Architecture at a glance

Boring, proven building blocks โ€” arranged for resilience.

Browser (Turbo Drive ยท nonce-based CSP ยท per-tab product header)
   โ”‚ HTTPS
nginx edge โ€” TLS ยท gzip ยท static cache
   โ”‚
Gunicorn (4 workers ร— 8 threads) โ”€โ”€โ”€ Flask app factory
   โ”‚              โ”‚                        โ”‚
PostgreSQL     Redis              Scheduler sidecar (systemd)
source of truth  rate-limit +        cron catalog: syncs, backups,
+ device cache   shared cache        cert scans, upgrade runbooks
   โ”‚
Streaming replica (TLS, mutual-CA) โ”€โ”€โ–ถ standby node

High availability & layered backups

Two-node active/standby clustering is built into the installer โ€” not bolted on.

๐Ÿ”

Primary / standby pair

PostgreSQL streaming replication with enforced TLS and mutual certificate authentication; application data rsynced to the standby every 5 minutes with role guards, so a promoted standby never overwrites the primary.

๐Ÿ”‘

One-paste cluster join

The primary generates a single join key at install time; paste it on the secondary and replication, shared secrets and node certificates configure themselves. Each node mints its own leaf certificate locally.

๐Ÿงฏ

Defense-in-depth backups

Live database, portable backup bundles, git-versioned device configs and an external SFTP backup server โ€” four independent copies across failure domains, summarized in a live coverage matrix.

Trust & encryption in transit

Every internal channel is encrypted, and the app proves it with live probes โ€” not assumptions.

๐Ÿ”

Internal CA

The primary node operates a built-in certificate authority. Node certificates are issued, renewed nightly, and rolled back automatically if an import breaks the web front.

๐Ÿ”’

Enforced database TLS

Replication and application connections run over TLS with mutual certificate verification โ€” plain or cert-less connections are refused, and the policy (minimum protocol, ciphers) is tunable from the UI.

๐Ÿ›ฐ๏ธ

Authenticated peer probes

Node-to-node health checks ride HTTPS and carry a shared identity key, so each node can trust โ€” and render โ€” the other's state without SSH access.

๐Ÿ“ก

Live encryption monitoring

A monitoring page shows one card per channel โ€” appโ†”app, appโ†”DB, replication, git โ€” with protocol, cipher, enforcement and authentication, each badge backed by a real probe.

๐Ÿงพ

Audited writes everywhere

Every write path lands in the audit log; risky operations go through Change Requests with maintenance-window approval gates.

๐Ÿ—๏ธ

Secrets encrypted at rest

Appliance credentials and integration secrets are Fernet-encrypted in the database; API tokens are scoped, owner-capped and product-bound.