feat(cloud): harden nginx-proxy + sql foundation; HTTP-01 interim cert plan

Wire up the three foundation stacks (nginx-proxy, sql, portainer) in cloud/compose.yml and add real configs for the first two. nginx-proxy - Base nginx.conf with http + stream contexts, modern TLS profile, client_max_body_size baseline for gitea LFS / mlflow artifacts. - Vhosts under conf.d/: grafana, gitea, keycloak, nodered, mlflow, jupyter, portainer (HTTPS upstream), rabbitmq, jenkins. WebSocket upgrade headers where needed (grafana live, node-red editor, jupyterhub kernels, jenkins agents). - conf.d/00-default.conf serves /.well-known/acme-challenge/ on :80 and 301-redirects everything else. - stream.d/mqtt.conf terminates MQTT-TLS at 8883, proxies to rabbitmq:1883 internally. - All vhosts reference /etc/letsencrypt/live/infra/* — a stable path via certbot --cert-name infra, so the wildcard migration changes nothing in the vhost files. - README documents: HTTP-01 SAN interim during Versio period → DNS-01 wildcard via certbot-dns-transip after migration; bootstrap procedure (self-signed fallback → real cert issuance → reload). sql - config/init.d/01-databases.sh provisions gitea/keycloak/mlflow databases + roles on first start. Idempotent only via fresh data volume — change the script after first run requires manual psql or a volume wipe. - compose env extended with GITEA_DB_PASSWORD, KEYCLOAK_DB_PASSWORD, MLFLOW_DB_PASSWORD. cloud - include: now wires nginx-proxy + sql + portainer. Other stacks stay commented for future rounds. - .env.example adds KEYCLOAK_DB_PASSWORD and sensible defaults (LETSENCRYPT_EMAIL, GRAFANA_ROOT_URL, KEYCLOAK_HOSTNAME, GITEA_ROOT_URL, POSTFIX_FROM_DOMAIN all pointing at wbd-rd.nl). - Operator note inline: bring portainer's standalone instance down before deploying via cloud compose; comment its ports: block. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 13:43:35 +02:00
parent 67b37b9b2a
commit 5d95f8bfcc
19 changed files with 426 additions and 41 deletions
--- a/stacks/nginx-proxy/config/conf.d/00-default.conf
+++ b/stacks/nginx-proxy/config/conf.d/00-default.conf
@@ -0,0 +1,15 @@
+# Port 80 — ACME HTTP-01 challenges + force HTTPS redirect for everything else.
+
+server {
+    listen 80 default_server;
+    server_name _;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+        default_type "text/plain";
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
--- a/stacks/nginx-proxy/config/conf.d/gitea.conf
+++ b/stacks/nginx-proxy/config/conf.d/gitea.conf
@@ -0,0 +1,19 @@
+server {
+    listen 443 ssl;
+    http2 on;
+    server_name gitea.wbd-rd.nl;
+
+    ssl_certificate     /etc/letsencrypt/live/infra/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/infra/privkey.pem;
+
+    # Allow large LFS uploads + raw blob downloads
+    client_max_body_size 1G;
+
+    location / {
+        proxy_pass http://gitea:3000;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
--- a/stacks/nginx-proxy/config/conf.d/grafana.conf
+++ b/stacks/nginx-proxy/config/conf.d/grafana.conf
@@ -0,0 +1,21 @@
+server {
+    listen 443 ssl;
+    http2 on;
+    server_name grafana.wbd-rd.nl;
+
+    ssl_certificate     /etc/letsencrypt/live/infra/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/infra/privkey.pem;
+
+    location / {
+        proxy_pass http://grafana:3000;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # Grafana Live + alerting use WebSockets
+        proxy_http_version 1.1;
+        proxy_set_header   Upgrade    $http_upgrade;
+        proxy_set_header   Connection "upgrade";
+    }
+}
--- a/stacks/nginx-proxy/config/conf.d/jenkins.conf
+++ b/stacks/nginx-proxy/config/conf.d/jenkins.conf
@@ -0,0 +1,23 @@
+server {
+    listen 443 ssl;
+    http2 on;
+    server_name jenkins.wbd-rd.nl;
+
+    ssl_certificate     /etc/letsencrypt/live/infra/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/infra/privkey.pem;
+
+    location / {
