Infrastructure

Traffic flow

graph LR
  User[User Browser] -->|HTTPS| Traefik[Traefik Ingress (IngressClass traefik)]
  Traefik -->|Host: lomavuokraus.fi / staging.lomavuokraus.fi| Service[Service port 80 to 3000]
  Service --> Pod[Next.js Pods (2)]
  Pod --> DB[(PostgreSQL 46.62.203.202)]
  Pod --> SMTP[smtp.sohva.org]
  subgraph Cluster [k3s Cluster hel1 cx22 157.180.66.64]
    Traefik
    Service
    Pod
    CertMgr[cert-manager]
    Secret[Secrets: lomavuokraus-web-secrets]
    CM[ConfigMap: lomavuokraus-web-config]
  end
  CertMgr -->|TLS| Traefik
  Registry[registry.halla-aho.net/thalla/lomavuokraus-web] -->|pull| Pod
  DNS[lomavuokraus.fi / staging.lomavuokraus.fi / api.lomavuokraus.fi] --> Traefik

Mermaid renders directly in the browser; edit the graph in this file to update.

Cluster & Namespaces

Single-node k3s (Hetzner hel1 cx22) at 157.180.66.64.
Namespaces: lomavuokraus-prod, lomavuokraus-staging.
Ingress controller: Traefik (k3s default).
cert-manager v1.15.3 with ClusterIssuers:
- letsencrypt-prod (ACME prod)
- letsencrypt-staging (ACME staging for test certs)
DNS: lomavuokraus.fi, staging.lomavuokraus.fi, api.lomavuokraus.fi -> cluster IP.

Registry

Private registry: registry.halla-aho.net/thalla/lomavuokraus-web.
Credentials stored outside repo (creds/), image pull secret registry-halla in staging/prod namespaces.
Images tagged with git SHA-derived numeric tag and :latest.

App Manifests

k8s/app.yaml templated via envsubst in deploy scripts.
Objects:
- ConfigMap: lomavuokraus-web-config (public env).
- Deployment: 2 replicas, container port 3000, liveness/readiness on /api/health.
- Service: ClusterIP on port 80.
- Ingress: Traefik class, TLS via cert-manager, HTTPS redirect middleware.
- Traefik Middleware: https-redirect to force HTTPS.
Secrets: lomavuokraus-web-secrets in cluster (not in repo).

Runtime Environment

Next.js 14.2.33 (App Router) running via Node.js 20 in Docker.
PostgreSQL DB at 46.62.203.202 (DATABASE_URL in .env, not committed).
SMTP: smtp.sohva.org, DKIM key under creds/dkim/....
Session auth: signed JWT cookie session_token; roles: USER, ADMIN, USER_MODERATOR, LISTING_MODERATOR.