forwarding[1].dest='lan' +set firewall.@forwarding[2]=forwarding +set firewall.@forwarding[2].src='wg' +set firewall.@forwarding[2].dest='wan' +set firewall.@forwarding[3]=forwarding +set firewall.@forwarding[3].src='lan' +set firewall.@forwarding[3].dest='wg' +set firewall.@rule[10]=rule +set firewall.@rule[10].name='Bereg Allow' +set firewall.@rule[10].src='wan' +set firewall.@rule[10].src_ip='192.168.59.123' +set firewall.@rule[10].target='ACCEPT' +commit firewall +set luci.main=core +set luci.main.lang='auto' +set luci.main.mediaurlbase='/luci-static/bootstrap' +set luci.main.resourcebase='/luci-static/resources' +set luci.main.ubuspath='/ubus/' +set luci.flash_keep=extern +set luci.flash_keep.uci='/etc/config/' +set luci.flash_keep.dropbear='/etc/dropbear/' +set luci.flash_keep.openvpn='/etc/openvpn/' +set luci.flash_keep.passwd='/etc/passwd' +set luci.flash_keep.opkg='/etc/opkg.conf' +set luci.flash_keep.firewall='/etc/firewall.user' +set luci.flash_keep.uploads='/lib/uci/upload/' +set luci.languages=internal +set luci.sauth=internal +set luci.sauth.sessionpath='/tmp/luci-sessions' +set luci.sauth.sessiontime='3600' +set luci.ccache=internal +set luci.ccache.enable='1' +set luci.themes=internal +set luci.themes.Bootstrap='/luci-static/bootstrap' +set luci.apply=internal +set luci.apply.rollback='90' +set luci.apply.holdoff='4' +set luci.apply.timeout='5' +set luci.apply.display='1.5' +set luci.diag=internal +set luci.diag.dns='openwrt.org' +set luci.diag.ping='openwrt.org' +set luci.diag.route='openwrt.org' +commit luci +set network.loopback=interface +set network.loopback.ifname='lo' +set network.loopback.proto='static' +set network.loopback.ipaddr='127.0.0.1' +set network.loopback.netmask='255.0.0.0' +set network.globals=globals +set network.globals.ula_prefix='fd05:470a:0ba9::/48' +set network.lan=interface +set network.lan.type='bridge' +set network.lan.ifname='lan1 lan2' +set network.lan.proto='static' +set network.lan.netmask='255.255.255.0' +set network.lan.ipaddr='172.16.17.1' +set network.lan.delegate='0' +set network.wan=interface +set network.wan.ifname='wan' +set network.wan.proto='static' +set network.wan.netmask='255.255.255.0' +set network.wan.gateway='192.168.58.129' +set network.wan.broadcast='192.168.58.255' +set network.wan.ipaddr='192.168.58.73' +set network.wan.dns='10.0.254.1' '192.168.58.129' +set network.wan6=interface +set network.wan6.ifname='wan' +set network.wan6.proto='none' +set network.wan6.auto='0' +set network.wg17=interface +set network.wg17.proto='wireguard' +set network.wg17.delegate='0' +set network.wg17.addresses='10.0.2.18/30' +set network.wg17.mtu='1420' +set network.wg17.private_key='gK9v8aIWVdrcagpbWCw6fvw+OoaPQcUvwpNi0M+FdXM=' +set network.@wireguard_wg17[0]=wireguard_wg17 +set network.@wireguard_wg17[0].description='muromec' +set network.@wireguard_wg17[0].allowed_ips='0.0.0.0/0' +set network.@wireguard_wg17[0].endpoint_host='muromec.kapka.ru' +set network.@wireguard_wg17[0].persistent_keepalive='60' +set network.@wireguard_wg17[0].endpoint_port='12017' +set network.@wireguard_wg17[0].public_key='oIra8TLMVSfCD+EZvyjaP/oYC4Jin0hFk/WrsBlhxXA=' +set network.wg9=interface +set network.wg9.proto='wireguard' +set network.wg9.private_key='mJydi85I+C/dmX5iEB/i6O2IewTJvGvjZ5Ci1tCQAWU=' +set network.wg9.addresses='10.0.1.10/30' +set network.wg9.mtu='1420' +set network.@wireguard_wg9[0]=wireguard_wg9 +set network.@wireguard_wg9[0].description='turbo.kapka.ru' +set network.@wireguard_wg9[0].public_key='tTAmlqz5EnZ/FX1s8v6fhNjy9ykOvZ5hghVJ8GcB5kI=' +set network.@wireguard_wg9[0].allowed_ips='0.0.0.0/0' +set network.@wireguard_wg9[0].endpoint_host='turbo.kapka.ru' +set network.@wireguard_wg9[0].endpoint_port='12109' +commit network +set rpcd.@rpcd[0]=rpcd +set rpcd.@rpcd[0].socket='/var/run/ubus.sock' +set rpcd.@rpcd[0].timeout='30' +set rpcd.@login[0]=login +set rpcd.@login[0].username='root' +set rpcd.@login[0].password='$p$root' +set rpcd.@login[0].read='*' +set rpcd.@login[0].write='*' +commit rpcd +set system.@system[0]=system +set system.@system[0].ttylogin='0' +set system.@system[0].log_size='64' +set system.@system[0].urandom_seed='0' +set system.@system[0].zonename='Europe/Moscow' +set system.@system[0].timezone='MSK-3' +set system.@system[0].log_proto='udp' +set system.@system[0].conloglevel='8' +set system.@system[0].cronloglevel='5' +set system.@system[0].hostname='Buran-vad' +set system.ntp=timeserver +set system.ntp.server='0.openwrt.pool.ntp.org' '1.openwrt.pool.ntp.org' '2.openwrt.pool.ntp.org' '3.openwrt.pool.ntp.org' +commit system +set ucitrack.@network[0]=network +set ucitrack.@network[0].init='network' +set ucitrack.@network[0].affects='dhcp' 'radvd' +set ucitrack.@wireless[0]=wireless +set ucitrack.@wireless[0].affects='network' +set ucitrack.@firewall[0]=firewall +set ucitrack.@firewall[0].init='firewall' +set ucitrack.@firewall[0].affects='luci-splash' 'qos' 'miniupnpd' +set ucitrack.@olsr[0]=olsr +set ucitrack.@olsr[0].init='olsrd' +set ucitrack.@dhcp[0]=dhcp +set ucitrack.@dhcp[0].init='dnsmasq' +set ucitrack.@dhcp[0].affects='odhcpd' +set ucitrack.@odhcpd[0]=odhcpd +set ucitrack.@odhcpd[0].init='odhcpd' +set ucitrack.@dropbear[0]=dropbear +set ucitrack.@dropbear[0].init='dropbear' +set ucitrack.@httpd[0]=httpd +set ucitrack.@httpd[0].init='httpd' +set ucitrack.@fstab[0]=fstab +set ucitrack.@fstab[0].exec='/sbin/block mount' +set ucitrack.@qos[0]=qos +set ucitrack.@qos[0].init='qos' +set ucitrack.@system[0]=system +set ucitrack.@system[0].init='led' +set ucitrack.@system[0].exec='/etc/init.d/log reload' +set ucitrack.@system[0].affects='luci_statistics' 'dhcp' +set ucitrack.@luci_splash[0]=luci_splash +set ucitrack.@luci_splash[0].init='luci_splash' +set ucitrack.@upnpd[0]=upnpd +set ucitrack.@upnpd[0].init='miniupnpd' +set ucitrack.@ntpclient[0]=ntpclient +set ucitrack.@ntpclient[0].init='ntpclient' +set ucitrack.@samba[0]=samba +set ucitrack.@samba[0].init='samba' +set ucitrack.@tinyproxy[0]=tinyproxy +set ucitrack.@tinyproxy[0].init='tinyproxy' +commit ucitrack +set uhttpd.main=uhttpd +set uhttpd.main.listen_http='0.0.0.0:80' '[::]:80' +set uhttpd.main.listen_https='0.0.0.0:443' '[::]:443' +set uhttpd.main.redirect_https='1' +set uhttpd.main.home='/www' +set uhttpd.main.rfc1918_filter='1' +set uhttpd.main.max_requests='3' +set uhttpd.main.max_connections='100' +set uhttpd.main.cert='/etc/uhttpd.crt' +set uhttpd.main.key='/etc/uhttpd.key' +set uhttpd.main.cgi_prefix='/cgi-bin' +set uhttpd.main.lua_prefix='/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua' +set uhttpd.main.script_timeout='60' +set uhttpd.main.network_timeout='30' +set uhttpd.main.http_keepalive='20' +set uhttpd.main.tcp_keepalive='1' +set uhttpd.main.ubus_prefix='/ubus' +set uhttpd.defaults=cert +set uhttpd.defaults.days='730' +set uhttpd.defaults.key_type='rsa' +set uhttpd.defaults.bits='2048' +set uhttpd.defaults.ec_curve='P-256' +set uhttpd.defaults.country='ZZ' +set uhttpd.defaults.state='Somewhere' +set uhttpd.defaults.location='Unknown' +set uhttpd.defaults.commonname='OpenWrt' +commit uhttpd +set wireless.radio0=wifi-device +set wireless.radio0.type='mac80211' +set wireless.radio0.hwmode='11g' +set wireless.radio0.path='1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0' +set wireless.radio0.htmode='HT20' +set wireless.radio0.channel='10' +set wireless.radio0.country='JP' +set wireless.default_radio0=wifi-iface +set wireless.default_radio0.device='radio0' +set wireless.default_radio0.network='lan' +set wireless.default_radio0.mode='ap' +set wireless.default_radio0.encryption='psk2' +set wireless.default_radio0.key='23637387581' +set wireless.default_radio0.ssid='Buran' +set wireless.default_radio0.short_preamble='0' +set wireless.radio1=wifi-device +set wireless.radio1.type='mac80211' +set wireless.radio1.hwmode='11a' +set wireless.radio1.path='1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0' +set wireless.radio1.htmode='VHT80' +set wireless.radio1.channel='56' +set wireless.radio1.country='JP' +set wireless.default_radio1=wifi-iface +set wireless.default_radio1.device='radio1' +set wireless.default_radio1.network='lan' +set wireless.default_radio1.mode='ap' +set wireless.default_radio1.encryption='psk2' +set wireless.default_radio1.key='23637387581' +set wireless.default_radio1.ssid='Buran-5G' +commit wireless +EOI +#---------------------------------------------------- +#Generating conf file +#---------------------------------------------------- +# WARNING: /etc/mosquitto не существует +# WARNING: /etc/bird.conf не существует +#Gen file /etc/bird4.conf + +mkdir -p "/etc" +cat << 'CFGEOF' > "/etc/bird4.conf" +# THIS CONFIG FILE IS NOT A COMPLETE DOCUMENTATION +# PLEASE LOOK IN THE BIRD DOCUMENTATION FOR MORE INFO + +# However, most of options used here are just for example +# and will be removed in real-life configs. + +log syslog all; + +# Override router ID +router id 172.16.17.1; + +# Turn on global debugging of all protocols +#debug protocols all; + + +table bgpban; +table ospfmy; +#table master; + + +# Define a route filter... +filter test_filter { + if net = 192.168.0.0/16 then reject; + if net = 172.16.0.0/12 then reject; + else accept; +} + +# The direct protocol automatically generates device routes to all network +# interfaces. Can exist in as many instances as you wish if you want to +# populate multiple routing tables with device routes. Because device routes +# are handled by Linux kernel, this protocol is usually not needed. +protocol direct { + interface "-wan", "*"; # Restrict network interfaces it works with + table bgpban; + table ospfmy; +} + +# This pseudo-protocol watches all interface up/down events. +protocol device { + scan time 10; # Scan interfaces every 10 seconds +} + +# Static routes (again, there can be multiple instances, so that you +# can disable/enable various groups of static routes on the fly). +protocol static { +# export all; # Default is export none +# route 0.0.0.0/0 via 62.168.0.13; +# route 10.0.0.0/8 reject; +# route 192.168.0.0/16 reject; +} + + +#protocol rip { +# disabled; +# import all; +# export all; +# export filter test_filter; + +# port 1520; +# period 7; +# infinity 16; +# garbage time 60; +# interface "*" { mode broadcast; }; +# honor neighbor; +# honor always; +# honor never; +# authentication none; +#} + + + + +######################### OSPF + +# This pseudo-protocol performs synchronization between BIRD's routing +# tables and the kernel. You can run multiple instances of the kernel +# protocol and synchronize different kernel tables with different BIRD tables. + +protocol kernel ospfMyKern { + table