# gemaal1

Edge deployment for pumping station **Gemaal1** — first production site.

## Hardware (fill in when provisioned)

- Edge gateway model: ?
- Plant LAN subnet: ?.?.?.0/24
- WAN: ?
- OT VLAN (PLC + OPCUA): ?.?.?.0/24
- OPCUA endpoint: opc.tcp://?

## What runs here

nginx-proxy (plant-LAN-facing, certbot for TLS), wireguard-client (outbound tunnel to cloud), keycloak (local realm), portainer, influxdb (local DB), grafana (local SCADA), node-red, rabbitmq (general broker, internal only), postfix.

## Run

```bash
cp .env.example .env   # fill in real secrets + PLANT_LAN_IP
docker compose up -d
docker compose ps
```

## Ingress

| Port | Bound to |
|---|---|
| tcp/80, 443 | `${PLANT_LAN_IP}` only |

Remote ops reach the same nginx via the WireGuard tunnel from cloud (no extra port published).

## OT uplink

Node-RED + EVOLV nodes talk to the OPCUA server on the OT VLAN. The edge gateway must have a NIC on that VLAN. OPCUA + PLC are **managed outside this repo**.

See [`../../docs/architecture.md`](../../docs/architecture.md) for the full topology.
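
The ingress rule above (tcp/80 and 443 published on `${PLANT_LAN_IP}` only, nothing else published) can be audited after `docker compose up -d`. This is an added example, not part of this repo: the function names `check_ingress` and `sample_ps`, the address 192.0.2.10 and the sample container lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag any published port that breaks the README's ingress rule.
# Input format is the output of: docker ps --format '{{.Names}}\t{{.Ports}}'

check_ingress() {
  # $1 = plant LAN IP. Reads "name<TAB>ports" lines on stdin.
  # Prints one line per violation; exit status is 1 if any were found.
  awk -F'\t' -v ip="$1" '
    {
      n = split($2, entries, /, */)
      for (i = 1; i <= n; i++) {
        e = entries[i]
        if (e !~ /->/) continue              # exposed only, not published
        host = e;    sub(/->.*/, "", host)   # e.g. 0.0.0.0:443 or [::]:443
        port = host; sub(/.*:/, "", port)    # host-side port (or range)
        addr = host; sub(/:[^:]*$/, "", addr)
        if (addr != ip || (port != "80" && port != "443")) {
          printf "%s publishes %s\n", $1, e
          bad = 1
        }
      }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample: nginx bound correctly, rabbitmq unpublished,
# grafana wrongly published on all interfaces (IPv4 and IPv6).
sample_ps() {
  printf 'nginx-proxy\t192.0.2.10:80->80/tcp, 192.0.2.10:443->443/tcp\n'
  printf 'rabbitmq\t5672/tcp\n'
  printf 'grafana\t0.0.0.0:3000->3000/tcp, [::]:3000->3000/tcp\n'
}

# Offline demonstration on the constructed sample.
sample_ps | check_ingress 192.0.2.10 || true

# Live use on the gateway (PLANT_LAN_IP as set in .env):
#   docker ps --format '{{.Names}}\t{{.Ports}}' | check_ingress "$PLANT_LAN_IP"
```

A non-zero exit status makes the check usable as a post-deploy gate; port ranges and bindings on any address other than the plant LAN IP are reported as violations.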