TheThingsIndustries · johanstokking · Dec 4, 2024
@@ -36,7 +36,7 @@ The following are necessary to complete this guide:
 1. An account with AWS with access to the AWS Marketplace. If you don't have one, create it by using the [Create an AWS account](https://portal.aws.amazon.com/billing/signup#/start) page.
 2. An RSA Public-Private Key pair
 3. Sufficient rights on your account to create IAM roles
-4. A LoRaWAN® compliant Gateway
+4. A LoRaWAN compliant Gateway
 5. A LoRaWAN compliant End Device
 6. Access to a name server for DNS mapping
 7. (Optional) An AWS Secret containing TLS certificate data, if a custom TLS certificate is needed
@@ -61,9 +61,9 @@ This template allows the user to customize the deployment. The following is a li
 
 |Parameter|Description|Default|
 |---|---|---|
-|EC2 Instance Name|Name of the EC2 instance.|`the-things-enterprise-stack`|
+|EC2 Instance Name|Name of the EC2 instance.|tts|
 |Domain|Domain name. You should be able to configure DNS for the domain. TLS certificates from Let's Encrypt will automatically be requested.|-|
-|Network Title*|The title of your deployment.|`The Things Stack Enterprise for LoRaWAN`|
+|Network Title*|The title of your deployment.|The Things Stack Enterprise for LoRaWAN|
 |CIDR block|CIDR block used by the VPC.|10.0.0.0/16|
 
 > \* Optional field
@@ -72,28 +72,39 @@ This template allows the user to customize the deployment. The following is a li
 
 |**Parameter**|**Description**|**Default**|
 |---|---|---|
+|TLS Certificate*|TLS certificate to use. If left empty, TLS certificates from Let's Encrypt will automatically be requested.|-|
+|TLS Certificate Key*|TLS certificate key to use. If left empty, TLS certificates from Let's Encrypt will automatically be requested.|-|
+|TLS Certificate CA*|TLS certificate CA to use. If left empty, TLS certificates from Let's Encrypt will automatically be requested.|-|
+|TLS Certificate Secret ARN*|TLS certificate data specified as an AWS secret. If this secret is specified, TLSCertificate, TLSCertificateCA and TLSCertificateKey values will be ignored. The AWS secret must have 3 key/value pairs with the key names: cert, key, ca.|-|
+|Allow unauthenticated Basic Station connections|Allow unauthenticated Basic Station connections. This should only be set only for testing purposes.|false|
 |Admin Username|Name of the admin user.|`admin`|
-|Admin Email|Email address of the admin user.|`[email protected]`|
 |Initial Admin Password|Initial admin password. Please choose a strong password. It is recommended to change this password upon first login.|-|
+|Admin Email|Email address of the admin user.|`[email protected]`|
+|Amazon ElastiCache KMS Key ID*|Key used for Redis at-rest encryption. Leave empty to disable encryption. (Warning) A change to this field requires manual migration of the database.|-|
+|Amazon ElastiCache Password*|Password used to access Redis. Leave empty to disable TLS connection. (Warning) A change to this field requires manual migration of the database.|-|
 |Amazon RDS Database Username|Username of the relational database.|`postgres`|
 |Amazon RDS Database Password|Password for the relational database. This password is used to access the Amazon RDS database.|-|
 |SSH Key|Name of an existing EC2 KeyPair to enable SSH access to your instance.|-|
 |SendGrid API Key*|API key for [SendGrid](https://sendgrid.com/) to send emails.|-|
-|Amazon ElastiCache KMS Key ID*|Key used for Redis at-rest encryption. Leave empty to disable encryption. (Warning) A change to this field requires manual migration of the database.|-|
-|Amazon ElastiCache Password*|Password used to access Redis. Leave empty to disable TLS connection. (Warning) A change to this field requires manual migration of the database.|-|
-|TLS Certificate*|TLS certificate to use. If left empty, TLS certificates from Let's Encrypt will automatically be requested.|-|
-|TLS Certificate Key*|TLS certificate key to use. If left empty, TLS certificates from Let's Encrypt will automatically be requested.|-|
-|TLS Certificate CA*|TLS certificate CA to use. If left empty, TLS certificates from Let's Encrypt will automatically be requested.|-|
-|ARN of an AWS Secret containing the TLS certificate data*|TLS certificate data specified as an AWS secret. If this secret is specified, TLSCertificate, TLSCertificateCA and TLSCertificateKey values will be ignored. The AWS secret must have 3 key/value pairs with the key names: cert, key, ca.|-|
 
 > \* Optional field
 
+#### Email Settings
+
+|**Parameter**|**Description**|**Default**|
+|---|---|---|
+|Email Provider|Email provider for The Things Stack Identity Server|sendgrid|
+|SendGrid API Key|If email provider is sendgrid: API key for SendGrid (https://sendgrid.com/) to send emails.||
+|SMTP Server Address|If email provider is smtp: Address of the SMTP server.||
+|SMTP Username|If email provider is smtp: Username for the SMTP server.||
+|SMTP Password|If email provider is smtp: Password for the SMTP server.||
+
 #### External Connectivity
 
-|**Parameter**|**Description**|
-|---|---|
-|Restrict SSH Access to IP Range|The source IP address range that can be used to connect via SSH to the EC2 instances. Use 0.0.0.0/0 for global SSH access.|
-|Restrict Service Access to IP Range|The source IP address range that can be used to connect to the deployed services. Use 0.0.0.0/0 for global access.|
+|**Parameter**|**Description**|**Default**|
+|---|---|---|
+|Restrict SSH Access to IP Range|The source IP address range that can be used to connect via SSH to the EC2 instances. Use 0.0.0.0/0 for global SSH access.|0.0.0.0/0|
+|Restrict Service Access to IP Range|The source IP address range that can be used to connect to the deployed services. Use 0.0.0.0/0 for global access.|0.0.0.0/0|
 
 #### User Registration
 
@@ -118,13 +129,13 @@ This template allows the user to customize the deployment. The following is a li
 |---|---|---|
 |EC2 Instance Type|EC2 Instance Type.|t3.small|
 |Redis Backup Retention Period*|The retention period for daily Redis backups (days).|7|
-|Redis Instance Type|The size of machine for the Redis instance.|cache.t2.small|
+|Redis Instance Type|The size of machine for the Redis instance.|cache.t4g.small|
 |Enable Multi-AZ for Redis| If true, replicas of Redis are created. If true, RedisNumCacheClusters property must be greater than 1.|false|
 |Number of Redis Multi-AZ Instances|The number of replicas for this replication group. If RedisMultiAZSupport is true, this value must be greater than 1. Note that this multiplies the Amazon ElastiCache Redis instance costs.|1|
 |Amazon RDS Database Name|Name of the relational database. (Warning) A change to this field requires manual migration of the database.|ttn_lorawan|
-|Amazon RDS Instance Type|The instance type for the Amazon RDS database.|db.t3.small|
+|Amazon RDS Instance Type|The instance type for the Amazon RDS database.|db.t4g.small|
 |Amazon RDS Backup Retention Period|The retention period for daily Amazon RDS backups (days). (Warning) A change to this field requires manual migration of the database.|7|
-|Amazon RDS Postgres Version|PostgreSQL version for the Amazon RDS database.|11.4|
+|Amazon RDS Postgres Version|PostgreSQL version for the Amazon RDS database.|16.4|
 |Enable Multi-AZ for Amazon RDS| If true, a failover instance is created in case the primary instance fails. Note that this doubles the Amazon RDS instance costs.|false|
 
 #### LoRaWAN Network Server Settings
@@ -137,6 +148,14 @@ This template allows the user to customize the deployment. The following is a li
 |LoRaWAN DevAddr Prefix|Prefix for the LoRaWAN DevAddrs that are handled by this network.|00000000/7|
 |LoRaWAN NetID|The LoRaWAN NetID that is assigned through [LoRa Alliance membership](https://lora-alliance.org/become-a-member). This is required if your network needs interoperability (e.g. roaming, peering, join flow) with other networks. If you do not have a NetID, please use 000000 or 000001.|000000|
 
+#### Managed Gateways
+
+{{< note >}} All of following parameters are optional. {{</ note >}}
+
+|**Parameter**|**Description**|**Default**|
+|---|---|---|
+|The Things Gateway Controller|If set to true, The Things Stack connects to The Things Gateway Controller for claiming and configuring managed gateways (including The Things Indoor Gateway Pro). If you are using a TLS certificate that is signed by a private CA, contact [email protected] to get your CA configured in The Things Gateway Controller.|false|
+
 #### AWS IoT settings
 
 |**Parameter**|**Description**|**Default**|

@@ -91,15 +91,15 @@ sudo journalctl -f -u lorawan-stack.service
 
 ## Routing LoRaWAN Traffic
 
-Now that your stack has been successfully deployed, let's look at how to connect a LoRaWAN® Gateway, Register a LoRaWAN Device and read traffic from this device.
+Now that your stack has been successfully deployed, let's look at how to connect a LoRaWAN Gateway, register a LoRaWAN device and read traffic from this device.
 
