doc: Document TTGC support

doc/content/the-things-stack/host/aws/ami/deployment-guide/_index.md

@@ -36,7 +36,7 @@ The following are necessary to complete this guide:
 1. An account with AWS with access to the AWS Marketplace. If you don't have one, create it by using the [Create an AWS account](https://portal.aws.amazon.com/billing/signup#/start) page.
 2. An RSA Public-Private Key pair
 3. Sufficient rights on your account to create IAM roles
-4. A LoRaWAN® compliant Gateway
+4. A LoRaWAN compliant Gateway
 5. A LoRaWAN compliant End Device
 6. Access to a name server for DNS mapping
 7. (Optional) An AWS Secret containing TLS certificate data, if a custom TLS certificate is needed
@@ -61,9 +61,9 @@ This template allows the user to customize the deployment. The following is a li
 
 |Parameter|Description|Default|
 |---|---|---|
-|EC2 Instance Name|Name of the EC2 instance.|`the-things-enterprise-stack`|
+|EC2 Instance Name|Name of the EC2 instance.|tts|
 |Domain|Domain name. You should be able to configure DNS for the domain. TLS certificates from Let's Encrypt will automatically be requested.|-|
-|Network Title*|The title of your deployment.|`The Things Stack Enterprise for LoRaWAN`|
+|Network Title*|The title of your deployment.|The Things Stack Enterprise for LoRaWAN|
 |CIDR block|CIDR block used by the VPC.|10.0.0.0/16|
 
 > \* Optional field
@@ -72,28 +72,39 @@ This template allows the user to customize the deployment. The following is a li
 
 |**Parameter**|**Description**|**Default**|
 |---|---|---|
+|TLS Certificate*|TLS certificate to use. If left empty, TLS certificates from Let's Encrypt will automatically be requested.|-|
+|TLS Certificate Key*|TLS certificate key to use. If left empty, TLS certificates from Let's Encrypt will automatically be requested.|-|
+|TLS Certificate CA*|TLS certificate CA to use. If left empty, TLS certificates from Let's Encrypt will automatically be requested.|-|
+|TLS Certificate Secret ARN*|TLS certificate data specified as an AWS secret. If this secret is specified, TLSCertificate, TLSCertificateCA and TLSCertificateKey values will be ignored. The AWS secret must have 3 key/value pairs with the key names: cert, key, ca.|-|
+|Allow unauthenticated Basic Station connections|Allow unauthenticated Basic Station connections. This should only be set only for testing purposes.|false|
 |Admin Username|Name of the admin user.|`admin`|
-|Admin Email|Email address of the admin user.|`[email protected]`|
 |Initial Admin Password|Initial admin password. Please choose a strong password. It is recommended to change this password upon first login.|-|
+|Admin Email|Email address of the admin user.|`[email protected]`|
+|Amazon ElastiCache KMS Key ID*|Key used for Redis at-rest encryption. Leave empty to disable encryption. (Warning) A change to this field requires manual migration of the database.|-|
+|Amazon ElastiCache Password*|Password used to access Redis. Leave empty to disable TLS connection. (Warning) A change to this field requires manual migration of the database.|-|
 |Amazon RDS Database Username|Username of the relational database.|`postgres`|
 |Amazon RDS Database Password|Password for the relational database. This password is used to access the Amazon RDS database.|-|
 |SSH Key|Name of an existing EC2 KeyPair to enable SSH access to your instance.|-|
 |SendGrid API Key*|API key for [SendGrid](https://sendgrid.com/) to send emails.|-|
-|Amazon ElastiCache KMS Key ID*|Key used for Redis at-rest encryption. Leave empty to disable encryption. (Warning) A change to this field requires manual migration of the database.|-|
-|Amazon ElastiCache Password*|Password used to access Redis. Leave empty to disable TLS connection. (Warning) A change to this field requires manual migration of the database.|-|
-|TLS Certificate*|TLS certificate to use. If left empty, TLS certificates from Let's Encrypt will automatically be requested.|-|
-|TLS Certificate Key*|TLS certificate key to use. If left empty, TLS certificates from Let's Encrypt will automatically be requested.|-|
-|TLS Certificate CA*|TLS certificate CA to use. If left empty, TLS certificates from Let's Encrypt will automatically be requested.|-|
-|ARN of an AWS Secret containing the TLS certificate data*|TLS certificate data specified as an AWS secret. If this secret is specified, TLSCertificate, TLSCertificateCA and TLSCertificateKey values will be ignored. The AWS secret must have 3 key/value pairs with the key names: cert, key, ca.|-|
 
