Subdomain rename (Versio side keeps original tool-named hostnames)
- nginx vhosts updated:
    grafana -> dash.wbd-rd.nl
    gitea -> git.wbd-rd.nl
    keycloak -> auth.wbd-rd.nl
    node-red -> flow.wbd-rd.nl
    mlflow -> ml.wbd-rd.nl
    jupyter -> hub.wbd-rd.nl
    portainer -> ops.wbd-rd.nl
    rabbitmq -> mq.wbd-rd.nl
    jenkins -> ci.wbd-rd.nl
    mqtt -> mqtt.wbd-rd.nl (no Versio conflict assumed)
- nginx-proxy README: bootstrap cert -d list + DNS A-record prereqs updated
- cloud/.env.example: GITEA_ROOT_URL, GRAFANA_ROOT_URL, KEYCLOAK_HOSTNAME
Function-based names are tool-agnostic (a Grafana -> Kibana swap leaves
dash.wbd-rd.nl meaningful) and avoid one-off "*2" suffixes.
Keycloak hardening
- Switch backend from bundled file storage to postgres (keycloak DB
already provisioned by sql/config/init.d/01-databases.sh).
- KC_HOSTNAME=auth.wbd-rd.nl, KC_PROXY_HEADERS=xforwarded for nginx
reverse-proxy posture; KC_HTTP_ENABLED=true since nginx terminates TLS.
- Added KC_HOSTNAME_STRICT, KC_HEALTH_ENABLED, KC_METRICS_ENABLED.
- Service joins app + mgmt + data networks (data needed for postgres).
- Mounted config/realms/ for realm-as-code (kc.sh import) — TODO to
populate once realm + clients are designed.
- README documents the recommended realm structure (wbd realm, one
client per app with redirect URIs) and the oauth2-proxy approach
for apps without native OIDC (mlflow, portainer-CE).
cloud
- Uncomment keycloak include in cloud/compose.yml.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
53 lines
1.6 KiB
YAML
# Cloud / Central layer composition.
# Includes all cloud-relevant stacks and defines the 4-network topology.
# Run: cp .env.example .env && docker compose up -d

name: cloud

# Uncomment includes as each stack is hardened beyond stub.
include:
  # Foundation (round 3) — ingress, auth backing store, ops console
  - ../stacks/nginx-proxy/compose.yml
  - ../stacks/sql/compose.yml
  - ../stacks/portainer/compose.yml
  # Core identity + VPN
  # - ../stacks/wireguard-server/compose.yml
  - ../stacks/keycloak/compose.yml
  # Data
  # - ../stacks/influxdb/compose.yml
  # Apps
  # - ../stacks/node-red/compose.yml
  # - ../stacks/grafana/compose.yml
  # - ../stacks/gitea/compose.yml
  # - ../stacks/jenkins/compose.yml
  # Messaging + mail
  # - ../stacks/rabbitmq/compose.yml
  # - ../stacks/postfix/compose.yml
  # ML / notebooks
  # - ../stacks/mlflow/compose.yml
  # - ../stacks/jupyterhub/compose.yml
  # FROST (when deployed)
  # - ../stacks/mosquitto/compose.yml

# NOTE on portainer transition:
# The portainer stack publishes 9443+8000 for standalone first-run use.
# When bringing it up through this cloud compose, take the standalone
# instance down first (`cd stacks/portainer && docker compose down`) and
# comment out the `ports:` block in stacks/portainer/compose.yml so
# nginx-proxy is the only ingress. Access then via https://portainer.wbd-rd.nl/.

networks:
  edge:
    name: cloud-edge
    driver: bridge
  app:
    name: cloud-app
    driver: bridge
  data:
    name: cloud-data
    driver: bridge
    internal: true # databases — no internet egress
  mgmt:
    name: cloud-mgmt
    driver: bridge
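As an added example (not a file from this repository): a small lint over a merged compose config that checks the two isolation rules the file's comments state, namely that nginx-proxy is the only service publishing ports and that the data network stays `internal: true`. The sample config, the expected `docker compose config` dict shape, and the extra "no service bridges edge and data" rule are constructed assumptions, not the project's own.

```python
# Added example, not part of the repo: lint a merged compose topology for the
# ingress/isolation rules described in cloud/compose.yml. Assumes the dict
# shape that `docker compose config` emits (services.<name>.networks/ports,
# networks.<name>.internal).

INGRESS = "nginx-proxy"          # the only service that may publish ports
MUST_BE_INTERNAL = {"data"}      # database tier: internal: true, no egress
EDGE_NETWORKS = {"edge"}         # networks reachable from the internet


def lint_topology(config, ingress=INGRESS, internal=MUST_BE_INTERNAL,
                  edge=EDGE_NETWORKS):
    """Return a list of findings; an empty list means the topology passes."""
    findings = []
    networks = config.get("networks") or {}
    for name in internal:
        if not (networks.get(name) or {}).get("internal", False):
            findings.append(f"network {name!r} must set internal: true")
    for svc, spec in (config.get("services") or {}).items():
        attached = set(spec.get("networks") or [])   # list or alias dict
        if spec.get("ports") and svc != ingress:
            findings.append(
                f"{svc} publishes {spec['ports']}; only {ingress} is ingress")
        # Assumed tiering rule: nothing sits on both an edge and a DB network.
        if attached & edge and attached & internal:
            findings.append(
                f"{svc} bridges edge and internal networks {sorted(attached)}")
    return findings


# Constructed sample: the cloud stack before portainer's standalone ports are
# commented out, as the NOTE in cloud/compose.yml asks.
SAMPLE = {
    "networks": {
        "edge": {"name": "cloud-edge", "driver": "bridge"},
        "app": {"name": "cloud-app", "driver": "bridge"},
        "data": {"name": "cloud-data", "driver": "bridge", "internal": True},
        "mgmt": {"name": "cloud-mgmt", "driver": "bridge"},
    },
    "services": {
        "nginx-proxy": {"networks": ["edge", "app", "mgmt"],
                        "ports": ["80:80", "443:443"]},
        "keycloak": {"networks": ["app", "mgmt", "data"]},
        "postgres": {"networks": ["data"]},
        "portainer": {"networks": ["mgmt"], "ports": ["9443:9443", "8000:8000"]},
    },
}

if __name__ == "__main__":
    for line in lint_topology(SAMPLE) or ["topology OK"]:
        print(line)
```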