RnD/infra
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2f5e3b41837e9b767bbb76ba4ba6bc7f2dc18b87
infra/stacks/nginx-proxy/README.md
znetsixe 2f5e3b4183 feat: SQL=postgres, nginx+certbot, MQTT split, ML stacks, gitea HTTPS-only, gemaal1 site 
Round-2 changes locking in scaffold-phase decisions and adding ML/notebook stacks.

Locked decisions
- sql: postgres 16-alpine (was TBD); init.d/ mount for per-app DB provisioning
- nginx-proxy: stock nginx + certbot sidecar (was nginx:alpine TODO).
  Chose stock over nginxproxy/nginx-proxy because stream{} is required for
  MQTT-TLS reverse-proxy on tcp/8883 to rabbitmq:1883.
- gitea: HTTPS-only (DISABLE_SSH=true). No SSH port published.

MQTT split
- Remove stacks/mqtt placeholder.
- Add stacks/rabbitmq — general-purpose broker (AMQP + MQTT plugin),
  used at both cloud and edge. External MQTT clients reach cloud broker
  via nginx stream-proxy on 8883.
- Add stacks/mosquitto — reserved for the FROST (SensorThings) stack
  only. Cloud-only. Internal to its own stack; no external ingress.

ML / notebooks (cloud-only)
- stacks/mlflow — experiment tracking + model registry. Postgres backend
  on sql stack; local volume for artifacts (S3/MinIO is a TODO).
- stacks/jupyterhub — multi-user notebook server. DockerSpawner via
  mounted docker.sock; users spawn into cloud-app network so they can
  reach mlflow, influxdb (via grafana), rabbitmq.

Sites
- sites/gemaal1 — first edge deployment scaffold. Site-local override
  template for binding nginx to PLANT_LAN_IP.

Docs
- README + docs/architecture.md updated: stacks table now lists 15 stacks,
  ingress + attachment tables reflect mlflow/jupyterhub, TLS strategy
  section locked, MQTT-split section added, Gitea HTTPS-only noted.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 13:22:46 +02:00

2.0 KiB
Raw Blame History

nginx-proxy

The single web ingress for cloud + edge. Reverse-proxies HTTPS UIs and stream-proxies MQTT-TLS to RabbitMQ. TLS certificates managed by a certbot sidecar (Let's Encrypt, HTTP-01 webroot challenge).

  • Image: stock nginx:1.27-alpine (we don't use nginxproxy/nginx-proxy because we need the stream {} context for MQTT-TLS, which that image doesn't expose cleanly)
  • Sidecar: certbot/certbot:latest — renews every 12h, shared nginx-certs + nginx-acme-challenge volumes
  • Networks: edge (the only port-publisher) + app (talks to upstream services)
  • Host ports: tcp/80, tcp/443, tcp/8883

Config layout

config/
├── nginx.conf            # base config — must include `stream {}` directive
├── conf.d/               # HTTP vhosts (one per upstream UI)
│   ├── grafana.conf
│   ├── node-red.conf
│   ├── gitea.conf
│   └── ...
└── stream.d/
    └── mqtt.conf         # MQTT-TLS stream block, SNI route to rabbitmq:1883

Volumes:

  • nginx-certs — Let's Encrypt cert chains (/etc/letsencrypt), read-only mounted into nginx, writable from certbot
  • nginx-acme-challenge — webroot for HTTP-01 challenges (/var/www/certbot)

Initial cert issuance

  1. Start with HTTP-only nginx config (serving /.well-known/acme-challenge/).
  2. Issue: 
    docker compose run --rm certbot certonly \
  --webroot -w /var/www/certbot \
  --email "$LETSENCRYPT_EMAIL" --agree-tos --no-eff-email \
  -d gitea.example.com -d grafana.example.com -d nodered.example.com
  3. Drop HTTPS vhost configs into config/conf.d/ and reload nginx.

The sidecar then renews automatically.

TODO

  • Write base config/nginx.conf (http + stream contexts)
  • Per-upstream vhost templates with OIDC auth_request to Keycloak
  • Decide internal PKI vs Let's Encrypt for cloud-internal hostnames not reachable from the public internet
  • Edge-side variant: bind to plant-LAN IP only, internal CA for plant.local hostnames
Reference in New Issue View Git Blame Copy Permalink