 > \* Optional field
 
+#### Email Settings
+
+|**Parameter**|**Description**|**Default**|
+|---|---|---|
+|Email Provider|Email provider for The Things Stack Identity Server|sendgrid|
+|SendGrid API Key|If email provider is sendgrid: API key for SendGrid (https://sendgrid.com/) to send emails.||
+|SMTP Server Address|If email provider is smtp: Address of the SMTP server.||
+|SMTP Username|If email provider is smtp: Username for the SMTP server.||
+|SMTP Password|If email provider is smtp: Password for the SMTP server.||
+
 #### External Connectivity
 
-|**Parameter**|**Description**|
-|---|---|
-|Restrict SSH Access to IP Range|The source IP address range that can be used to connect via SSH to the EC2 instances. Use 0.0.0.0/0 for global SSH access.|
-|Restrict Service Access to IP Range|The source IP address range that can be used to connect to the deployed services. Use 0.0.0.0/0 for global access.|
+|**Parameter**|**Description**|**Default**|
+|---|---|---|
+|Restrict SSH Access to IP Range|The source IP address range that can be used to connect via SSH to the EC2 instances. Use 0.0.0.0/0 for global SSH access.|0.0.0.0/0|
+|Restrict Service Access to IP Range|The source IP address range that can be used to connect to the deployed services. Use 0.0.0.0/0 for global access.|0.0.0.0/0|
 
 #### User Registration
 
@@ -118,13 +129,13 @@ This template allows the user to customize the deployment. The following is a li
 |---|---|---|
 |EC2 Instance Type|EC2 Instance Type.|t3.small|
 |Redis Backup Retention Period*|The retention period for daily Redis backups (days).|7|
-|Redis Instance Type|The size of machine for the Redis instance.|cache.t2.small|
+|Redis Instance Type|The size of machine for the Redis instance.|cache.t4g.small|
 |Enable Multi-AZ for Redis| If true, replicas of Redis are created. If true, RedisNumCacheClusters property must be greater than 1.|false|
 |Number of Redis Multi-AZ Instances|The number of replicas for this replication group. If RedisMultiAZSupport is true, this value must be greater than 1. Note that this multiplies the Amazon ElastiCache Redis instance costs.|1|
 |Amazon RDS Database Name|Name of the relational database. (Warning) A change to this field requires manual migration of the database.|ttn_lorawan|
-|Amazon RDS Instance Type|The instance type for the Amazon RDS database.|db.t3.small|
+|Amazon RDS Instance Type|The instance type for the Amazon RDS database.|db.t4g.small|
 |Amazon RDS Backup Retention Period|The retention period for daily Amazon RDS backups (days). (Warning) A change to this field requires manual migration of the database.|7|
-|Amazon RDS Postgres Version|PostgreSQL version for the Amazon RDS database.|11.4|
+|Amazon RDS Postgres Version|PostgreSQL version for the Amazon RDS database.|16.4|
 |Enable Multi-AZ for Amazon RDS| If true, a failover instance is created in case the primary instance fails. Note that this doubles the Amazon RDS instance costs.|false|
 
 #### LoRaWAN Network Server Settings
@@ -137,6 +148,14 @@ This template allows the user to customize the deployment. The following is a li
 |LoRaWAN DevAddr Prefix|Prefix for the LoRaWAN DevAddrs that are handled by this network.|00000000/7|
 |LoRaWAN NetID|The LoRaWAN NetID that is assigned through [LoRa Alliance membership](https://lora-alliance.org/become-a-member). This is required if your network needs interoperability (e.g. roaming, peering, join flow) with other networks. If you do not have a NetID, please use 000000 or 000001.|000000|
 
