# ============================================================================== # Hostname # ============================================================================== # # Uncomment the next line to override the default hostname of this device. # # hostname = "my-device" # ============================================================================== # Parent hostname # ============================================================================== # # If this is a Nested Edge device, uncomment the next line to set the # parent hostname of this device. # # parent_hostname = "my-parent-device" # ============================================================================== # Trust bundle cert # ============================================================================== # # If you have any trusted CA certificates required for Edge module communication, # uncomment the next line and set the value to a file URI for # the path of the file. # # trust_bundle_cert = "file:///var/secrets/trust-bundle.pem" # ============================================================================== # Elevated Docker Permissions Flag # ============================================================================== # # Some docker capabilities can be used to gain root access. # By default, the --privileged flag and all capabilities listed in the CapAdd # field of the docker HostConfig are allowed. # # In a future release, this will be disabled by default and the flag will be required # run as privileged. # # If no modules require privileged or additional capabilities, uncomment the following # line to improve the security of the device. # # allow_elevated_docker_permissions = false # ============================================================================== # Module identity cache preference # ============================================================================== # # The default behavior is to request module identities from IoT Hub and fall back to a # cached backup if the Hub request fails. This keeps identities in sync with IoT Hub, # but results in extra requests to Hub that may not be necessary depending on use case. # # Setting prefer_module_identity_cache to true reverses the behavior so that the cached # identities are preferred to IoT Hub requests. Requests to Hub are still made if identities # are not found in the cache. # # prefer_module_identity_cache = false # ============================================================================== # Provisioning # ============================================================================== # Optional auto reprovisioning mode # ------------------------------------ # This property specifies the conditions under which the device attempts to # automatically reprovision with the cloud. It is ignored if the device has # been provisioned manually. One of the following values can be set: # Dynamic: Reprovision when the device detects that it may have # been moved from one IoT Hub to another. This is the default. # AlwaysOnStartup: Reprovision when the device is rebooted or a crash causes # the daemon(s) to restart. # OnErrorOnly: Never trigger device reprovisioning automatically. # Device reprovisioning only occurs as fallback, if the device # is unable to connect to IoT Hub during identity provisioning # due to connectivity errors. This fallback behavior is implicit # in Dynamic and AlwaysOnStartup modes as well. # # auto_reprovisioning_mode = Dynamic # # ============================================================================== # Cloud Timeout and Retry Behavior # ============================================================================== # # These settings control the timeout and retries for cloud operations, such as # communication with DPS during provisioning or IoT Hub for module identity creation. # # cloud_timeout_sec is the deadline (in seconds) for a network request (such as # an HTTP request) to the aforementioned cloud services. A response from the cloud # must be received before this deadline, or the request will fail as timed out. # # cloud_retries controls how many times a request may be retried should it fail. # The client will always send at least one attempt, so its value will be the number # of retries after the first attempt should that fail (i.e. cloud_retries = 2 # means that the client will make a total of 3 attempts). # # cloud_timeout_sec = 10 # cloud_retries = 1 # Provisioning configuration # -------------------------- # Uncomment one block and replace the stub values with yours. ## Manual provisioning with connection string # # [provisioning] # source = "manual" # connection_string = "HostName=example.azure-devices.net;DeviceId=my-device;SharedAccessKey=YXppb3QtaWRlbnRpdHktc2VydmljZXxhemlvdC1pZGU=" ## Manual