faicel/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Page: 00-Architecture-Overview
Pages
00-Architecture-Overview 01-System-Hardware 02-Operating-System 03-SSH-Hardening 04-Docker-Installation 05-Docker-Swarm 06-Network-Architecture 07-Stacks-Deployment 08-Reverse-Proxy 09-Certbot-Lets-Encrypt 10-TURN-server 11-PostgreSQL-Configuration 12-MinIO-Configuration 13-Forgejo-Configuration 14-Mattermost-Configuration 15-Backup-and-Recovery 16-Security-Checklist Home
1 00-Architecture-Overview
faycel edited this page 2026-02-26 22:38:15 +00:00
Unescape Escape
Table of Contents
This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Snapshot date: 2026-02
Deployment model: Single-node Docker Swarm
Host OS: Ubuntu Server

This document describes the logical and network architecture of the production infrastructure.

1. Infrastructure Goal

The server hosts the following production services:

  • Mattermost (team communication)
  • Forgejo (Git service)
  • MinIO (object storage for Mattermost)
  • PostgreSQL (database)
  • Nginx (reverse proxy & TLS termination)
  • Coturn (TURN server, system-level service)

All services are deployed using:

  • Docker Engine
  • Docker Swarm
  • Overlay networks
  • Docker secrets
  • Lets Encrypt (Certbot)
  • UFW firewall
  • Fail2ban

Security and reproducibility are mandatory.

No internal service is directly exposed to the internet.

2. Network-Level Architecture (Docker Swarm)

The infrastructure uses isolated overlay networks.

Networks:

  • web → Reverse proxy + public-facing services
  • internal → Application-to-service communication
  • data → Restricted data layer (PostgreSQL)

Logical Network Diagram

                             Internet
                                 │
                                 ▼
                          ┌─────────────┐
                          │    UFW      │
                          │  Firewall   │
                          └─────────────┘
                                 │
                                 ▼
                          ┌─────────────┐
                          │    Nginx    │
                          │  (web net)  │
                          └─────────────┘
                                 │
                    ┌────────────────────────────────────────────────────────────────────┐
                    ▼                                                                    ▼
             Mattermost                                                               Forgejo
            (web + internal)                                                         (web + internal)
                         │                                                    
                   ┌──────────────────────────────────────────────────────────────────┐  │
                   │                                                                  │  │
                   ▼                                                                  ▼  ▼
                MinIO                                                              PostgreSQL
          (internal only)                                                        (data only)
                   
                    
              

TURN (coturn) runs directly on host (UDP).

Network Membership Matrix

Service web internal
Nginx
Mattermost
Forgejo
MinIO
PostgreSQL

Isolation Principles

  • PostgreSQL is never attached to web.
  • MinIO is never attached to web.
  • Applications cannot access services outside required networks.
  • Reverse proxy is the only HTTP entry point.
  • TURN bypasses Docker (system-level UDP service).

3. Traffic Flow Diagram (Protocols & Ports)

This diagram documents actual network flows between components, including protocol and port information.

External Traffic

Internet
   │
   │ TCP 22
   ▼
SSH (host)

Internet
   │
   │ TCP 80
   │ TCP 443
   ▼
Nginx (Reverse Proxy)

Internet
   │
   │ UDP 3478
   │ UDP 4916049200
   ▼
TURN (coturn - host)

Internal HTTP Flow

Client
   │
   │ HTTP (TCP 80)
   ▼
Nginx
   │
   │ 301 / 308 Redirect
   ▼
Client
   │
   │ HTTPS (TCP 443)
   ▼
Nginx
   │
   │ HTTP (TCP 8065)
   ▼
Mattermost

Client
   │
   │ HTTP (TCP 80)
   ▼
Nginx
   │
   │ 301 / 308 Redirect
   ▼
Client
   │
   │ HTTPS (TCP 443)
   ▼
Nginx
   │
   │ HTTP (TCP 3000)
   ▼
Forgejo

Application containers are never directly exposed publicly.

Database Flow

Mattermost
   │
   │ TCP 5432
   ▼
PostgreSQL

Forgejo
   │
   │ TCP 5432
   ▼
PostgreSQL

PostgreSQL is bound only to the Docker data network.
Port 5432 is never exposed externally.

Object Storage Flow (S3 API)

Mattermost
   │
   │ HTTP (TCP 9000)
   ▼
MinIO

MinIO is internal-only and not exposed publicly.

WebRTC Media Flow

Client Browser
   │
   │ UDP 3478 (TURN control)
   │ UDP 4916049200 (Media relay)
   ▼
coturn (host)

TURN runs directly on the host and is not containerized.

4. Port Summary

Component Protocol Port Exposure
SSH TCP 22 Public
HTTP TCP 80 Public
HTTPS TCP 443 Public
TURN Control UDP 3478 Public
TURN Relay UDP 4916049200 Public
Mattermost TCP 8065 Internal only
Forgejo TCP 3000 Internal only
PostgreSQL TCP 5432 Internal only
MinIO (S3) TCP 9000 Internal only

5. Security Boundaries

Boundary 1 — Host Level

  • SSH hardened
  • UFW active
  • Fail2ban active
  • No password authentication

Boundary 2 — Reverse Proxy

  • TLS termination
  • Domain-based routing
  • No direct container exposure

Boundary 3 — Internal Network

  • Databases isolated
  • Object storage isolated
  • Secrets injected via Docker
  • No plaintext credentials in stack files

6. Resilience Model

Single-node Swarm.

Resilience mechanisms:

  • Service auto-restart
  • Volume persistence
  • Daily database backup
  • Manual VPS snapshots
  • Restore procedure documented

This is a hardened single-node production system, not a high-availability cluster.

7. Design Principles

  • Minimal public attack surface
  • Strict network segmentation
  • Secret management via Docker
  • Immutable stack deployments
  • Backup-first strategy
  • Security before convenience
  1. Architecture Overview
  2. System Hardware
  3. Operating System
  4. SSH Hardening
  5. Docker Installation
  6. Docker Swarm Configuration
  7. Network Architecture
  8. Stacks Deployment
  9. Reverse Proxy
  10. Certbot & Let's Encrypt
  11. TURN Server (Coturn)
  12. PostgreSQL Configuration
  13. MinIO Configuration
  14. Forgejo Configuration
  15. Mattermost Configuration
  16. Backup and Recovery
  17. Security Checklist