cloud: Add multi-tenant pgAdmin deployment configuration

Adds cloud/ directory with configuration for running a shared pgAdmin
instance that serves multiple STATBUS tenants. Key features:

- System-level docker-compose for pgAdmin (independent of tenant instances)
- Host-level Caddyfile with per-tenant forward_auth and SNI routing
- PGADMIN_PORT environment variable for configurable port binding
- Comprehensive documentation with architecture diagrams

Author: jhf

cloud/.env.example

@@ -0,0 +1,15 @@
+# Cloud pgAdmin environment configuration
+# Copy to .env and customize
+
+# pgAdmin port - host Caddy proxies to this
+# Must match the port in Caddyfile's pgadmin_route snippet
+PGADMIN_PORT=5050
+
+# pgAdmin master credentials
+# These are for pgAdmin's internal authentication only
+# Actual database access uses the user's STATBUS credentials
+PGADMIN_DEFAULT_EMAIL=admin@statbus.local
+PGADMIN_DEFAULT_PASSWORD=change-this-to-a-secure-password
+
+# Generate a secure password with:
+#   openssl rand -base64 32

cloud/.gitignore

@@ -0,0 +1,4 @@
+# Ignore actual configuration files (contain credentials/tenant-specific data)
+# Only .example files should be committed
+.env
+servers.json

cloud/Caddyfile.example

@@ -0,0 +1,132 @@
+# Example Host-level Caddyfile for STATBUS Cloud Deployment
+#
+# This Caddyfile runs at the HOST level (not inside Docker) and handles:
+# 1. TLS termination for all tenant subdomains
+# 2. Routing to each tenant's Docker Compose services
+# 3. Shared pgAdmin with per-tenant authentication
+# 4. Layer4 SNI routing for PostgreSQL connections
+#
+# Customize this for your deployment by:
+# 1. Adding/removing tenant blocks
+# 2. Updating port numbers to match your DEPLOYMENT_SLOT_PORT_OFFSET values
+# 3. Configuring your domain and TLS settings
+#
+# Port calculation: base_port = 3000 + (slot_offset × 10)
+#   HTTP: base_port + 0, HTTPS: base_port + 1, App: base_port + 2
+#   REST: base_port + 3, DB: base_port + 4, DB-TLS: base_port + 5
+#
+# Environment variables (set these or replace with values):
+#   PGADMIN_PORT - pgAdmin listen port (default: 5050)
+
+# Global options
+{
+	# Use Let's Encrypt for production
+	# For staging/testing, uncomment:
+	# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
+
+	# Layer4 for PostgreSQL SNI routing
+	layer4 {
+		# PostgreSQL with SNI-based routing (port 5432)
+		:5432 {
+			@ma tls sni ma.statbus.org
+			route @ma {
+				proxy localhost:3025  # ma DB-TLS port
+			}
+
+			@no tls sni no.statbus.org
+			route @no {
+				proxy localhost:3035  # no DB-TLS port
+			}
+
+			@al tls sni al.statbus.org
+			route @al {
+				proxy localhost:3045  # al DB-TLS port
+			}
+		}
+	}
+}
+
+# Reusable snippets
+(pgadmin_route) {
+	# pgAdmin route with tenant-specific authentication
+	# {args[0]} = tenant's REST port for auth_gate
+	handle /pgadmin* {
+		forward_auth localhost:{args[0]} {
+			uri /rpc/auth_gate
+			copy_headers Cookie
+		}
+		reverse_proxy localhost:{$PGADMIN_PORT:5050} {
+			header_up Host {host}
+			header_up X-Forwarded-Proto {scheme}
+			header_up X-Forwarded-Host {host}
+		}
+	}
+}
+
+(tenant_routes) {
+	# Standard tenant routes
+	# {args[0]} = app port, {args[1]} = rest port
+
+	# PostgREST API
+	handle /rest/* {
+		uri strip_prefix /rest
+		reverse_proxy localhost:{args[1]}
+	}
+
+	# Auth gate endpoint (for pgAdmin forward_auth)
+	handle /rest/rpc/auth_gate {
+		reverse_proxy localhost:{args[1]}
+	}
+
+	# Next.js application (catch-all)
+	handle {
+		reverse_proxy localhost:{args[0]}
+	}
+}
+
+(error_handlers) {
+	handle_errors {
+		@unauthorized expression {http.error.status_code} == 401
+		handle @unauthorized {
+			redir /?login=required&redirect={uri} 302
+		}
+	}
+}
+
+# =============================================================================
+# TENANT SITE BLOCKS
+# =============================================================================
+
+# Morocco tenant (slot offset 2: ports 3020-3025)
+ma.statbus.org {
+	import pgadmin_route 3023
+	import tenant_routes 3022 3023
+	import error_handlers
+}
+
+# Norway tenant (slot offset 3: ports 3030-3035)
+no.statbus.org {
+	import pgadmin_route 3033
+	import tenant_routes 3032 3033
+	import error_handlers
+}
+
+# Albania tenant (slot offset 4: ports 3040-3045)
+al.statbus.org {
+	import pgadmin_route 3043
+	import tenant_routes 3042 3043
+	import error_handlers
+}
+
+# =============================================================================
+# OPTIONAL: Root domain redirect
+# =============================================================================
+
+# statbus.org {
+# 	redir https://www.statbus.org{uri} permanent
+# }
+
+# www.statbus.org {
+# 	# Marketing site or redirect to documentation
+# 	reverse_proxy localhost:8080
+# }