provisioning with symmetric key # [provisioning] # source = "manual" # iothub_hostname = "example.azure-devices.net" # device_id = "my-device" # # [provisioning.authentication] # method = "sas" # # device_id_pk = { value = "YXppb3QtaWRlbnRpdHktc2VydmljZXxhemlvdC1pZGU=" } # inline key (base64), or... # device_id_pk = { uri = "file:///var/secrets/device-id.key" } # file URI, or... # device_id_pk = { uri = "pkcs11:slot-id=0;object=device%20id?pin-value=1234" } # PKCS#11 URI ## Manual provisioning with X.509 certificate # [provisioning] # source = "manual" # iothub_hostname = "example.azure-devices.net" # device_id = "my-device" # # [provisioning.authentication] # method = "x509" # ## identity certificate private key # identity_pk = "file:///var/secrets/device-id.key.pem" # file URI, or... # identity_pk = "pkcs11:slot-id=0;object=device%20id?pin-value=1234" # PKCS#11 URI # ## identity certificate # identity_cert = "file:///var/secrets/device-id.pem" # file URI, or... # [provisioning.authentication.identity_cert] # dynamically issued via... # method = "est" # - EST # method = "local_ca" # - a local CA # common_name = "my-device" # with the given common name, or... # subject = { L = "AQ", ST = "Antarctica", CN = "my-device" } # with the given DN fields ## DPS provisioning with symmetric key # [provisioning] # source = "dps" # global_endpoint = "https://global.azure-devices-provisioning.net" # id_scope = "0ab1234C5D6" # ## Uncomment to send a custom payload during DPS registration # payload = { uri = "file:///var/secrets/aziot/identityd/dps-additional-data.json" } # # [provisioning.attestation] # method = "symmetric_key" # registration_id = "my-device" # # symmetric_key = { value = "YXppb3QtaWRlbnRpdHktc2VydmljZXxhemlvdC1pZGVudGl0eS1zZXJ2aWNlfGF6aW90LWlkZW50aXR5LXNlcg==" } # inline key (base64), or... # symmetric_key = { uri = "file:///var/secrets/device-id.key" } # file URI, or... # symmetric_key = { uri = "pkcs11:slot-id=0;object=device%20id?pin-value=1234" } # PKCS#11 URI ## DPS provisioning with X.509 certificate # [provisioning] # source = "dps" # global_endpoint = "https://global.azure-devices-provisioning.net/" # id_scope = "0ab1234C5D6" # ## Uncomment to send a custom payload during DPS registration # payload = { uri = "file:///var/secrets/aziot/identityd/dps-additional-data.json" } # # [provisioning.attestation] # method = "x509" # registration_id = "my-device" # ## identity certificate private key # identity_pk = "file:///var/secrets/device-id.key.pem" # file URI, or... # identity_pk = "pkcs11:slot-id=0;object=device%20id?pin-value=1234" # PKCS#11 URI # ## identity certificate # identity_cert = "file:///var/secrets/device-id.pem" # file URI, or... # [provisioning.attestation.identity_cert] # dynamically issued via... # method = "est" # - EST # method = "local_ca" # - a local CA # common_name = "my-device" # with the given common name, or... # subject = { L = "AQ", ST = "Antarctica", CN = "my-device" } # with the given DN fields # ## Uncomment the section below to enable automatic renewal of the device ID certificate. ## Auto-renewal requires a known certificate issuance method. This generally means that ## 'method' is either 'est' or 'local_ca'. ## ## IMPORTANT: ## ONLY ENABLE AUTO-RENEWAL IF THIS DEVICE IS CONFIGURED FOR CA-BASED DPS ENROLLMENT. ## USING AUTO-RENEWAL FOR AN INDIVIDUAL ENROLLMENT WILL CAUSE THE DEVICE TO BE UNABLE ## TO REPROVISION. # [provisioning.attestation.identity_cert.auto_renew] # rotate_key = true # threshold = "80%" # retry = "4%" ## DPS provisioning with TPM # [provisioning] # source = "dps" # global_endpoint = "https://global.azure-devices-provisioning.net" # id_scope = "0ab1234C5D6" # ## Uncomment to send a custom payload during DPS registration # payload = { uri = "file:///var/secrets/aziot/identityd/dps-additional-data.json" } # # [provisioning.attestation] # method = "tpm" # registration_id = "my-device" # ============================================================================== # Cert issuance # ============================================================================== # # If you configured any dynamically issued certs above, uncomment the block # corresponding to the issuance method and replace the stub values with yours. # Cert issuance via EST # --------------------- # [cert_issuance.est] # trusted_certs = [ # "file:///var/secrets/est-id-ca.pem", # ] # # [cert_issuance.est.auth] # username = "estuser" # password = "estpwd" # # # EST ID cert already on device, or... # identity_cert = "file:///var/secrets/est-id.pem" # # identity_pk = "file:///var/secrets/est-id.key.pem" # file URI, or... # identity_pk = "pkcs11:slot-id=0;object=est-id?pin-value=1234" # PKCS#11 URI # # # EST ID cert requested via EST bootstrap ID cert # bootstrap_identity_cert = "file:///var/secrets/est-bootstrap-id.pem" # # bootstrap_identity_pk = "file:///var/secrets/est-bootstrap-id.key.pem" # file URI, or... # bootstrap_identity_pk = "pkcs11:slot-id=0;object=est-bootstrap-id?pin-value=1234" # PKCS#11 URI # ## Controls the renewal of EST identity certs. These certs are issued by the EST server after ## initial authentication with the bootstrap cert and managed by Certificates Service. # [cert_issuance.est.identity_auto_renew] # rotate_key = true # threshold = "80%" # retry = "4%" # # [cert_issuance.est.urls] # default = "https://example.org/.well-known/est" # Cert issuance via local CA # -------------------------- # [cert_issuance.local_ca] # cert = "file:///var/secrets/local-ca.pem" # # pk = "file:///var/secrets/local-ca.key.pem" # file URI, or... # pk = "pkcs11:slot-id=0;object=local-ca?pin-value=1234" # PKCS#11 URI # ============================================================================== # TPM # ============================================================================== # # If special configuration is required for the TPM when using DPS TPM # provisioning, uncomment any pertinent sections below. # [tpm] # # TCTI loader string; see "TCG TSS 2.0 TPM Command Transmission # # Interface (TCTI) API Specification" section 3.5 for an overview of # # acceptable TCTI loader strings. By default, this is "device". Setting # # this to the empty string will cause the TCTI loader library to try # # loading a predefined set of TCTI modules in order. # # Ref: https://github.com/tpm2-software/tpm2-tss/blob/3.1.1/src/tss2-tcti/tctildr-dl.c#L28-L59 # tcti = "swtpm:port=2321" # # # The TPM index at which to persist the DPS authentication key. The index is # # taken as an offset from the base address for persistent objects # # (0x81000000), and must lie in the range 0x00_00_00--0x7F_FF_FF. The default # # value is 0x00_01_00. # auth_key_index = "0x00_01_00" # # Authorization values for use of the endorsement and owner hierarchies, if # # necessary. By default, these are empty strings. # [tpm.hierarchy_authorization] # endorsement = "hello" # owner = "world" # ============================================================================== # PKCS#11 # ============================================================================== # # If you used any PKCS#11 URIs above, uncomment the next block and # replace the stub values with your PKCS#11 configuration. # [aziot_keys] # pkcs11_lib_path = "/usr/lib/libmypkcs11.so" # pkcs11_base_slot = "pkcs11:slot-id=0?pin-value=1234" # ============================================================================== # Default Edge Agent # ============================================================================== # # If you need to override the parameters of the default Edge Agent module, # uncomment this section and replace the values in this section with your own. # # Note that the agent.config.createOptions field is specified as # a TOML inline table. This format looks similar to JSON but it is not JSON. # See https://toml.io/en/v1.0.0#inline-table for documentation. # [agent] # name = "edgeAgent" # type = "docker" # imagePullPolicy = "..." # "on-create" or "never". Defaults to "on-create" # [agent.config] # image = "mcr.microsoft.com/azureiotedge-agent:1.5" # createOptions = { HostConfig = { Binds = ["/iotedge/storage:/iotedge/storage"] } } # [agent.config.auth] # serveraddress = "example.azurecr.io" # username = "username" # password = "password" # [agent.env] # "RuntimeLogLevel" = "debug" # "UpstreamProtocol" = "AmqpWs" # "storageFolder" = "/iotedge/storage" # ============================================================================== # Daemon management and workload API endpoints # ============================================================================== # # If you need to override the management and workload API endpoints, # uncomment this section and replace the values in this section with your own. # [connect] # workload_uri = "@connect_workload_uri@" # management_uri = "@connect_management_uri@" # # [listen] # workload_uri = "@listen_workload_uri@" # management_uri = "@listen_management_uri@" # ============================================================================== # Edge Agent watchdog # ============================================================================== # # If you need to override the default Edge Agent watchdog settings, # uncomment this section and replace the values with your own. # # [watchdog] # max_retries = "infinite" # the string "infinite" or a positive integer. Defaults to "infinite" # ============================================================================== # Edge