+        proxy_pass http://jenkins:8080;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        proxy_redirect http:// https://;
+
+        # Jenkins agent + plugin upgrades use WebSockets
+        proxy_http_version 1.1;
+        proxy_set_header   Upgrade    $http_upgrade;
+        proxy_set_header   Connection "upgrade";
+    }
+}
--- a/stacks/nginx-proxy/config/conf.d/jupyter.conf
+++ b/stacks/nginx-proxy/config/conf.d/jupyter.conf
@@ -0,0 +1,24 @@
+server {
+    listen 443 ssl;
+    http2 on;
+    server_name jupyter.wbd-rd.nl;
+
+    ssl_certificate     /etc/letsencrypt/live/infra/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/infra/privkey.pem;
+
+    location / {
+        proxy_pass http://jupyterhub:8000;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # JupyterHub uses WebSockets for terminals + notebook kernels
+        proxy_http_version 1.1;
+        proxy_set_header   Upgrade    $http_upgrade;
+        proxy_set_header   Connection "upgrade";
+
+        # Long-running notebooks
+        proxy_read_timeout 24h;
+    }
+}
--- a/stacks/nginx-proxy/config/conf.d/keycloak.conf
+++ b/stacks/nginx-proxy/config/conf.d/keycloak.conf
@@ -0,0 +1,17 @@
+server {
+    listen 443 ssl;
+    http2 on;
+    server_name keycloak.wbd-rd.nl;
+
+    ssl_certificate     /etc/letsencrypt/live/infra/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/infra/privkey.pem;
+
+    location / {
+        proxy_pass http://keycloak:8080;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host  $host;
+    }
+}
--- a/stacks/nginx-proxy/config/conf.d/mlflow.conf
+++ b/stacks/nginx-proxy/config/conf.d/mlflow.conf
@@ -0,0 +1,22 @@
+server {
+    listen 443 ssl;
+    http2 on;
+    server_name mlflow.wbd-rd.nl;
+
+    ssl_certificate     /etc/letsencrypt/live/infra/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/infra/privkey.pem;
+
+    # Large model artifact uploads
+    client_max_body_size 5G;
+
+    location / {
+        proxy_pass http://mlflow:5000;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        proxy_read_timeout 10m;
+        proxy_send_timeout 10m;
+    }
+}
--- a/stacks/nginx-proxy/config/conf.d/nodered.conf
+++ b/stacks/nginx-proxy/config/conf.d/nodered.conf
@@ -0,0 +1,23 @@
+server {
+    listen 443 ssl;
+    http2 on;
+    server_name nodered.wbd-rd.nl;
+
+    ssl_certificate     /etc/letsencrypt/live/infra/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/infra/privkey.pem;
+
+    location / {
+        proxy_pass http://node-red:1880;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # Node-RED editor + deploy API use WebSockets
+        proxy_http_version 1.1;
+        proxy_set_header   Upgrade    $http_upgrade;
+        proxy_set_header   Connection "upgrade";
+
+        proxy_read_timeout 1h;
+    }
+}
--- a/stacks/nginx-proxy/config/conf.d/portainer.conf
+++ b/stacks/nginx-proxy/config/conf.d/portainer.conf
@@ -0,0 +1,23 @@
+server {
+    listen 443 ssl;
+    http2 on;
+    server_name portainer.wbd-rd.nl;
+
+    ssl_certificate     /etc/letsencrypt/live/infra/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/infra/privkey.pem;
+
+    location / {
+        # Portainer CE 2.x exposes HTTPS only (self-signed cert inside the container)
+        proxy_pass https://portainer:9443;
+        proxy_ssl_verify off;
+
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        proxy_http_version 1.1;
+        proxy_set_header   Upgrade    $http_upgrade;
+        proxy_set_header   Connection "upgrade";
+    }
+}
--- a/stacks/nginx-proxy/config/conf.d/rabbitmq.conf
+++ b/stacks/nginx-proxy/config/conf.d/rabbitmq.conf
@@ -0,0 +1,16 @@
+server {
+    listen 443 ssl;
+    http2 on;
+    server_name rabbitmq.wbd-rd.nl;
+
+    ssl_certificate     /etc/letsencrypt/live/infra/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/infra/privkey.pem;
+
+    location / {
+        proxy_pass http://rabbitmq:15672;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}