stacks/nginx-proxy/config/stream.d/mqtt.conf

# MQTT-TLS reverse proxy.
# Public:   mqtt.wbd-rd.nl:8883 (TLS, terminated here)
# Upstream: rabbitmq:1883 (plaintext on internal `app` network)

server {
    listen 8883 ssl;

    ssl_certificate     /etc/letsencrypt/live/infra/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/infra/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    proxy_pass rabbitmq:1883;
    proxy_timeout 10m;
    proxy_connect_timeout 5s;
}
feat(cloud): harden nginx-proxy + sql foundation; HTTP-01 interim cert plan Wire up the three foundation stacks (nginx-proxy, sql, portainer) in cloud/compose.yml and add real configs for the first two. nginx-proxy - Base nginx.conf with http + stream contexts, modern TLS profile, client_max_body_size baseline for gitea LFS / mlflow artifacts. - Vhosts under conf.d/: grafana, gitea, keycloak, nodered, mlflow, jupyter, portainer (HTTPS upstream), rabbitmq, jenkins. WebSocket upgrade headers where needed (grafana live, node-red editor, jupyterhub kernels, jenkins agents). - conf.d/00-default.conf serves /.well-known/acme-challenge/ on :80 and 301-redirects everything else. - stream.d/mqtt.conf terminates MQTT-TLS at 8883, proxies to rabbitmq:1883 internally. - All vhosts reference /etc/letsencrypt/live/infra/* — a stable path via certbot --cert-name infra, so the wildcard migration changes nothing in the vhost files. - README documents: HTTP-01 SAN interim during Versio period → DNS-01 wildcard via certbot-dns-transip after migration; bootstrap procedure (self-signed fallback → real cert issuance → reload). sql - config/init.d/01-databases.sh provisions gitea/keycloak/mlflow databases + roles on first start. Idempotent only via fresh data volume — change the script after first run requires manual psql or a volume wipe. - compose env extended with GITEA_DB_PASSWORD, KEYCLOAK_DB_PASSWORD, MLFLOW_DB_PASSWORD. cloud - include: now wires nginx-proxy + sql + portainer. Other stacks stay commented for future rounds. - .env.example adds KEYCLOAK_DB_PASSWORD and sensible defaults (LETSENCRYPT_EMAIL, GRAFANA_ROOT_URL, KEYCLOAK_HOSTNAME, GITEA_ROOT_URL, POSTFIX_FROM_DOMAIN all pointing at wbd-rd.nl). - Operator note inline: bring portainer's standalone instance down before deploying via cloud compose; comment its ports: block. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-21 13:43:35 +02:00			`# MQTT-TLS reverse proxy.`
			`# Public: mqtt.wbd-rd.nl:8883 (TLS, terminated here)`
			# Upstream: rabbitmq:1883 (plaintext on internal `app` network)

			`server {`
			`listen 8883 ssl;`

			`ssl_certificate /etc/letsencrypt/live/infra/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/infra/privkey.pem;`
			`ssl_protocols TLSv1.2 TLSv1.3;`
			`ssl_ciphers HIGH:!aNULL:!MD5;`

			`proxy_pass rabbitmq:1883;`
			`proxy_timeout 10m;`
			`proxy_connect_timeout 5s;`
			`}`