 ### Connecting a Gateway
 
-Please check [Gateways]({{< relref "gateways" >}}) section to find an extensive connecting guide for the particular brand/model of your gateway.
+Please check [Gateways]({{< ref "gateways/concepts/adding-gateways" >}}) section to learn how to add gateways.
 
 ### Registering a Device
 
-Please check the [Adding Devices]({{< relref "devices/adding-devices" >}}) guide.
+Please check the [Adding Devices]({{< ref "devices/adding-devices" >}}) guide.
 
 ## AWS IoT
 

@@ -111,10 +111,10 @@ Be sure to configure `docker-compose.yml` and `ttn-lw-stack-docker.yml` for your
 
 ## Using Custom Certificates
 
-To use CA certificates you already have or [self-signed certificates](#custom-certificate-authority), you will need to uncomment the custom certificates section of `docker-compose.yml`:
+To use CA certificates you already have or [self-signed certificates](#custom-certificate-authority), you will need to specify the custom certificates section of `docker-compose.yml`:
 
-{{< highlight yaml "linenos=table,linenostart=66" >}}
-{{< readfile path="/content/the-things-stack/host/docker/configuration/docker-compose-custom-certificates.yml" from=66 to=79 >}}
+{{< highlight yaml "linenos=table,linenostart=67" >}}
+{{< readfile path="/content/the-things-stack/host/docker/configuration/docker-compose-custom-certificates.yml" from=67 to=80 >}}
 {{< /highlight >}}
 
 You will also need to comment out the Let's Encrypt section of `ttn-lw-stack-docker.yml`:

@@ -61,6 +61,7 @@ services:
       - "8886:8886"
       - "1887:1887"
       - "8887:8887"
+      - "8889:8889"
       - "1700:1700/udp"
 
     # If using custom certificates:

@@ -5,7 +5,7 @@ services:
     # In production, replace 'latest' with tag from https://hub.docker.com/r/timescale/timescaledb/tags
     # If you are not using the Storage Integration nor Network Operations Center, you can use vanilla Postgres.
     # The minimum Postgres version supported is 14.x.
-    image: "timescale/timescaledb:latest-pg14"
+    image: "timescale/timescaledb:latest-pg16"
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=root
@@ -95,6 +95,7 @@ services:
       - "8887:8887"
       - "1888:1888"
       - "8888:8888"
+      - "8889:8889"
       - "1700:1700/udp"
 
     # If using custom certificates:

@@ -61,6 +61,7 @@ services:
       - "8886:8886"
       - "1887:1887"
       - "8887:8887"
+      - "8889:8889"
       - "1700:1700/udp"
 
     # If using custom certificates:

@@ -172,7 +172,7 @@ The databases used by {{% tts %}} are configured in the `environment` section. I
 The `ports` section exposes {{% tts %}}'s ports outside the Docker container. Port `80` and `443` are mapped to the internal HTTP and HTTPS ports. The other ports have a direct mapping. If you don't need support for gateways and applications that don't use TLS, you can remove ports starting with `188`:
 
 {{< highlight yaml "linenos=table,linenostart=78" >}}
-{{< readfile path="/content/the-things-stack/host/docker/configuration/docker-compose-enterprise.yml" from=78 to=98 >}}
+{{< readfile path="/content/the-things-stack/host/docker/configuration/docker-compose-enterprise.yml" from=78 to=99 >}}
 {{< /highlight >}}
 
 {{< note >}} Be sure to provide network access to these ports on the machine you are running {{% tts %}}. {{</ note >}}
@@ -222,21 +222,19 @@ host, and also to use it as the default host.
 
 If using Let's Encrypt, certificates will automatically be requested the first time you access {{% tts %}}. You will notice that the page takes some time to load while certificates are obtained in the background.
 
