feat(cloud): harden nginx-proxy + sql foundation; HTTP-01 interim cert plan

Wire up the three foundation stacks (nginx-proxy, sql, portainer) in cloud/compose.yml and add real configs for the first two. nginx-proxy - Base nginx.conf with http + stream contexts, modern TLS profile, client_max_body_size baseline for gitea LFS / mlflow artifacts. - Vhosts under conf.d/: grafana, gitea, keycloak, nodered, mlflow, jupyter, portainer (HTTPS upstream), rabbitmq, jenkins. WebSocket upgrade headers where needed (grafana live, node-red editor, jupyterhub kernels, jenkins agents). - conf.d/00-default.conf serves /.well-known/acme-challenge/ on :80 and 301-redirects everything else. - stream.d/mqtt.conf terminates MQTT-TLS at 8883, proxies to rabbitmq:1883 internally. - All vhosts reference /etc/letsencrypt/live/infra/* — a stable path via certbot --cert-name infra, so the wildcard migration changes nothing in the vhost files. - README documents: HTTP-01 SAN interim during Versio period → DNS-01 wildcard via certbot-dns-transip after migration; bootstrap procedure (self-signed fallback → real cert issuance → reload). sql - config/init.d/01-databases.sh provisions gitea/keycloak/mlflow databases + roles on first start. Idempotent only via fresh data volume — change the script after first run requires manual psql or a volume wipe. - compose env extended with GITEA_DB_PASSWORD, KEYCLOAK_DB_PASSWORD, MLFLOW_DB_PASSWORD. cloud - include: now wires nginx-proxy + sql + portainer. Other stacks stay commented for future rounds. - .env.example adds KEYCLOAK_DB_PASSWORD and sensible defaults (LETSENCRYPT_EMAIL, GRAFANA_ROOT_URL, KEYCLOAK_HOSTNAME, GITEA_ROOT_URL, POSTFIX_FROM_DOMAIN all pointing at wbd-rd.nl). - Operator note inline: bring portainer's standalone instance down before deploying via cloud compose; comment its ports: block. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 13:43:35 +02:00
parent 67b37b9b2a
commit 5d95f8bfcc
19 changed files with 426 additions and 41 deletions
--- a/stacks/sql/.env.example
+++ b/stacks/sql/.env.example
@@ -1,3 +1,9 @@
+# sql — postgres superuser
 SQL_DB=config
 SQL_USER=config
 SQL_PASSWORD=
+
+# Per-app passwords (consumed by config/init.d/01-databases.sh)
+GITEA_DB_PASSWORD=
+KEYCLOAK_DB_PASSWORD=
+MLFLOW_DB_PASSWORD=
--- a/stacks/sql/README.md
+++ b/stacks/sql/README.md
@@ -5,5 +5,32 @@ Central configuration database — the "single point of config" backing Keycloak
 - **Engine**: postgres 16-alpine
 - **Network**: `data` only (no internet egress)
 - **Volume**: `sql-data` (PGDATA)
- **Init scripts**: `config/init.d/*.sql` runs on first start — provisions per-app databases/roles (gitea, keycloak, mlflow, …)
- **TODO**: backup strategy (pg_dump cron sidecar vs streaming replica)
+- **Init scripts**: `config/init.d/*.sh` runs once on first container start
+
+## Per-app databases
+
+On first start, `config/init.d/01-databases.sh` provisions:
+
+| Database | Owner role | Used by |
+|---|---|---|
+| `gitea` | `gitea` | gitea stack |
+| `keycloak` | `keycloak` | keycloak stack |
+| `mlflow` | `mlflow` | mlflow stack |
+
+Passwords come from env vars (`GITEA_DB_PASSWORD`, `KEYCLOAK_DB_PASSWORD`, `MLFLOW_DB_PASSWORD`) which must be set in the cloud `.env` *before* first start.
+
+**Important**: init scripts only run when `sql-data` is empty. Changing the script after first start has no effect until the volume is wiped. To add a new app DB later, connect with `psql` and create it manually, then update this script for fresh deploys.
+
+## Reset / re-init
+
+```bash
+docker compose down
+docker volume rm cloud_sql-data       # ⚠ destroys all data
+docker compose up -d
+```
+
+## TODO
+
+- Backup strategy (pg_dump cron sidecar vs streaming replica vs WAL archiving to MinIO)
+- Per-app least-privilege grants (currently each role owns its DB only — fine for now)
+- Monitoring (postgres_exporter for Prometheus when observability stack lands)
--- a/stacks/sql/compose.yml
+++ b/stacks/sql/compose.yml
@@ -10,6 +10,10 @@ services:
      POSTGRES_DB: ${SQL_DB}
      POSTGRES_USER: ${SQL_USER}
      POSTGRES_PASSWORD: ${SQL_PASSWORD}
+      # Per-app passwords (read by config/init.d/01-databases.sh on first start)
+      GITEA_DB_PASSWORD: ${GITEA_DB_PASSWORD}
+      KEYCLOAK_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+      MLFLOW_DB_PASSWORD: ${MLFLOW_DB_PASSWORD}
      TZ: ${TZ:-Europe/Amsterdam}
    volumes:
      - sql-data:/var/lib/postgresql/data
--- a/stacks/sql/config/init.d/01-databases.sh
+++ b/stacks/sql/config/init.d/01-databases.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+# 01-databases.sh — provision per-app databases and roles on first start.
+#
+# Runs ONLY when the data directory is empty (first container start).
+# Modifying this file later has no effect unless you wipe sql-data first.
+#
+# Env vars used here come from the sql service's `environment:` block;
+# values are sourced from cloud/.env (or the standalone stack's .env).
+
+set -eu
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+    -- gitea
+    CREATE ROLE gitea LOGIN PASSWORD '${GITEA_DB_PASSWORD}';
+    CREATE DATABASE gitea OWNER gitea;
+
+    -- keycloak
+    CREATE ROLE keycloak LOGIN PASSWORD '${KEYCLOAK_DB_PASSWORD}';
+    CREATE DATABASE keycloak OWNER keycloak;
+
+    -- mlflow
+    CREATE ROLE mlflow LOGIN PASSWORD '${MLFLOW_DB_PASSWORD}';
+    CREATE DATABASE mlflow OWNER mlflow;
+EOSQL