ospfmy; +# table bgpban; +# learn; # Learn all alien routes from the kernel +# persist; # Don't remove routes on bird shutdown + scan time 60; # Scan kernel routing table every 20 seconds +# import none; # Default is import all + import all; + export all; # Default is export none +# device routes yes; + kernel table 10; + #merge paths switch 16; + metric 10; +} + +protocol kernel bgpbanKern { +# table ospfmy; + table bgpban; +# learn; # Learn all alien routes from the kernel +# persist; # Don't remove routes on bird shutdown + scan time 60; # Scan kernel routing table every 20 seconds +# import none; # Default is import all + import all; #COMMENT tis to disable BGP table + export all; # Default is export none +# device routes yes; + kernel table 11; + #merge paths switch 16; + metric 10; +} + +#protocol kernel mast { +# table master; +## persist; +# scan time 60; +# learn; +# kernel table 254; +# export all; +#} + +#protocol pipe { +# table master; +# peer table ospfmy; +# peer table bgpban; +# import all; +#} + + + + +protocol ospf ASWG { +# disabled; + table ospfmy; + import filter test_filter; + export all; +# import filter { print ">>>>>>imp net accepted:", net; accept; }; +# export filter { print ">>>>>>exp net accepted:", net; accept; }; + +# export where source = RTS_STATIC; + + area 0 { +# networks { +# 10.0.1.0/24; +# 10.0.2.0/24; +# }; + + interface "wg17" { #17 + cost 60; + hello 10; + retransmit 5; + wait 30; + dead 40; + type pointopoint; + priority 30; +# authentication simple; +# password "pass"; + }; + + interface "wg9" { + cost 5; + hello 10; + retransmit 5; + wait 30; + dead 40; + type pointopoint; + priority 30; +# authentication simple; +# password "pass"; + }; + + + }; +} + + + + +#########################BGP +# This pseudo-protocol performs synchronization between BIRD's routing +# tables and the kernel. You can run multiple instances of the kernel +# protocol and synchronize different kernel tables with different BIRD tables. +#protocol kernel { +# table bgpban; +# learn; # Learn all alien routes from the kernel +# persist; # Don't remove routes on bird shutdown +# scan time 60; # Scan kernel routing table every 20 seconds +# import none; # Default is import all +# import all; +# export all; # Default is export none +#} + + + +protocol bgp { +# disabled; + table bgpban; + import all; + export all; +# export where source = RTS_STATIC; + + local as 65018; + neighbor 10.0.2.17 as 65017; +# multihop 20 via 10.0.2.9; +# multihop; + +# hold time 240; +# startup hold time 240; +# connect retry time 120; +# keepalive time 80; # defaults to hold time / 3 +# start delay time 5; # How long do we wait before initial connect +# error wait time 60, 300;# Minimum and maximum time we wait after an error (when consecutive +# # errors occur, we increase the delay exponentially ... +# error forget time 300; # ... until this timeout expires) +# disable after error; # Disable the protocol automatically when an error occurs +# next hop self; # Disable next hop processing and always advertise our local address as nexthop +# source address 62.168.0.14; # What local address we use for the TCP connection +# password "secret" # Password used for MD5 authentication +# rr client; # I am a route reflector and the neighor is my client +# rr cluster id 1.0.0.1 # Use this value for cluster id instead of my router id +# }; +} +CFGEOF + +#---------------------------------------------------- +#Generating cron +#---------------------------------------------------- + +3 3 12 12 * /usr/bin/nginx-util 'add_ssl' '_lan' + +#save config to muromec +0 3 * * 1 sh /root/bkpscript/backup_script.sh + + diff --git a/bkps/wrt-bkp-172.16.21.1.sh b/bkps/wrt-bkp-172.16.21.1.sh new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/bkps/wrt-bkp-172.16.21.1.sh @@ -0,0 +1 @@ + diff --git a/bkps/wrt-bkp-172.16.30.1.sh b/bkps/wrt-bkp-172.16.30.1.sh new file mode 100644 index 0000000..e217ee2 --- /dev/null +++ b/bkps/wrt-bkp-172.16.30.1.sh @@ -0,0 +1,1804 @@ + +#hostname= Buran-pruj +#DISTRIB_DESCRIPTION='OpenWrt 22.03.0 r19685-512e76967f' +#profile = xiaomi_mi-router-3g +#target = ramips +#soc = mt7621 +#arch = mipsel_24kc +#Xiaomi Mi Router 3G custom default settings +#---------------------------------------------------- +#Generating cmd for install pkg +#---------------------------------------------------- +opkg install luci-proto-wireguard +opkg install iwinfo +opkg install cgi-io +opkg install luci-lib-base +opkg install opkg +opkg install luci-app-opkg +opkg install ubus +opkg install rpcd +opkg install luci-lib-ip +opkg install kmod-nft-fib +opkg install kmod-nfnetlink +opkg install libubus-lua +opkg install kmod-crypto-hash +opkg install kmod-nf-reject6 +opkg install libiwinfo-lua +opkg install luci-mod-system +opkg install kmod-nf-flow +opkg install kmod-lib-crc-ccitt +opkg install getrandom +opkg install ucode-mod-ubus +opkg install minicom +opkg install kmod-gre +opkg install luci-theme-bootstrap +opkg install kmod-pppoe +opkg install kmod-usb-net-huawei-cdc-ncm +opkg install kmod-pppox +opkg install luci-app-wireguard +opkg install kmod-nf-reject +opkg install procd-ujail +opkg install base-files +opkg install kmod-nf-nat +opkg install kmod-crypto-crc32c +opkg install ucode-mod-uci +opkg install netifd +opkg install uboot-envtools +opkg install dnsmasq +opkg install 3ginfo-text +opkg install usbutils +opkg install ubusd +opkg install kmod-lib-crc32c +opkg install luci-mod-status +opkg install kmod-pptp +opkg install kmod-usb-net-rndis +opkg install luci-proto-modemmanager +opkg install kmod-nft-nat +opkg install kmod-usb2 +opkg install kmod-usb-serial-option +opkg install kmod-usb3 +opkg install luci-app-firewall +opkg install kmod-fs-nfs-v3 +opkg install kmod-fs-nfs-v4 +opkg install tcpdump +opkg install ubi-utils +opkg install nfs-utils +opkg install odhcp6c +opkg install fstools +opkg install lftp +opkg install iptables-mod-ipopt +opkg install uci +opkg install lua +opkg install ucode-mod-fs +opkg install luci-ssl +opkg install dropbear +opkg install luci-proto-3g +opkg install curl +opkg install rpcd-mod-file +opkg install mtd +opkg install odhcpd-ipv6only +opkg install procd-seccomp +opkg install luci-proto-qmi +opkg install libiwinfo-data +opkg install usb-modeswitch +opkg install ucode +opkg install rpcd-mod-luci +opkg install kmod-nf-log +opkg install urandom-seed +opkg install luci-proto-ppp +opkg install luci-mod-admin-full +opkg install ppp +opkg install luci-base +opkg install luci-app-commands +opkg install socat +opkg install kmod-leds-gpio +opkg install kmod-gpio-button-hotplug +opkg install logd +opkg install kmod-mt7603 +opkg install ppp-mod-pptp +opkg install kmod-nf-log6 +opkg install kmod-usb-net +opkg install kmod-wireguard +opkg install wireguard-tools +opkg install kmod-usb-serial +opkg install luci-proto-ipv6 +opkg install kmod-nf-nathelper-extra +opkg install jshn +opkg install kmod-ppp +opkg install kmod-nft-offload +opkg install uhttpd +opkg install kmod-nf-conntrack +opkg install kmod-fs-nfs +opkg install usign +opkg install kmod-usb-serial-ipw +opkg install modemmanager +opkg install luci-lib-nixio +opkg install comgt-ncm +opkg install liblucihttp-lua +opkg install luci-lib-jsonc +opkg install kmod-ipt-ipopt +opkg install luci +opkg install kmod-nf-conntrack6 +opkg install kmod-usb-ledtrig-usbport +opkg install coreutils-stty +opkg install ubox +opkg install kernel +opkg install rpcd-mod-iwinfo +opkg install kmod-mt76x2 +opkg install luci-mod-network +opkg install kmod-nft-core +opkg install kmod-mppe +opkg install uhttpd-mod-ubus +opkg install fwtool +opkg install jsonfilter +opkg install hostapd-common +opkg install kmod-usb-net-cdc-ether +opkg install urngd +opkg install kmod-slhc +opkg install rpcd-mod-rrdns +opkg install ppp-mod-pppoe +opkg install luci-proto-ncm +#---------------------------------------------------- +#Generating configuration Xiaomi Mi Router 3G +#---------------------------------------------------- +uci -q batch << EOI +set 3ginfo.@3ginfo[0]=3ginfo +set 3ginfo.@3ginfo[0].http_port='81' +set 3ginfo.@3ginfo[0].network='wan' +set 3ginfo.@3ginfo[0].device='/dev/ttyUSB1' +set 3ginfo.@3ginfo[0].language='en' +commit 3ginfo +set dhcp.@dnsmasq[0]=dnsmasq +set dhcp.@dnsmasq[0].domainneeded='1' +set dhcp.@dnsmasq[0].localise_queries='1' +set dhcp.@dnsmasq[0].rebind_protection='1' +set dhcp.@dnsmasq[0].rebind_localhost='1' +set dhcp.@dnsmasq[0].expandhosts='1' +set dhcp.@dnsmasq[0].authoritative='1' +set dhcp.@dnsmasq[0].readethers='1' +set dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases' +set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto' +set dhcp.@dnsmasq[0].localservice='1' +set dhcp.@dnsmasq[0].ednspacket_max='1232' +set dhcp.@dnsmasq[0].local='/pruj.loc/' +set dhcp.@dnsmasq[0].domain='pruj.loc' +set dhcp.@dnsmasq[0].server='/lan/10.0.254.1' +set dhcp.lan=dhcp +set dhcp.lan.interface='lan' +set dhcp.lan.start='100' +set dhcp.lan.limit='150' +set dhcp.lan.leasetime='12h' +set dhcp.lan.dhcpv4='server' +set dhcp.lan.dhcpv6='server' +set dhcp.lan.ra='server' +set dhcp.lan.ra_flags='managed-config' 'other-config' +set dhcp.wan=dhcp +set dhcp.wan.interface='wan' +set dhcp.wan.ignore='1' +set dhcp.wan.start='100' +set dhcp.wan.limit='150' +set dhcp.wan.leasetime='12h' +set dhcp.odhcpd=odhcpd +set dhcp.odhcpd.maindhcp='0' +set dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd' +set dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update' +set dhcp.odhcpd.loglevel='4' +commit dhcp +set dropbear.@dropbear[0]=dropbear +set dropbear.@dropbear[0].PasswordAuth='on' +set dropbear.@dropbear[0].RootPasswordAuth='on' +set dropbear.@dropbear[0].Port='22' +commit dropbear +set firewall.@defaults[0]=defaults +set firewall.@defaults[0].output='ACCEPT' +set firewall.@defaults[0].forward='REJECT' +set firewall.@defaults[0].synflood_protect='1' +set firewall.@defaults[0].input='REJECT' +set firewall.@zone[0]=zone +set firewall.@zone[0].name='lan' +set firewall.@zone[0].input='ACCEPT' +set firewall.@zone[0].output='ACCEPT' +set firewall.@zone[0].forward='ACCEPT' +set firewall.@zone[0].network='lan' +set firewall.@zone[1]=zone +set firewall.@zone[1].name='wan' +set firewall.@zone[1].input='REJECT' +set firewall.@zone[1].output='ACCEPT' +set firewall.@zone[1].forward='REJECT' +set firewall.@zone[1].masq='1' +set firewall.@zone[1].mtu_fix='1' +set firewall.@zone[1].network='wan' 'wan6' '3g' +set firewall.@rule[0]=rule +set firewall.@rule[0].name='Allow-DHCP-Renew' +set firewall.@rule[0].src='wan' +set firewall.@rule[0].proto='udp' +set firewall.@rule[0].dest_port='68' +set firewall.