Duration: 01.02.2026 – 31.12.2026
Volume: 300 hrs remote / 100 hrs onsite / 20 hrs travel
Location: Remote / München

The consultant should be based within 100 km of Essen and be available to work onsite at the client on request.

Project Description
- Architecture engagement to define and validate a modern frontend/backend architecture for an on-premise data acquisition and control platform.
- Scope: on-premise, isolated-network deployment using services such as Docker, Nomad, Consul and Ansible (without Kubernetes), compatible with future multi-node clusters.
- Design of an end-to-end architecture for Modbus and non-Modbus data ingestion, transformation, storage (e.g. InfluxDB v3 and Postgres, or comparable time-series and relational databases) and exposure via APIs and a web frontend.
- Definition of the target backend application architecture and its logical building blocks (e.g. device IO, transformation, configuration, gateway/API), with clear responsibilities and boundaries.
- Design of the API layer (REST), including resource model, versioning strategy, error model and contract governance.
- Design of the authentication and authorization model, integrating LDAP/OpenLDAP and a dedicated identity provider (e.g. Keycloak) using OpenID Connect for user authentication and OAuth2 access tokens for API and service-to-service authorization.
- Definition of RBAC and authorization concepts for operators, admins, partners and technical services, including a role/permission matrix and token/claims usage.
- Specification of secure credential and secrets management: tools such as Ansible Vault, certificates/PKI, Modbus credentials, database credentials and API tokens.
- Definition of the data model and persistence strategy across time-series and relational data stores.
- Development of a target deployment and infrastructure architecture that starts with a single-node dev/lab PoC and can grow to a small on-prem cluster.
- Evaluation and introduction of container orchestration tooling (e.g. Nomad) as well as service discovery and service-mesh tooling (e.g. Consul/Consul Connect).
- Design of an observability concept: metrics, logging, tracing, dashboards and alerts using tools such as Prometheus, Grafana and Alertmanager.
- Delivery of a refined, consistent set of architecture documents, decision records and an implementation roadmap.
Tasks

The external consultant takes on the following tasks within the project, which are carried out independently:
- Facilitate workshops with stakeholders (engineering, operations, security) to clarify requirements and constraints for the new architecture.
- Derive and document the target logical decomposition of the backend (device IO, transformation, configuration, gateway/API) and key workflows (read/write cycles, scheduling, backpressure, retries).
- Design API contracts and the resource model for operators, external systems and internal callers; capture these in OpenAPI and architecture diagrams.
- Define end-to-end authentication and authorization flows, including integration with LDAP/OpenLDAP and Keycloak, OpenID Connect login flows, and OAuth2-based access tokens.
- Design secrets and certificate management based on tools such as Ansible Vault and existing PKI processes.
- Specify the data model for devices, registers, measurements, configuration, alarms and historical events, mapping it to appropriate time-series and relational databases.
- Define deployment topology and evolution path: from a single-node dev/lab PoC to a small on-prem cluster using container orchestration (e.g. Nomad) and service-mesh capabilities (e.g. Consul).
- Define non-functional requirements and architecture tactics for resilience, failover, backup/restore and scaling strategies.
- Design an observability baseline including metrics, logging, tracing and standard dashboards.
- Propose a test and quality strategy at architecture level (test pyramid, integration and E2E scenarios, migration validation).
- Produce and maintain key architecture artefacts: architecture overview, cluster diagrams, architecture decision records (ADRs) and an implementation roadmap.
- Provide guidance and guardrails for developers: coding and architecture patterns, module/service boundaries, error handling and API standards.
- Identify technical and delivery risks (e.g. auth complexity, module boundaries, observability gaps) and document mitigations.
Skills & Qualifications

- Strong experience as Solution or Software Architect for on-prem, backend-heavy systems (data platforms or industrial/OT integrations).
- Deep understanding of modular backend architectures and API design, including versioning, error models and contract management.
- Experience designing architectures around containerised workloads using Nomad and Consul (or similar orchestrators/service discovery tools).
- Solid knowledge of authentication and authorization: LDAP/OpenLDAP integration, Keycloak (or similar IdPs) with OpenID Connect and OAuth2, RBAC design and token/claims-based access control.
- Experience designing security and secrets management in on-prem environments, including TLS/mTLS, PKI concepts and tools such as Ansible Vault.
- Familiarity with time-series and relational databases (e.g. InfluxDB v3 and Postgres), including backup/restore and data modelling.
- Understanding of observability practices and tooling (e.g. Prometheus, Grafana, Alertmanager, logging stacks, distributed tracing).
- Ability to write clear architecture documentation, decision records and diagrams.
- Excellent communication and facilitation skills for workshops and stakeholder alignment.
- Experience with industrial protocols (Modbus) and edge/OT data scenarios is a strong plus.
- Experience with on-premise deployments in isolated networks.
- Language: English (fluent); German is a plus.