feat(cloud): single-shot deploy.sh + FROST stack + healthchecks

Stage 5 — make the cloud composition spin up in one command and add the SensorThings (FROST) stack as a fully segregated tenant. cloud/deploy.sh — idempotent, 7-step bring-up: preflight → validate → up + wait → cert state → issue/renew → service status → endpoint smoke test. Reissues LE cert only when current issuer no longer matches ACME_CA_URI. Move-aside-then- restore-on-failure so the bootstrap cert survives a failed certbot. stacks/frost — new stack, segregated from shared sql/rabbitmq: - dedicated postgis container (frost-db) - dedicated internal mosquitto bus (frost-mosquitto) - frost-http + frost-mqtt on a private frost-internal network, joined to cloud-app only for nginx ingress at frost.wbd-rd.nl - shared mosquitto stack deleted; rabbitmq remains the only public MQTT broker (mqtt.wbd-rd.nl:8883 via stream proxy) stacks/sql — pg_isready healthcheck so keycloak/gitea/mlflow can gate on service_healthy via cloud-level depends_on overrides. stacks/nginx-proxy: - nginx-init service generates a self-signed bootstrap cert on fresh deploy so nginx starts before certbot has issued a real one - frost.wbd-rd.nl vhost (/FROST-Server → frost-http:8080, /mqtt → frost-mqtt:9876 WebSocket) stacks/mlflow — custom Dockerfile (upstream + psycopg2-binary) so the official image can speak to the shared sql backend. stacks/jupyterhub — DummyAuthenticator stub gated by JUPYTERHUB_ADMIN_PASSWORD; TODO comments point at OIDC + DockerSpawner. stacks/rabbitmq — config/{enabled_plugins,rabbitmq.conf} stubs (management + mqtt plugins, MQTT auth required). stacks/portainer — ports unpublished; nginx now the only ingress. stacks/node-red — pin to 4.1 (the floating "4" tag does not exist). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 16:37:58 +02:00
parent 035ac757ae
commit 4117ec6063
25 changed files with 660 additions and 95 deletions
--- a/stacks/nginx-proxy/compose.yml
+++ b/stacks/nginx-proxy/compose.yml
@@ -4,6 +4,27 @@
 # Publishes: 80, 443, 8883 on the host

 services:
+  # One-shot init: generate a self-signed dummy cert if /etc/letsencrypt/live/infra/
+  # doesn't already have one. Lets nginx start on a fresh deploy before certbot has
+  # issued the real cert via HTTP-01.  Subsequent runs are no-ops.
+  nginx-init:
+    image: alpine/openssl:latest
+    restart: "no"
+    volumes:
+      - nginx-certs:/etc/letsencrypt
+    entrypoint: ["/bin/sh", "-c"]
+    command:
+      - |
+        set -eu
+        d=/etc/letsencrypt/live/infra
+        if [ ! -s "$$d/fullchain.pem" ] || [ ! -s "$$d/privkey.pem" ]; then
+          echo "nginx-init: generating self-signed bootstrap cert at $$d"
+          mkdir -p "$$d"
+          openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout "$$d/privkey.pem" -out "$$d/fullchain.pem" -subj '/CN=bootstrap-infra'
+        else
+          echo "nginx-init: cert already present at $$d, skipping"
+        fi
+
  nginx:
    image: nginx:1.27-alpine
    restart: unless-stopped
@@ -19,7 +40,10 @@ services:
      - nginx-certs:/etc/letsencrypt:ro
      - nginx-acme-challenge:/var/www/certbot:ro
    depends_on:
-      - certbot
+      nginx-init:
+        condition: service_completed_successfully
+      certbot:
+        condition: service_started

  certbot:
    image: certbot/certbot:latest
--- a/stacks/nginx-proxy/config/conf.d/frost.conf
+++ b/stacks/nginx-proxy/config/conf.d/frost.conf
@@ -0,0 +1,37 @@
+server {
+    listen 443 ssl;
+    http2 on;
+    server_name frost.wbd-rd.nl;
+
+    ssl_certificate     /etc/letsencrypt/live/infra/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/infra/privkey.pem;
+
+    # FROST REST + admin UI
+    location /FROST-Server {
+        proxy_pass http://frost-http:8080;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 60s;
+    }
+
+    # SensorThings MQTT-over-WebSocket
+    location /mqtt {
+        proxy_pass http://frost-mqtt:9876;
+        proxy_http_version 1.1;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade           $http_upgrade;
+        proxy_set_header Connection        "upgrade";
+        proxy_read_timeout 3600s;          # long-lived MQTT WS sessions
+        proxy_send_timeout 3600s;
+    }
+
+    # Root redirects to the REST UI for convenience
+    location = / {
+        return 302 /FROST-Server/;
+    }
+}