feat(cloud): single-shot deploy.sh + FROST stack + healthchecks

Stage 5 — make the cloud composition spin up in one command and add
the SensorThings (FROST) stack as a fully segregated tenant.

cloud/deploy.sh — idempotent, 7-step bring-up:
  preflight → validate → up + wait → cert state → issue/renew →
  service status → endpoint smoke test. Reissues LE cert only when
  current issuer no longer matches ACME_CA_URI. Move-aside-then-
  restore-on-failure so the bootstrap cert survives a failed certbot.

stacks/frost — new stack, segregated from shared sql/rabbitmq:
  - dedicated postgis container (frost-db)
  - dedicated internal mosquitto bus (frost-mosquitto)
  - frost-http + frost-mqtt on a private frost-internal network,
    joined to cloud-app only for nginx ingress at frost.wbd-rd.nl
  - shared mosquitto stack deleted; rabbitmq remains the only public
    MQTT broker (mqtt.wbd-rd.nl:8883 via stream proxy)

stacks/sql — pg_isready healthcheck so keycloak/gitea/mlflow can gate
on service_healthy via cloud-level depends_on overrides.

stacks/nginx-proxy:
  - nginx-init service generates a self-signed bootstrap cert on
    fresh deploy so nginx starts before certbot has issued a real one
  - frost.wbd-rd.nl vhost (/FROST-Server → frost-http:8080,
    /mqtt → frost-mqtt:9876 WebSocket)

stacks/mlflow — custom Dockerfile (upstream + psycopg2-binary) so the
official image can speak to the shared sql backend.

stacks/jupyterhub — DummyAuthenticator stub gated by
JUPYTERHUB_ADMIN_PASSWORD; TODO comments point at OIDC + DockerSpawner.

stacks/rabbitmq — config/{enabled_plugins,rabbitmq.conf} stubs
(management + mqtt plugins, MQTT auth required).

stacks/portainer — ports unpublished; nginx now the only ingress.

stacks/node-red — pin to 4.1 (the floating "4" tag does not exist).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

stacks/jupyterhub/compose.yml

@@ -14,6 +14,9 @@ services:
       TZ: ${TZ:-Europe/Amsterdam}
       DOCKER_NOTEBOOK_IMAGE: ${JUPYTER_NOTEBOOK_IMAGE:-jupyter/datascience-notebook:latest}
       DOCKER_NETWORK_NAME: cloud-app
+      # Stub auth — DummyAuthenticator gates on this shared password until OIDC is wired.
+      JUPYTERHUB_ADMIN_PASSWORD: ${JUPYTERHUB_ADMIN_PASSWORD}
+      JUPYTERHUB_ADMIN_USERS: ${JUPYTERHUB_ADMIN_USERS}
     # TODO: DockerSpawner config in jupyterhub_config.py; Keycloak OAuthAuthenticator;
     #       preinstalled libraries; per-user persistent volumes; CPU/memory limits
 

stacks/jupyterhub/config/jupyterhub_config.py

@@ -0,0 +1,33 @@
+# JupyterHub bootstrap config.
+#
+# WARNING: this is a STUB. It uses DummyAuthenticator with a single shared
+# password and LocalProcessSpawner. It boots, it's password-gated, but it is
+# NOT the production setup. Before exposing this to anything beyond the
+# cloud-host operator, swap to:
+#   - GenericOAuthenticator pointed at Keycloak (wbd realm, jupyterhub client)
+#   - DockerSpawner with per-user persistent volumes
+# See stacks/jupyterhub/README.md TODO.
+
+import os
+
+c = get_config()  # noqa: F821 — provided by JupyterHub
+
+# --- Authenticator (stub) -----------------------------------------------------
+c.JupyterHub.authenticator_class = "dummy"
+c.DummyAuthenticator.password = os.environ["JUPYTERHUB_ADMIN_PASSWORD"]
+
+admin_users = os.environ.get("JUPYTERHUB_ADMIN_USERS", "").strip()
+if admin_users:
+    c.Authenticator.admin_users = {u.strip() for u in admin_users.split(",") if u.strip()}
+c.Authenticator.allow_all = True  # stub: any username, single shared password
+
+# --- Spawner (stub) -----------------------------------------------------------
+# LocalProcessSpawner runs notebooks as OS processes inside the hub container.
+# Fine for a single operator on the stub; production should use DockerSpawner.
+c.JupyterHub.spawner_class = "simple"
+c.Spawner.default_url = "/lab"
+
+# --- Hub posture --------------------------------------------------------------
+c.JupyterHub.bind_url = "http://:8000"
+c.JupyterHub.hub_bind_url = "http://0.0.0.0:8081"
+c.JupyterHub.cleanup_servers = True