@rule[0].target='ACCEPT' +set firewall.@rule[0].family='ipv4' +set firewall.@rule[1]=rule +set firewall.@rule[1].name='Allow-Ping' +set firewall.@rule[1].src='wan' +set firewall.@rule[1].proto='icmp' +set firewall.@rule[1].icmp_type='echo-request' +set firewall.@rule[1].family='ipv4' +set firewall.@rule[1].target='ACCEPT' +set firewall.@rule[2]=rule +set firewall.@rule[2].name='Allow-IGMP' +set firewall.@rule[2].src='wan' +set firewall.@rule[2].proto='igmp' +set firewall.@rule[2].family='ipv4' +set firewall.@rule[2].target='ACCEPT' +set firewall.@rule[3]=rule +set firewall.@rule[3].name='Allow-DHCPv6' +set firewall.@rule[3].src='wan' +set firewall.@rule[3].proto='udp' +set firewall.@rule[3].dest_port='546' +set firewall.@rule[3].family='ipv6' +set firewall.@rule[3].target='ACCEPT' +set firewall.@rule[4]=rule +set firewall.@rule[4].name='Allow-MLD' +set firewall.@rule[4].src='wan' +set firewall.@rule[4].proto='icmp' +set firewall.@rule[4].src_ip='fe80::/10' +set firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0' +set firewall.@rule[4].family='ipv6' +set firewall.@rule[4].target='ACCEPT' +set firewall.@rule[5]=rule +set firewall.@rule[5].name='Allow-ICMPv6-Input' +set firewall.@rule[5].src='wan' +set firewall.@rule[5].proto='icmp' +set firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement' +set firewall.@rule[5].limit='1000/sec' +set firewall.@rule[5].family='ipv6' +set firewall.@rule[5].target='ACCEPT' +set firewall.@rule[6]=rule +set firewall.@rule[6].name='Allow-ICMPv6-Forward' +set firewall.@rule[6].src='wan' +set firewall.@rule[6].dest='*' +set firewall.@rule[6].proto='icmp' +set firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' +set firewall.@rule[6].limit='1000/sec' +set firewall.@rule[6].family='ipv6' +set firewall.@rule[6].target='ACCEPT' +set firewall.@rule[7]=rule +set firewall.@rule[7].name='Allow-IPSec-ESP' +set firewall.@rule[7].src='wan' +set firewall.@rule[7].dest='lan' +set firewall.@rule[7].proto='esp' +set firewall.@rule[7].target='ACCEPT' +set firewall.@rule[8]=rule +set firewall.@rule[8].name='Allow-ISAKMP' +set firewall.@rule[8].src='wan' +set firewall.@rule[8].dest='lan' +set firewall.@rule[8].dest_port='500' +set firewall.@rule[8].proto='udp' +set firewall.@rule[8].target='ACCEPT' +set firewall.@zone[2]=zone +set firewall.@zone[2].name='wg' +set firewall.@zone[2].input='ACCEPT' +set firewall.@zone[2].output='ACCEPT' +set firewall.@zone[2].network='wg25' 'wg30' +set firewall.@zone[2].forward='ACCEPT' +set firewall.@forwarding[0]=forwarding +set firewall.@forwarding[0].src='wg' +set firewall.@forwarding[0].dest='lan' +set firewall.@forwarding[1]=forwarding +set firewall.@forwarding[1].src='wg' +set firewall.@forwarding[1].dest='wan' +set firewall.@forwarding[2]=forwarding +set firewall.@forwarding[2].src='lan' +set firewall.@forwarding[2].dest='wg' +set firewall.@forwarding[3]=forwarding +set firewall.@forwarding[3].src='lan' +set firewall.@forwarding[3].dest='wan' +commit firewall +set luci.main=core +set luci.main.lang='auto' +set luci.main.mediaurlbase='/luci-static/bootstrap' +set luci.main.resourcebase='/luci-static/resources' +set luci.main.ubuspath='/ubus/' +set luci.flash_keep=extern +set luci.flash_keep.uci='/etc/config/' +set luci.flash_keep.dropbear='/etc/dropbear/' +set luci.flash_keep.openvpn='/etc/openvpn/' +set luci.flash_keep.passwd='/etc/passwd' +set luci.flash_keep.opkg='/etc/opkg.conf' +set luci.flash_keep.firewall='/etc/firewall.user' +set luci.flash_keep.uploads='/lib/uci/upload/' +set luci.languages=internal +set luci.sauth=internal +set luci.sauth.sessionpath='/tmp/luci-sessions' +set luci.sauth.sessiontime='3600' +set luci.ccache=internal +set luci.ccache.enable='1' +set luci.themes=internal +set luci.themes.Bootstrap='/luci-static/bootstrap' +set luci.themes.BootstrapDark='/luci-static/bootstrap-dark' +set luci.themes.BootstrapLight='/luci-static/bootstrap-light' +set luci.apply=internal +set luci.apply.rollback='90' +set luci.apply.holdoff='4' +set luci.apply.timeout='5' +set luci.apply.display='1.5' +set luci.diag=internal +set luci.diag.dns='openwrt.org' +set luci.diag.ping='openwrt.org' +set luci.diag.route='openwrt.org' +set luci.@command[0]=command +set luci.@command[0].name='signal' +set luci.@command[0].command='echo AT+CSQ | socat - /dev/ttyUSB1,crnl | grep ^+CSQ | cut -f2 -d'\'' '\''' +set luci.@command[1]=command +set luci.@command[1].name='тип подключения' +set luci.@command[1].command='echo AT^SYSINFOEX | socat - /dev/ttyUSB1,crnl ' +set luci.@command[2]=command +set luci.@command[2].name='4G > 3G' +set luci.@command[2].command='echo '\''AT^SYSCFGEX="0302",3fffffff,2,4,7fffffffffffffff,,'\'' | socat - /dev/ttyUSB1,crnl' +set luci.@command[3]=command +set luci.@command[3].name='4G > 3G > 2G' +set luci.@command[3].command='echo '\''AT^SYSCFGEX="030201",3fffffff,2,4,7fffffffffffffff,,'\'' | socat - /dev/ttyUSB1,crnl' +set luci.@command[4]=command +set luci.@command[4].name='3G > 2G' +set luci.@command[4].command='echo '\''AT^SYSCFGEX="0201",3fffffff,2,4,7fffffffffffffff,,'\'' | socat - /dev/ttyUSB1,crnl' +set luci.@command[5]=command +set luci.@command[5].name='Auto' +set luci.@command[5].command='echo '\''AT^SYSCFGEX="00",3fffffff,2,4,7fffffffffffffff,,'\'' | socat - /dev/ttyUSB1,crnl' +set luci.@command[6]=command +set luci.@command[6].name='Route add' +set luci.@command[6].command='route add -net 172.16.11.0/24 gw 10.0.1.26 metric 1000' +commit luci +set mosquitto.owrt=owrt +set mosquitto.owrt.use_uci='0' +set mosquitto.mosquitto=mosquitto +set mosquitto.persistence=persistence +commit mosquitto +set network.loopback=interface +set network.loopback.device='lo' +set network.loopback.proto='static' +set network.loopback.ipaddr='127.0.0.1' +set network.loopback.netmask='255.0.0.0' +set network.globals=globals +set network.globals.packet_steering='1' +set network.globals.ula_prefix='fdd0:523b:82cd::/48' +set network.@device[0]=device +set network.@device[0].name='br-lan' +set network.@device[0].type='bridge' +set network.@device[0].ports='lan1' 'lan2' +set network.lan=interface +set network.lan.device='br-lan' +set network.lan.proto='static' +set network.lan.netmask='255.255.255.0' +set network.lan.ip6assign='60' +set network.lan.ipaddr='172.16.30.1' +set network.wan=interface +set network.wan.device='wan' +set network.wan.proto='static' +set network.wan.ipaddr='172.16.104.211' +set network.wan.netmask='255.255.255.192' +set network.wan.gateway='172.16.104.193' +set network.wan.dns='10.0.254.1' '188.128.84.20' '95.167.167.95' '9.9.9.9' +set network.wan6=interface +set network.wan6.device='wan' +set network.wan6.proto='dhcpv6' +set network.3g=interface +set network.3g.proto='3g' +set network.3g.ipv6='auto' +set network.3g.username='gdata' +set network.3g.password='gdata' +set network.3g.service='umts' +set network.3g.device='/dev/ttyUSB0' +set network.3g.delegate='0' +set network.3g.apn='internet' +set network.wg30=interface +set network.wg30.proto='wireguard' +set network.wg30.delegate='0' +set network.wg30.mtu='1420' +set network.wg30.private_key='EJmoZBKfkcO80Hve5C+cuCyGZ4mnA/9qVSSeWZ1GwW0=' +set network.wg30.addresses='10.0.2.30/30' +set network.@wireguard_wg30[0]=wireguard_wg30 +set network.@wireguard_wg30[0].description='muromec' +set network.@wireguard_wg30[0].endpoint_host='muromec.kapka.ru' +set network.@wireguard_wg30[0].persistent_keepalive='60' +set network.@wireguard_wg30[0].endpoint_port='12029' +set network.@wireguard_wg30[0].public_key='DPs/wFbmVzx1c0emUunwXs5oVlAA9TMOQHLjM1VlABg=' +set network.@wireguard_wg30[0].allowed_ips='0.0.0.0/0' +set network.wg25=interface +set network.wg25.proto='wireguard' +set network.wg25.mtu='1420' +set network.wg25.private_key='wGveq/NTjQqYyA5ovz+uIWfeX/8PLLEOjxtXDt7fBm8=' +set network.wg25.addresses='10.0.1.26/30' +set network.@wireguard_wg25[0]=wireguard_wg25 +set network.@wireguard_wg25[0].description='turbo.kapka.ru' +set network.@wireguard_wg25[0].endpoint_host='turbo.kapka.ru' +set network.@wireguard_wg25[0].endpoint_port='12125' +set network.@wireguard_wg25[0].public_key='VDfyo+MoeratWuQAzjljHyuD76ldn6YMG+1D0bs/cWc=' +set network.@wireguard_wg25[0].private_key='OBWaGPKSlRw2rilY1zY8KFkwmLlenR7WhgRE/UBSRXg=' +set network.@wireguard_wg25[0].allowed_ips='0.0.0.0/0' +commit network +set rpcd.@rpcd[0]=rpcd +set rpcd.@rpcd[0].socket='/var/run/ubus/ubus.sock' +set rpcd.@rpcd[0].timeout='30' +set rpcd.@login[0]=login +set rpcd.@login[0].username='root' +set rpcd.@login[0].read='*' +set rpcd.@login[0].write='*' +commit rpcd +set socat.http=socat +set socat.http.enable='0' +set socat.http.SocatOptions='-d -d TCP6-LISTEN:8000,fork TCP4:192.168.1.20:80' +set socat.http.user='nobody' +commit socat +set system.@system[0]=system +set system.@system[0].ttylogin='0' +set system.@system[0].log_size='64' +set system.@system[0].urandom_seed='0' +set system.@system[0].compat_version='1.1' +set system.@system[0].zonename='Europe/Moscow' +set system.@system[0].timezone='MSK-3' +set system.@system[0].log_proto='udp' +set system.@system[0].conloglevel='8' +set system.@system[0].cronloglevel='5' +set system.@system[0].hostname='Buran-pruj' +set system.ntp=timeserver +set system.ntp.enable_server='1' +set system.ntp.interface='lan' +set system.ntp.server='ntp.ix.ru' 'ntp0.nl.net' +commit system +set ubootenv.@ubootenv[0]=ubootenv +set ubootenv.@ubootenv[0].dev='/dev/mtd1' +set ubootenv.@ubootenv[0].offset='0x0' +set ubootenv.@ubootenv[0].envsize='0x1000' +set ubootenv.@ubootenv[0].secsize='0x20000' +set ubootenv.@ubootsys[0]=ubootsys +set ubootenv.@ubootsys[0].dev='/dev/mtd2' +set ubootenv.@ubootsys[0].offset='0x0' +set ubootenv.@ubootsys[0].envsize='0x4000' +set ubootenv.@ubootsys[0].secsize='0x20000' +commit ubootenv +set ucitrack.@network[0]=network +set ucitrack.@network[0].init='network' +set ucitrack.@network[0].affects='dhcp' +set ucitrack.@wireless[0]=wireless +set ucitrack.@wireless[0].affects='network' +set ucitrack.@firewall[0]=firewall +set ucitrack.@firewall[0].init='firewall' +set ucitrack.@firewall[0].affects='luci-splash' 'qos' 'miniupnpd' +set ucitrack.@olsr[0]=olsr +set ucitrack.@olsr[0].init='olsrd' +set ucitrack.@dhcp[0]=dhcp +set ucitrack.@dhcp[0].init='dnsmasq' +set ucitrack.@dhcp[0].affects='odhcpd' +set ucitrack.@odhcpd[0]=odhcpd +set ucitrack.@odhcpd[0].init='odhcpd' +set ucitrack.@dropbear[0]=dropbear +set ucitrack.@dropbear[0].init='dropbear' +set ucitrack.@httpd[0]=httpd +set ucitrack.@httpd[0].init='httpd' +set ucitrack.@fstab[0]=fstab +set ucitrack.@fstab[0].exec='/sbin/block mount' +set ucitrack.@qos[0]=qos +set ucitrack.@qos[0].init='qos' +set ucitrack.@system[0]=system +set ucitrack.@system[0].init='led' +set ucitrack.