System
Infrastructure & deployment
How Privex runs in production, what’s exposed to the internet, and what an operator hardens so a seizure or a compromise yields as little as possible.
Only two things face the public: the app itself, and one guarded front door to the server. The databases sit deep inside, unreachable from outside. Logs are switched off at every layer, the sensitive drawers empty on a crash, and the only durable backup is a locked box kept off-site.
The same code ships two topologies (single-host Docker + nginx + PM2, or Kubernetes 3→10 pods).
Datastores are loopback-bound or ClusterIP-internal — never public. The only public surfaces are the static
PWA (Cloudflare Pages) and one HTTPS/WSS API entry behind a reverse proxy that discards access logs and blocks
/metrics.
Hardening by layer
| Layer | What it does | Setting |
|---|---|---|
| Browser | No inline JS; only the app’s own code runs; page can’t be framed. | strict CSP · HSTS · COOP/COEP |
| Edge proxy | Terminates TLS, adds headers, throws away access logs, hides /metrics. | access_log off · 404 /metrics |
| App (K8s) | Runs unprivileged with a read-only filesystem; only writable path is RAM. | nonroot 65532 · readonly rootfs · emptyDir Memory |
| Postgres | Minimal crash journal; sensitive tables leave no WAL trace. | wal_level=minimal · UNLOGGED |
| Redis | Never writes to disk. | save "" · appendonly no |
| Backups | Only durable off-host copy; encrypted; ciphertext + px_ ids only. | pg_dump | gpg AES-256 |
redeploy.sh snapshots first, keeps a rollback binary, and auto-reverts if
/health/ready fails. Redis is intentionally not backed up.