4117ec6063
Stage 5 — make the cloud composition spin up in one command and add
the SensorThings (FROST) stack as a fully segregated tenant.
cloud/deploy.sh — idempotent, 7-step bring-up:
preflight → validate → up + wait → cert state → issue/renew →
service status → endpoint smoke test. Reissues LE cert only when
current issuer no longer matches ACME_CA_URI. Move-aside-then-
restore-on-failure so the bootstrap cert survives a failed certbot.
stacks/frost — new stack, segregated from shared sql/rabbitmq:
- dedicated postgis container (frost-db)
- dedicated internal mosquitto bus (frost-mosquitto)
- frost-http + frost-mqtt on a private frost-internal network,
joined to cloud-app only for nginx ingress at frost.wbd-rd.nl
- shared mosquitto stack deleted; rabbitmq remains the only public
MQTT broker (mqtt.wbd-rd.nl:8883 via stream proxy)
stacks/sql — pg_isready healthcheck so keycloak/gitea/mlflow can gate
on service_healthy via cloud-level depends_on overrides.
stacks/nginx-proxy:
- nginx-init service generates a self-signed bootstrap cert on
fresh deploy so nginx starts before certbot has issued a real one
- frost.wbd-rd.nl vhost (/FROST-Server → frost-http:8080,
/mqtt → frost-mqtt:9876 WebSocket)
stacks/mlflow — custom Dockerfile (upstream + psycopg2-binary) so the
official image can speak to the shared sql backend.
stacks/jupyterhub — DummyAuthenticator stub gated by
JUPYTERHUB_ADMIN_PASSWORD; TODO comments point at OIDC + DockerSpawner.
stacks/rabbitmq — config/{enabled_plugins,rabbitmq.conf} stubs
(management + mqtt plugins, MQTT auth required).
stacks/portainer — ports unpublished; nginx now the only ingress.
stacks/node-red — pin to 4.1 (the floating "4" tag does not exist).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
74 lines
2.3 KiB
YAML
74 lines
2.3 KiB
YAML
# nginx-proxy — TLS reverse proxy (HTTPS + MQTT-TLS stream proxy)
|
|
# Stock nginx + certbot sidecar for Let's Encrypt automation.
|
|
# Networks: edge (port publisher) + app (proxy targets)
|
|
# Publishes: 80, 443, 8883 on the host
|
|
|
|
services:
|
|
# One-shot init: generate a self-signed dummy cert if /etc/letsencrypt/live/infra/
|
|
# doesn't already have one. Lets nginx start on a fresh deploy before certbot has
|
|
# issued the real cert via HTTP-01. Subsequent runs are no-ops.
|
|
nginx-init:
|
|
image: alpine/openssl:latest
|
|
restart: "no"
|
|
volumes:
|
|
- nginx-certs:/etc/letsencrypt
|
|
entrypoint: ["/bin/sh", "-c"]
|
|
command:
|
|
- |
|
|
set -eu
|
|
d=/etc/letsencrypt/live/infra
|
|
if [ ! -s "$$d/fullchain.pem" ] || [ ! -s "$$d/privkey.pem" ]; then
|
|
echo "nginx-init: generating self-signed bootstrap cert at $$d"
|
|
mkdir -p "$$d"
|
|
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout "$$d/privkey.pem" -out "$$d/fullchain.pem" -subj '/CN=bootstrap-infra'
|
|
else
|
|
echo "nginx-init: cert already present at $$d, skipping"
|
|
fi
|
|
|
|
nginx:
|
|
image: nginx:1.27-alpine
|
|
restart: unless-stopped
|
|
networks: [edge, app]
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
- "8883:8883" # MQTT-TLS via stream{} block, SNI route to rabbitmq
|
|
volumes:
|
|
- ./config/nginx.conf:/etc/nginx/nginx.conf:ro
|
|
- ./config/conf.d:/etc/nginx/conf.d:ro
|
|
- ./config/stream.d:/etc/nginx/stream.d:ro
|
|
- nginx-certs:/etc/letsencrypt:ro
|
|
- nginx-acme-challenge:/var/www/certbot:ro
|
|
depends_on:
|
|
nginx-init:
|
|
condition: service_completed_successfully
|
|
certbot:
|
|
condition: service_started
|
|
|
|
certbot:
|
|
image: certbot/certbot:latest
|
|
restart: unless-stopped
|
|
volumes:
|
|
- nginx-certs:/etc/letsencrypt
|
|
- nginx-acme-challenge:/var/www/certbot
|
|
entrypoint: /bin/sh -c
|
|
command: >
|
|
"trap exit TERM;
|
|
while :; do
|
|
certbot renew --webroot -w /var/www/certbot --quiet;
|
|
sleep 12h & wait $${!};
|
|
done"
|
|
# Initial issuance is manual:
|
|
# docker compose run --rm certbot certonly \
|
|
# --webroot -w /var/www/certbot \
|
|
# --email "$LETSENCRYPT_EMAIL" --agree-tos --no-eff-email \
|
|
# -d <host1> -d <host2> ...
|
|
|
|
networks:
|
|
edge:
|
|
app:
|
|
|
|
volumes:
|
|
nginx-certs:
|
|
nginx-acme-challenge:
|