@system[0].exec='/etc/init.d/log reload' +set ucitrack.@system[0].affects='luci_statistics' 'dhcp' +set ucitrack.@luci_splash[0]=luci_splash +set ucitrack.@luci_splash[0].init='luci_splash' +set ucitrack.@upnpd[0]=upnpd +set ucitrack.@upnpd[0].init='miniupnpd' +set ucitrack.@ntpclient[0]=ntpclient +set ucitrack.@ntpclient[0].init='ntpclient' +set ucitrack.@samba[0]=samba +set ucitrack.@samba[0].init='samba' +set ucitrack.@tinyproxy[0]=tinyproxy +set ucitrack.@tinyproxy[0].init='tinyproxy' +commit ucitrack +set uhttpd.main=uhttpd +set uhttpd.main.listen_http='0.0.0.0:80' '[::]:80' +set uhttpd.main.listen_https='0.0.0.0:443' '[::]:443' +set uhttpd.main.redirect_https='0' +set uhttpd.main.home='/www' +set uhttpd.main.rfc1918_filter='1' +set uhttpd.main.max_requests='3' +set uhttpd.main.max_connections='100' +set uhttpd.main.cert='/etc/uhttpd.crt' +set uhttpd.main.key='/etc/uhttpd.key' +set uhttpd.main.cgi_prefix='/cgi-bin' +set uhttpd.main.script_timeout='60' +set uhttpd.main.network_timeout='30' +set uhttpd.main.http_keepalive='20' +set uhttpd.main.tcp_keepalive='1' +set uhttpd.main.ubus_prefix='/ubus' +set uhttpd.main.lua_prefix='/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua' +set uhttpd.defaults=cert +set uhttpd.defaults.days='730' +set uhttpd.defaults.key_type='ec' +set uhttpd.defaults.bits='2048' +set uhttpd.defaults.ec_curve='P-256' +set uhttpd.defaults.country='ZZ' +set uhttpd.defaults.state='Somewhere' +set uhttpd.defaults.location='Unknown' +set uhttpd.defaults.commonname='OpenWrt' +commit uhttpd +set wireless.radio0=wifi-device +set wireless.radio0.type='mac80211' +set wireless.radio0.path='1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0' +set wireless.radio0.band='2g' +set wireless.radio0.channel='auto' +set wireless.radio0.cell_density='0' +set wireless.radio0.htmode='HT40' +set wireless.default_radio0=wifi-iface +set wireless.default_radio0.device='radio0' +set wireless.default_radio0.network='lan' +set wireless.default_radio0.mode='ap' +set wireless.default_radio0.encryption='sae-mixed' +set wireless.default_radio0.key='23637387581' +set wireless.default_radio0.ssid='Buran' +set wireless.default_radio0.short_preamble='0' +set wireless.radio1=wifi-device +set wireless.radio1.type='mac80211' +set wireless.radio1.path='1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0' +set wireless.radio1.channel='36' +set wireless.radio1.band='5g' +set wireless.radio1.cell_density='0' +set wireless.radio1.htmode='VHT80' +set wireless.default_radio1=wifi-iface +set wireless.default_radio1.device='radio1' +set wireless.default_radio1.network='lan' +set wireless.default_radio1.mode='ap' +set wireless.default_radio1.encryption='sae-mixed' +set wireless.default_radio1.key='23637387581' +set wireless.default_radio1.ssid='Buran-5G' +set wireless.default_radio1.short_preamble='0' +commit wireless +EOI +#---------------------------------------------------- +#Generating conf file +#---------------------------------------------------- +mkdir -p "/etc/mosquitto" + +mkdir -p "/etc/mosquitto" + +#Gen file /etc/mosquitto/mosquitto.conf + +mkdir -p "/etc/mosquitto" +cat << 'CFGEOF' > "/etc/mosquitto/mosquitto.conf" +# Config file for mosquitto +# +# See mosquitto.conf(5) for more information. +# +# Default values are shown, uncomment to change. +# +# Use the # character to indicate a comment, but only if it is the +# very first character on the line. + +# ================================================================= +# General configuration +# ================================================================= + +# Use per listener security settings. +# +# It is recommended this option be set before any other options. +# +# If this option is set to true, then all authentication and access control +# options are controlled on a per listener basis. The following options are +# affected: +#use for the default listener. +listener 1883 0.0.0.0 +# anonymous +allow_anonymous true +# persistence +persistence true +# name of the file for persistence +#persistence_file mosquitto.db +# location of the file for persistence +#persistence_location /mnt/sda1/mosquitto/ +persistence_location /root/bkpscript/ +#how often to save to the persistence file +#autosave_interval 432000 # once 5day +autosave_interval 86400 # once a day + +#log_timestamp true +#log_dest file /mnt/sda1/mosquitto/mosquitto.log +#log_dest stdout +#password_file /etc/mosquitto/passwords.txt +#allow_anonymous true + +# +# acl_file +# allow_anonymous +# allow_zero_length_clientid +# auto_id_prefix +# password_file +# plugin +# plugin_opt_* +# psk_file +# +# Note that if set to true, then a durable client (i.e. with clean session set +# to false) that has disconnected will use the ACL settings defined for the +# listener that it was most recently connected to. +# +# The default behaviour is for this to be set to false, which maintains the +# setting behaviour from previous versions of mosquitto. +#per_listener_settings false + + +# This option controls whether a client is allowed to connect with a zero +# length client id or not. This option only affects clients using MQTT v3.1.1 +# and later. If set to false, clients connecting with a zero length client id +# are disconnected. If set to true, clients will be allocated a client id by +# the broker. This means it is only useful for clients with clean session set +# to true. +#allow_zero_length_clientid true + +# If allow_zero_length_clientid is true, this option allows you to set a prefix +# to automatically generated client ids to aid visibility in logs. +# Defaults to 'auto-' +#auto_id_prefix auto- + +# This option affects the scenario when a client subscribes to a topic that has +# retained messages. It is possible that the client that published the retained +# message to the topic had access at the time they published, but that access +# has been subsequently removed. If check_retain_source is set to true, the +# default, the source of a retained message will be checked for access rights +# before it is republished. When set to false, no check will be made and the +# retained message will always be published. This affects all listeners. +#check_retain_source true + +# QoS 1 and 2 messages will be allowed inflight per client until this limit +# is exceeded. Defaults to 0. (No maximum) +# See also max_inflight_messages +#max_inflight_bytes 0 + +# The maximum number of QoS 1 and 2 messages currently inflight per +# client. +# This includes messages that are partway through handshakes and +# those that are being retried. Defaults to 20. Set to 0 for no +# maximum. Setting to 1 will guarantee in-order delivery of QoS 1 +# and 2 messages. +#max_inflight_messages 20 + +# For MQTT v5 clients, it is possible to have the server send a "server +# keepalive" value that will override the keepalive value set by the client. +# This is intended to be used as a mechanism to say that the server will +# disconnect the client earlier than it anticipated, and that the client should +# use the new keepalive value. The max_keepalive option allows you to specify +# that clients may only connect with keepalive less than or equal to this +# value, otherwise they will be sent a server keepalive telling them to use +# max_keepalive. This only applies to MQTT v5 clients. The default, and maximum +# value allowable, is 65535. +# +# Set to 0 to allow clients to set keepalive = 0, which means no keepalive +# checks are made and the client will never be disconnected by the broker if no +# messages are received. You should be very sure this is the behaviour that you +# want. +# +# For MQTT v3.1.1 and v3.1 clients, there is no mechanism to tell the client +# what keepalive value they should use. If an MQTT v3.1.1 or v3.1 client +# specifies a keepalive time greater than max_keepalive they will be sent a +# CONNACK message with the "identifier rejected" reason code, and disconnected. +# +#max_keepalive 65535 + +# For MQTT v5 clients, it is possible to have the server send a "maximum packet +# size" value that will instruct the client it will not accept MQTT packets +# with size greater than max_packet_size bytes. This applies to the full MQTT +# packet, not just the payload. Setting this option to a positive value will +# set the maximum packet size to that number of bytes. If a client sends a +# packet which is larger than this value, it will be disconnected. This applies +# to all clients regardless of the protocol version they are using, but v3.1.1 +# and earlier clients will of course not have received the maximum packet size +# information. Defaults to no limit. Setting below 20 bytes is forbidden +# because it is likely to interfere with ordinary client operation, even with +# very small payloads. +#max_packet_size 0 + +# QoS 1 and 2 messages above those currently in-flight will be queued per +# client until this limit is exceeded. Defaults to 0. (No maximum) +# See also max_queued_messages. +# If both max_queued_messages and max_queued_bytes are specified, packets will +# be queued until the first limit is reached. +#max_queued_bytes 0 + +# Set the maximum QoS supported. Clients publishing at a QoS higher than +# specified here will be disconnected. +#max_qos 2 + +# The maximum number of QoS 1 and 2 messages to hold in a queue per client +# above those that are currently in-flight. Defaults to 1000. Set +# to 0 for no maximum (not recommended). +# See also queue_qos0_messages. +# See also max_queued_bytes. +#max_queued_messages 1000 +# +# This option sets the maximum number of heap memory bytes that the broker will +# allocate, and hence sets a hard limit on memory use by the broker. Memory +# requests that exceed this value will be denied. The effect will vary +# depending on what has been denied. If an incoming message is being processed, +# then the message will be dropped and the publishing client will be +# disconnected. If an outgoing message is being sent, then the individual +# message will be dropped and the receiving client will be disconnected. +# Defaults to no limit. +#memory_limit 0 + +# This option sets the maximum publish payload size that the broker will allow. +# Received messages that exceed this size will not be accepted by the broker. +# The default value is 0, which means that all valid MQTT messages are +# accepted. MQTT imposes a maximum payload size of 268435455 bytes. +#message_size_limit 0 + +# This option allows the session of persistent clients (those with clean +# session set to false) that are not currently connected to be removed if they +# do not reconnect within a certain time frame. This