2f5e3b4183
Round-2 changes locking in scaffold-phase decisions and adding ML/notebook stacks.
Locked decisions
- sql: postgres 16-alpine (was TBD); init.d/ mount for per-app DB provisioning
- nginx-proxy: stock nginx + certbot sidecar (was nginx:alpine TODO).
Chose stock over nginxproxy/nginx-proxy because stream{} is required for
MQTT-TLS reverse-proxy on tcp/8883 to rabbitmq:1883.
- gitea: HTTPS-only (DISABLE_SSH=true). No SSH port published.
MQTT split
- Remove stacks/mqtt placeholder.
- Add stacks/rabbitmq — general-purpose broker (AMQP + MQTT plugin),
used at both cloud and edge. External MQTT clients reach cloud broker
via nginx stream-proxy on 8883.
- Add stacks/mosquitto — reserved for the FROST (SensorThings) stack
only. Cloud-only. Internal to its own stack; no external ingress.
ML / notebooks (cloud-only)
- stacks/mlflow — experiment tracking + model registry. Postgres backend
on sql stack; local volume for artifacts (S3/MinIO is a TODO).
- stacks/jupyterhub — multi-user notebook server. DockerSpawner via
mounted docker.sock; users spawn into cloud-app network so they can
reach mlflow, influxdb (via grafana), rabbitmq.
Sites
- sites/gemaal1 — first edge deployment scaffold. Site-local override
template for binding nginx to PLANT_LAN_IP.
Docs
- README + docs/architecture.md updated: stacks table now lists 15 stacks,
ingress + attachment tables reflect mlflow/jupyterhub, TLS strategy
section locked, MQTT-split section added, Gitea HTTPS-only noted.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
nginx-proxy
The single web ingress for cloud + edge. Reverse-proxies HTTPS UIs and stream-proxies MQTT-TLS to RabbitMQ. TLS certificates managed by a certbot sidecar (Let's Encrypt, HTTP-01 webroot challenge).
- Image: stock
nginx:1.27-alpine(we don't usenginxproxy/nginx-proxybecause we need thestream {}context for MQTT-TLS, which that image doesn't expose cleanly) - Sidecar:
certbot/certbot:latest— renews every 12h, sharednginx-certs+nginx-acme-challengevolumes - Networks:
edge(the only port-publisher) +app(talks to upstream services) - Host ports:
tcp/80,tcp/443,tcp/8883
Config layout
config/
├── nginx.conf # base config — must include `stream {}` directive
├── conf.d/ # HTTP vhosts (one per upstream UI)
│ ├── grafana.conf
│ ├── node-red.conf
│ ├── gitea.conf
│ └── ...
└── stream.d/
└── mqtt.conf # MQTT-TLS stream block, SNI route to rabbitmq:1883
Volumes:
nginx-certs— Let's Encrypt cert chains (/etc/letsencrypt), read-only mounted into nginx, writable from certbotnginx-acme-challenge— webroot for HTTP-01 challenges (/var/www/certbot)
Initial cert issuance
- Start with HTTP-only nginx config (serving
/.well-known/acme-challenge/). - Issue:
docker compose run --rm certbot certonly \ --webroot -w /var/www/certbot \ --email "$LETSENCRYPT_EMAIL" --agree-tos --no-eff-email \ -d gitea.example.com -d grafana.example.com -d nodered.example.com - Drop HTTPS vhost configs into
config/conf.d/and reload nginx.
The sidecar then renews automatically.
TODO
- Write base
config/nginx.conf(http+streamcontexts) - Per-upstream vhost templates with OIDC
auth_requestto Keycloak - Decide internal PKI vs Let's Encrypt for cloud-internal hostnames not reachable from the public internet
- Edge-side variant: bind to plant-LAN IP only, internal CA for plant.local hostnames