cloud/README.md

@@ -0,0 +1,241 @@
+# STATBUS Cloud Deployment
+
+This directory contains configuration files for running STATBUS in a multi-tenant cloud environment with a shared pgAdmin instance.
+
+## Architecture Overview
+
+```
+                                    ┌─────────────────────────────────────┐
+                                    │           Host Server               │
+                                    │                                     │
+    Internet                        │  ┌─────────────────────────────┐   │
+        │                           │  │     Host-level Caddy        │   │
+        │                           │  │                             │   │
+        ├── HTTPS ──────────────────┼─►│  :443 (HTTPS termination)   │   │
+        │   ma.statbus.org/*        │  │    ├── /pgadmin ───────────────┼─┬─► pgAdmin (:$PGADMIN_PORT)
+        │   no.statbus.org/*        │  │    │   (forward_auth first)│   │ │
+        │   al.statbus.org/*        │  │    ├── /rest/* ────────────┼───┼─┼─► tenant REST
+        │                           │  │    └── /* ─────────────────┼───┼─┼─► tenant app
+        │                           │  │                             │   │ │
+        └── PostgreSQL (TLS+SNI) ───┼─►│  :5432 (Layer4 SNI routing) │   │ │
+            ma.statbus.org          │  │    ├── @ma ────────────────┼───┼─┼─► ma DB (:3025)
+            no.statbus.org          │  │    ├── @no ────────────────┼───┼─┼─► no DB (:3035)
+            al.statbus.org          │  │    └── @al ────────────────┼───┼─┼─► al DB (:3045)
+                                    │  └─────────────────────────────┘   │ │
+                                    │                                     │ │
+                                    │  ┌─────────────────────────────┐   │ │
+                                    │  │ Shared pgAdmin (:$PGADMIN_PORT)│◄──┼─┘
+                                    │  │   (cloud/docker-compose)    │   │
+                                    │  └─────────────────────────────┘   │
+                                    │                                     │
+                                    │  ┌─────────────────────────────┐   │
+                                    │  │   Tenant: ma (offset 2)     │   │
+                                    │  │   ├── app   :3022           │   │
+                                    │  │   ├── rest  :3023           │   │
+                                    │  │   ├── db    :3024 (plain)   │   │
+                                    │  │   └── db    :3025 (TLS)     │   │
+                                    │  └─────────────────────────────┘   │
+                                    │                                     │
+                                    │  ┌─────────────────────────────┐   │
+                                    │  │   Tenant: no (offset 3)     │   │
+                                    │  │   ├── app   :3032           │   │
+                                    │  │   ├── rest  :3033           │   │
+                                    │  │   ├── db    :3034 (plain)   │   │
+                                    │  │   └── db    :3035 (TLS)     │   │
+                                    │  └─────────────────────────────┘   │
+                                    │                                     │
+                                    │  ┌─────────────────────────────┐   │
+                                    │  │   Tenant: al (offset 4)     │   │
+                                    │  │   ...                       │   │
+                                    │  └─────────────────────────────┘   │
+                                    └─────────────────────────────────────┘
+```
+
+## Key Concepts
+
+### Deployment Slots
+Each tenant runs in a separate "slot" with isolated ports:
+- **Slot offset** determines port numbers: `base = 3000 + (offset × 10)`
+- Services per slot: HTTP, HTTPS, app, rest, db (plain), db (TLS)
+
+| Tenant | Offset | App Port | REST Port | DB Plain | DB TLS |
+|--------|--------|----------|-----------|----------|--------|
+| local  | 1      | 3012     | 3013      | 3014     | 3015   |
+| ma     | 2      | 3022     | 3023      | 3024     | 3025   |
+| no     | 3      | 3032     | 3033      | 3034     | 3035   |
+| al     | 4      | 3042     | 3043      | 3044     | 3045   |
+
+### pgAdmin Authentication Flow
+1. User visits `https://ma.statbus.org/pgadmin`
+2. Host Caddy's `forward_auth` calls `localhost:3023/rpc/auth_gate` (ma's PostgREST)
+3. `auth_gate` checks for valid JWT in cookies:
+   - Valid JWT → returns 200 OK → Caddy proxies to pgAdmin
+   - No/invalid JWT → returns 401 → Caddy redirects to login page
+4. In pgAdmin, user connects to database with their STATBUS credentials