is a non-standard option +# in MQTT v3.1. MQTT v3.1.1 and v5.0 allow brokers to remove client sessions. +# +# Badly designed clients may set clean session to false whilst using a randomly +# generated client id. This leads to persistent clients that connect once and +# never reconnect. This option allows these clients to be removed. This option +# allows persistent clients (those with clean session set to false) to be +# removed if they do not reconnect within a certain time frame. +# +# The expiration period should be an integer followed by one of h d w m y for +# hour, day, week, month and year respectively. For example +# +# persistent_client_expiration 2m +# persistent_client_expiration 14d +# persistent_client_expiration 1y +# +# The default if not set is to never expire persistent clients. +#persistent_client_expiration + +# Write process id to a file. Default is a blank string which means +# a pid file shouldn't be written. +# This should be set to /var/run/mosquitto/mosquitto.pid if mosquitto is +# being run automatically on boot with an init script and +# start-stop-daemon or similar. +#pid_file + +# Set to true to queue messages with QoS 0 when a persistent client is +# disconnected. These messages are included in the limit imposed by +# max_queued_messages and max_queued_bytes +# Defaults to false. +# This is a non-standard option for the MQTT v3.1 spec but is allowed in +# v3.1.1. +#queue_qos0_messages false + +# Set to false to disable retained message support. If a client publishes a +# message with the retain bit set, it will be disconnected if this is set to +# false. +#retain_available true + +# Disable Nagle's algorithm on client sockets. This has the effect of reducing +# latency of individual messages at the potential cost of increasing the number +# of packets being sent. +#set_tcp_nodelay false + +# Time in seconds between updates of the $SYS tree. +# Set to 0 to disable the publishing of the $SYS tree. +#sys_interval 10 + +# The MQTT specification requires that the QoS of a message delivered to a +# subscriber is never upgraded to match the QoS of the subscription. Enabling +# this option changes this behaviour. If upgrade_outgoing_qos is set true, +# messages sent to a subscriber will always match the QoS of its subscription. +# This is a non-standard option explicitly disallowed by the spec. +#upgrade_outgoing_qos false + +# When run as root, drop privileges to this user and its primary +# group. +# Set to root to stay as root, but this is not recommended. +# If set to "mosquitto", or left unset, and the "mosquitto" user does not exist +# then it will drop privileges to the "nobody" user instead. +# If run as a non-root user, this setting has no effect. +# Note that on Windows this has no effect and so mosquitto should be started by +# the user you wish it to run as. +#user mosquitto + +# ================================================================= +# Listeners +# ================================================================= + +# Listen on a port/ip address combination. By using this variable +# multiple times, mosquitto can listen on more than one port. If +# this variable is used and neither bind_address nor port given, +# then the default listener will not be started. +# The port number to listen on must be given. Optionally, an ip +# address or host name may be supplied as a second argument. In +# this case, mosquitto will attempt to bind the listener to that +# address and so restrict access to the associated network and +# interface. By default, mosquitto will listen on all interfaces. +# Note that for a websockets listener it is not possible to bind to a host +# name. +# +# On systems that support Unix Domain Sockets, it is also possible +# to create a # Unix socket rather than opening a TCP socket. In +# this case, the port number should be set to 0 and a unix socket +# path must be provided, e.g. +# listener 0 /tmp/mosquitto.sock +# +# listener port-number [ip address/host name/unix socket path] +#listener + +# By default, a listener will attempt to listen on all supported IP protocol +# versions. If you do not have an IPv4 or IPv6 interface you may wish to +# disable support for either of those protocol versions. In particular, note +# that due to the limitations of the websockets library, it will only ever +# attempt to open IPv6 sockets if IPv6 support is compiled in, and so will fail +# if IPv6 is not available. +# +# Set to `ipv4` to force the listener to only use IPv4, or set to `ipv6` to +# force the listener to only use IPv6. If you want support for both IPv4 and +# IPv6, then do not use the socket_domain option. +# +#socket_domain + +# Bind the listener to a specific interface. This is similar to +# the [ip address/host name] part of the listener definition, but is useful +# when an interface has multiple addresses or the address may change. If used +# with the [ip address/host name] part of the listener definition, then the +# bind_interface option will take priority. +# Not available on Windows. +# +# Example: bind_interface eth0 +#bind_interface + +# When a listener is using the websockets protocol, it is possible to serve +# http data as well. Set http_dir to a directory which contains the files you +# wish to serve. If this option is not specified, then no normal http +# connections will be possible. +#http_dir + +# The maximum number of client connections to allow. This is +# a per listener setting. +# Default is -1, which means unlimited connections. +# Note that other process limits mean that unlimited connections +# are not really possible. Typically the default maximum number of +# connections possible is around 1024. +#max_connections -1 + +# The listener can be restricted to operating within a topic hierarchy using +# the mount_point option. This is achieved be prefixing the mount_point string +# to all topics for any clients connected to this listener. This prefixing only +# happens internally to the broker; the client will not see the prefix. +#mount_point + +# Choose the protocol to use when listening. +# This can be either mqtt or websockets. +# Certificate based TLS may be used with websockets, except that only the +# cafile, certfile, keyfile, ciphers, and ciphers_tls13 options are supported. +#protocol mqtt + +# Set use_username_as_clientid to true to replace the clientid that a client +# connected with with its username. This allows authentication to be tied to +# the clientid, which means that it is possible to prevent one client +# disconnecting another by using the same clientid. +# If a client connects with no username it will be disconnected as not +# authorised when this option is set to true. +# Do not use in conjunction with clientid_prefixes. +# See also use_identity_as_username. +# This does not apply globally, but on a per-listener basis. +#use_username_as_clientid + +# Change the websockets headers size. This is a global option, it is not +# possible to set per listener. This option sets the size of the buffer used in +# the libwebsockets library when reading HTTP headers. If you are passing large +# header data such as cookies then you may need to increase this value. If left +# unset, or set to 0, then the default of 1024 bytes will be used. +#websockets_headers_size + +# ----------------------------------------------------------------- +# Certificate based SSL/TLS support +# ----------------------------------------------------------------- +# The following options can be used to enable certificate based SSL/TLS support +# for this listener. Note that the recommended port for MQTT over TLS is 8883, +# but this must be set manually. +# +# See also the mosquitto-tls man page and the "Pre-shared-key based SSL/TLS +# support" section. Only one of certificate or PSK encryption support can be +# enabled for any listener. + +# Both of certfile and keyfile must be defined to enable certificate based +# TLS encryption. + +# Path to the PEM encoded server certificate. +#certfile + +# Path to the PEM encoded keyfile. +#keyfile + +# If you wish to control which encryption ciphers are used, use the ciphers +# option. The list of available ciphers can be optained using the "openssl +# ciphers" command and should be provided in the same format as the output of +# that command. This applies to TLS 1.2 and earlier versions only. Use +# ciphers_tls1.3 for TLS v1.3. +#ciphers + +# Choose which TLS v1.3 ciphersuites are used for this listener. +# Defaults to "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" +#ciphers_tls1.3 + +# If you have require_certificate set to true, you can create a certificate +# revocation list file to revoke access to particular client certificates. If +# you have done this, use crlfile to point to the PEM encoded revocation file. +#crlfile + +# To allow the use of ephemeral DH key exchange, which provides forward +# security, the listener must load DH parameters. This can be specified with +# the dhparamfile option. The dhparamfile can be generated with the command +# e.g. "openssl dhparam -out dhparam.pem 2048" +#dhparamfile + +# By default an TLS enabled listener will operate in a similar fashion to a +# https enabled web server, in that the server has a certificate signed by a CA +# and the client will verify that it is a trusted certificate. The overall aim +# is encryption of the network traffic. By setting require_certificate to true, +# the client must provide a valid certificate in order for the network +# connection to proceed. This allows access to the broker to be controlled +# outside of the mechanisms provided by MQTT. +#require_certificate false + +# cafile and capath define methods of accessing the PEM encoded +# Certificate Authority certificates that will be considered trusted when +# checking incoming client certificates. +# cafile defines the path to a file containing the CA certificates. +# capath defines a directory that will be searched for files +# containing the CA certificates. For capath to work correctly, the +# certificate files must have ".crt" as the file ending and you must run +# "openssl rehash " each time you add/remove a certificate. +#cafile +#capath + + +# If require_certificate is true, you may set use_identity_as_username to true +# to use the CN value from the client certificate as a username. If this is +# true, the password_file option will not be used for this listener. +#use_identity_as_username false + +# ----------------------------------------------------------------- +# Pre-shared-key based SSL/TLS support +# ----------------------------------------------------------------- +# The