Boring, proven building blocks โ arranged for resilience.
Browser (Turbo Drive ยท nonce-based CSP ยท per-tab product header) โ HTTPS nginx edge โ TLS ยท gzip ยท static cache โ Gunicorn (4 workers ร 8 threads) โโโ Flask app factory โ โ โ PostgreSQL Redis Scheduler sidecar (systemd) source of truth rate-limit + cron catalog: syncs, backups, + device cache shared cache cert scans, upgrade runbooks โ Streaming replica (TLS, mutual-CA) โโโถ standby node
Two-node active/standby clustering is built into the installer โ not bolted on.
PostgreSQL streaming replication with enforced TLS and mutual certificate authentication; application data rsynced to the standby every 5 minutes with role guards, so a promoted standby never overwrites the primary.
The primary generates a single join key at install time; paste it on the secondary and replication, shared secrets and node certificates configure themselves. Each node mints its own leaf certificate locally.
Live database, portable backup bundles, git-versioned device configs and an external SFTP backup server โ four independent copies across failure domains, summarized in a live coverage matrix.
Every internal channel is encrypted, and the app proves it with live probes โ not assumptions.
The primary node operates a built-in certificate authority. Node certificates are issued, renewed nightly, and rolled back automatically if an import breaks the web front.
Replication and application connections run over TLS with mutual certificate verification โ plain or cert-less connections are refused, and the policy (minimum protocol, ciphers) is tunable from the UI.
Node-to-node health checks ride HTTPS and carry a shared identity key, so each node can trust โ and render โ the other's state without SSH access.
A monitoring page shows one card per channel โ appโapp, appโDB, replication, git โ with protocol, cipher, enforcement and authentication, each badge backed by a real probe.
Every write path lands in the audit log; risky operations go through Change Requests with maintenance-window approval gates.
Appliance credentials and integration secrets are Fernet-encrypted in the database; API tokens are scoped, owner-capped and product-bound.