Add TLS-enabled PostgreSQL and ThingsBoard integration, update README

deploy/services/README.md

@@ -12,12 +12,15 @@ The following services can be installed:
   The **MQTT plugin** of this broker has been enabled.
   So, it can also be used as **MQTT** broker.
 * **MongoDB** database server
+* **ThingsBoard** IoT device management and data visualization platform
+* **PostgreSQL** database server for ThingsBoard
 
 ## Directory Structure
 
 * **config** is used for storing the service configuration
 * **data** is used by the services for storing data
-* **certs** is used for storing the TLS certificates needed by the services.
+* **log** is used by the services for logging
+* **certs** is used for storing the TLS certificates needed by the services
 * **script** contains scripts for creating user accounts
 
 ## Installation steps
@@ -39,7 +42,7 @@ Please replace the same with your server's hostname.
 
   ```bash
   cat certs/services.foo.com/privkey.pem \
-    certs/services.foo.com/fullchain.pem > certs/foo.com/combined.pem
+    certs/services.foo.com/fullchain.pem > certs/services.foo.com/combined.pem
   chmod 600 certs/services.foo.com/combined.pem
   chown 999:999 certs/services.foo.com/combined.pem
   ```
@@ -59,6 +62,37 @@ Please replace the same with your server's hostname.
   chown 999 certs/services.foo.com/privkey-rabbitmq.pem
   ```
 
+* Adjust permissions of certificates for PostgreSQL user in docker container.
+
+  ```bash
+  cp certs/services.foo.com/privkey.pem \
+    certs/services.foo.com/postgres.key
+  cp certs/services.foo.com/fullchain.pem \
+    certs/services.foo.com/postgres.crt
+  chown 999:999 certs/services.foo.com/postgres.key certs/services.foo.com/postgres.crt
+  chmod 600 certs/services.foo.com/postgres.key
+  chmod 644 certs/services.foo.com/postgres.crt
+  ```
+
+* Adjust permissions of certificates for ThingsBoard user in docker container.
+
+  ```bash
+  cp certs/services.foo.com/privkey.pem \
+   certs/services.foo.com/privkey-thingsboard.pem
+  cp certs/services.foo.com/fullchain.pem \
+   certs/services.foo.com/fullchain-thingsboard.pem
+  chown 799:799 certs/services.foo.com/privkey-thingsboard.pem
+  chown 799:799 certs/services.foo.com/fullchain-thingsboard.pem
+  chmod 600 certs/services.foo.com/privkey-thingsboard.pem
+  chmod 644 certs/services.foo.com/fullchain-thingsboard.pem
+  ```
+* Set required permissions for ThingsBoard data and log directories.
+
+  ```bash
+  sudo chown -R 799:799 data/thingsboard
+  sudo chown -R 799:799 log/thingsboard
+  ```
+
 * Note down your userid and groupid on Linux systems.
 
   ```bash
@@ -73,6 +107,17 @@ Please replace the same with your server's hostname.
   cp config/services.env.template config/services.env
   ```
 
+* Start PostgreSQL and run ThingsBoard install.
+
+  ```bash
+  docker compose -f compose.services.secure.yml \
+    --env-file config/services.env \
+    up -d postgres
+  docker compose -f compose.services.secure.yml \
+    --env-file config/services.env \
+    run --rm -e INSTALL_TB=true -e LOAD_DEMO=false thingsboard-ce
+  ```
+
 * Start or stop services.
 
   ```bash
@@ -95,9 +140,10 @@ at the following ports / URLs.
 | Influx | services.foo.com:8086 |
 | MongoDB database | services.foo.com:8087 |
 | Grafana | services.foo.com:8088 |
+| ThingsBoard | services.foo.com:8089 |
 
 Please note that the TCP ports used by the services can be changed
-by updating the `config/service.env` file and rerunning the docker commands.
+by updating the `config/services.env` file and rerunning the docker commands.
 
 The firewall and network access settings of corporate / cloud network
 need to be configured to allow external access to the services.
@@ -106,8 +152,8 @@ services from their user workspaces.
 
 ## New User Accounts
 
-There are ready to use scripts for adding accounts in **InfluxDB** and
-**RabbitMQ** services.
+There are ready to use scripts for adding accounts in **InfluxDB**,
+**RabbitMQ**, and **ThingsBoard** services.
 
 Copy the user accounts template and add user account credentials.
 
@@ -116,6 +162,13 @@ cp config/credentials.csv.template config/credentials.csv
 # edit credentials.csv file
 ```
 
+Use the following commands to add new users to **ThingsBoard** service.
+
+```bash
+chmod +x script/thingsboard.py
+python3 script/thingsboard.py
+```
+
 Use the following commands to add new users to **InfluxDB** service.
 
