AirStack Edge Configuration¶
The following configuration guide assumes that AirStack Edge has been installed on your system. If that is not the case, follow the instrucitons in the Installation Section.
Interactive Setup (Recommended)¶
The simplest way to configure your installation is to use the interactive setup command line interface (CLI) tool. This tool will walk through the default configuration options for your Edge instance. During this process, the user will:
- Activate their license
- Optionally enable TLS encryption
- Optionally install NVIDIA Triton Inference Server
- Creating an access token
Note: To succesfully run this configuration setup you will need your license key.
To start the interactive setup CLI tool, use the following command:
airstack-edge-setup init
The final step in the interactive setup is the generation of a secure access bearer token. This token must be saved as it will not be accessible again. If the token is lost, a new one must be generated by following the instructions in the Manual Setup section below.
The interactive setup tool contains the most likely user configuration options. If you would like more control over your configuration see the Manual Setup section below.
Manual Setup¶
To perform a manual setup of AirStack Edge, you will utilize the airstack-edge-setup CLI tool to sequentially configure the core components of your environment. While the init command offers an automated walkthrough for standard installations, manually executing the license, keys, and inference subcommands provides granular control over configuration paths and security parameters for custom edge deployments. Some of these steps may require administrative priviledges to your device.
Activating The License¶
This software allows for two scenarios for license activation:
Online Activation¶
The simplest scenario is connecting your device to the internet for one time setup activation. The setup service will make the activation request to the licensing server and check out an offline verification file. Once you have completed the activation step your device does not need to be re-connected to the internet until your license expires. To generate an online activation request run the command below:
airstack-edge-setup license activate <YOUR_LICENSE_KEY>
Offline Activation¶
If you are unable to connect your device to the internet please submit a support request in the Deepwave Portal for offline activation.
Enabling TLS Encryption¶
AirStack Edge may be configured to require secure communication between itself and any client. For operation, it is best to use a certificate authority to generate trusted certificates. TLS encryption may be enabled or disabled using the interactive setup CLI or by editing the /etc/airstack-edge/server.toml directly. When TLS encryption is enabled, signed certificates will be required to access the API or UI.
Note: disabling TLS Encryption is insecure and not recommended for production.
Create Self-Signed Certificates¶
For production Edge instances it is recommended to use an official Certificate Authority to generate trusted certificates; however, users may generate self-signed TLS certificates with the setup CLI for development. Self-signed certificates must be trusted by any client making API requests or browsers will flag requests as insecure. For more information on how to trust self-signed certs in a browser see here. To generate the defaults self-signed certificates run:
airstack-edge-setup certs init
Re-run the command with --force if you need to overwrite an existing certificate.
Using Certificates From an Authority¶
To use certificates from a public certificate authority instead of the self-signed certificates run:
sudo airstack-edge-setup certs set <CERTIFICATE_PATH> <PRIVATE_KEY_PATH>
Installing the Inference Server¶
AirStack Edge can optionally be configured to use an inference server for running applications on signal data. The inference server runs in a separate docker container and communicates with Edge over GRPC. This setup does not require an internet connection but will take some time to unpack the container. To initialize the server run:
sudo airstack-edge-setup inference init <PATH TO AIRSTACK EDGE INSTALLATION DIRECTORY>
For further information on setting up and configuring models to run in this container, see the inference section in application notes.
Create Access Tokens:¶
Edge uses bearer tokens to authenticate requests. A bearer token is a security credential that grants access to anyone in possession of it, acting much like a physical key where the "bearer" is assumed to be authorized.
Tokens are created and authenticated completely on the device running AirStack Edge. To keep them secure, they must be transmitted exclusively over encrypted connections (HTTPS) and stored safely in protected environments.
Creating a Bearer Token¶
To create a token use the command:
airstack-edge-setup keys new <YOUR_TOKEN_NAME>
This will by default generate a token that is valid for 1 year from the creation date, though you can optionally set your own duration at the time of generation.
List Bearer Tokens¶
To view the list of all keys currently available and their creation dates use the following command:
airstack-edge-setup keys list
Revoking a Bearer Token¶
Bearer tokens can also be revoked using the airstack-edge-setup utility with the following command:
airstack-edge-setup keys delete <YOUR_TOKEN_NAME>
Security Best Practices for Bearer Tokens¶
- Use Short Lifespans: Implement frequent token rotation to minimize the damage if a token is compromised.
- Never Log Tokens: Ensure your application does not log sensitive headers to prevent credentials from sitting in plaintext on a server.
Advanced Configuration¶
The server.toml file found in /etc/airstack-edge defines all runtime configuration for the AirStack Edge server, including network settings, performance tuning, security, and application-specific options. Any changes to this file will cause your Edge instance to automatically restart.
The [actix] section controls the underlying Actix Web server, including which host/port bindings, whether compression and logging are enabled, and various limits such as maximum connections, backlog size, worker thread count, and request timeouts. These settings allow the server to be tuned for development or high-load production environments.
The [application] section contains configuration values specific to Airstack Edge, including important runtime paths like the model directory. This section also includes CORS settings like allowed_origins. For more information on CORS settings see the application note here.
Finally, the [application.tls] section controls TLS/HTTPS support. You can enable or disable TLS and specify the certificate and private key paths used by the server. When TLS is enabled, all inbound connections are secured using your provided certificate.
Note: For production use of AirStack Edge the mode setting in the configuration file should be set to production.