RnD/infra
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
af354a4b9ef64e0a231e48bb62fd5ccd64eeb4b3
infra/cloud
History
znetsixe af354a4b9e feat(cloud): short function-based subdomains + harden keycloak with postgres 
Subdomain rename (Versio side keeps original tool-named hostnames)
- nginx vhosts updated:
    grafana   -> dash.wbd-rd.nl
    gitea     -> git.wbd-rd.nl
    keycloak  -> auth.wbd-rd.nl
    node-red  -> flow.wbd-rd.nl
    mlflow    -> ml.wbd-rd.nl
    jupyter   -> hub.wbd-rd.nl
    portainer -> ops.wbd-rd.nl
    rabbitmq  -> mq.wbd-rd.nl
    jenkins   -> ci.wbd-rd.nl
    mqtt      -> mqtt.wbd-rd.nl   (no Versio conflict assumed)
- nginx-proxy README: bootstrap cert -d list + DNS A-record prereqs updated
- cloud/.env.example: GITEA_ROOT_URL, GRAFANA_ROOT_URL, KEYCLOAK_HOSTNAME

Function-based names are tool-agnostic (a Grafana -> Kibana swap leaves
dash.wbd-rd.nl meaningful) and avoid one-off "*2" suffixes.

Keycloak hardening
- Switch backend from bundled file storage to postgres (keycloak DB
  already provisioned by sql/config/init.d/01-databases.sh).
- KC_HOSTNAME=auth.wbd-rd.nl, KC_PROXY_HEADERS=xforwarded for nginx
  reverse-proxy posture; KC_HTTP_ENABLED=true since nginx terminates TLS.
- Added KC_HOSTNAME_STRICT, KC_HEALTH_ENABLED, KC_METRICS_ENABLED.
- Service joins app + mgmt + data networks (data needed for postgres).
- Mounted config/realms/ for realm-as-code (kc.sh import) — TODO to
  populate once realm + clients are designed.
- README documents the recommended realm structure (wbd realm, one
  client per app with redirect URIs) and the oauth2-proxy approach
  for apps without native OIDC (mlflow, portainer-CE).

cloud
- Uncomment keycloak include in cloud/compose.yml.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 13:54:57 +02:00
..
.env.example
feat(cloud): short function-based subdomains + harden keycloak with postgres
2026-05-21 13:54:57 +02:00
compose.yml
feat(cloud): short function-based subdomains + harden keycloak with postgres
2026-05-21 13:54:57 +02:00
README.md
scaffold: hub-and-spoke layout, 4-network topology, 13 stack stubs
2026-05-21 12:37:59 +02:00

README.md

cloud

The single central hub. One deployment, internet-facing.

What runs here

nginx-proxy, wireguard-server, keycloak, portainer, influxdb, grafana, node-red, mqtt, postfix, gitea, jenkins, sql.

See ../docs/architecture.md for the full network topology and ingress table.

Run

cp .env.example .env     # fill in real secrets first
docker compose up -d
docker compose ps

Ingress (host port bindings)

Port Container
tcp/80, 443 nginx-proxy
tcp/8883 nginx-proxy (MQTT-TLS via stream block)
udp/51820 wireguard-server

Everything else stays on the internal app / data / mgmt networks.

Adding a new stack

  1. Create stacks/<name>/ with compose.yml, .env.example, README.md.
  2. Uncomment (or add) the include: entry in compose.yml.
  3. Add the stack's env vars to .env.example.
  4. docker compose pull && docker compose up -d.
Reference in New Issue View Git Blame Copy Permalink