sites/gemaal1/README.md

# gemaal1

Edge deployment for pumping station **Gemaal1** — first production site.

## Hardware (fill in when provisioned)

- Edge gateway model: ?
- Plant LAN subnet: ?.?.?.0/24
- WAN: ?
- OT VLAN (PLC + OPCUA): ?.?.?.0/24
- OPCUA endpoint: opc.tcp://?

## What runs here

nginx-proxy (plant-LAN-facing, certbot for TLS), wireguard-client (outbound tunnel to cloud), keycloak (local realm), portainer, influxdb (local DB), grafana (local SCADA), node-red, rabbitmq (general broker, internal only), postfix.

## Run

```bash
cp .env.example .env     # fill in real secrets + PLANT_LAN_IP
docker compose up -d
docker compose ps
```

## Ingress

| Port | Bound to |
|---|---|
| tcp/80, 443 | `${PLANT_LAN_IP}` only |

Remote ops reach the same nginx via the WireGuard tunnel from cloud (no extra port published).

## OT uplink

Node-RED + EVOLV nodes talk to the OPCUA server on the OT VLAN. The edge gateway must have a NIC on that VLAN. OPCUA + PLC are **managed outside this repo**.

See [`../../docs/architecture.md`](../../docs/architecture.md) for the full topology.
feat: SQL=postgres, nginx+certbot, MQTT split, ML stacks, gitea HTTPS-only, gemaal1 site Round-2 changes locking in scaffold-phase decisions and adding ML/notebook stacks. Locked decisions - sql: postgres 16-alpine (was TBD); init.d/ mount for per-app DB provisioning - nginx-proxy: stock nginx + certbot sidecar (was nginx:alpine TODO). Chose stock over nginxproxy/nginx-proxy because stream{} is required for MQTT-TLS reverse-proxy on tcp/8883 to rabbitmq:1883. - gitea: HTTPS-only (DISABLE_SSH=true). No SSH port published. MQTT split - Remove stacks/mqtt placeholder. - Add stacks/rabbitmq — general-purpose broker (AMQP + MQTT plugin), used at both cloud and edge. External MQTT clients reach cloud broker via nginx stream-proxy on 8883. - Add stacks/mosquitto — reserved for the FROST (SensorThings) stack only. Cloud-only. Internal to its own stack; no external ingress. ML / notebooks (cloud-only) - stacks/mlflow — experiment tracking + model registry. Postgres backend on sql stack; local volume for artifacts (S3/MinIO is a TODO). - stacks/jupyterhub — multi-user notebook server. DockerSpawner via mounted docker.sock; users spawn into cloud-app network so they can reach mlflow, influxdb (via grafana), rabbitmq. Sites - sites/gemaal1 — first edge deployment scaffold. Site-local override template for binding nginx to PLANT_LAN_IP. Docs - README + docs/architecture.md updated: stacks table now lists 15 stacks, ingress + attachment tables reflect mlflow/jupyterhub, TLS strategy section locked, MQTT-split section added, Gitea HTTPS-only noted. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-21 13:22:46 +02:00			`# gemaal1`

			`Edge deployment for pumping station Gemaal1 — first production site.`

			`## Hardware (fill in when provisioned)`

			`- Edge gateway model: ?`
			`- Plant LAN subnet: ?.?.?.0/24`
			`- WAN: ?`
			`- OT VLAN (PLC + OPCUA): ?.?.?.0/24`
			`- OPCUA endpoint: opc.tcp://?`

			`## What runs here`

			`nginx-proxy (plant-LAN-facing, certbot for TLS), wireguard-client (outbound tunnel to cloud), keycloak (local realm), portainer, influxdb (local DB), grafana (local SCADA), node-red, rabbitmq (general broker, internal only), postfix.`

			`## Run`

			```bash
			`cp .env.example .env # fill in real secrets + PLANT_LAN_IP`
			`docker compose up -d`
			`docker compose ps`
			```

			`## Ingress`

			`\| Port \| Bound to \|`
			`\|---\|---\|`
			\| tcp/80, 443 \| `${PLANT_LAN_IP}` only \|

			`Remote ops reach the same nginx via the WireGuard tunnel from cloud (no extra port published).`

			`## OT uplink`

			`Node-RED + EVOLV nodes talk to the OPCUA server on the OT VLAN. The edge gateway must have a NIC on that VLAN. OPCUA + PLC are managed outside this repo.`

			See [`../../docs/architecture.md`](../../docs/architecture.md) for the full topology.