RnD/infra
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(cloud): single-shot deploy.sh + FROST stack + healthchecks

Browse Source 
Stage 5 — make the cloud composition spin up in one command and add
the SensorThings (FROST) stack as a fully segregated tenant.

cloud/deploy.sh — idempotent, 7-step bring-up:
  preflight → validate → up + wait → cert state → issue/renew →
  service status → endpoint smoke test. Reissues LE cert only when
  current issuer no longer matches ACME_CA_URI. Move-aside-then-
  restore-on-failure so the bootstrap cert survives a failed certbot.

stacks/frost — new stack, segregated from shared sql/rabbitmq:
  - dedicated postgis container (frost-db)
  - dedicated internal mosquitto bus (frost-mosquitto)
  - frost-http + frost-mqtt on a private frost-internal network,
    joined to cloud-app only for nginx ingress at frost.wbd-rd.nl
  - shared mosquitto stack deleted; rabbitmq remains the only public
    MQTT broker (mqtt.wbd-rd.nl:8883 via stream proxy)

stacks/sql — pg_isready healthcheck so keycloak/gitea/mlflow can gate
on service_healthy via cloud-level depends_on overrides.

stacks/nginx-proxy:
  - nginx-init service generates a self-signed bootstrap cert on
    fresh deploy so nginx starts before certbot has issued a real one
  - frost.wbd-rd.nl vhost (/FROST-Server → frost-http:8080,
    /mqtt → frost-mqtt:9876 WebSocket)

stacks/mlflow — custom Dockerfile (upstream + psycopg2-binary) so the
official image can speak to the shared sql backend.

stacks/jupyterhub — DummyAuthenticator stub gated by
JUPYTERHUB_ADMIN_PASSWORD; TODO comments point at OIDC + DockerSpawner.

stacks/rabbitmq — config/{enabled_plugins,rabbitmq.conf} stubs
(management + mqtt plugins, MQTT auth required).

stacks/portainer — ports unpublished; nginx now the only ingress.

stacks/node-red — pin to 4.1 (the floating "4" tag does not exist).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
znetsixe
2026-05-21 16:37:58 +02:00
parent 035ac757ae
commit 4117ec6063
25 changed files with 660 additions and 95 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
stacks/portainer/README.md
View File

@@ -2,26 +2,15 @@
Docker container management UI — the "operator console" for cloud and edge.
## Standalone first-run (cloud)
## Access
Bring this up **first**, before nginx-proxy, so you have a GUI from day 1 to inspect containers, logs, networks, and volumes as the rest of the cloud stack comes online.
Portainer ingresses through nginx-proxy: `https://portainer.wbd-rd.nl/`. No host port is published by default.
```bash
cd stacks/portainer
docker compose up -d
```
For emergency ops (nginx down, etc.), uncomment the `ports:` block in `compose.yml` and `docker compose up -d portainer` to expose `:9443` and `:8000` directly.
Browse `https://<cloud-host>:9443` (self-signed cert — accept once). Create the admin user on first visit.
## First-run admin
## After nginx-proxy is up
Once nginx-proxy + the wildcard cert are working:
1. Comment the `ports:` block in `compose.yml`.
2. `docker compose down && docker compose up -d` (or recreate via cloud/compose.yml include).
3. Browse `https://portainer.wbd-rd.nl/` (real cert, behind nginx).
The direct `:9443` access is intentionally retained as commented-out config for emergency ops if nginx goes down.
On first visit, Portainer prompts for an admin username and password. Use a long random password; this account is break-glass — your daily login should come via Keycloak OIDC once that gate is wired (see TODO).
## Edge-agent topology