following options can be used to enable PSK based SSL/TLS support for +# this listener. Note that the recommended port for MQTT over TLS is 8883, but +# this must be set manually. +# +# See also the mosquitto-tls man page and the "Certificate based SSL/TLS +# support" section. Only one of certificate or PSK encryption support can be +# enabled for any listener. + +# The psk_hint option enables pre-shared-key support for this listener and also +# acts as an identifier for this listener. The hint is sent to clients and may +# be used locally to aid authentication. The hint is a free form string that +# doesn't have much meaning in itself, so feel free to be creative. +# If this option is provided, see psk_file to define the pre-shared keys to be +# used or create a security plugin to handle them. +#psk_hint + +# When using PSK, the encryption ciphers used will be chosen from the list of +# available PSK ciphers. If you want to control which ciphers are available, +# use the "ciphers" option. The list of available ciphers can be optained +# using the "openssl ciphers" command and should be provided in the same format +# as the output of that command. +#ciphers + +# Set use_identity_as_username to have the psk identity sent by the client used +# as its username. Authentication will be carried out using the PSK rather than +# the MQTT username/password and so password_file will not be used for this +# listener. +#use_identity_as_username false + + +# ================================================================= +# Persistence +# ================================================================= + +# If persistence is enabled, save the in-memory database to disk +# every autosave_interval seconds. If set to 0, the persistence +# database will only be written when mosquitto exits. See also +# autosave_on_changes. +# Note that writing of the persistence database can be forced by +# sending mosquitto a SIGUSR1 signal. +#autosave_interval 1800 + +# If true, mosquitto will count the number of subscription changes, retained +# messages received and queued messages and if the total exceeds +# autosave_interval then the in-memory database will be saved to disk. +# If false, mosquitto will save the in-memory database to disk by treating +# autosave_interval as a time in seconds. +#autosave_on_changes false + +# Save persistent message data to disk (true/false). +# This saves information about all messages, including +# subscriptions, currently in-flight messages and retained +# messages. +# retained_persistence is a synonym for this option. +#persistence false + +# The filename to use for the persistent database, not including +# the path. +#persistence_file mosquitto.db + +# Location for persistent database. +# Default is an empty string (current directory). +# Set to e.g. /var/lib/mosquitto if running as a proper service on Linux or +# similar. +#persistence_location + + +# ================================================================= +# Logging +# ================================================================= + +# Places to log to. Use multiple log_dest lines for multiple +# logging destinations. +# Possible destinations are: stdout stderr syslog topic file dlt +# +# stdout and stderr log to the console on the named output. +# +# syslog uses the userspace syslog facility which usually ends up +# in /var/log/messages or similar. +# +# topic logs to the broker topic '$SYS/broker/log/', +# where severity is one of D, E, W, N, I, M which are debug, error, +# warning, notice, information and message. Message type severity is used by +# the subscribe/unsubscribe log_types and publishes log messages to +# $SYS/broker/log/M/susbcribe or $SYS/broker/log/M/unsubscribe. +# +# The file destination requires an additional parameter which is the file to be +# logged to, e.g. "log_dest file /var/log/mosquitto.log". The file will be +# closed and reopened when the broker receives a HUP signal. Only a single file +# destination may be configured. +# +# The dlt destination is for the automotive `Diagnostic Log and Trace` tool. +# This requires that Mosquitto has been compiled with DLT support. +# +# Note that if the broker is running as a Windows service it will default to +# "log_dest none" and neither stdout nor stderr logging is available. +# Use "log_dest none" if you wish to disable logging. +#log_dest stderr + +# Types of messages to log. Use multiple log_type lines for logging +# multiple types of messages. +# Possible types are: debug, error, warning, notice, information, +# none, subscribe, unsubscribe, websockets, all. +# Note that debug type messages are for decoding the incoming/outgoing +# network packets. They are not logged in "topics". +#log_type error +#log_type warning +#log_type notice +#log_type information + + +# If set to true, client connection and disconnection messages will be included +# in the log. +#connection_messages true + +# If using syslog logging (not on Windows), messages will be logged to the +# "daemon" facility by default. Use the log_facility option to choose which of +# local0 to local7 to log to instead. The option value should be an integer +# value, e.g. "log_facility 5" to use local5. +#log_facility + +# If set to true, add a timestamp value to each log message. +#log_timestamp true + +# Set the format of the log timestamp. If left unset, this is the number of +# seconds since the Unix epoch. +# This is a free text string which will be passed to the strftime function. To +# get an ISO 8601 datetime, for example: +# log_timestamp_format %Y-%m-%dT%H:%M:%S +#log_timestamp_format + +# Change the websockets logging level. This is a global option, it is not +# possible to set per listener. This is an integer that is interpreted by +# libwebsockets as a bit mask for its lws_log_levels enum. See the +# libwebsockets documentation for more details. "log_type websockets" must also +# be enabled. +#websockets_log_level 0 + + +# ================================================================= +# Security +# ================================================================= + +# If set, only clients that have a matching prefix on their +# clientid will be allowed to connect to the broker. By default, +# all clients may connect. +# For example, setting "secure-" here would mean a client "secure- +# client" could connect but another with clientid "mqtt" couldn't. +#clientid_prefixes + +# Boolean value that determines whether clients that connect +# without providing a username are allowed to connect. If set to +# false then a password file should be created (see the +# password_file option) to control authenticated client access. +# +# Defaults to false, unless there are no listeners defined in the configuration +# file, in which case it is set to true, but connections are only allowed from +# the local machine. +#allow_anonymous false + +# ----------------------------------------------------------------- +# Default authentication and topic access control +# ----------------------------------------------------------------- + +# Control access to the broker using a password file. This file can be +# generated using the mosquitto_passwd utility. If TLS support is not compiled +# into mosquitto (it is recommended that TLS support should be included) then +# plain text passwords are used, in which case the file should be a text file +# with lines in the format: +# username:password +# The password (and colon) may be omitted if desired, although this +# offers very little in the way of security. +# +# See the TLS client require_certificate and use_identity_as_username options +# for alternative authentication options. If a plugin is used as well as +# password_file, the plugin check will be made first. +#password_file + +# Access may also be controlled using a pre-shared-key file. This requires +# TLS-PSK support and a listener configured to use it. The file should be text +# lines in the format: +# identity:key +# The key should be in hexadecimal format without a leading "0x". +# If an plugin is used as well, the plugin check will be made first. +#psk_file + +# Control access to topics on the broker using an access control list +# file. If this parameter is defined then only the topics listed will +# have access. +# If the first character of a line of the ACL file is a # it is treated as a +# comment. +# Topic access is added with lines of the format: +# +# topic [read|write|readwrite|deny] +# +# The access type is controlled using "read", "write", "readwrite" or "deny". +# This parameter is optional (unless contains a space character) - if +# not given then the access is read/write. can contain the + or # +# wildcards as in subscriptions. +# +# The "deny" option can used to explicity deny access to a topic that would +# otherwise be granted by a broader read/write/readwrite statement. Any "deny" +# topics are handled before topics that grant read/write access. +# +# The first set of topics are applied to anonymous clients, assuming +# allow_anonymous is true. User specific topic ACLs are added after a +# user line as follows: +# +# user +# +# The username referred to here is the same as in password_file. It is +# not the clientid. +# +# +# If is also possible to define ACLs based on pattern substitution within the +# topic. The patterns available for substition are: +# +# %c to match the client id of the client +# %u to match the username of the client +# +# The substitution pattern must be the only text for that level of hierarchy. +# +# The form is the same as for the topic keyword, but using pattern as the +# keyword. +# Pattern ACLs apply to all users even if the "user" keyword has previously +# been given. +# +# If using bridges with usernames and ACLs, connection messages can be allowed +# with the following pattern: +# pattern write $SYS/broker/connection/%c/state +# +# pattern [read|write|readwrite] +# +# Example: +# +# pattern write sensor/%u/data +# +# If an plugin is used as well as acl_file, the plugin check will be +# made first. +#acl_file + +# ----------------------------------------------------------------- +# External authentication and topic access plugin options +# ----------------------------------------------------------------- + +# External authentication and access control can be supported with the +# plugin option. This is a path to a loadable plugin. See also the +# plugin_opt_* options described below. +# +# The plugin option can be specified multiple times to load multiple +# plugins. The plugins will be processed in the order that they are specified +# here. If the plugin option