+#### Managed Gateways
+
+{{< note >}} All of following parameters are optional. {{</ note >}}
+
+|**Parameter**|**Description**|**Default**|
+|---|---|---|
+|The Things Gateway Controller|If set to true, The Things Stack connects to The Things Gateway Controller for claiming and configuring managed gateways (including The Things Indoor Gateway Pro). If you are using a TLS certificate that is signed by a private CA, contact [email protected] to get your CA configured in The Things Gateway Controller.|false|
+
 #### AWS IoT settings
 
 |**Parameter**|**Description**|**Default**|

doc/content/the-things-stack/host/aws/ami/post-deployment/_index.md

@@ -91,15 +91,15 @@ sudo journalctl -f -u lorawan-stack.service
 
 ## Routing LoRaWAN Traffic
 
-Now that your stack has been successfully deployed, let's look at how to connect a LoRaWAN® Gateway, Register a LoRaWAN Device and read traffic from this device.
+Now that your stack has been successfully deployed, let's look at how to connect a LoRaWAN Gateway, register a LoRaWAN device and read traffic from this device.
 
 ### Connecting a Gateway
 
-Please check [Gateways]({{< relref "gateways" >}}) section to find an extensive connecting guide for the particular brand/model of your gateway.
+Please check [Gateways]({{< ref "gateways/concepts/adding-gateways" >}}) section to learn how to add gateways.
 
 ### Registering a Device
 
-Please check the [Adding Devices]({{< relref "devices/adding-devices" >}}) guide.
+Please check the [Adding Devices]({{< ref "devices/adding-devices" >}}) guide.
 
 ## AWS IoT
 

doc/content/the-things-stack/host/docker/certificates.md

@@ -111,10 +111,10 @@ Be sure to configure `docker-compose.yml` and `ttn-lw-stack-docker.yml` for your
 
 ## Using Custom Certificates
 
-To use CA certificates you already have or [self-signed certificates](#custom-certificate-authority), you will need to uncomment the custom certificates section of `docker-compose.yml`:
+To use CA certificates you already have or [self-signed certificates](#custom-certificate-authority), you will need to specify the custom certificates section of `docker-compose.yml`:
 
-{{< highlight yaml "linenos=table,linenostart=66" >}}
-{{< readfile path="/content/the-things-stack/host/docker/configuration/docker-compose-custom-certificates.yml" from=66 to=79 >}}
+{{< highlight yaml "linenos=table,linenostart=67" >}}
+{{< readfile path="/content/the-things-stack/host/docker/configuration/docker-compose-custom-certificates.yml" from=67 to=80 >}}
 {{< /highlight >}}
 
 You will also need to comment out the Let's Encrypt section of `ttn-lw-stack-docker.yml`:

doc/content/the-things-stack/host/docker/configuration/docker-compose-custom-certificates.yml

@@ -61,6 +61,7 @@ services:
       - "8886:8886"
       - "1887:1887"
       - "8887:8887"
+      - "8889:8889"
       - "1700:1700/udp"
 
     # If using custom certificates:

doc/content/the-things-stack/host/docker/configuration/docker-compose-enterprise.yml

@@ -5,7 +5,7 @@ services:
     # In production, replace 'latest' with tag from https://hub.docker.com/r/timescale/timescaledb/tags
     # If you are not using the Storage Integration nor Network Operations Center, you can use vanilla Postgres.
     # The minimum Postgres version supported is 14.x.
-    image: "timescale/timescaledb:latest-pg14"
+    image: "timescale/timescaledb:latest-pg16"
     restart: unless-stopped
     environment:
       - POSTGRES_PASSWORD=root
@@ -95,6 +95,7 @@ services:
       - "8887:8887"
       - "1888:1888"
       - "8888:8888"
+      - "8889:8889"
       - "1700:1700/udp"
 
     # If using custom certificates:

doc/content/the-things-stack/host/docker/configuration/docker-compose-open-source.yml

@@ -61,6 +61,7 @@ services:
       - "8886:8886"
       - "1887:1887"
       - "8887:8887"
+      - "8889:8889"
       - "1700:1700/udp"
 
