035ac757ae
stacks/gitea/compose.yml — full production-grade env:
- Server posture: PROTOCOL=http (nginx terminates TLS), DOMAIN=git.wbd-rd.nl,
DISABLE_SSH=true, INSTALL_LOCK=true (skip web wizard).
- Postgres backend (DB+role auto-provisioned by sql/config/init.d/).
- Local registration disabled; users provisioned via Keycloak OIDC with
ENABLE_AUTO_REGISTRATION=true so first OIDC login auto-creates the
matching local account (USERNAME=nickname, ACCOUNT_LINKING=auto).
- Mail stub via postfix on app network (ENABLED=false until postfix is up).
- Repos default to private.
- GITEA_OAUTH_* env vars are pass-through values consumed only by the
post-deploy CLI step; gitea itself doesn't read them.
stacks/gitea/.env.example — DB connection, OAuth client ID/secret/discovery
URL, mail-from. Empty placeholders for secrets.
stacks/gitea/README.md — full Stage 5 deploy script:
1. Fill GITEA_DB_PASSWORD + GITEA_OAUTH_CLIENT_SECRET in cloud/.env
2. docker compose up -d gitea
3. gitea admin user create --admin --random-password
4. gitea admin auth add-oauth --provider openidConnect
--auto-discover-url https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration
5. Browse https://git.wbd-rd.nl/ → "Sign in with keycloak"
cloud/compose.yml — uncomment gitea include.
cloud/.env.example — add GITEA_DOMAIN, GITEA_OAUTH_*, GITEA_MAIL_FROM.
.gitignore line 2 (`.env`) already catches .env files at any depth
(verified with `git check-ignore`). Secrets won't be committed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
infra
R&D infrastructure stacks for Waterschap Brabantse Delta. Hub-and-spoke deployment: one cloud central hub + per-plant edge sites.
Layout
infra/
├── stacks/ # reusable, runnable stack defs (kebab-case)
├── cloud/ # the single central hub
├── sites/ # per-plant edge deployments
└── docs/ # architecture + conventions
Stacks are pulled into the cloud and site composes via the Compose Spec include: directive. Each stack is also runnable standalone for testing.
Quick start
# Cloud hub (run on the central server)
cd cloud
cp .env.example .env # fill in real secrets
docker compose up -d
# A plant edge (run on the edge gateway at the plant)
cd sites/<plant>
cp .env.example .env
docker compose up -d
Stacks
| Stack | Purpose | Cloud | Edge |
|---|---|---|---|
| node-red | Flow-based automation | ✓ | ✓ |
| influxdb | Time-series database | ✓ | ✓ |
| grafana | Dashboards / SCADA | ✓ | ✓ |
| keycloak | Identity / SSO | ✓ | ✓ |
| portainer | Container management UI | ✓ | ✓ |
| nginx-proxy | Stock nginx + certbot sidecar | ✓ | ✓ |
| rabbitmq | General-purpose broker (AMQP + MQTT plugin) | ✓ | ✓ |
| postfix | Outbound mail relay | ✓ | ✓ |
| wireguard-server | VPN server | ✓ | — |
| wireguard-client | VPN client | — | ✓ |
| gitea | Git server (HTTPS-only) | ✓ | — |
| jenkins | CI/CD | ✓ | — |
| sql | Config DB (postgres 16) | ✓ | — |
| mlflow | ML experiment tracking + registry | ✓ | — |
| jupyterhub | Multi-user notebook server | ✓ | — |
| mosquitto | MQTT broker for FROST stack only | ✓ | — |
Sites
| Site | Status |
|---|---|
| gemaal1 | Scaffolded — awaiting hardware provisioning |
Design
See docs/architecture.md for the hub-and-spoke topology, 4-network model, ingress table, and the reasoning behind each choice.
Conventions
- kebab-case folder names
compose.yml(Compose Spec), notdocker-compose.yml- Stack composes pulled into cloud/site via
include: - Secrets in
.envfiles (gitignored);.env.examplecommitted with placeholders - OT layer (OPCUA, PLCs) is out of scope for this repo