# Tiers

Detailed roles per tier of the platform. See [ADR-0002](../../decisions/0002-jerarquia-tiers.md) for the rationale.

## Blocao Router

**Hardware default**: GL.iNet GL-MT6000 (Filogic 880, 4×2.5GbE, WiFi 6E).

**Alternative**: Banana Pi BPi-R4 (when more LAN ports needed).

**OS**: OpenWrt 23.05+.

**Roles**:
- **Network gateway**: WAN, LAN, VLAN segmentation, firewall, NAT.
- **DHCP server**: per-VLAN, with static reservations for cameras.
- **DNS resolver + sinkhole**: dnsmasq with custom block lists.
- **MQTT broker**: Mosquitto, local broker for site.
- **MQTT bridge**: TLS bridge to the hub, when configured.
- **GitOps reconciler**: cron-driven, fetches both site-config and fleet-config repos.
- **Service registry**: tracks which Cells are alive and reachable.
- **Console host**: serves the SPA at `http://blocao-router.local/`.
- **Reverse proxy**: routes API calls to Cell or local ubus.
- **Time source**: chrony with NTS, distributes time to LAN.
- **Tailscale exit**: handles VPN for remote operators.
- **Failover orchestrator**: WAN failover via mwan3 (cellular, dual-WAN).

**Why a router?** Co-locating these functions on a single appliance simplifies the install (one box, one cable to the internet, one cable to the switch) and concentrates the sovereignty layer in one place. The router is the "bouncer at the door" of the site network.

## Blocao Cell

**Hardware default**: Banana Pi BPI-W3 (RK3588, 8GB RAM, 2TB NVMe slot, 6 TOPS NPU).

**Alternative**: Radxa Rock 5B+, FriendlyElec NanoPi R6S.

**OS**: Balena OS (managed via balenaCloud).

**Roles**:
- **Frigate host**: runs Frigate with RKNN backend, processes RTSP streams.
- **Enricher**: consumes events, generates CLIP embeddings, re-ID vectors, content hashes.
- **Forensic engine**: API endpoint for natural-language queries, fuses results from Frigate + (future) audio + access events.
- **Re-ID service**: tracks identities across cameras using x-vector or similar.
- **Healthd**: 5-min selftest publisher.
- **Storage**: NVMe for hot (last 7 days), HDD for cold (rest of retention). LUKS-encrypted.
- **Local API**: exposes `/api/cell/*` consumed by the router's reverse proxy.

**Why separate from the router?** The router is a small, low-power appliance optimized for networking. AI inference needs a fundamentally different chip (NPU/GPU). Decoupling lets each evolve independently.

## Blocao Core (optional)

**Hardware**: Jetson Orin NX 16GB.

**OS**: Ubuntu 22.04 LTS (or Balena, depending on customer preference).

**When**: deployments with >3 Cells, or Cells running heavier models that exceed RK3588 capacity (e.g., a custom YOLOv8x for a specific use case).

**Roles**:
- Federates inference across multiple Cells (e.g., re-ID across all cameras of a 30-cam site).
- Runs heavier models that don't fit on a Cell's NPU (e.g., custom embedding models, fine-tuned LLMs for legal queries).
- Acts as a local hub-equivalent for sites that won't connect to the central hub at all (large air-gapped deployments).

**Why Jetson and not a bigger RK3588?** Jetson has CUDA, a much wider model ecosystem, and its pricing has come down. For sites that need it, the difference is qualitative.

## Blocao Hub

**Hardware**: Hetzner dedicated bare-metal (default), with optional OVH replica.

**OS**: Debian 12.

**Roles**:
- **Multi-site control plane**: aggregates state from all sites' bridges.
- **Cross-site forensic search**: query that spans sites via distributed embeddings.
- **Operator auth**: Keycloak OIDC.
- **Embeddings index**: long-term retention of embeddings (with appropriate compression). Qdrant.
- **Time-series store**: telemetry, health history. TimescaleDB.
- **Object store**: backups, evidence pack archive. MinIO, with MinIO's built-in encryption enabled.
- **Site enrollment**: issues fleet tokens, exchanges for mTLS certs.
- **Sites Overview UI**: separate from the router console; shows the fleet at a glance.

**Sovereignty notes**: hub data centers are under EU jurisdiction (Falkenstein, DE; Helsinki, FI). No US presence. SCCs plus supplementary measures for transfers if the customer requires them. Optional self-hosting by enterprise customers.

## Topology notation

In docs and configurations, deployments are written as:

| Notation | Meaning |
|---|---|
| `R+0` | Router only, no edge AI yet (e.g., site preparing to install Cell) |
| `R+1` | Router + 1 Cell (most common small deployment) |
| `R+3` | Router + 3 Cells (medium site, ~24-32 cameras) |
| `R+3+C` | Router + 3 Cells + 1 Core (large site or air-gapped) |
| `H[+5]` | Hub managing 5 sites |
| `H[+50]` | Hub managing 50 sites |

A full descriptor: `H[+12] / R+2 (BL-WAREHOUSE-1) / R+1 (BL-WAREHOUSE-2) / ...`.
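The descriptor notation above, as an added example that is not part of the project's own code: a small Python parser that turns a full descriptor into structured units, re-emits each unit for a round-trip check, and flags descriptors whose listed sites contradict the hub's `H[+N]` count. The label character set, treating a trailing `...` as "more sites elided", and the duplicate-label check are assumptions of this example, not something the page specifies.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

HUB_RE = re.compile(r"^H\[\+(\d+)\]$")
# Label charset (letters, digits, '-', '_') is an assumption based on the page's site ids.
SITE_RE = re.compile(r"^R\+(\d+)(\+C)?(?:\s*\(([A-Za-z0-9_-]+)\))?$")

@dataclass
class Site:
    cells: int                   # N in R+N
    core: bool = False           # '+C' suffix present
    label: Optional[str] = None  # site id in parentheses, if given

    def notation(self) -> str:   # re-emit in the page's notation (round-trip check)
        s = f"R+{self.cells}" + ("+C" if self.core else "")
        return s + (f" ({self.label})" if self.label else "")

@dataclass
class Deployment:
    hub_sites: Optional[int] = None           # N in H[+N]; None when no hub
    sites: list = field(default_factory=list)
    truncated: bool = False                   # descriptor ended with '...' (assumed meaning: sites elided)

def parse_descriptor(text: str) -> Deployment:
    """Parse e.g. 'H[+12] / R+2 (BL-WAREHOUSE-1) / R+1 (BL-WAREHOUSE-2) / ...'."""
    dep = Deployment()
    for unit in (u.strip() for u in text.split("/")):
        if unit == "...":
            dep.truncated = True
        elif m := HUB_RE.match(unit):
            if dep.hub_sites is not None:
                raise ValueError("descriptor names more than one hub")
            dep.hub_sites = int(m.group(1))
        elif m := SITE_RE.match(unit):
            dep.sites.append(Site(int(m.group(1)), m.group(2) is not None, m.group(3)))
        else:
            raise ValueError(f"unrecognised unit: {unit!r}")
    return dep

def check_consistency(dep: Deployment) -> list[str]:
    """Warnings: listed sites vs. H[+N] (fewer is fine only when '...' elided some), duplicate labels."""
    warnings, listed = [], len(dep.sites)
    if dep.hub_sites is not None and dep.sites:
        if listed > dep.hub_sites or (listed < dep.hub_sites and not dep.truncated):
            warnings.append(f"hub manages {dep.hub_sites} site(s) but {listed} listed")
    labels = [s.label for s in dep.sites if s.label]
    for dup in sorted({l for l in labels if labels.count(l) > 1}):
        warnings.append(f"site label {dup!r} appears more than once")
    return warnings
```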