-See the [TLS Options configuration reference]({{< ref "/reference/configuration/the-things-stack#tls-options" >}}) for more information.
-
-Make sure that you use the correct `tls` configuration depending on whether you are using Let's Encrypt or your own certificate files.
+{{< highlight yaml "linenos=table,linenostart=61" >}}
+{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=61 to=71 >}}
+{{< /highlight >}}
 
 If you are using your own certificate files, make sure to uncomment the lines that define `source` type, `root-ca`, `certificate` and `key`. The paths assigned to these do not need to be altered, because they point to the location of these files inside the Docker container, and not on your machine.
 
 {{< highlight yaml "linenos=table,linenostart=53" >}}
 {{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=53 to=59 >}}
 {{< /highlight >}}
 
-If you are using Let's Encrypt in a multi-tenant {{% tts %}} environment, all tenant addresses have to be specified in the `ttn-lw-stack-docker.yml` file using `tls.acme.hosts` configuration option with `*.thethings.example.com` wildcard.
+See the [TLS Options configuration reference]({{< ref "/reference/configuration/the-things-stack#tls-options" >}}) for more information.
 
-{{< highlight yaml "linenos=table,linenostart=61" >}}
-{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=61 to=70 >}}
-{{< /highlight >}}
+Make sure that you use the correct `tls` configuration depending on whether you are using Let's Encrypt or your own certificate files.
 
 ### Console Component URLs
 
@@ -254,6 +252,26 @@ The `client-secret` will be needed later when authorizing the Console. Be sure t
 {{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=116 to=121 >}}
 {{< /highlight >}}
 
+### Managed Gateways {{< new-in-version "3.34.0" >}}
+
+If you want to connected managed gateways, e.g. [The Things Indoor Gateway Pro]({{< ref "/gateways/models/thethingsindoorgatewaypro" >}}), you need to enable The Things Gateway Controller. This is a central service operated by The Things Industries that allows for claiming and remotely managing gateways. {{% tts %}} is natively integrated with The Things Gateway Controller.
+
+To authenticate with The Things Gateway Controller, {{% tts %}} typically uses the same TLS certificate as used for the TLS server, either Let's Encrypt or custom certificates.
+
+When using Let's Encrypt:
+
+{{< highlight yaml "linenos=table,linenostart=142" >}}
+{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=142 to=150 >}}
+{{< /highlight >}}
+
+When using custom certificates:
+
+{{< highlight yaml "linenos=table,linenostart=151" >}}
+{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=151 to=155 >}}
+{{< /highlight >}}
+
+{{< note >}} If you are using a private PKI for generating certificates (e.g. a self-signed CA), you need to share your CA file with The Things Industries in order for The Things Gateway Controller to verify your certificate and authenticate your deployment. Contact [The Things Industries support](mailto:[email protected]). {{</ note >}}
+
 ### NOC
 
 {{< distributions "Enterprise" >}} The `noc` section configures the Network Operations Center.
@@ -262,25 +280,25 @@ Besides `ui` and `oauth` settings, storage settings need to be configured in the
 
 To authorize the NOC, be sure to set and remember the client secret.
 
-{{< highlight yaml "linenos=table,linenostart=161" >}}
-{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=161 to=170 >}}
+{{< highlight yaml "linenos=table,linenostart=157" >}}
+{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=157 to=173 >}}
 {{< /highlight >}}
 
 To visualize data, configure the `grafana` section.
 
-{{< highlight yaml "linenos=table,linenostart=179" >}}
-{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=179 to=184 >}}
+{{< highlight yaml "linenos=table,linenostart=175" >}}
+{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=175 to=180 >}}
 {{< /highlight >}}
 
 ### Multi-tenancy
 
 {{< distributions "Enterprise" >}} If running a multi-tenant environment, we need to configure the default tenant ID, and the base domain from which tenant IDs are inferred. See the [`tenancy` configuration reference]({{< ref "/reference/configuration/the-things-stack#multi-tenancy" >}}).
 
-{{< highlight yaml "linenos=table,linenostart=188" >}}
-{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=188 to=191 >}}
+{{< highlight yaml "linenos=table,linenostart=184" >}}
+{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=184 to=187 >}}
 {{< /highlight >}}
 
-For multi-tenant environments you'll also need to configure tenant admin keys:
+For multi-tenant environments you'll also need to configure tenant admin keys in the `is` section:
 
 {{< highlight yaml "linenos=table,linenostart=40" >}}
 {{< readfile path="/content/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=40 to=42 >}}