is specified alongside either of +# password_file or acl_file then the plugin checks will be made first. +# +# If the per_listener_settings option is false, the plugin will be apply to all +# listeners. If per_listener_settings is true, then the plugin will apply to +# the current listener being defined only. +# +# This option is also available as `auth_plugin`, but this use is deprecated +# and will be removed in the future. +# +#plugin + +# If the plugin option above is used, define options to pass to the +# plugin here as described by the plugin instructions. All options named +# using the format plugin_opt_* will be passed to the plugin, for example: +# +# This option is also available as `auth_opt_*`, but this use is deprecated +# and will be removed in the future. +# +# plugin_opt_db_host +# plugin_opt_db_port +# plugin_opt_db_username +# plugin_opt_db_password + + +# ================================================================= +# Bridges +# ================================================================= + +# A bridge is a way of connecting multiple MQTT brokers together. +# Create a new bridge using the "connection" option as described below. Set +# options for the bridges using the remaining parameters. You must specify the +# address and at least one topic to subscribe to. +# +# Each connection must have a unique name. +# +# The address line may have multiple host address and ports specified. See +# below in the round_robin description for more details on bridge behaviour if +# multiple addresses are used. Note that if you use an IPv6 address, then you +# are required to specify a port. +# +# The direction that the topic will be shared can be chosen by +# specifying out, in or both, where the default value is out. +# The QoS level of the bridged communication can be specified with the next +# topic option. The default QoS level is 0, to change the QoS the topic +# direction must also be given. +# +# The local and remote prefix options allow a topic to be remapped when it is +# bridged to/from the remote broker. This provides the ability to place a topic +# tree in an appropriate location. +# +# For more details see the mosquitto.conf man page. +# +# Multiple topics can be specified per connection, but be careful +# not to create any loops. +# +# If you are using bridges with cleansession set to false (the default), then +# you may get unexpected behaviour from incoming topics if you change what +# topics you are subscribing to. This is because the remote broker keeps the +# subscription for the old topic. If you have this problem, connect your bridge +# with cleansession set to true, then reconnect with cleansession set to false +# as normal. +#connection +#address [:] [[:]] +#topic [[[out | in | both] qos-level] local-prefix remote-prefix] + +# If you need to have the bridge connect over a particular network interface, +# use bridge_bind_address to tell the bridge which local IP address the socket +# should bind to, e.g. `bridge_bind_address 192.168.1.10` +#bridge_bind_address + +# If a bridge has topics that have "out" direction, the default behaviour is to +# send an unsubscribe request to the remote broker on that topic. This means +# that changing a topic direction from "in" to "out" will not keep receiving +# incoming messages. Sending these unsubscribe requests is not always +# desirable, setting bridge_attempt_unsubscribe to false will disable sending +# the unsubscribe request. +#bridge_attempt_unsubscribe true + +# Set the version of the MQTT protocol to use with for this bridge. Can be one +# of mqttv50, mqttv311 or mqttv31. Defaults to mqttv311. +#bridge_protocol_version mqttv311 + +# Set the clean session variable for this bridge. +# When set to true, when the bridge disconnects for any reason, all +# messages and subscriptions will be cleaned up on the remote +# broker. Note that with cleansession set to true, there may be a +# significant amount of retained messages sent when the bridge +# reconnects after losing its connection. +# When set to false, the subscriptions and messages are kept on the +# remote broker, and delivered when the bridge reconnects. +#cleansession false + +# Set the amount of time a bridge using the lazy start type must be idle before +# it will be stopped. Defaults to 60 seconds. +#idle_timeout 60 + +# Set the keepalive interval for this bridge connection, in +# seconds. +#keepalive_interval 60 + +# Set the clientid to use on the local broker. If not defined, this defaults to +# 'local.'. If you are bridging a broker to itself, it is important +# that local_clientid and clientid do not match. +#local_clientid + +# If set to true, publish notification messages to the local and remote brokers +# giving information about the state of the bridge connection. Retained +# messages are published to the topic $SYS/broker/connection//state +# unless the notification_topic option is used. +# If the message is 1 then the connection is active, or 0 if the connection has +# failed. +# This uses the last will and testament feature. +#notifications true + +# Choose the topic on which notification messages for this bridge are +# published. If not set, messages are published on the topic +# $SYS/broker/connection//state +#notification_topic + +# Set the client id to use on the remote end of this bridge connection. If not +# defined, this defaults to 'name.hostname' where name is the connection name +# and hostname is the hostname of this computer. +# This replaces the old "clientid" option to avoid confusion. "clientid" +# remains valid for the time being. +#remote_clientid + +# Set the password to use when connecting to a broker that requires +# authentication. This option is only used if remote_username is also set. +# This replaces the old "password" option to avoid confusion. "password" +# remains valid for the time being. +#remote_password + +# Set the username to use when connecting to a broker that requires +# authentication. +# This replaces the old "username" option to avoid confusion. "username" +# remains valid for the time being. +#remote_username + +# Set the amount of time a bridge using the automatic start type will wait +# until attempting to reconnect. +# This option can be configured to use a constant delay time in seconds, or to +# use a backoff mechanism based on "Decorrelated Jitter", which adds a degree +# of randomness to when the restart occurs. +# +# Set a constant timeout of 20 seconds: +# restart_timeout 20 +# +# Set backoff with a base (start value) of 10 seconds and a cap (upper limit) of +# 60 seconds: +# restart_timeout 10 30 +# +# Defaults to jitter with a base of 5 and cap of 30 +#restart_timeout 5 30 + +# If the bridge has more than one address given in the address/addresses +# configuration, the round_robin option defines the behaviour of the bridge on +# a failure of the bridge connection. If round_robin is false, the default +# value, then the first address is treated as the main bridge connection. If +# the connection fails, the other secondary addresses will be attempted in +# turn. Whilst connected to a secondary bridge, the bridge will periodically +# attempt to reconnect to the main bridge until successful. +# If round_robin is true, then all addresses are treated as equals. If a +# connection fails, the next address will be tried and if successful will +# remain connected until it fails +#round_robin false + +# Set the start type of the bridge. This controls how the bridge starts and +# can be one of three types: automatic, lazy and once. Note that RSMB provides +# a fourth start type "manual" which isn't currently supported by mosquitto. +# +# "automatic" is the default start type and means that the bridge connection +# will be started automatically when the broker starts and also restarted +# after a short delay (30 seconds) if the connection fails. +# +# Bridges using the "lazy" start type will be started automatically when the +# number of queued messages exceeds the number set with the "threshold" +# parameter. It will be stopped automatically after the time set by the +# "idle_timeout" parameter. Use this start type if you wish the connection to +# only be active when it is needed. +# +# A bridge using the "once" start type will be started automatically when the +# broker starts but will not be restarted if the connection fails. +#start_type automatic + +# Set the number of messages that need to be queued for a bridge with lazy +# start type to be restarted. Defaults to 10 messages. +# Must be less than max_queued_messages. +#threshold 10 + +# If try_private is set to true, the bridge will attempt to indicate to the +# remote broker that it is a bridge not an ordinary client. If successful, this +# means that loop detection will be more effective and that retained messages +# will be propagated correctly. Not all brokers support this feature so it may +# be necessary to set try_private to false if your bridge does not connect +# properly. +#try_private true + +# Some MQTT brokers do not allow retained messages. MQTT v5 gives a mechanism +# for brokers to tell clients that they do not support retained messages, but +# this is not possible for MQTT v3.1.1 or v3.1. If you need to bridge to a +# v3.1.1 or v3.1 broker that does not support retained messages, set the +# bridge_outgoing_retain option to false. This will remove the retain bit on +# all outgoing messages to that bridge, regardless of any other setting. +#bridge_outgoing_retain true + +# If you wish to restrict the size of messages sent to a remote bridge, use the +# bridge_max_packet_size option. This sets the maximum number of bytes for +# the total message, including headers and payload. +# Note that MQTT v5 brokers may provide their own maximum-packet-size property. +# In this case, the smaller of the two limits will be used. +# Set to 0 for "unlimited". +#bridge_max_packet_size 0 + + +# ----------------------------------------------------------------- +# Certificate based SSL/TLS support +# ----------------------------------------------------------------- +# Either bridge_cafile or bridge_capath must be defined to enable TLS support +# for this bridge. +# bridge_cafile defines the path to a file containing the +# Certificate Authority certificates that have signed the remote broker +# certificate. +# bridge_capath defines a directory that will be searched for files containing +# the CA certificates. For bridge_capath to work correctly, the certificate +# files must have ".crt" as the file ending and you must run "openssl rehash +# " each time you add/remove a