+5. pgAdmin connects via external hostname (e.g., `ma.statbus.org:5432`)
+6. Host Caddy Layer4 routes by SNI to tenant's TLS port
+
+### Why Shared pgAdmin?
+- **Resource efficiency**: One pgAdmin instance serves all tenants
+- **Simplified management**: Single place for updates and configuration
+- **Tenant isolation maintained**: Each connection goes through proper auth
+
+## Setup Instructions
+
+### 1. Configure Tenant Instances
+Each tenant needs its own STATBUS deployment. In each tenant directory:
+
+```bash
+# Edit .env.config for each tenant
+DEPLOYMENT_SLOT_CODE=ma
+DEPLOYMENT_SLOT_PORT_OFFSET=2
+CADDY_DEPLOYMENT_MODE=private  # Important: private mode for cloud
+ENABLE_PGADMIN=false           # Disable per-instance pgAdmin
+
+# Generate configuration
+./devops/manage-statbus.sh generate-config
+
+# Start tenant services
+./devops/manage-statbus.sh start all
+```
+
+### 2. Configure Shared pgAdmin
+
+```bash
+cd cloud
+
+# Create configuration from examples
+cp .env.example .env
+cp servers.json.example servers.json
+
+# Edit .env - set secure password
+nano .env
+
+# Edit servers.json - add your tenant entries
+nano servers.json
+
+# Start shared pgAdmin
+docker compose -f docker-compose.pgadmin.yml up -d
+```
+
+### 3. Configure Host-level Caddy
+
+Install Caddy with Layer4 plugin on the host (not in Docker):
+
+```bash
+# Install xcaddy
+go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
+
+# Build Caddy with layer4
+xcaddy build --with github.com/mholt/caddy-l4
+
+# Copy example Caddyfile and customize
+cp Caddyfile.example /etc/caddy/Caddyfile
+nano /etc/caddy/Caddyfile
+
+# Start Caddy
+sudo systemctl start caddy
+```
+
+### 4. Set Environment Variables for Caddy
+
+Caddy needs to know the pgAdmin port. Either:
+
+```bash
+# Option A: Export before starting Caddy
+export PGADMIN_PORT=5050
+sudo -E systemctl start caddy
+
+# Option B: Add to systemd environment file
+echo "PGADMIN_PORT=5050" | sudo tee -a /etc/caddy/environment
+sudo systemctl restart caddy
+```
+
+### 5. Verify Setup
+
+```bash
+# Check pgAdmin is running (use port from .env)
+curl -I http://localhost:5050/pgadmin
+
+# Check tenant REST is accessible
+curl http://localhost:3023/
+
+# Test full flow (should redirect to login if not authenticated)
+curl -I https://ma.statbus.org/pgadmin
+```
+
+## Files in This Directory
+
+| File | Purpose |
+|------|---------|
+| `docker-compose.pgadmin.yml` | Shared pgAdmin Docker Compose |
+| `Caddyfile.example` | Full host-level Caddy configuration example |
+| `caddy-pgadmin.snippet` | Reusable Caddy snippet for pgAdmin routing |
+| `servers.json.example` | pgAdmin server definitions template |
+| `.env.example` | Environment variables template |
+| `README.md` | This documentation |
+
+## Customization
+
+### Adding a New Tenant
+
+1. **Deploy tenant STATBUS instance** with unique slot offset
+2. **Add to servers.json**:
+   ```json
+   "4": {
+     "Name": "New Country STATBUS",
+     "Group": "STATBUS Tenants",
+     "Host": "xx.statbus.org",
+     "Port": 5432,
+     "SSLMode": "require",
+     "SSLNegotiation": "direct",
+     "SSLSNI": true
+   }
+   ```
+3. **Add to host Caddyfile**:
+   ```caddyfile
+   # Layer4 SNI routing
+   @xx tls sni xx.statbus.org
+   route @xx {
+     proxy localhost:30X5  # tenant's DB-TLS port
+   }
+
+   # Site block
+   xx.statbus.org {
+     import pgadmin_route 30X3  # tenant's REST port
+     import tenant_routes 30X2 30X3
+     import error_handlers
+   }
+   ```
+4. **Reload services**:
+   ```bash
+   docker compose -f docker-compose.pgadmin.yml restart
+   sudo systemctl reload caddy
+   ```
+
+### Removing pgAdmin Access for a Tenant
+
+Simply remove the `import pgadmin_route` line from that tenant's site block in the host Caddyfile.
+
+## Troubleshooting
+
+### pgAdmin shows 401 Unauthorized
+- Verify tenant's PostgREST is running: `curl localhost:30X3/`
+- Check JWT cookie is set: browser DevTools → Application → Cookies
+- Ensure `auth_gate` function exists in tenant database
+
+### Cannot connect to database in pgAdmin
+- Verify Layer4 SNI routing: `curl -v --resolve xx.statbus.org:5432:127.0.0.1 postgres://xx.statbus.org:5432/`
+- Check tenant's DB-TLS port is exposed
+- Ensure SSLSNI patch is applied (custom pgAdmin image)
+
+### pgAdmin not loading static assets
+- Verify `SCRIPT_NAME=/pgadmin` is set
+- Check Caddy is preserving the path correctly
+
+## Security Considerations
+
+1. **JWT-gated access**: Users must authenticate with STATBUS before accessing pgAdmin
+2. **Per-tenant isolation**: Each pgAdmin database connection uses the user's credentials, enforcing RLS
+3. **TLS everywhere**: All database connections use TLS via SNI routing
+4. **No shared credentials**: pgAdmin master password is only for its internal UI, not database access