 ```bash

deploy/services/compose.services.secure.yml

@@ -92,6 +92,64 @@ services:
     networks:
       - platform-services
 
+  postgres:
+    image: 'postgres:16.11'
+    container_name: postgres
+    restart: always
+    ports:
+      - '${POSTGRES_PORT}:5432'
+    volumes:
+      - './data/postgres:/var/lib/postgresql/data'
+      - './certs/${HOSTNAME}:/etc/ssl'
+      #- './config/init-thingsboard-user.sql:/docker-entrypoint-initdb.d/init-thingsboard-user.sql:ro'
+    environment:
+      POSTGRES_DB: '${POSTGRES_DB}'
+      POSTGRES_USER: '${POSTGRES_USER}'
+      POSTGRES_PASSWORD: '${POSTGRES_PASSWORD}'
+    command:
+      - postgres
+      - -c
+      - ssl=on
+      - -c
+      - ssl_cert_file=/etc/ssl/postgres.crt
+      - -c
+      - ssl_key_file=/etc/ssl/postgres.key
+    networks:
+      - platform-services
+
+  thingsboard-ce:
+    image: 'thingsboard/tb-node:4.2.1'
+    container_name: thingsboard
+    restart: always
+    ports:
+      - '${THINGSBOARD_PORT}:8080'
+      - '${THINGSBOARD_EDGE_RPC_PORT}:7070'
+      - '${THINGSBOARD_MQTT_PORT}:1883'
+      - '${THINGSBOARD_MQTT_SSL_PORT}:8883'
+      - '${THINGSBOARD_COAP_LwM2M_PORTS}:5683-5688/udp'
+    volumes:
+      - './log/thingsboard:/var/log/thingsboard'
+      - './data/thingsboard:/data'
+      - './certs/${HOSTNAME}:/certs'
+    environment:
+      TB_SERVICE_ID: tb-ce-node
+      SPRING_DATASOURCE_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB}?sslmode=require
+      SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER}
+      SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD}
+      SSL_ENABLED: "true"
+      SSL_CREDENTIALS_TYPE: "PEM"
+      SSL_PEM_CERT: "/certs/fullchain-thingsboard.pem"
+      SSL_PEM_KEY: "/certs/privkey-thingsboard.pem"
+    logging:
+      driver: 'json-file'
+      options:
+        max-size: '100m'
+        max-file: '10'
+    depends_on:
+      - postgres
+    networks:
+      - platform-services
+
 networks:
   platform-services:
     name: dtaas-platform-services

deploy/services/config/init-thingsboard-user.sql

@@ -0,0 +1,42 @@
+-- 1) Create login role if it doesn't exist
+DO
+$$
+BEGIN
+   IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'dtaas_user') THEN
+      CREATE ROLE dtaas_user LOGIN PASSWORD 'dtaas_secret';
+   END IF;
+END
+$$;
+
+-- Ensure the database exists
+DO
+$$
+BEGIN
+   IF NOT EXISTS (SELECT FROM pg_database WHERE datname = 'thingsboard') THEN
+      CREATE DATABASE thingsboard OWNER postgres;
+   END IF;
+END
+$$;
+
+-- Allow the user to connect
+GRANT CONNECT ON DATABASE thingsboard TO dtaas_user;
+
+-- Switch into the database
+\c thingsboard
+
+-- Make dtaas_user the owner of the schema
+ALTER SCHEMA public OWNER TO dtaas_user;
+
+-- Grant broad access to schema
+GRANT ALL ON SCHEMA public TO dtaas_user;
+
+-- Existing objects (tables/sequences created later will inherit defaults)
+GRANT ALL PRIVILEGES ON ALL TABLES    IN SCHEMA public TO dtaas_user;
+GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO dtaas_user;
+
+-- Default privileges for newly created objects
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+  GRANT ALL ON TABLES TO dtaas_user;
+
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+  GRANT ALL ON SEQUENCES TO dtaas_user;

deploy/services/config/services.env.template

@@ -28,3 +28,24 @@ MONGODB_ADMIN_PASSWORD='XaphrDKDTaaS2025'
 GRAFANA_PORT=8088
 GRAFANA_ADMIN_USERNAME=dtaas
 GRAFANA_ADMIN_PASSWORD=dtaas
+
+# ThingsBoard settings
+THINGSBOARD_PORT=8089
+THINGSBOARD_EDGE_RPC_PORT=7070
+THINGSBOARD_MQTT_PORT=1883
+THINGSBOARD_MQTT_SSL_PORT=8883
+THINGSBOARD_COAP_LwM2M_PORTS=5683-5688
+# Initial credentials
+TB_SYSADMIN_EMAIL=sysadmin@thingsboard.org
+TB_SYSADMIN_DEFAULT_PASSWORD=sysadmin
+TB_SYSADMIN_NEW_PASSWORD=dtaas123
+
+TB_TENANT_TITLE=DTaaS
+TB_TENANT_ADMIN_EMAIL=dtaas-admin@example.org
+TB_TENANT_ADMIN_PASSWORD=dtaastest123
+
+# PostgreSQL settings
+POSTGRES_PORT=5432
+POSTGRES_DB=thingsboard
+POSTGRES_USER=dtaas_user
+POSTGRES_PASSWORD=dtaas_secret