     # If using custom certificates:

doc/content/the-things-stack/host/docker/configuration/index.md

@@ -172,7 +172,7 @@ The databases used by {{% tts %}} are configured in the `environment` section. I
 The `ports` section exposes {{% tts %}}'s ports outside the Docker container. Port `80` and `443` are mapped to the internal HTTP and HTTPS ports. The other ports have a direct mapping. If you don't need support for gateways and applications that don't use TLS, you can remove ports starting with `188`:
 
 {{< highlight yaml "linenos=table,linenostart=78" >}}
-{{< readfile path="/content/the-things-stack/host/docker/configuration/docker-compose-enterprise.yml" from=78 to=98 >}}
+{{< readfile path="/content/the-things-stack/host/docker/configuration/docker-compose-enterprise.yml" from=78 to=99 >}}
 {{< /highlight >}}
 
 {{< note >}} Be sure to provide network access to these ports on the machine you are running {{% tts %}}. {{</ note >}}
@@ -222,21 +222,19 @@ host, and also to use it as the default host.
 
 If using Let's Encrypt, certificates will automatically be requested the first time you access {{% tts %}}. You will notice that the page takes some time to load while certificates are obtained in the background.
 
-See the [TLS Options configuration reference]({{< ref "/reference/configuration/the-things-stack#tls-options" >}}) for more information.
-
-Make sure that you use the correct `tls` configuration depending on whether you are using Let's Encrypt or your own certificate files.
+{{< highlight yaml "linenos=table,linenostart=61" >}}
+{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=61 to=71 >}}
+{{< /highlight >}}
 
 If you are using your own certificate files, make sure to uncomment the lines that define `source` type, `root-ca`, `certificate` and `key`. The paths assigned to these do not need to be altered, because they point to the location of these files inside the Docker container, and not on your machine.
 
 {{< highlight yaml "linenos=table,linenostart=53" >}}
 {{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=53 to=59 >}}
 {{< /highlight >}}
 
-If you are using Let's Encrypt in a multi-tenant {{% tts %}} environment, all tenant addresses have to be specified in the `ttn-lw-stack-docker.yml` file using `tls.acme.hosts` configuration option with `*.thethings.example.com` wildcard.
+See the [TLS Options configuration reference]({{< ref "/reference/configuration/the-things-stack#tls-options" >}}) for more information.
 
-{{< highlight yaml "linenos=table,linenostart=61" >}}
-{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=61 to=70 >}}
-{{< /highlight >}}
+Make sure that you use the correct `tls` configuration depending on whether you are using Let's Encrypt or your own certificate files.
 
 ### Console Component URLs
 
@@ -254,6 +252,24 @@ The `client-secret` will be needed later when authorizing the Console. Be sure t
 {{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=116 to=121 >}}
 {{< /highlight >}}
 
+### Managed Gateways
+
+If you want to connected managed gateways, e.g. [The Things Indoor Gateway Pro]({{< ref "/gateways/models/thethingsindoorgatewaypro" >}}), you need to enable The Things Gateway Controller. This is a central service operated by The Things Industries that allows for claiming and remotely managing gateways. {{% tts %}} is natively integrated with The Things Gateway Controller.
+
+To authenticate with The Things Gateway Controller, {{% tts %}} typically uses the same TLS certificate as used for the TLS server, either Let's Encrypt or custom certificates.
+
+When using Let's Encrypt:
+
+{{< highlight yaml "linenos=table,linenostart=142" >}}
+{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=142 to=150 >}}
+{{< /highlight >}}
+
+When using custom certificates:
+
+{{< highlight yaml "linenos=table,linenostart=151" >}}
+{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=151 to=155 >}}
+{{< /highlight >}}
+
 ### NOC
 
 {{< distributions "Enterprise" >}} The `noc` section configures the Network Operations Center.
@@ -262,25 +278,25 @@ Besides `ui` and `oauth` settings, storage settings need to be configured in the
 
 To authorize the NOC, be sure to set and remember the client secret.
 
