# Single-site deployment
The default deployment pattern. Most customers start here.
## Topology
`R+1`: 1 router + 1 Cell + N cameras + optional operator workstation.
```
      Internet (WAN)
        ┌──────────┐
        │  Blocao  │
        │  Router  │
        └────┬─────┘
    ┌────────┴────────────┐
    │                     │
 VLAN-10               VLAN-20
 Cameras (N)           Cell
 192.168.10/24         192.168.20.10
    ├── cam-01 (PoE)
    ├── cam-02 (PoE)
    ├── cam-03 (WiFi 5GHz)
    └── cam-04 (...)
```
## Hardware shopping list (4-cam example)
| Item | Model | Notes |
|---|---|---|
| Router | GL.iNet GL-MT6000 | 4×2.5GbE LAN + 1×2.5GbE WAN, WiFi 6E |
| Cell | Banana Pi BPI-W3 + 1TB NVMe + 4TB HDD | RK3588 with 6 TOPS NPU |
| Cameras | 4× Reolink RLC-820A or equivalent | 4K, ONVIF, PoE |
| PoE switch | Mikrotik CSS610-8P-2S+IN | 8 PoE+ ports + 2 SFP+ |
| UPS | Any 600W+ | Cell + router for 30min |

Approximate hardware cost: €1,500-2,500 depending on cameras chosen.
## Install procedure
1. **Prep at office**:
   - Flash router with Blocao firmware (image from CI artifacts).
   - Verify Balena fleet has the Cell stack ready.
   - Pre-configure site ID and network parameters in the wizard if known.
2. **On site**:
   - Mount cameras, run cabling.
   - Connect: cameras → PoE switch → router LAN port (trunked VLAN), Cell → router LAN port, WAN cable to upstream router/modem.
   - Power on router first, then Cell, then cameras.
3. **First boot**:
   - From a laptop on VLAN-30 (or via Tailscale if pre-provisioned), open `http://blocao-router.local/`.
   - Wizard runs. Installer goes through 6 steps (~15 minutes).
   - Provisioning completes; redirects to SYNOPSIS.
4. **Camera onboarding**:
   - From CAMS panel, click ADD CAMERA.
   - Auto-discovery finds cameras in VLAN-10.
   - For each: authenticate, force password rotation, test stream, name, save.
   - Verify event flow in SYNOPSIS.
5. **Verification**:
   - HEALTH panel shows all green.
   - MQTT panel shows events flowing.
   - Walk in front of a camera, confirm event in MQTT live tail.
6. **Handover**:
   - Customer-side admin gets operator credentials.
   - Walk through FORENSICS panel with sample data.
   - Document case management workflow if applicable.

Estimated time on site: half a day for an experienced installer with prepped hardware.
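
A pre-handover check an installer could run against their own device list, added here as an example (not part of the Blocao tooling). It tests the list against the addressing in the Topology section, the password-rotation step of camera onboarding, and the per-Cell camera range under "Limits of single-site". The inventory format and field names are hypothetical, and the diagram's `192.168.10/24` is read as `192.168.10.0/24`.

```python
import ipaddress

# Addressing from the Topology section. The diagram's "192.168.10/24" is
# read here as 192.168.10.0/24 (assumption).
CAMERA_NET = ipaddress.ip_network("192.168.10.0/24")
CELL_ADDR = ipaddress.ip_address("192.168.20.10")
MAX_CAMERAS_PER_CELL = 12  # upper end of the 8-12 range for one Cell

def check_site(inventory):
    """Return findings for a single-site (R+1) inventory; an empty list means pass."""
    findings = []
    cells = [d for d in inventory if d["role"] == "cell"]
    cams = [d for d in inventory if d["role"] == "camera"]
    if len(cells) != 1:
        findings.append(f"expected exactly 1 Cell for R+1, found {len(cells)}")
    for cell in cells:
        if ipaddress.ip_address(cell["ip"]) != CELL_ADDR:
            findings.append(f"{cell['name']}: Cell at {cell['ip']}, expected {CELL_ADDR}")
    if len(cams) > MAX_CAMERAS_PER_CELL:
        findings.append(f"{len(cams)} cameras exceed one Cell's range; plan R+2")
    seen = {}  # address -> first camera that claimed it
    for cam in cams:
        ip = ipaddress.ip_address(cam["ip"])
        if ip not in CAMERA_NET:
            findings.append(f"{cam['name']}: {ip} is outside camera VLAN-10 ({CAMERA_NET})")
        if ip in seen:
            findings.append(f"{cam['name']}: duplicate address {ip} (also {seen[ip]})")
        seen.setdefault(ip, cam["name"])
        if not cam.get("password_rotated"):
            findings.append(f"{cam['name']}: password rotation not recorded")
    return findings

# Constructed sample inventory (hypothetical field names, not a Blocao export).
SAMPLE = [
    {"name": "cell-01", "role": "cell", "ip": "192.168.20.10"},
    {"name": "cam-01", "role": "camera", "ip": "192.168.10.11", "password_rotated": True},
    {"name": "cam-02", "role": "camera", "ip": "192.168.10.12", "password_rotated": False},
    {"name": "cam-03", "role": "camera", "ip": "192.168.20.23", "password_rotated": True},
    {"name": "cam-04", "role": "camera", "ip": "192.168.10.11", "password_rotated": True},
]

if __name__ == "__main__":
    for finding in check_site(SAMPLE):
        print(finding)
```
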
## What customer sees
Day 1 after install: cameras recording, events being detected, console accessible from mgmt VLAN or via Tailscale.
Day 30: 30 days of footage retained, queries work across that range, evidence packs exportable for any case.
Day 90: typical first review meeting. Customer feedback informs config tweaks (zone definitions, retention overrides, model thresholds).
## Common gotchas
- **Camera vendor portal phone-home blocked**: cameras may show "cloud disconnected" in their own UI. This is intentional. Show the customer the DNS sinkhole stat for reassurance.
- **WiFi cameras drop**: 2.4GHz is congested, 5GHz has range issues. Use cabled cameras when possible; HaLow as the future option for distance.
- **WAN flaky**: hub bridge will queue events and reconnect. Customer doesn't need to do anything.
- **Wrong NTP**: chrony with NTS is the default. If a customer has a strict internal NTP server, configure it in the wizard step.
- **Operator forgets password**: recovery via console port on the router (physical access) or hub-side Keycloak admin reset.
## Limits of single-site
- One Cell ≈ 8-12 cameras at 1080p H.265 with full Frigate. Beyond that, scale to `R+2` (two Cells).
- Local storage limit: see [`../01-architecture/storage-retention.md`](../01-architecture/storage-retention.md).
- No cross-site queries (need hub).
- No central operator audit (need hub).

For single-site only, the customer doesn't need a hub subscription. Standalone mode (configured in wizard step 5) skips hub registration entirely.