certificate. +#bridge_cafile +#bridge_capath + + +# If the remote broker has more than one protocol available on its port, e.g. +# MQTT and WebSockets, then use bridge_alpn to configure which protocol is +# requested. Note that WebSockets support for bridges is not yet available. +#bridge_alpn + +# When using certificate based encryption, bridge_insecure disables +# verification of the server hostname in the server certificate. This can be +# useful when testing initial server configurations, but makes it possible for +# a malicious third party to impersonate your server through DNS spoofing, for +# example. Use this option in testing only. If you need to resort to using this +# option in a production environment, your setup is at fault and there is no +# point using encryption. +#bridge_insecure false + +# Path to the PEM encoded client certificate, if required by the remote broker. +#bridge_certfile + +# Path to the PEM encoded client private key, if required by the remote broker. +#bridge_keyfile + +# ----------------------------------------------------------------- +# PSK based SSL/TLS support +# ----------------------------------------------------------------- +# Pre-shared-key encryption provides an alternative to certificate based +# encryption. A bridge can be configured to use PSK with the bridge_identity +# and bridge_psk options. These are the client PSK identity, and pre-shared-key +# in hexadecimal format with no "0x". Only one of certificate and PSK based +# encryption can be used on one +# bridge at once. +#bridge_identity +#bridge_psk + + +# ================================================================= +# External config files +# ================================================================= + +# External configuration files may be included by using the +# include_dir option. This defines a directory that will be searched +# for config files. All files that end in '.conf' will be loaded as +# a configuration file. It is best to have this as the last option +# in the main file. This option will only be processed from the main +# configuration file. The directory specified must not contain the +# main configuration file. +# Files within include_dir will be loaded sorted in case-sensitive +# alphabetical order, with capital letters ordered first. If this option is +# given multiple times, all of the files from the first instance will be +# processed before the next instance. See the man page for examples. +#include_dir +CFGEOF + +#Gen file /etc/bird.conf + +mkdir -p "/etc" +cat << 'CFGEOF' > "/etc/bird.conf" + +# THIS CONFIG FILE IS NOT A COMPLETE DOCUMENTATION +# PLEASE LOOK IN THE BIRD DOCUMENTATION FOR MORE INFO + +# However, most of options used here are just for example +# and will be removed in real-life configs. + +log syslog all; + +# Override router ID +router id 172.16.30.1; + +# Turn on global debugging of all protocols +#debug protocols all; + + + + +ipv4 table bgpban; +ipv4 table ospfmy; +#ipv4 table master; + + +# Define a route filter... +# filter test_filter { +# if net ~ 10.0.0.0/16 then accept; +# else reject; +# } +filter fltOSPF { + if net = 192.168.0.0/16 then reject; + if net = 172.16.0.0/12 then reject; + else accept; +} + + +# The direct protocol automatically generates device routes to all network +# interfaces. Can exist in as many instances as you wish if you want to +# populate multiple routing tables with device routes. Because device routes +# are handled by Linux kernel, this protocol is usually not needed. +protocol direct { + interface "-wan0", "-wan1", "-3g-3g", "*"; # Restrict network interfaces it works with + ipv4;# { +# table ospfmy; +# table bgpban; +#import where net !=0.0.0.0/0; +#export where net !=0.0.0.0/0; +# }; +#debug all; +} + +# This pseudo-protocol watches all interface up/down events. +protocol device { + scan time 10; # Scan interfaces every 10 seconds +} + +# Static routes (again, there can be multiple instances, so that you +# can disable/enable various groups of static routes on the fly). +#protocol static { +# export all; # Default is export none +# route 0.0.0.0/0 via 62.168.0.13; +# route 10.0.0.0/8 reject; +# route 192.168.0.0/16 reject; +#} + + +#protocol rip { +# disabled; +# import all; +# export all; +# export filter test_filter; + +# port 1520; +# period 7; +# infinity 16; +# garbage time 60; +# interface "*" { mode broadcast; }; +# honor neighbor; +# honor always; +# honor never; +# authentication none; +#} + + + + +######################### OSPF + +# This pseudo-protocol performs synchronization between BIRD's routing +# tables and the kernel. You can run multiple instances of the kernel +# protocol and synchronize different kernel tables with different BIRD tables. + +protocol kernel ospfMyKern { + ipv4 { + table ospfmy; +# table bgpban; +# import filter fltOSPF; +# import all; +# import where source != RTS_DEVICE; +# export where source != RTS_DEVICE && net !=0.0.0.0/0; + export all; + }; + learn; # Learn all alien routes from the kernel +# persist; # Don't remove routes on bird shutdown + scan time 60; # Scan kernel routing table every 20 seconds +# import none; # Default is import all +# import all; +# export all; # Default is export none +# device routes yes; + kernel table 10; +# merge paths switch 16; + metric 10; +#debug all; +} + + +protocol kernel bgpbanKern { + ipv4 { + table bgpban; +# import all; + export all; + }; + learn; # Learn all alien routes from the kernel +# persist; # Don't remove routes on bird shutdown + scan time 60; # Scan kernel routing table every 20 seconds +# import none; # Default is import all +# import all; +# export all; # Default is export none +# device routes yes; + kernel table 11; +# merge paths switch 16; + metric 10; +} + +#protocol kernel { +# ipv4 { +# table master4; +## export all; +#import all; +# }; +# persist; +# learn; +# scan time 60; +# kernel table 254; +#} + +protocol pipe { + table ospfmy; + peer table master4; +# peer table bgpban; + import where net !=0.0.0.0/0; + +export where net !=0.0.0.0/0; + +#export all; +#export where source != RTS_DEVICE; +#debug all; +} + + +protocol ospf ASWG { +# disabled; + ipv4 { + table ospfmy; +# import filter fltOSPF; + import all; + export all; + }; +# import all; +# export all; +# import filter { print ">>>>>>imp net accepted:", net; accept; }; +# export filter { print ">>>>>>exp net accepted:", net; accept; }; + +# export where source = RTS_STATIC; + + area 0 { +# networks { +# 10.0.1.0/24; +# 10.0.2.0/24; +# }; + + interface "wg30" { #9 + cost 60; + hello 10; + retransmit 5; + wait 30; + dead 40; + type pointopoint; + priority 30; +# authentication simple; +# password "pass"; + }; + + interface "wg25" { + cost 5; + hello 10; + retransmit 5; + wait 30; + dead 40; + type pointopoint; + priority 5; +# authentication simple; +# password "pass"; + }; + + + }; +} + + + + +#########################BGP +# This pseudo-protocol performs synchronization between BIRD's routing +# tables and the kernel. You can run multiple instances of the kernel +# protocol and synchronize different kernel tables with different BIRD tables. +#protocol kernel { +# table bgpban; +# learn; # Learn all alien routes from the kernel +# persist; # Don't remove routes on bird shutdown +# scan time 60; # Scan kernel routing table every 20 seconds +# import none; # Default is import all +# import all; +# export all; # Default is export none +#} + + + +protocol bgp { +# disabled; + ipv4 { + table bgpban; + import all; + export all; + }; +# import all; +# export all; +# export where source = RTS_STATIC; + + local as 65030; + neighbor 10.0.2.29 as 65029; +# multihop 20 via 10.0.2.9; +# multihop; + +# hold time 240; +# startup hold time 240; +# connect retry time 120; +# keepalive time 80; # defaults to hold time / 3 +# start delay time 5; # How long do we wait before initial connect +# error wait time 60, 300;# Minimum and maximum time we wait after an error (when consecutive +# # errors occur, we increase the delay exponentially ... +# error forget time 300; # ... until this timeout expires) +# disable after error; # Disable the protocol automatically when an error occurs +# next hop self; # Disable next hop processing and always advertise our local address as nexthop +# source address 62.168.0.14; # What local address we use for the TCP connection +# password "secret" # Password used for MD5 authentication +# rr client; # I am a route reflector and the neighor is my client +# rr cluster id 1.0.0.1 # Use this value for cluster id instead of my router id +# }; +} + +CFGEOF + +# WARNING: /etc/bird4.conf не существует +#---------------------------------------------------- +#Generating cron +#---------------------------------------------------- + +#send sigtal strength +#*/10 * * * * mosquitto_pub -t /router/modem/signal -m $(echo AT+CSQ | socat - /dev/ttyUSB1,crnl | grep ^+CSQ | cut -f2 -d' ' | sed 's/,/./') +#send conn type +#*/30 * * * * mosquitto_pub -t /router/modem/conType -m $(echo AT^SYSINFOEX | socat - /dev/ttyUSB1,crnl | grep ':' | cut -d'"' -f4) +#send speed tests +15 3,9,13,19,22 * * * mosquitto_pub -t /router/modem/dspeed -m $(speedtest --output text --download | grep DOWNLOAD_SPEED|cut -d'=' -f2) + +#save config to muromec +0 3 * * 1 sh /root/bkpscript/backup_script.sh +0 3 * * 1 echo "tar cfvz - \$(sysupgrade -l) | lftp 172.16.11.7 -e 'mkdir -p /backup/$HOSTNAME; put /dev/stdin -o /backup/$HOSTNAME/wrt_$(date +%Y%m%d).tar.gz; bye'" | sh + +#@reboot echo 'AT^SYSCFGEX="0302",3fffffff,2,4,7fffffffffffffff,,' | socat - /dev/ttyUSB1,crnl +#@reboot route add -net 172.16.11.0/24 gw 10.0.1.26 metric 1000 +#@reboot ip rule add priority 10 from all lookup 10 + +#boiler power on/off +00 4 * * * mosquitto_pub -t /Heater1/relay/18 -m 1 +59 6 * * * mosquitto_pub -t /Heater1/relay/18 -m 0 + +#Heater on +#00 23 * * * mosquitto_pub -t /Heater1/relay/22 -m 1 +#Kran off +00 23 * * * mosquitto_pub -t /Heater1/relay/98 -m 0 + +#Kran on +#00 5 * * * mosquitto_pub -t /Heater1/relay/98 -m 1 +#Heater off +#00 7 * * * mosquitto_pub -t /Heater1/relay/22 -m 0 + + +#reset alarm heater +#5 * * * * if [[ `mosquitto_sub -t /Heater1/Alarm/Heat -C 1` == 1 ]] ; then mosquitto_pub -t /Heater1/relay/22 -m 0; mosquitto_pub -t /H +eater1/relay/22 -m 1; fi + + +#Manual Heat ON OFF +#on +#05 23 * * * mosquitto_pub -t /Heater1/param/pidPump/ManSpeed -m 50 && mosquitto_pub -t /Heater1/relay/97 -m 1 && mosquitto_pub -t /Heater1/param/pidHeat/ManSpeed -m 2 + +#off +#00 3 * * * mosquitto_pub -t /Heater1/param/pidPump/ManSpeed -m 0 && mosquitto_pub -t /Heater1/relay/97 -m 0 && mosquitto_pub -t /Heater1/param/pidHeat/ManSpeed -m 0 +