refactor(dns): rename frost.wbd-rd.nl → sta.wbd-rd.nl; drop redundant portainer.wbd-rd.nl

Match the short-functional naming convention used by the other vhosts
(git, auth, dash, flow, ml, hub, ops, mq, ci, mqtt). FROST implements
OGC SensorThings API, so `sta` is the natural fit.

portainer.wbd-rd.nl is dropped from deploy.sh HOSTS — there is no
nginx vhost for it; portainer is already served via ops.wbd-rd.nl.

DNS prereq for first deploy is now: create one new A record for
sta.wbd-rd.nl → cloud public IP. All other short subdomains already
point correctly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

cloud/.env.example

@@ -74,6 +74,6 @@ JUPYTER_NOTEBOOK_IMAGE=jupyter/datascience-notebook:latest
 JUPYTERHUB_ADMIN_USERS=
 JUPYTERHUB_ADMIN_PASSWORD=
 
-# FROST (SensorThings — dedicated postgis + internal mosquitto bus, ingressed at frost.wbd-rd.nl)
+# FROST (SensorThings — dedicated postgis + internal mosquitto bus, ingressed at sta.wbd-rd.nl)
 FROST_DB_PASSWORD=
-FROST_SERVICE_ROOT_URL=https://frost.wbd-rd.nl/FROST-Server
+FROST_SERVICE_ROOT_URL=https://sta.wbd-rd.nl/FROST-Server

cloud/deploy.sh

@@ -33,8 +33,8 @@ trap 'rc=$?; [ "$rc" -ne 0 ] && printf "\n${R}DEPLOY FAILED${N} (exit $rc) at st
 HOSTS=(
   git.wbd-rd.nl   auth.wbd-rd.nl  dash.wbd-rd.nl  flow.wbd-rd.nl
   ml.wbd-rd.nl    hub.wbd-rd.nl   ops.wbd-rd.nl   mq.wbd-rd.nl
-  ci.wbd-rd.nl    mqtt.wbd-rd.nl  portainer.wbd-rd.nl
+  ci.wbd-rd.nl    mqtt.wbd-rd.nl
-  frost.wbd-rd.nl
+  sta.wbd-rd.nl
 )
 
 # ---------- 1. Preflight ----------

docs/architecture.md

@@ -122,7 +122,7 @@ Postfix is **outbound-only**. It initiates SMTP to internet MX servers but accep
 
 - **RabbitMQ** is the **only public MQTT broker**. SCADA / IoT / edge clients connect to `mqtt.wbd-rd.nl:8883` (TLS, via nginx `stream {}` block proxying to `rabbitmq:1883`). Authentication uses the standard RABBITMQ_USER/PASS.
 - **frost-mosquitto** lives **inside the frost stack** on the private `frost-internal` docker network — it is purely the message bus between `frost-http` and `frost-mqtt`. It is not reachable from anywhere outside the frost stack.
-- SensorThings-protocol MQTT (the FROST native MQTT API) is exposed to clients via `frost-mqtt`'s WebSocket port, proxied as `https://frost.wbd-rd.nl/mqtt`.
+- SensorThings-protocol MQTT (the FROST native MQTT API) is exposed to clients via `frost-mqtt`'s WebSocket port, proxied as `https://sta.wbd-rd.nl/mqtt`.
 
 If FROST consumers also need to see SCADA traffic on RabbitMQ, add a RabbitMQ `shovel` plugin pointing into the frost stack. Not wired up by default.
 

stacks/frost/README.md

@@ -2,7 +2,7 @@
 
 [FROST-Server](https://github.com/FraunhoferIOSB/FROST-Server) — an OGC SensorThings API server. Stores sensors, observations, datastreams in postgis; exposes REST + MQTT.
 
-- **Public hostname**: `frost.wbd-rd.nl`
+- **Public hostname**: `sta.wbd-rd.nl`
   - `/FROST-Server` → REST + admin UI (frost-http:8080)
   - `/mqtt`         → WebSocket MQTT for SensorThings clients (frost-mqtt:9876)
 - **Networks**: `frost-internal` (private bus) + `app` (nginx ingress)

stacks/frost/compose.yml

@@ -1,5 +1,5 @@
 # frost — FROST-Server (OGC SensorThings API) (cloud only)
-# Public hostname: frost.wbd-rd.nl (reverse-proxied via nginx-proxy)
+# Public hostname: sta.wbd-rd.nl (reverse-proxied via nginx-proxy)
 #   /FROST-Server   → frost-http:8080  (REST + UI)
 #   /mqtt           → frost-mqtt:9876  (WebSocket MQTT for STA clients)
 #
@@ -52,7 +52,7 @@ services:
       frost-mosquitto:
         condition: service_started
     environment:
-      serviceRootUrl: ${FROST_SERVICE_ROOT_URL:-https://frost.wbd-rd.nl/FROST-Server}
+      serviceRootUrl: ${FROST_SERVICE_ROOT_URL:-https://sta.wbd-rd.nl/FROST-Server}
       queueLoggingInterval: "1000"
       plugins_multiDatastream_enable: "false"
       http_cors_enable: "true"
@@ -91,7 +91,7 @@ services:
       frost-mosquitto:
         condition: service_started
     environment:
-      serviceRootUrl: ${FROST_SERVICE_ROOT_URL:-https://frost.wbd-rd.nl/FROST-Server}
+      serviceRootUrl: ${FROST_SERVICE_ROOT_URL:-https://sta.wbd-rd.nl/FROST-Server}
       queueLoggingInterval: "1000"
       plugins_multiDatastream_enable: "false"
 

