INSIGHT-MVP/docs/INFRASTRUCTURE.md
Thomas Reitz 5412ae137a feat: adapt codebase for IP-based HTTP deployment on 172.20.10.59
Switch from hostname+HTTPS (insight-dev.xinion.lan) to IP+HTTP
(172.20.10.59) for alpha/dev deployment without DNS.

Key changes:
- Cookie secure/sameSite flags environment-conditional (fixes HTTP auth)
- docker-compose.yml: remove HTTPS, update host rules, reduce PG memory
- Traefik: disable TLS, update CORS/CSP for HTTP
- Add Prisma init migration (7 tables) and admin seed script
- Generate package-lock.json for npm ci in Docker builds
- Update all documentation for IP-based access

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-08 16:21:45 +01:00


# INSIGHT MVP - Infrastructure Definition
## 1. Overview
The entire INSIGHT platform runs on a single ProxmoxVE VM in the internal network.
All services run as Docker containers.
---
## 2. VM Configuration (ProxmoxVE)
| Component | Specification |
|-----------------|----------------------------------------|
| **Hostname** | `insight-dev-01` |
| **OS** | Ubuntu 24.04 LTS (Server) |
| **CPU** | 4 vCPUs |
| **RAM** | 8 GB (16 GB recommended) |
| **Storage** | 60 GB SSD |
| **Network** | Fixed internal IP (assigned during setup) |
| **SSH access** | Key-based (Ed25519), no password login |
| **User** | `deploy` (non-root, member of the `docker` group) |
### Operating System Hardening
- SSH: key-based only (`PasswordAuthentication no`)
- Firewall (ufw):
  - Port 22 (SSH) - internal network only
  - Port 80 (HTTP) - web access (no HTTPS in Alpha/Dev)
  - All other ports: DENY
- Automatic security updates: `unattended-upgrades` enabled
- Fail2ban for SSH brute-force protection
> **Note:** No HTTPS is used during the Alpha/Dev phase.
> Access is via `http://172.20.10.59` (IP-based, no DNS).
---
## 3. Software on the VM
| Software | Version | Installation method |
|---------------------|-------------|--------------------------------|
| Docker Engine | >= 27.x | Official Docker APT repository |
| Docker Compose | Plugin | Bundled with Docker Engine |
| Git | >= 2.x | APT |
| ufw | Current | APT (preinstalled) |
| fail2ban | Current | APT |
| unattended-upgrades | Current | APT (preinstalled) |
**No** Docker Desktop, no Node.js and no npm on the VM.
Everything runs in containers.
---
## 4. Docker Network Architecture
```
      Internet / internal network
                  |
             [ Port 80 ]
                  |
         +--------v--------+
         |     Traefik     |  API gateway, reverse proxy,
         |    (Gateway)    |  rate limiting
         +----+-------+----+
              |       |
     +--------+       +--------+
     |                         |
+----v-----------+   +---------v------+
|  Core-Service  |   |    Frontend    |
|    (NestJS)    |   |  (React/Vite)  |
|   Port: 3000   |   |   Port: 8080   |
+---+--------+---+   +----------------+
    |        |
+---v----+ +-v---------+
| Redis  | | PgBouncer |
| :6379  | |  :6432    |
+--------+ +-----+-----+
                 |
           +-----v------+
           | PostgreSQL |
           |   :5432    |
           +------------+
```
### Docker Networks
| Network | Purpose |
|---------------|-------------------------------------------------|
| `insight-web` | Traefik <-> Core-Service, Frontend (externally reachable) |
| `insight-db` | Core-Service <-> PgBouncer <-> PostgreSQL (internal) |
| `insight-cache`| Core-Service <-> Redis (internal) |
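As an added example (not the project's own `docker-compose.yml`, which is not reproduced here), this fragment realises the three-network split from the table above with service and image names taken from section 5: only Traefik publishes a port, and the DB and cache networks are `internal`. Note that a `ports:` mapping is handled by Docker's own iptables chain ahead of ufw, so the ufw rules from section 2 do not protect published ports; the control is to publish nothing but port 80.

```yaml
# Added example, not the project's compose file. Service/image names follow
# section 5; environment values are omitted and would come from .env.
services:
  traefik:
    image: traefik:3
    ports:
      - "80:80"                 # the only port published on the VM
    networks: [insight-web]     # no path into the DB or cache networks
  core:
    image: insight-core:latest
    networks: [insight-web, insight-db, insight-cache]
    # no "ports:" entry: reachable only through Traefik
  frontend:
    image: insight-frontend:latest
    networks: [insight-web]
  pgbouncer:
    image: edoburu/pgbouncer:latest
    networks: [insight-db]
  postgres:
    image: postgres:16-alpine
    networks: [insight-db]      # never attached to insight-web
  redis:
    image: redis:7-alpine
    networks: [insight-cache]

networks:
  insight-web:
    driver: bridge
  insight-db:
    driver: bridge
    internal: true              # no route to the host network or internet
  insight-cache:
    driver: bridge
    internal: true
```

Services from the observability stack that need database metrics (e.g. `postgres-exp`) must join `insight-db` explicitly; `internal: true` also blocks outbound traffic from those containers, which is intended for a database and a cache.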
### mTLS (step-ca) - planned for production
> **Status:** mTLS is disabled in the Alpha/Dev phase.
> step-ca will be used later for internal container communication.
| Component | Certificate (planned) |
|---------------|-------------------------------|
| Traefik | Wildcard for the external domain |
| Core-Service | `core-service.insight.local` |
| Frontend | `frontend.insight.local` |
| PostgreSQL | `postgres.insight.local` |
| Redis | `redis.insight.local` |
| PgBouncer | `pgbouncer.insight.local` |
---
## 5. Container Services (docker-compose.yml)
| Service | Image | Port (internal) | Port (external) | Description |
|---------------|--------------------------------|---------------|---------------|-------------------------------|
| `traefik` | traefik:3 | 80, 8080 | 80 | API gateway, reverse proxy |
| `core` | insight-core:latest | 3000 | - | NestJS backend |
| `frontend` | insight-frontend:latest | 8080 | - | React app (served by Nginx) |
| `postgres` | postgres:16-alpine | 5432 | - | Database |
| `pgbouncer` | edoburu/pgbouncer:latest | 6432 | - | Connection pooler |
| `redis` | redis:7-alpine | 6379 | - | Cache, sessions, event bus |
| `step-ca` | smallstep/step-ca:latest | 9000 | - | Internal certificate authority |
---
## 6. Observability Stack (docker-compose.observability.yml)
| Service | Image | Port (internal) | Description |
|------------------|---------------------------------|---------------|-----------------------------|
| `prometheus` | prom/prometheus:latest | 9090 | Metrics storage |
| `grafana` | grafana/grafana:latest | 3001 | Dashboards & alerting |
| `loki` | grafana/loki:latest | 3100 | Log storage |
| `tempo` | grafana/tempo:latest | 3200, 4317 | Tracing backend |
| `promtail` | grafana/promtail:latest | - | Log collector |
| `cadvisor` | gcr.io/cadvisor/cadvisor:latest | 8081 | Container metrics |
| `postgres-exp` | prometheuscommunity/postgres-exporter | 9187 | DB metrics |
**Grafana is NOT publicly reachable** - only via SSH tunnel or the internal network.
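As an added example (not the project's own `docker-compose.observability.yml`), this is the Grafana port mapping that makes the statement above hold: bound to the loopback interface, so it is reachable through an SSH tunnel but not from the network. The weak mapping is kept as a comment for contrast; since Docker publishes ports ahead of ufw, it would be reachable from any host that can reach the VM even though ufw only allows 22 and 80.

```yaml
# Added example, not the project's compose file.
services:
  grafana:
    image: grafana/grafana:latest
    environment:
      GF_SERVER_HTTP_PORT: "3001"   # Grafana listens on 3001 inside the container
    ports:
      # - "3001:3001"               # WEAK: published on all host interfaces
      - "127.0.0.1:3001:3001"       # loopback only: host 127.0.0.1:3001 -> container 3001
```

From a workstation, `ssh -L 3001:127.0.0.1:3001 deploy@172.20.10.59` then exposes the dashboards at `http://localhost:3001` without opening any port on the VM.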
---
## 7. Database Structure
```
PostgreSQL server
  platform_core   <- once: tenants, users, roles, modules, help
  tenant_{slug}   <- per tenant (e.g. tenant_acme_corp)
```
| Database | Purpose |
|-----------------|-----------------------------------------------------|
| `platform_core` | Platform management (users, tenants, roles, modules) |
| `tenant_{slug}` | Tenant data (profile, master data, module data) |
---
## 8. Network / Access
> **Alpha/Dev phase:** No DNS; access via IP address.
> HTTPS will be enabled later together with a DNS entry.
| Access | URL | Purpose |
|----------------------------|--------------------------------|-------------------------------|
| Frontend + API | `http://172.20.10.59` | Development platform |
| API endpoints | `http://172.20.10.59/api/v1/*` | REST API |
| Git server | `git.xinion.lan` | Git repository & CI/CD |
### Later (with DNS):
| Entry | Target | Purpose |
|----------------------------|--------------------|-------------------------------|
| `insight-dev.xinion.lan` | VM IP | Development frontend (HTTPS) |
| `git.xinion.lan` | Forgejo server | Git repository & CI/CD |
---
## 9. Backup (Alpha/Dev)
| What | Where | Frequency |
|----------------------|----------------------------------------|-----------|
| PostgreSQL (all DBs) | Separate ProxmoxVE volume | Daily |
| Media files | Separate ProxmoxVE volume | Daily |
| Configuration | Git repository (without .env) | Per commit|
---
## 10. VM Setup Guide (Step by Step)
### 10.1 Create the VM in ProxmoxVE
```bash
# ProxmoxVE web UI or CLI:
# - Template: Ubuntu 24.04 LTS Cloud-Init
# - CPU: 4 cores
# - RAM: 8192 MB
# - Disk: 60 GB (SCSI, SSD-backed)
# - Network: vmbr0, DHCP or fixed IP
```
### 10.2 Base Setup After Initial Installation
```bash
# Update the system
sudo apt update && sudo apt upgrade -y
# Create the deploy user (non-interactive; no password, login via SSH key only)
sudo adduser --disabled-password --gecos "" deploy
sudo usermod -aG sudo deploy
# Install the SSH key for the deploy user
sudo mkdir -p /home/deploy/.ssh
sudo cp /path/to/deploy_ed25519.pub /home/deploy/.ssh/authorized_keys
sudo chown -R deploy:deploy /home/deploy/.ssh
sudo chmod 700 /home/deploy/.ssh
sudo chmod 600 /home/deploy/.ssh/authorized_keys
# Harden SSH with a drop-in file. Ubuntu 24.04's sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the FIRST value it
# sees, so a low-sorting file name wins over cloud-init's 50-cloud-init.conf.
# (Editing sshd_config with sed is unreliable: the stock file only contains
# the commented default "#PermitRootLogin prohibit-password", which a
# 's/PermitRootLogin yes/.../' pattern never matches.)
sudo tee /etc/ssh/sshd_config.d/00-hardening.conf > /dev/null <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
EOF
# Validate the configuration before restarting so a typo cannot lock you out
sudo sshd -t && sudo systemctl restart ssh
```
### 10.3 Firewall
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
# SSH. Section 2 intends this to be reachable from the internal network only;
# once the subnet is known, replace this rule with
# "sudo ufw allow from <INTERNAL-SUBNET> to any port 22 proto tcp".
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp   # HTTP
sudo ufw allow 443/tcp  # HTTPS (not used in Alpha/Dev, see section 2; prepared for later)
sudo ufw enable
# Note: ports published by Docker ("ports:" in docker-compose.yml) are opened
# by Docker's own iptables rules and are NOT filtered by the ufw rules above.
```
### 10.4 Install Docker
```bash
# Docker's official GPG key
sudo apt install -y ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
  -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the Docker repository
echo "deb [arch=$(dpkg --print-architecture) \
signed-by=/etc/apt/keyrings/docker.asc] \
https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Install Docker
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io \
  docker-buildx-plugin docker-compose-plugin
# Add the deploy user to the docker group
# (membership is effectively root on the host, so keep this group to the deploy user only)
sudo usermod -aG docker deploy
```
### 10.5 Fail2ban
```bash
sudo apt install -y fail2ban
# The default jail configuration already covers sshd
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
```
### 10.6 Deploy the Project
```bash
# As the deploy user (a fresh login also picks up the new docker group membership):
su - deploy
git clone git@git.xinion.lan:gitadmin/INSIGHT-MVP.git ~/insight
cd ~/insight
cp .env.example .env
# Fill in .env with real values (it is deliberately not committed, see section 9)
chmod 600 .env
docker compose up -d
```