cloud/README.md

# cloud

The single central hub. One deployment, internet-facing.

## What runs here

nginx-proxy, wireguard-server, keycloak, portainer, influxdb, grafana, node-red, mqtt, postfix, gitea, jenkins, sql.

See [`../docs/architecture.md`](../docs/architecture.md) for the full network topology and ingress table.

## Run

```bash
cp .env.example .env     # fill in real secrets first
docker compose up -d
docker compose ps
```

## Ingress (host port bindings)

| Port | Container |
|---|---|
| tcp/80, 443 | nginx-proxy |
| tcp/8883 | nginx-proxy (MQTT-TLS via stream block) |
| udp/51820 | wireguard-server |

Everything else stays on the internal `app` / `data` / `mgmt` networks.

## Adding a new stack

1. Create `stacks/<name>/` with `compose.yml`, `.env.example`, `README.md`.
2. Uncomment (or add) the `include:` entry in `compose.yml`.
3. Add the stack's env vars to `.env.example`.
4. `docker compose pull && docker compose up -d`.
scaffold: hub-and-spoke layout, 4-network topology, 13 stack stubs Initial structure for R&D infrastructure: - stacks/ — 13 reusable, runnable stack stubs (kebab-case) cloud-and-edge: node-red, influxdb, grafana, keycloak, portainer, nginx-proxy, mqtt, postfix cloud-only: wireguard-server, gitea, jenkins, sql (postgres stub) edge-only: wireguard-client - cloud/ — single central hub composition with 4 networks (edge, app, data internal, mgmt) and include: stubs - sites/ — per-plant edge folders (template README only for now) - docs/architecture.md — hub-and-spoke + ingress + segmentation rationale Network model: only nginx-proxy (80/443/8883) and wireguard-server (51820/udp) publish ports on the cloud host. Edge nginx publishes 80/443 on plant-LAN interface only. MQTT cloud-side via nginx stream proxy; MQTT edge-side internal-only; Postfix outbound-only. OT layer (OPCUA, PLCs) is out of scope for this repo. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-21 12:37:59 +02:00			`# cloud`

			`The single central hub. One deployment, internet-facing.`

			`## What runs here`

			`nginx-proxy, wireguard-server, keycloak, portainer, influxdb, grafana, node-red, mqtt, postfix, gitea, jenkins, sql.`

			See [`../docs/architecture.md`](../docs/architecture.md) for the full network topology and ingress table.

			`## Run`

			```bash
			`cp .env.example .env # fill in real secrets first`
			`docker compose up -d`
			`docker compose ps`
			```

			`## Ingress (host port bindings)`

			`\| Port \| Container \|`
			`\|---\|---\|`
			`\| tcp/80, 443 \| nginx-proxy \|`
			`\| tcp/8883 \| nginx-proxy (MQTT-TLS via stream block) \|`
			`\| udp/51820 \| wireguard-server \|`

			Everything else stays on the internal `app` / `data` / `mgmt` networks.

			`## Adding a new stack`

			1. Create `stacks/<name>/` with `compose.yml`, `.env.example`, `README.md`.
			2. Uncomment (or add) the `include:` entry in `compose.yml`.
			3. Add the stack's env vars to `.env.example`.
			4. `docker compose pull && docker compose up -d`.