-{{< highlight yaml "linenos=table,linenostart=161" >}}
-{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=161 to=170 >}}
+{{< highlight yaml "linenos=table,linenostart=157" >}}
+{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=157 to=173 >}}
 {{< /highlight >}}
 
 To visualize data, configure the `grafana` section.
 
-{{< highlight yaml "linenos=table,linenostart=179" >}}
-{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=179 to=184 >}}
+{{< highlight yaml "linenos=table,linenostart=175" >}}
+{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=175 to=180 >}}
 {{< /highlight >}}
 
 ### Multi-tenancy
 
 {{< distributions "Enterprise" >}} If running a multi-tenant environment, we need to configure the default tenant ID, and the base domain from which tenant IDs are inferred. See the [`tenancy` configuration reference]({{< ref "/reference/configuration/the-things-stack#multi-tenancy" >}}).
 
-{{< highlight yaml "linenos=table,linenostart=188" >}}
-{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=188 to=191 >}}
+{{< highlight yaml "linenos=table,linenostart=184" >}}
+{{< readfile path="/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=184 to=187 >}}
 {{< /highlight >}}
 
-For multi-tenant environments you'll also need to configure tenant admin keys:
+For multi-tenant environments you'll also need to configure tenant admin keys in the `is` section:
 
 {{< highlight yaml "linenos=table,linenostart=40" >}}
 {{< readfile path="/content/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-enterprise.yml" from=40 to=42 >}}

doc/content/the-things-stack/host/docker/configuration/ttn-lw-stack-docker-custom-certificates.yml

@@ -47,12 +47,13 @@ tls:
 
 # Let's encrypt for "thethings.example.com"
 # tls:
-#   source: 'acme'
+#   source: acme
 #   acme:
-#     dir: '/var/lib/acme'
-#     email: '[email protected]'
-#     hosts: ['thethings.example.com']
-#     default-host: 'thethings.example.com'
+#     enable: true
+#     dir: /var/lib/acme
+#     email: "[email protected]"
+#     hosts: ["thethings.example.com"]
+#     default-host: "thethings.example.com"
 
 # If Gateway Server enabled, defaults for "thethings.example.com":
 gs:
@@ -68,9 +69,6 @@ gcs:
   basic-station:
     default:
       lns-uri: "wss://thethings.example.com:8887"
-  the-things-gateway:
-    default:
-      mqtt-server: "mqtts://thethings.example.com:8881"
 
 # Web UI configuration for "thethings.example.com":
 console:
@@ -87,6 +85,8 @@ console:
       base-url: "https://thethings.example.com/api/v3"
     js:
       base-url: "https://thethings.example.com/api/v3"
+    gcs:
+      base-url: "https://thethings.example.com/api/v3"
     qrg:
       base-url: "https://thethings.example.com/api/v3"
     edtc:
@@ -109,21 +109,17 @@ as:
     downlink:
       public-address: "thethings.example.com:1885/api/v3"
 
-# If Device Claiming Server enabled, defaults for "thethings.example.com":
-dcs:
-  oauth:
-    authorize-url: "https://thethings.example.com/oauth/authorize"
-    token-url: "https://thethings.example.com/oauth/token"
-    logout-url: "https://thethings.example.com/oauth/logout"
-    client-id: "device-claiming"
-    client-secret: "device-claiming" # choose or generate a secret
-  ui:
-    canonical-url: "https://thethings.example.com/claim"
-    as:
-      base-url: "https://thethings.example.com/api/v3"
-    dcs:
-      base-url: "https://thethings.example.com/api/v3"
-    is:
-      base-url: "https://thethings.example.com/api/v3"
-    ns:
-      base-url: "https://thethings.example.com/api/v3"
+# Managed gateway configuration, defaults for "thethings.example.com".
+# This configures a connection with The Things Gateway Controller, a service operated by The Things Industries.
+# This allows connecting, for example, The Things Indoor Gateway Pro.
+ttgc:
+  enabled: true
+  domain: thethings.example.com
+  # If using custom certificates (the X.509 Extended Key Usage must include Client Authentication):
+  tls:
+    source: file
+    certificate: /run/secrets/cert.pem
+    key: /run/secrets\
+  # If using Let's Encrypt (see above):
+  # tls:
+  #   source: acme