deploy(M00-E): 补充EMQX检查模板

deploy/README.md

@@ -38,7 +38,8 @@
 - HTTPS：输出固定域名、API 路径和 Nginx 配置检查。
 - Nginx：提供 `deploy/nginx/api.txyundm.cn.conf.template`，菜单第 4 项会检查模板、站点文件、TLS 和健康端点。
 - 证书：提供 `deploy/certbot/api.txyundm.cn.commands.md`，菜单第 4 项会检查 Certbot、证书文件、续期配置和 `certbot.timer`。
-- 非交互检查：`setup.sh --preflight`、`setup.sh --status`、`setup.sh --https`、`setup.sh --diagnose`。
+- EMQX：提供 `deploy/emqx/install-ubuntu24-amd64.md`、ACL 模板和授权模板，菜单第 3 项会检查命令、服务、端口和模板。
+- 非交互检查：`setup.sh --preflight`、`setup.sh --status`、`setup.sh --https`、`setup.sh --mqtt`、`setup.sh --diagnose`。
 - 状态：显示部署上下文、快检、仓库状态和当前 release manifest。
 - 备份：当前生成 manifest-only 备份记录，不触碰真实数据库。
 - 恢复/回滚：列出人工输入和回滚点，不自动改动生产数据。

deploy/VERSION

@@ -1 +1 @@
-0.1.2-m00-certbot-check
+0.1.3-m00-emqx-check

deploy/emqx/acl.conf.template

@@ -0,0 +1,29 @@
+%% Qipai EMQX ACL baseline for device topic isolation.
+%% EMQX ACL files use Erlang tuple rules and are matched from top to bottom.
+%% Replace example usernames and topic namespaces after M06 device onboarding.
+
+%% Device clients may publish telemetry/status under their own client id.
+{allow, {clientid, {re, "^qipai-device-[A-Za-z0-9_-]+$"}}, publish, [
+  "qipai/${clientid}/telemetry",
+  "qipai/${clientid}/status",
+  "qipai/${clientid}/event/#"
+]}.
+
+%% Device clients may subscribe only to commands for their own client id.
+{allow, {clientid, {re, "^qipai-device-[A-Za-z0-9_-]+$"}}, subscribe, [
+  "qipai/${clientid}/command/#"
+]}.
+
+%% Backend service may publish commands and subscribe to device events.
+{allow, {username, "qipai_backend"}, all, [
+  "qipai/+/command/#",
+  "qipai/+/telemetry",
+  "qipai/+/status",
+  "qipai/+/event/#"
+]}.
+
+%% Do not expose system topics or broad wildcards to ordinary clients.
+{deny, all, subscribe, ["$SYS/#", {eq, "#"}, {eq, "+/#"}]}.
+
+%% Production default: deny anything not explicitly allowed above.
+{deny, all}.

deploy/emqx/authorization.hocon.template

@@ -0,0 +1,11 @@
+authorization {
+  deny_action = ignore
+  no_match = deny
+  sources = [
+    {
+      type = file
+      enable = true
+      path = "etc/acl.conf"
+    }
+  ]
+}

deploy/emqx/install-ubuntu24-amd64.md

@@ -0,0 +1,49 @@
+# EMQX Ubuntu 24.04 amd64 Install Notes
+
+This project uses native Ubuntu packages only. Docker is forbidden.
+
+Official references checked on 2026-06-15:
+
+- EMQX Ubuntu installation: https://docs.emqx.com/en/emqx/latest/deploy/install-ubuntu.html
+- EMQX file authorization and ACL format: https://docs.emqx.com/en/emqx/latest/access-control/authz/file.html
+
+## Preconditions
+
+- Ubuntu Server 24.04 x86-64/amd64.
+- Production host: `101.42.38.246`.
+- Ports are restricted by firewall:
+  - `1883`: MQTT device access, not open wider than required.
+  - `18083`: EMQX dashboard, never open to arbitrary public networks.
+- MQTTX is not installed on the server.
+
+## Install
+
+EMQX official Ubuntu documentation lists apt installation for Ubuntu 24.04. The administrator must confirm the selected EMQX major version before installing.
+
+```bash
+curl -s https://packagecloud.io/install/repositories/emqx/emqx-enterprise5/script.deb.sh | sudo bash
+sudo apt-get install emqx
+sudo systemctl enable --now emqx
+```
+
+## Apply ACL Baseline
+
+```bash
+sudo install -m 0640 /opt/apps/qipai-repo/deploy/emqx/acl.conf.template /etc/emqx/acl.conf
+sudo install -m 0640 /opt/apps/qipai-repo/deploy/emqx/authorization.hocon.template /etc/emqx/conf.d/qipai-authorization.hocon
+sudo emqx ctl conf reload
+sudo systemctl restart emqx
+```
+
+## Check
+
+```bash
+emqx version
+systemctl status emqx --no-pager
+ss -ltnp | grep -E ':(1883|18083)\b'
+```
+
+## Notes
+
+- Device usernames, passwords and client IDs are not stored in Git.
+- M06 will replace the placeholder topic namespace with the final device protocol mapping.