CA certificate # ============================================================================== # # If you have your own Edge CA certificate that you want all module certificates # to be issued by, uncomment one of the sections below and replace the values with # your own. # Edge CA certificate loaded from a file: # --------------------- # [edge_ca] # cert = "file:///var/secrets/edge-ca.pem" # file URI # # pk = "file:///var/secrets/edge-ca.key.pem" # file URI, or... # pk = "pkcs11:slot-id=0;object=edge%20ca?pin-value=1234" # PKCS#11 URI # Edge CA certificate issued over EST: # --------------------- # [edge_ca] # method = "est" # # # Optional EST configuration for issuing the Edge CA certificate below. # # If not set, the defaults in [cert_issuance.est] will be used. # # common_name = "aziot-edge CA" # expiry_days = 90 # url = "https://example.org/.well-known/est" # # username = "estuser" # password = "estpwd" # # # EST ID cert already on device, or... # identity_cert = "file:///var/secrets/est-id.pem" # # identity_pk = "file:///var/secrets/est-id.key.pem" # file URI, or... # identity_pk = "pkcs11:slot-id=0;object=est-id?pin-value=1234" # PKCS#11 URI # # # EST ID cert requested via EST bootstrap ID cert # bootstrap_identity_cert = "file:///var/secrets/est-bootstrap-id.pem" # # bootstrap_identity_pk = "file:///var/secrets/est-bootstrap-id.key.pem" # file URI, or... # bootstrap_identity_pk = "pkcs11:slot-id=0;object=est-bootstrap-id?pin-value=1234" # PKCS#11 URI # Edge CA certificate issued from a local CA certificate: # Requires [cert_issuance.local_ca] to be set. # --------------------- # [edge_ca] # method = "local_ca" # # # Optional configuration below. # # common_name = "aziot-edge CA" # expiry_days = 90 # ============================================================================== # Edge CA certificate (Quickstart) # ============================================================================== # # If you do not have your own Edge CA certificate that you want all # module certificates to be issued by, you can uncomment this section and # set the number of days for the lifetime of the auto-generated # self-signed Edge CA certificate. Defaults to 90 days. # # SECURITY NOTE: this setting is NOT recommended for production usage. Please # configure your own Edge CA certificate in the Edge CA certificate section # above instead. # # [edge_ca] # auto_generated_edge_ca_expiry_days = 90 # ============================================================================== # Edge CA certificate auto-renewal # ============================================================================== # # Manage auto-renewal of the Edge CA certificate. Generally, this applies when the # Edge CA is configured as Quickstart or when the Edge CA has an issuance `method` # set. Edge CA certs loaded from files generally cannot be auto-renewed as the Edge # runtime will not have enough information to renew them. # # Renewal of an Edge CA requires all server certificates issued by that CA to be # regenerated. This is done by restarting all modules. The time of Edge CA renewal # cannot be guaranteed, so if random module restarts are unacceptable for your use # case, disable auto renewal. # # Note that for auto-generated (quickstart) certificates, both the certificate and key # must be regenerated on renewal so rotate_key must be true. Another issuance method # is required if rotate_key = false. # # [edge_ca.auto_renew] # rotate_key = true # threshold = "80%" # retry = "4%" # ============================================================================== # Image garbage collection # ============================================================================== # # If you need to override the default image garbage collection configuration, # uncomment this section and replace the values in this section with your own. # # 'enabled' controls whether image garbage collection runs or not. # 'cleanup_recurrence' is how frequently you want the image gc to run. # 'image_age_cleanup_threshold' is the "age" of unused images, after which they will be cleaned up. # 'cleanup_time' in 24-hour HH:MM format is a best efforts dictate of when the cleanup job runs. # [image_garbage_collection] # enabled = true # cleanup_recurrence = "1d" # image_age_cleanup_threshold = "7d" # cleanup_time = "00:00" # ============================================================================== # Moby runtime # ============================================================================== # # If you need to override the default Moby runtime configuration, # uncomment this section and replace the values in this section with your own. # [moby_runtime] # uri = "unix:///var/run/docker.sock" # network = "azure-iot-edge"