doc: Improve the installation guide
nejraselimovic committed Dec 29, 2020
1 parent 89383de commit 6074178
Showing 5 changed files with 127 additions and 87 deletions.
8 changes: 3 additions & 5 deletions doc/content/getting-started/installation/_index.md
Expand Up @@ -12,13 +12,11 @@ This is a guide for setting up a private LoRaWAN network server using {{% tts %}
## Prerequisites

1. A server with a recommended 4 virtual CPUs and 16GB RAM running [Docker](https://docs.docker.com/engine/) and [Docker Compose](https://docs.docker.com/compose/)*
2. DNS records pointing to your server's IP address
2. DNS records pointing to your server's IP address (skip if using `localhost`)
3. A [license](https://thethingsindustries.com/technology/pricing) for {{% tts %}} {{< distributions-inline "Enterprise" >}}

<!--more-->

In this guide we will get everything up and running on a server using [Docker](https://docs.docker.com/engine/) and [Docker Compose](https://docs.docker.com/compose/). If you are comfortable with configuring servers and working with command line, this is the perfect place to start.
This guide shows you how to get everything up and running on a server. If you are comfortable with configuring servers and working with command line, this is the perfect place to start, but first, follow the guides to [install Docker](https://docs.docker.com/install/#supported-platforms) and to [install Docker Compose](https://docs.docker.com/compose/install/#install-compose).

Since we're going to install {{% tts %}} using Docker and Docker Compose, follow the guides to [install Docker](https://docs.docker.com/install/#supported-platforms) and to [install Docker Compose](https://docs.docker.com/compose/install/#install-compose).

{{< note >}} *Benchmark for 100K devices with 12 confirmed uplinks per day. Your requirements will vary depending on your load and desired redundancy. {{</ note >}}
> *Benchmark for 100K devices with 12 confirmed uplinks per day. Your requirements will vary depending on your load and desired redundancy.
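
Review bot: The new prerequisite "(skip if using `localhost`)" tells readers they can skip DNS but not which TLS path applies in that case; certificates.md in this commit directs local deployments to a custom Certificate Authority, so link that section from this list item. At the end of the hunk the benchmark footnote moves from the `{{< note >}}` shortcode to a plain `>` blockquote, while certificates.md in this commit keeps `{{< note >}}` and `{{< warning >}}`; keep the shortcode for consistency. In the rewritten paragraph, "working with command line" needs "the".
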
42 changes: 30 additions & 12 deletions doc/content/getting-started/installation/certificates.md
Expand Up @@ -4,11 +4,13 @@ description: ""
weight: 3
---

## Trusted Certificates
{{% tts %}} needs to be configured with Transport Layer Security (TLS) and HTTPS. This requires a TLS certificate and a corresponding key.

{{% tts %}} will be configured with Transport Layer Security (TLS) and HTTPS. This requires a TLS certificate and a corresponding key. In this guide we'll request a free, trusted certificate from [Let's Encrypt](https://letsencrypt.org/getting-started/), but if you already have a certificate (`cert.pem`) and key (`key.pem`), you can also use those.
<!--more-->

### Automatic Certificate Management (ACME)
In this guide, we show you how to request a free, trusted certificate from [Let's Encrypt](https://letsencrypt.org/getting-started/), but if you already have a certificate (`cert.pem`) and a corresponding key (`key.pem`), you can also use those. For local deployments, you can set up your own Certificate Authority and issue a certificate-key pair.

## Automatic Certificate Management (ACME)

{{% tts %}} can be configured to automatically retrieve and update Let's Encrypt certificates. Assuming you followed the [configuration]({{< relref "configuration" >}}) steps, create an `acme` directory where {{% tts %}} can store the certificate data:
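
Review bot: The added intro sentence ending "you can set up your own Certificate Authority and issue a certificate-key pair" names the existing-certificate and custom CA options without linking to them; link to `#custom-certificate-authority` and to the Using Custom Certificates section so readers who are not using Let's Encrypt can jump straight there. With the "Trusted Certificates" heading removed and ACME promoted to `##`, check that the remaining `###` headings still sit under the parent you intend.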

Expand All @@ -17,7 +19,9 @@ $ mkdir ./acme
$ sudo chown 886:886 ./acme
```

Your directory should look like this:
{{< warning >}} `886` is the `UID` and the `GID` of the user that runs {{% tts %}} in the Docker container. If you don't set these permissions, you may encounter an error resembling `open /var/lib/acme/acme_account+key<...>: permission denied`. {{</ warning >}}

The directory hierarchy should look like this:

```bash
acme/
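
Review bot: The new warning explains `886`, but the steps still stop at `chown`; the quoted error shows this directory holds the ACME account key (`acme_account+key`), so add a step that restricts the directory mode, for example `chmod 700 ./acme`. It would also help to say that `886` is a numeric ID from inside the container and may not correspond to a named account on the host, so `ls -l` will show the number rather than a user name.
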
Expand All @@ -27,7 +31,19 @@ config/
    └── ttn-lw-stack-docker.yml # configuration file for {{% tts %}}
```

{{< note >}} `886` is the uid and the gid of the user that runs {{% tts %}} in the Docker container. If you don't set these permissions, you'll get an error saying something like `open /var/lib/acme/acme_account+key<...>: permission denied`. {{</ note >}}
### Using Custom Certificates

To use [CA certificates you already have](#certificates-from-a-certificate-authority) or [self-signed certificates](#custom-certificate-authority), you will need to uncomment the custom certificates section of `docker-compose.yml`:

{{< highlight yaml "linenos=table,linenostart=84" >}}
{{< readfile path="/content/getting-started/installation/configuration/docker-compose-enterprise.yml" from=84 to=97 >}}
{{< /highlight >}}

You will also need to comment out the Let's Encrypt section of `ttn-lw-stack-docker.yml`, and uncomment the custom certificates section:

{{< highlight yaml "linenos=table,linenostart=48" >}}
{{< readfile path="/content/getting-started/installation/configuration/ttn-lw-stack-docker-enterprise.yml" from=48 to=62 >}}
{{< /highlight >}}

### Using Custom Certificates
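
Review bot: The added block introduces a `### Using Custom Certificates` heading while the existing `### Using Custom Certificates` heading remains as context at the end of the hunk, so the page ends up with the same heading twice and two colliding anchors; drop one or rename the new subsection. The link target `#certificates-from-a-certificate-authority` has no matching heading in the visible hunks, so confirm it resolves. The `readfile` ranges (`from=84 to=97` and `from=48 to=62`) are hard-coded line numbers and will silently render the wrong lines when the YAML files change; record that dependency in a comment in the YAML files or next to the shortcodes.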

Expand All @@ -51,7 +67,9 @@ If you want to use the certificate (`cert.pem`) and key (`key.pem`) that you alr
$ sudo chown 886:886 ./cert.pem ./key.pem
```

Your directory should look like this:
{{< warning >}} If you don't set these permissions, you may encounter an error resembling `/run/secrets/key.pem: permission denied`. {{</ warning >}}

The directory hierarchy should look like this:

```bash
cert.pem
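
Review bot: The warning added after `sudo chown 886:886 ./cert.pem ./key.pem` covers ownership only; `key.pem` is the private key, so the step should also restrict its mode, for example `chmod 600 ./key.pem`, so that it is not left readable by other users on the host. "these permissions" in the warning is vague on its own; say explicitly that both files must be owned by UID and GID `886`, as the ACME warning earlier in this file does.
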
Expand All @@ -62,11 +80,9 @@ config/
    └── ttn-lw-stack-docker.yml # configuration file for {{% tts %}}
```

{{< note >}} If you don't set these permissions, you'll get an error saying something like `/run/secrets/key.pem: permission denied`. {{</ note >}}
## Custom Certificate Authority

### Custom Certificate Authority

To use TLS on a local or offline deployment, you can use your own Certificate Authority. In order to set that up, you can use CloudFlare's PKI/TLS toolkit, `cfssl`. Installation instructions can be found [in the README of `cfssl`](https://github.com/cloudflare/cfssl#installation).
To use TLS on a local or offline deployment, you can use your own Certificate Authority. In order to set that up, you can use `cfssl`, CloudFlare's PKI/TLS toolkit. The `cfssl` installation instructions can be found [here](https://github.com/cloudflare/cfssl#installation).

Write the configuration for your CA to `ca.json`:
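
Review bot: In the rewritten `cfssl` sentence the link text changes from "in the README of `cfssl`" to "here", which says nothing about the destination and reads poorly in link lists and screen readers; keep descriptive link text. The heading is promoted to `##` to match the ACME section, but "Using Custom Certificates" stays at `###`, which nests it under ACME even though it is the alternative to ACME; consider promoting it as well.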

Expand Down Expand Up @@ -95,15 +111,17 @@ Now write the configuration for your certificate to `cert.json`:
}
```

And run the following command to generate the server key and certificate:
{{< note >}} Remember to replace `thethings.example.com` with your server address! {{</ note >}}

Then, run the following command to generate the server key and certificate:

```bash
$ cfssl gencert -ca ca.pem -ca-key ca-key.pem cert.json | cfssljson -bare cert
```

The next steps assume the certificate key is called `key.pem`, so you'll need to rename `cert-key.pem` to `key.pem`.

Your directory should look like this:
At the end, your directory should look like this:

```bash
cert.pem
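
Review bot: The new note "Remember to replace `thethings.example.com` with your server address!" comes after the `cert.json` block, so a reader who copies the JSON first has already written the example hostname, and a certificate issued for that name will not match their server; move the note above the block. The rename of `cert-key.pem` to `key.pem` is described only in prose, and a `mv cert-key.pem key.pem` line would match the command style used for the other steps. "At the end, your directory should look like this:" also differs from "The directory hierarchy should look like this:", which this commit introduces elsewhere in the file.
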