diff --git a/docs/04-deployments/single-site.md b/docs/04-deployments/single-site.md new file mode 100644 index 0000000..b72d043 --- /dev/null +++ b/docs/04-deployments/single-site.md 
@@ -0,0 +1,99 @@ +# Single-site deployment + +The default deployment pattern. Most customers start here. + +## Topology + +`R+1`: 1 router + 1 Cell + N cameras + optional operator workstation. + +``` + Internet (WAN) + │ + ▼ + ┌──────────┐ + │ Blocao │ + │ Router │ + └────┬─────┘ + ┌────────┴────────────┐ + │ │ + VLAN-10 VLAN-20 + Cameras (N) Cell + 192.168.10/24 192.168.20.10 + │ + ├── cam-01 (PoE) + ├── cam-02 (PoE) + ├── cam-03 (WiFi 5GHz) + └── cam-04 (...) +``` + +## Hardware shopping list (4-cam example) + +| Item | Model | Notes | +|---|---|---| +| Router | GL.iNet GL-MT6000 | 4×2.5GbE LAN + 1×2.5GbE WAN, WiFi 6E | +| Cell | Banana Pi BPI-W3 + 1TB NVMe + 4TB HDD | RK3588 with 6 TOPS NPU | +| Cameras | 4× Reolink RLC-820A or equivalent | 4K, ONVIF, PoE | +| PoE switch | Mikrotik CSS610-8P-2S+IN | 8 PoE+ ports + 2 SFP+ | +| UPS | Any 600W+ | Cell + router for 30min | + +Approximate hardware cost: €1,500-2,500 depending on cameras chosen. + +## Install procedure + +1. **Prep at office**: + - Flash router with Blocao firmware (image from CI artifacts). + - Verify Balena fleet has the Cell stack ready. + - Pre-configure site ID and network parameters in the wizard if known. + +2. **On site**: + - Mount cameras, run cabling. + - Connect: cameras → PoE switch → router LAN port (trunked VLAN), Cell → router LAN port, WAN cable to upstream router/modem. + - Power on router first, then Cell, then cameras. + +3. **First boot**: + - From a laptop on VLAN-30 (or via Tailscale if pre-provisioned), open `http://blocao-router.local/`. + - Wizard runs. Installer goes through 6 steps (~15 minutes). + - Provisioning completes; redirects to SYNOPSIS. + +4. **Camera onboarding**: + - From CAMS panel, click ADD CAMERA. + - Auto-discovery finds cameras in VLAN-10. + - For each: authenticate, force password rotation, test stream, name, save. + - Verify event flow in SYNOPSIS. + +5. **Verification**: + - HEALTH panel shows all green. + - MQTT panel shows events flowing. 
+ - Walk in front of a camera, confirm event in MQTT live tail. + +6. **Handover**: + - Customer-side admin gets operator credentials. + - Walk through FORENSICS panel with sample data. + - Document case management workflow if applicable. + +Estimated time on site: half a day for an experienced installer with prepped hardware. + +## What customer sees + +Day 1 after install: cameras recording, events being detected, console accessible from mgmt VLAN or via Tailscale. + +Day 30: 30 days of footage retained, queries work across that range, evidence packs exportable for any case. + +Day 90: typical first review meeting. Customer feedback informs config tweaks (zone definitions, retention overrides, model thresholds). + +## Common gotchas + +- **Camera vendor portal phone-home blocked**: cameras may show "cloud disconnected" in their own UI. This is intentional. Show the customer the DNS sinkhole stat for reassurance. +- **WiFi cameras drop**: 2.4GHz is congested, 5GHz has range issues. Use cabled cameras when possible; HaLow as the future option for distance. +- **WAN flaky**: hub bridge will queue events and reconnect. Customer doesn't need to do anything. +- **Wrong NTP**: chrony with NTS is the default. If a customer has a strict internal NTP server, configure it in the wizard step. +- **Operator forgets password**: recovery via console port on the router (physical access) or hub-side Keycloak admin reset. + +## Limits of single-site + +- One Cell ≈ 8-12 cameras at 1080p H.265 with full Frigate. Beyond that, scale to `R+2` (two Cells). +- Local storage limit: see [`../01-architecture/storage-retention.md`](../01-architecture/storage-retention.md). +- No cross-site queries (need hub). +- No central operator audit (need hub). + +For single-site only, the customer doesn't need a hub subscription. Standalone mode (configured in wizard step 5) skips hub registration entirely.
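Review bot: the "Handover" step (item 6 of the install procedure) gives the customer-side admin operator credentials but never retires the installer's own provisioning access; add a line such as "- Rotate or revoke the installer/bootstrap credentials and confirm the customer admin has changed the initial operator password" so the procedure does not leave installer access in place on every site. Two smaller documentation gaps in the same hunk: "First boot" opens the wizard at `http://blocao-router.local/` without saying whether the wizard is served over HTTPS or redirects to it, which matters because site ID and network parameters are entered there; and the "Camera vendor portal phone-home blocked" gotcha points only at the DNS sinkhole stat, so state whether VLAN-10 also has a WAN egress firewall rule, since a DNS sinkhole alone does not stop a camera that reaches a vendor endpoint by IP address.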