stacks/nginx-proxy/README.md

@@ -22,15 +22,16 @@ config/
 ├── nginx.conf                    # base — http + stream contexts
 ├── conf.d/
 │   ├── 00-default.conf           # port 80: ACME challenge + HTTPS redirect
-│   ├── grafana.conf              # grafana.wbd-rd.nl
+│   ├── grafana.conf              # dash.wbd-rd.nl
-│   ├── gitea.conf                # gitea.wbd-rd.nl
+│   ├── gitea.conf                # git.wbd-rd.nl
-│   ├── keycloak.conf             # keycloak.wbd-rd.nl
+│   ├── keycloak.conf             # auth.wbd-rd.nl
-│   ├── nodered.conf              # nodered.wbd-rd.nl
+│   ├── nodered.conf              # flow.wbd-rd.nl
-│   ├── mlflow.conf               # mlflow.wbd-rd.nl
+│   ├── mlflow.conf               # ml.wbd-rd.nl
-│   ├── jupyter.conf              # jupyter.wbd-rd.nl
+│   ├── jupyter.conf              # hub.wbd-rd.nl
-│   ├── portainer.conf            # portainer.wbd-rd.nl (HTTPS upstream)
+│   ├── portainer.conf            # ops.wbd-rd.nl
-│   ├── rabbitmq.conf             # rabbitmq.wbd-rd.nl (mgmt UI)
+│   ├── rabbitmq.conf             # mq.wbd-rd.nl (mgmt UI)
-│   └── jenkins.conf              # jenkins.wbd-rd.nl
+│   ├── jenkins.conf              # ci.wbd-rd.nl
+│   └── frost.conf                # sta.wbd-rd.nl (FROST / SensorThings)
 └── stream.d/
     └── mqtt.conf                 # mqtt.wbd-rd.nl:8883 → rabbitmq:1883
 ```
@@ -67,7 +68,9 @@ docker compose run --rm certbot certonly \
   -d git.wbd-rd.nl   -d auth.wbd-rd.nl  -d dash.wbd-rd.nl \
   -d flow.wbd-rd.nl  -d ml.wbd-rd.nl    -d hub.wbd-rd.nl \
   -d ops.wbd-rd.nl   -d mq.wbd-rd.nl    -d ci.wbd-rd.nl \
-  -d mqtt.wbd-rd.nl
+  -d mqtt.wbd-rd.nl  -d sta.wbd-rd.nl
+
+# Easier: from the cloud directory just run ./deploy.sh — it handles steps 1-4.
 
 # 4. Reload nginx to pick up the real cert
 docker compose exec nginx nginx -s reload
@@ -77,7 +80,7 @@ The certbot sidecar then renews every 12h automatically.
 
 ## DNS prereqs (HTTP-01)
 
-Before bootstrap, ensure A records exist in Versio for the 10 new short subdomains (the canonical tool-named ones — `gitea.wbd-rd.nl`, `grafana.wbd-rd.nl`, etc. — stay pointed at the existing Versio stack during the transition):
+Before bootstrap, ensure A records exist in Versio for the 11 short functional subdomains (the canonical tool-named ones — `gitea.wbd-rd.nl`, `grafana.wbd-rd.nl`, etc. — stay pointed at the existing Versio stack during the transition):
 
 ```
 git.wbd-rd.nl    A  <cloud-public-ip>      # gitea (new)
@@ -90,6 +93,7 @@ ops.wbd-rd.nl    A  <cloud-public-ip>      # portainer
 mq.wbd-rd.nl     A  <cloud-public-ip>      # rabbitmq mgmt UI
 ci.wbd-rd.nl     A  <cloud-public-ip>      # jenkins
 mqtt.wbd-rd.nl   A  <cloud-public-ip>      # MQTT-TLS broker
+sta.wbd-rd.nl    A  <cloud-public-ip>      # FROST / SensorThings API
 ```
 
 ## TODO

stacks/nginx-proxy/config/conf.d/frost.conf

@@ -1,7 +1,7 @@
 server {
     listen 443 ssl;
     http2 on;
-    server_name frost.wbd-rd.nl;
+    server_name sta.wbd-rd.nl;
 
     ssl_certificate     /etc/letsencrypt/live/infra/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/infra/privkey.pem;