feat(cloud): harden nginx-proxy + sql foundation; HTTP-01 interim cert plan
Wire up the three foundation stacks (nginx-proxy, sql, portainer) in
cloud/compose.yml and add real configs for the first two.
nginx-proxy
- Base nginx.conf with http + stream contexts, modern TLS profile,
client_max_body_size baseline for gitea LFS / mlflow artifacts.
- Vhosts under conf.d/: grafana, gitea, keycloak, nodered, mlflow,
jupyter, portainer (HTTPS upstream), rabbitmq, jenkins. WebSocket
upgrade headers where needed (grafana live, node-red editor,
jupyterhub kernels, jenkins agents).
- conf.d/00-default.conf serves /.well-known/acme-challenge/ on :80
and 301-redirects everything else.
- stream.d/mqtt.conf terminates MQTT-TLS at 8883, proxies to
rabbitmq:1883 internally.
- All vhosts reference /etc/letsencrypt/live/infra/* — a stable path
via certbot --cert-name infra, so the wildcard migration changes
nothing in the vhost files.
- README documents: HTTP-01 SAN interim during Versio period →
DNS-01 wildcard via certbot-dns-transip after migration; bootstrap
procedure (self-signed fallback → real cert issuance → reload).
sql
- config/init.d/01-databases.sh provisions gitea/keycloak/mlflow
databases + roles on first start. Idempotent only via fresh
data volume — change the script after first run requires
manual psql or a volume wipe.
- compose env extended with GITEA_DB_PASSWORD, KEYCLOAK_DB_PASSWORD,
MLFLOW_DB_PASSWORD.
cloud
- include: now wires nginx-proxy + sql + portainer. Other stacks
stay commented for future rounds.
- .env.example adds KEYCLOAK_DB_PASSWORD and sensible defaults
(LETSENCRYPT_EMAIL, GRAFANA_ROOT_URL, KEYCLOAK_HOSTNAME,
GITEA_ROOT_URL, POSTFIX_FROM_DOMAIN all pointing at wbd-rd.nl).
- Operator note inline: bring portainer's standalone instance down
before deploying via cloud compose; comment its ports: block.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 13:43:35 +02:00
|
|
|
server {
|
|
|
|
|
listen 443 ssl;
|
|
|
|
|
http2 on;
|
2026-05-21 13:54:57 +02:00
|
|
|
server_name flow.wbd-rd.nl;
|
feat(cloud): harden nginx-proxy + sql foundation; HTTP-01 interim cert plan
Wire up the three foundation stacks (nginx-proxy, sql, portainer) in
cloud/compose.yml and add real configs for the first two.
nginx-proxy
- Base nginx.conf with http + stream contexts, modern TLS profile,
client_max_body_size baseline for gitea LFS / mlflow artifacts.
- Vhosts under conf.d/: grafana, gitea, keycloak, nodered, mlflow,
jupyter, portainer (HTTPS upstream), rabbitmq, jenkins. WebSocket
upgrade headers where needed (grafana live, node-red editor,
jupyterhub kernels, jenkins agents).
- conf.d/00-default.conf serves /.well-known/acme-challenge/ on :80
and 301-redirects everything else.
- stream.d/mqtt.conf terminates MQTT-TLS at 8883, proxies to
rabbitmq:1883 internally.
- All vhosts reference /etc/letsencrypt/live/infra/* — a stable path
via certbot --cert-name infra, so the wildcard migration changes
nothing in the vhost files.
- README documents: HTTP-01 SAN interim during Versio period →
DNS-01 wildcard via certbot-dns-transip after migration; bootstrap
procedure (self-signed fallback → real cert issuance → reload).
sql
- config/init.d/01-databases.sh provisions gitea/keycloak/mlflow
databases + roles on first start. Idempotent only via fresh
data volume — change the script after first run requires
manual psql or a volume wipe.
- compose env extended with GITEA_DB_PASSWORD, KEYCLOAK_DB_PASSWORD,
MLFLOW_DB_PASSWORD.
cloud
- include: now wires nginx-proxy + sql + portainer. Other stacks
stay commented for future rounds.
- .env.example adds KEYCLOAK_DB_PASSWORD and sensible defaults
(LETSENCRYPT_EMAIL, GRAFANA_ROOT_URL, KEYCLOAK_HOSTNAME,
GITEA_ROOT_URL, POSTFIX_FROM_DOMAIN all pointing at wbd-rd.nl).
- Operator note inline: bring portainer's standalone instance down
before deploying via cloud compose; comment its ports: block.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 13:43:35 +02:00
|
|
|
|
|
|
|
|
ssl_certificate /etc/letsencrypt/live/infra/fullchain.pem;
|
|
|
|
|
ssl_certificate_key /etc/letsencrypt/live/infra/privkey.pem;
|
|
|
|
|
|
|
|
|
|
location / {
|
|
|
|
|
proxy_pass http://node-red:1880;
|
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
|
|
|
|
|
|
# Node-RED editor + deploy API use WebSockets
|
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
|
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
|
|
|
|
|
|
proxy_read_timeout 1h;
|
|
|
|
|
}
|
|
|
|
|
}
|