Complete ISP Operations & Management Platform: a per-tenant infrastructure framework for Internet Service Providers (ISPs), Fiber-to-the-Home (FTTH) networks, and Wireless ISP (WISP) operations. Each ISP receives its own isolated stack (API, frontend, data-plane services, RADIUS) while DotMac supplies the shared control plane, automation tooling, and observability needed to run fleets of tenants efficiently, whether DotMac hosts the stack or the ISP deploys it on their own hardware.
A full-stack ISP management platform that combines Business Support Systems (BSS) and Operations Support Systems (OSS) to streamline ISP operations from subscriber management to network infrastructure monitoring.
Built for ISPs, WISPs, and fiber network operators who need:
- Per-tenant ISP stacks with shared automation (framework, not a single shared SaaS)
- FTTH Management - GPON/XGS-PON OLT/ONU provisioning
- Wireless Management - Point-to-point and point-to-multipoint networks
- AAA Services - Multi-tenant RADIUS for subscriber authentication
- Network Inventory - Integrated IPAM/DCIM for IP and device management
- Device Management - TR-069 ACS for CPE configuration
- Secure Connectivity - Per-tenant VPN for OLT-to-cloud connections
- Monitoring - Unified SNMP, metrics, and dashboard tooling
DotMac separates responsibilities:
- Control plane (shared): platform-admin portal, licensing, AWX/Terraform automation, observability, and artifact registry run once.
- Data plane (per tenant): each ISP gets its own FastAPI backend, Next.js frontend, PostgreSQL schema or database, Redis slice, FreeRADIUS instance, Celery workers, ingress, and SSL/DNS configuration. Deployments can target DotMac-managed clusters or customer-hosted infrastructure using the same playbooks.
This repository focuses on the application code and the automation templates that stamp out tenant environments. Local development and CI use Docker Compose bundles to model a single tenant stack end-to-end.
Infrastructure for development/testing runs through two Compose files. Each file contains the backend API and its paired frontend for a single tenant environment. Databases, caches, storage, and observability tooling should be provided externally (managed cloud services or per-tenant deployments). Use the Makefile wrappers (or call Compose directly) to launch what you need when building or validating a tenant bundle:
```bash
# Platform API + admin frontend
make start-platform
# ISP API + operations frontend
make start-isp
# Both stacks at once
make start-all
```
Under the hood the targets execute (per tenant/dev environment):
```bash
docker compose -f docker-compose.base.yml up -d platform-backend platform-frontend
docker compose -f docker-compose.isp.yml up -d isp-backend isp-frontend
```
The helper script `./scripts/infra.sh` powers these targets and supports `start`, `status`, `logs`, `restart`, and `clean` actions for `platform`, `isp`, or `all`.
✅ Billing & Revenue Management
- Subscription management with multiple plans
- Usage-based billing and quotas
- Invoice generation and payment processing
- Multi-currency support
- Tax calculation and credit notes
✅ Customer Relationship Management (CRM)
- Complete customer lifecycle management
- Contact management and user profiles
- Partner management with commissions
- Tenant management and isolation
✅ Communications
- Email service with templates
- SMS notifications (carrier gateway)
- Webhook management
- Event-driven architecture
Network Authentication (AAA)
- RADIUS AAA service - Authentication and accounting
- Multi-tenant RADIUS with bandwidth profiles
- Session tracking and usage monitoring
- NAS (Network Access Server) management
Network Inventory & Management
- IPAM/DCIM platform - IP address management and infrastructure modeling
- IP pool management and allocation
- Device inventory and rack management
- Cable management and connections
FTTH Management
- OLT controller - Virtual hardware abstraction (planned)
- TR-069 ACS - CPE management
- OLT/ONU provisioning and management
- Fiber infrastructure tracking
Network Connectivity
- VPN gateway - Secure OLT-to-cloud connections
- Per-tenant VPN isolation
- Automated VPN provisioning
Monitoring & Observability
- SNMP monitoring stack - Network device telemetry
- Prometheus - Metrics collection
- Grafana - Visualization dashboards
- Jaeger - Distributed tracing
Automation
- Automation controller - Network automation (planned)
- Service lifecycle automation
- Zero-touch provisioning
The platform continues to expect the supporting infrastructure listed below, but the simplified Compose files no longer provision them automatically. Run these services via your preferred tooling (managed databases, Kubernetes, separate Compose bundles, etc.) and point the application environment variables at those endpoints.
| Service | Purpose | Port | Provisioning |
|---|---|---|---|
| PostgreSQL | Main database | 5432 | External (required) |
| Redis | Cache & sessions | 6379 | External (required) |
| MinIO / Object storage | File & asset storage | 9000/9001 | External (optional) |
| OpenBao / Vault | Secrets management | 8200 | External (optional) |
| MongoDB | ACS database | 27017 | External (if ACS enabled) |
| TimescaleDB | Time-series metrics | 5433 | External (if metrics required) |
| Service | Purpose | Port | Provisioning |
|---|---|---|---|
| RADIUS AAA service | Authentication | 1812/1813 (UDP) | External (recommended) |
| IPAM/DCIM platform | Network inventory | 8080 | External (recommended) |
| TR-069 ACS | CPE management | 7547, 7557, 7567 | External (recommended) |
| VPN gateway | Encrypted transport | 51820 (UDP) | External (optional) |
| SNMP monitoring stack | Network monitoring | 8000 | External (optional) |
| Service | Purpose | Port | Provisioning |
|---|---|---|---|
| Prometheus | Metrics collection | 9090 | External (optional) |
| Grafana | Dashboards | 3400 | External (optional) |
| Jaeger | Distributed tracing | 16686 | External (optional) |
Need to provision a production host? Follow the Remote Server Deployment Guide for an end-to-end walkthrough covering prerequisites, Docker deployment, Nginx, backups, and hardening.
If containers are unhealthy, follow the condensed runbook (full details in docs/STACK_HEALTH_RUNBOOK.md):
- Bring up infra + OpenBao with `docker compose -f docker-compose.infra.yml up -d` (OpenBao healthcheck now uses `bao status`).
- Seed Vault/OpenBao dev secrets (minimum: `secret/app/secret_key`, `secret/auth/jwt_secret`, `secret/database/password`, Redis/MinIO creds, Alertmanager webhook, Paystack `sk_test_`/`pk_test_`).
- Ensure worker env includes `VAULT__URL`, `VAULT__TOKEN`, and `SECRET_KEY` (already in `docker-compose.prod.yml`).
- Prune stray `dotmac/platform-api:latest` migration containers: `docker rm -f $(docker ps -aq --filter ancestor=dotmac/platform-api:latest)`
- Restart backend + worker and verify:
```bash
docker compose -f docker-compose.base.yml up -d platform-backend platform-worker
docker ps --format 'table {{.Names}}\t{{.Status}}'
curl -f http://localhost:8000/health
```
- Docker Desktop 20.10+ with Compose v2
- Python 3.12+ and Poetry
- Node.js 18+ and pnpm 9+
- At least 8GB RAM and 50GB disk space free
```bash
git clone https://github.com/your-org/dotmac-isp-ops.git
cd dotmac-isp-ops
```
```bash
cp .env.example .env
# Update secrets as needed (development defaults work out of the box)
```
Provision PostgreSQL, Redis, object storage, and Vault (if used) outside of Docker Compose. Update `.env` with the connection strings so the application containers can reach those services.
```bash
make start-platform   # platform backend + admin frontend
make status-platform  # verify health
```
```bash
make start-isp   # ISP backend + operations frontend
make status-isp
```
```bash
poetry install --with dev        # only needed for tooling/scripts
poetry run alembic upgrade head  # apply migrations inside local database
# Start the FastAPI app in Docker (press Ctrl+C to stop)
make dev
# or run in detached mode
docker compose -f docker-compose.base.yml up -d platform-backend
```
FastAPI docs: http://localhost:8000/docs

ℹ️ Need to debug on the host? Use `make dev-host`, but remember to disable observability or point `OBSERVABILITY__ALERTMANAGER_BASE_URL` / `PROMETHEUS_BASE_URL` / `GRAFANA_BASE_URL` at `http://localhost:…` so the health checks succeed.
```bash
cd frontend
pnpm install
# ISP tenant experience
pnpm dev:isp    # http://localhost:3001
# Platform super-admin console
pnpm dev:admin  # http://localhost:3002
```
Press Ctrl+C in the `make dev` terminal to stop the API container, and use `make stop-platform` / `make stop-isp` when you are done.
Use the new centralized settings to rebrand the platform without touching code:
```bash
# backend/.env
BRAND__PRODUCT_NAME="FiberCloud Control"
BRAND__COMPANY_NAME="FiberCloud Networks"
BRAND__SUPPORT_EMAIL="support@fibercloud.example"
BRAND__NOTIFICATION_DOMAIN="alerts.fibercloud.example"
URLS__ACTIVATION_DOMAIN_TEMPLATE="https://{slug}.fibercloud.example"
URLS__BILLING_PORTAL_BASE_URL="https://billing.fibercloud.example"
URLS__EXIT_SURVEY_BASE_URL="https://feedback.fibercloud.example/exit"
# frontend/apps/*/.env.local
NEXT_PUBLIC_PRODUCT_NAME="FiberCloud Control"
NEXT_PUBLIC_SUPPORT_EMAIL="support@fibercloud.example"
NEXT_PUBLIC_DOCS_URL="https://docs.fibercloud.example"
NEXT_PUBLIC_SUPPORT_PORTAL_URL="https://support.fibercloud.example"
NEXT_PUBLIC_TERMS_URL="https://fibercloud.example/terms"
NEXT_PUBLIC_PRIVACY_URL="https://fibercloud.example/privacy"
```
All backend emails, provisioning flows, and frontend headers automatically pick up these values. See `docs/ENVIRONMENT_VARIABLES.md` for the complete matrix of `BRAND__*`, `URLS__*`, and `NEXT_PUBLIC_*` options. After onboarding, each ISP can fine-tune its own branding directly inside the ISP Operations UI under Settings → Branding, with no platform-admin changes needed.
Once deployed, access these services:
- Platform Backend API: http://localhost:8000/docs (FastAPI Swagger)
- ISP Backend API: http://localhost:8001/docs (FastAPI Swagger, when ISP stack is running)
- ISP Operations App: http://localhost:3001/dashboard - tenant-facing operations (subscribers, devices, billing, automation)
- Platform Admin App: http://localhost:3002/dashboard/platform-admin - super-admin controls (feature flags, plugins, licensing, jobs)
- IPAM/DCIM portal: http://localhost:8080 (admin / admin)
- TR-069 ACS: http://localhost:7567 (device management)
- SNMP monitoring console: http://localhost:8000 (admin / admin)
- Grafana: http://localhost:3400 (admin / admin)
- Prometheus: http://localhost:9090
- Jaeger: http://localhost:16686
- MinIO Console: http://localhost:9001 (minioadmin / change-me)
- OpenBao: http://localhost:8200
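A preflight check for the two points above: the runbook's requirement that the worker environment carries `VAULT__URL`, `VAULT__TOKEN`, and `SECRET_KEY`, and the development credentials this README lists for local services. This is an added example, not part of the DotMac code base; the function names and the `EXAMPLE_*` variables in the sample are assumptions made for illustration.

```python
"""Preflight audit of a tenant .env (added example, not DotMac code)."""
from urllib.parse import urlsplit

# Development defaults that the README lists for local services.
DEV_DEFAULTS = {"admin", "minioadmin", "change-me", "dotmac_test"}
# Variables the runbook says the worker environment must include.
REQUIRED = ("VAULT__URL", "VAULT__TOKEN", "SECRET_KEY")


def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments, strip quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def audit_env(text):
    """Return sorted findings as (variable, problem) tuples."""
    env = parse_env(text)
    findings = [(k, "missing or empty") for k in REQUIRED if not env.get(k)]
    for key, value in env.items():
        if value in DEV_DEFAULTS:
            findings.append((key, "development default value"))
        elif "://" in value and urlsplit(value).password in DEV_DEFAULTS:
            # Connection strings can carry a default password in userinfo.
            findings.append((key, "development default password in URL"))
    return sorted(findings)


# Constructed sample input; the EXAMPLE_* names are hypothetical.
SAMPLE_ENV = """\
# backend/.env (constructed)
SECRET_KEY="s3-long-random-value"
VAULT__URL=http://localhost:8200
DOTMAC_DATABASE_URL=postgresql://dotmac_test:dotmac_test@localhost:6543/dotmac_test
EXAMPLE_MINIO_PASSWORD='change-me'
EXAMPLE_GRAFANA_PASSWORD=admin
"""

if __name__ == "__main__":
    for variable, problem in audit_env(SAMPLE_ENV):
        print(f"{variable}: {problem}")
```

Running it against a tenant's real `.env` before handing the bundle to deployment automation surfaces leftover local credentials without printing any secret values.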
Start with these active resources:
- docs/INDEX.md - curated map of production-ready documentation
- INFRASTRUCTURE.md & README-INFRASTRUCTURE.md - platform/ISP deployment workflows
- docs/ENVIRONMENT_VARIABLES.md - backend/frontend configuration matrix
- docs/DATABASE_SCHEMA.md - canonical entity model overview
- docs/API_SPECIFICATIONS.md - REST and integration surface area
- docs/FIBER_INFRASTRUCTURE_IMPLEMENTATION_OVERVIEW.md - fiber data model and workflows
- Frontend architecture: see frontend/PRODUCTION_GUIDE.md for the current production layout and deployment plan
- Backend architecture: see BACKEND_PRODUCTION_GUIDE.md for service topology, configuration, and deployment
- Python 3.12+ with FastAPI
- SQLAlchemy 2.0 ORM
- PostgreSQL 14+ database
- Redis 7+ for caching
- Celery for background tasks
- Pydantic v2 for validation
- Next.js 14 with React 18
- TypeScript for type safety
- TanStack Query for data fetching
- Tailwind CSS for styling
- Leaflet for maps
- ReactFlow for topology diagrams
- `@dotmac/isp-ops-app` (port 3001) delivers tenant-facing dashboards for subscribers, network assets, automation, and operations.
- `@dotmac/platform-admin-app` (port 3002) provides platform-level controls (feature flags, plugins, licensing, jobs) while retaining visibility into ISP views.
Each app shares the same domain-focused portals (operations, billing, diagnostics, partners, customer management) via the frontend/shared workspace packages. Refer to docs/architecture/PORTAL_ARCHITECTURE.md and the multi-app guides above for navigation details.
- Docker & Docker Compose
- Kubernetes (production)
- Prometheus & Grafana (monitoring)
- OpenTelemetry (observability)
- RADIUS AAA service - Authentication and accounting
- IPAM/DCIM platform - Inventory and addressing
- TR-069 ACS - Device configuration
- VPN gateway - Secure transport
- SNMP monitoring stack - Network telemetry
- OLT controller - Fiber access management (planned)
- Automation controller - Workflow engine (planned)
- Row-level security (RLS) in PostgreSQL
- Tenant isolation across all services
- Per-tenant licensing based on subscriber count
- Automated tenant suspension when limits exceeded
- Subscriber activation → RADIUS credentials
- IP allocation from pools → IPAM/DCIM
- ONU provisioning → OLT controller + ACS
- CPE configuration → TR-069 ACS
- Billing activation → Usage tracking
- Monitoring setup → SNMP monitoring stack
- IPAM - IP address planning and allocation
- Device inventory - Track all network devices
- Topology mapping - Visual network diagrams
- Configuration management - Backup and restore
- Performance monitoring - Real-time metrics
- OLT management - Multiple vendors (Huawei, ZTE, Nokia)
- ONU discovery - Automatic device discovery
- Splitter management - Fiber splitter tracking
- Fiber cable management - Complete fiber infrastructure
- Signal quality monitoring - RX power, distance
- Tower management - Location and coverage
- Sector management - Antenna configuration
- Subscriber CPE - Radio management
- RF planning - Coverage prediction
- Link quality monitoring - Signal strength, latency
- Multi-tenant isolation with RLS
- JWT authentication (RS256/HS256)
- RBAC with granular permissions
- MFA support (TOTP, SMS, Email)
- API key management for service-to-service
- Secrets in Vault (never in code)
- Encryption at rest (PostgreSQL TDE, MinIO SSE)
- Encryption in transit (TLS 1.3, per-tenant VPN overlay)
- Audit logging (7-year retention)
- GDPR-ready (data retention, right-to-delete)
- Concurrent subscribers: 10,000+
- API response time (p95): < 200ms
- RADIUS auth time: < 100ms
- Service activation time: < 5 minutes
- Platform uptime: > 99.9%
- BSS modules: 95% complete ✅
- OSS modules: 85% complete ✅ (AAA, IPAM/DCIM, ACS, OLT controller, wireless, monitoring stack integrated)
- Service Lifecycle: 90% complete ✅ (Orchestration with Saga pattern)
- Infrastructure: Docker-based deployment ready ✅
- Test coverage: 92.24% for critical services ✅ (115 comprehensive tests across 5 core modules)
  - Orchestration: 95.56% ✅
  - Workflows: 87.94% ✅
  - RADIUS: 86.45% ✅
  - Analytics: 100.00% ✅
  - Audit: 91.23% ✅
- API Routers: 88 routers registered ✅
- Frontend: Production-ready (98/100 score) ✅
- ✅ RADIUS authentication & session management
- ✅ IPAM/DCIM integration
- ✅ TR-069 ACS CPE management
- ✅ Service lifecycle automation (provision, activate, suspend, deprovision)
- ✅ SNMP monitoring integration
- ✅ Per-tenant VPN management
- ✅ Admin portal (13 pages, all functional)
- ✅ Orchestration service with Saga pattern
- ✅ ISP-specific customer fields (26 fields)
- ✅ Dunning & collections system
- ✅ OLT controller integration (OLT/ONU management)
- ✅ ONU discovery and provisioning workflows
- ✅ PON statistics and alarm management
- ✅ Device management API endpoints
- ✅ Fiber infrastructure tracking models
- ✅ Wireless device management (AP, Radio, CPE, Tower)
- ✅ Coverage zone mapping
- ✅ Signal quality monitoring
- ✅ Frequency and protocol management
- ✅ Wireless infrastructure API
- ✅ Automation controller integration (router implemented)
- ✅ Advanced analytics (metrics, billing, customer KPIs)
- ✅ Fault management (alarms, SLA monitoring)
- ✅ Diagnostics tools (ping, traceroute, bandwidth tests)
- ✅ Deployment orchestration
- ✅ Job scheduler with chains
- ✅ Service Layer Testing Initiative - 92.24% average coverage across 5 critical services
- ⏳ Mobile apps (planned)
- ⏳ Enhanced customer self-service portal (basic ticketing complete)
- ⏳ Financial services testing (Invoice, Payment, Pricing services)
- ⏳ Security layer testing (RBAC, MFA, Email services)
- ⏳ Platform configuration testing (Settings, Catalog, Dunning services)
- ⏳ End-to-end workflow integration tests
- ⏳ Performance testing and optimization
The customer-management integration tests rely on database constraints that are only available when a real PostgreSQL instance is present. A helper compose file and script are provided:
```bash
# start a throwaway Postgres, run migrations, execute tests, and clean up
chmod +x scripts/run_customer_tests.sh
./scripts/run_customer_tests.sh
# pass additional pytest flags (examples)
./scripts/run_customer_tests.sh -k lifecycle -vv
```
If you already have a PostgreSQL instance running with the required schema, skip the Compose orchestration and migration steps:
```bash
export DOTMAC_DATABASE_URL=postgresql://dotmac_test:dotmac_test@localhost:6543/dotmac_test
export DOTMAC_DATABASE_URL_ASYNC=postgresql+asyncpg://dotmac_test:dotmac_test@localhost:6543/dotmac_test
SKIP_MIGRATIONS=1 ./scripts/run_customer_tests.sh
```
The script exports `DOTMAC_DATABASE_URL` / `DOTMAC_DATABASE_URL_ASYNC`, applies the latest Alembic migration, and runs `poetry run pytest tests/customer_management`. If you want to keep a test database running between invocations, launch PostgreSQL separately (for example with `docker run`):
```bash
docker run --name dotmac-test-db -e POSTGRES_USER=dotmac_test -e POSTGRES_PASSWORD=dotmac_test \
  -e POSTGRES_DB=dotmac_test -p 6543:5432 -d postgres:15
export DOTMAC_DATABASE_URL=postgresql://dotmac_test:dotmac_test@localhost:6543/dotmac_test
export DOTMAC_DATABASE_URL_ASYNC=postgresql+asyncpg://dotmac_test:dotmac_test@localhost:6543/dotmac_test
poetry run alembic upgrade head
poetry run pytest tests/customer_management
```
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
[Your License Here]
- Documentation: See `docs/` folder
- Quick Start: QUICK_START.md
- Environment Setup: `docs/ENVIRONMENT_SETUP.md`
- Issues: GitHub Issues
- Discussions: GitHub Discussions
Built on top of:
- DotMac Platform Services - Core BSS framework
- IPAM/DCIM platform - Network inventory
- RADIUS AAA service - Authentication
- TR-069 ACS - Device management
- SNMP monitoring stack - Network monitoring
Ready to manage your ISP operations? Let's go!
For detailed setup instructions, see QUICK_START.md and docs/ENVIRONMENT_SETUP.md.