feat: SQL=postgres, nginx+certbot, MQTT split, ML stacks, gitea HTTPS-only, gemaal1 site

Round-2 changes locking in scaffold-phase decisions and adding ML/notebook stacks.

Locked decisions
- sql: postgres 16-alpine (was TBD); init.d/ mount for per-app DB provisioning
- nginx-proxy: stock nginx + certbot sidecar (was nginx:alpine TODO).
  Chose stock over nginxproxy/nginx-proxy because stream{} is required for
  MQTT-TLS reverse-proxy on tcp/8883 to rabbitmq:1883.
- gitea: HTTPS-only (DISABLE_SSH=true). No SSH port published.

MQTT split
- Remove stacks/mqtt placeholder.
- Add stacks/rabbitmq — general-purpose broker (AMQP + MQTT plugin),
  used at both cloud and edge. External MQTT clients reach cloud broker
  via nginx stream-proxy on 8883.
- Add stacks/mosquitto — reserved for the FROST (SensorThings) stack
  only. Cloud-only. Internal to its own stack; no external ingress.

ML / notebooks (cloud-only)
- stacks/mlflow — experiment tracking + model registry. Postgres backend
  on sql stack; local volume for artifacts (S3/MinIO is a TODO).
- stacks/jupyterhub — multi-user notebook server. DockerSpawner via
  mounted docker.sock; users spawn into cloud-app network so they can
  reach mlflow, influxdb (via grafana), rabbitmq.

Sites
- sites/gemaal1 — first edge deployment scaffold. Site-local override
  template for binding nginx to PLANT_LAN_IP.

Docs
- README + docs/architecture.md updated: stacks table now lists 15 stacks,
  ingress + attachment tables reflect mlflow/jupyterhub, TLS strategy
  section locked, MQTT-split section added, Gitea HTTPS-only noted.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

stacks/nginx-proxy/.env.example

@@ -1,2 +1,4 @@
-# nginx-proxy — config-file-driven, no env vars in stub
-# Domain + cert settings will land here once SSL strategy is chosen
+LETSENCRYPT_EMAIL=
+# Production CA: https://acme-v02.api.letsencrypt.org/directory
+# Staging CA (testing): https://acme-staging-v02.api.letsencrypt.org/directory
+ACME_CA_URI=https://acme-v02.api.letsencrypt.org/directory

stacks/nginx-proxy/README.md

@@ -1,12 +1,47 @@
 # nginx-proxy
 
-The single web ingress. Reverse-proxies HTTPS UIs and stream-proxies MQTT-TLS.
+The single web ingress for cloud + edge. Reverse-proxies HTTPS UIs and stream-proxies MQTT-TLS to RabbitMQ. TLS certificates managed by a certbot sidecar (Let's Encrypt, HTTP-01 webroot challenge).
 
+- **Image**: stock `nginx:1.27-alpine` (we don't use `nginxproxy/nginx-proxy` because we need the `stream {}` context for MQTT-TLS, which that image doesn't expose cleanly)
+- **Sidecar**: `certbot/certbot:latest` — renews every 12h, shared `nginx-certs` + `nginx-acme-challenge` volumes
 - **Networks**: `edge` (the only port-publisher) + `app` (talks to upstream services)
 - **Host ports**: `tcp/80`, `tcp/443`, `tcp/8883`
-- **Config**:
-  - `config/nginx.conf` — base
-  - `config/conf.d/*.conf` — HTTP vhosts (one per upstream UI)
-  - `config/stream.d/mqtt.conf` — MQTT-TLS stream block, SNI route to mqtt broker
-  - `config/certs/` — TLS certs (volume-mounted from cert manager)
-- **TODO**: pick SSL strategy (acme-companion sidecar vs certbot vs internal PKI), write vhost templates per upstream
+
+## Config layout
+
+```
+config/
+├── nginx.conf            # base config — must include `stream {}` directive
+├── conf.d/               # HTTP vhosts (one per upstream UI)
+│   ├── grafana.conf
+│   ├── node-red.conf
+│   ├── gitea.conf
+│   └── ...
+└── stream.d/
+    └── mqtt.conf         # MQTT-TLS stream block, SNI route to rabbitmq:1883
+```
+
+Volumes:
+- `nginx-certs` — Let's Encrypt cert chains (`/etc/letsencrypt`), read-only mounted into nginx, writable from certbot
+- `nginx-acme-challenge` — webroot for HTTP-01 challenges (`/var/www/certbot`)
+
+## Initial cert issuance
+
+1. Start with HTTP-only nginx config (serving `/.well-known/acme-challenge/`).
+2. Issue:
+   ```bash
+   docker compose run --rm certbot certonly \
+     --webroot -w /var/www/certbot \
+     --email "$LETSENCRYPT_EMAIL" --agree-tos --no-eff-email \
+     -d gitea.example.com -d grafana.example.com -d nodered.example.com
+   ```
+3. Drop HTTPS vhost configs into `config/conf.d/` and reload nginx.
+
+The sidecar then renews automatically.
+
+## TODO
+
+- Write base `config/nginx.conf` (`http` + `stream` contexts)
+- Per-upstream vhost templates with OIDC `auth_request` to Keycloak
+- Decide internal PKI vs Let's Encrypt for cloud-internal hostnames not reachable from the public internet
+- Edge-side variant: bind to plant-LAN IP only, internal CA for plant.local hostnames

stacks/nginx-proxy/compose.yml

@@ -1,22 +1,44 @@
-# nginx-proxy — TLS reverse proxy (HTTPS + MQTT-TLS)
+# nginx-proxy — TLS reverse proxy (HTTPS + MQTT-TLS stream proxy)
+# Stock nginx + certbot sidecar for Let's Encrypt automation.
 # Networks: edge (port publisher) + app (proxy targets)
 # Publishes: 80, 443, 8883 on the host
 
 services:
-  nginx-proxy:
+  nginx:
     image: nginx:1.27-alpine
     restart: unless-stopped
     networks: [edge, app]
     ports:
       - "80:80"
       - "443:443"
-      - "8883:8883"    # MQTT-TLS via stream{} block
+      - "8883:8883"        # MQTT-TLS via stream{} block, SNI route to rabbitmq
     volumes:
+      - ./config/nginx.conf:/etc/nginx/nginx.conf:ro
       - ./config/conf.d:/etc/nginx/conf.d:ro
       - ./config/stream.d:/etc/nginx/stream.d:ro
-      - ./config/nginx.conf:/etc/nginx/nginx.conf:ro
-      - nginx-certs:/etc/nginx/certs:ro
-    # TODO: SSL strategy (acme-companion sidecar vs certbot vs internal PKI)
+      - nginx-certs:/etc/letsencrypt:ro
+      - nginx-acme-challenge:/var/www/certbot:ro
+    depends_on:
+      - certbot
+
+  certbot:
+    image: certbot/certbot:latest
+    restart: unless-stopped
+    volumes:
+      - nginx-certs:/etc/letsencrypt
+      - nginx-acme-challenge:/var/www/certbot
+    entrypoint: /bin/sh -c
+    command: >
+      "trap exit TERM;
+       while :; do
+         certbot renew --webroot -w /var/www/certbot --quiet;
+         sleep 12h & wait $${!};
+       done"
+    # Initial issuance is manual:
+    #   docker compose run --rm certbot certonly \
+    #     --webroot -w /var/www/certbot \
+    #     --email "$LETSENCRYPT_EMAIL" --agree-tos --no-eff-email \
+    #     -d <host1> -d <host2> ...
 
 networks:
   edge:
@@ -24,3 +46,4 @@ networks:
 
 volumes:
   nginx-certs:
+  nginx-acme-challenge: