System

Infrastructure & deployment

How Privex runs in production, what’s exposed to the internet, and what an operator hardens so a seizure or a compromise yields as little as possible.

Only two things face the public: the app itself, and one guarded front door to the server. The databases sit deep inside, unreachable from outside. Logs are switched off at every layer, the sensitive drawers empty on a crash, and the only durable backup is a locked box kept off-site.

The same code ships two topologies (single-host Docker + nginx + PM2, or Kubernetes 3→10 pods). Datastores are loopback-bound or ClusterIP-internal — never public. The only public surfaces are the static PWA (Cloudflare Pages) and one HTTPS/WSS API entry behind a reverse proxy that discards access logs and blocks /metrics.

Production topology
public edge → blind API → internal-only datastores
public edge app data (internal) ops
Figure. The trust boundary is the reverse proxy. Everything behind it — including all data — is unreachable from the public internet.

Hardening by layer

LayerWhat it doesSetting
BrowserNo inline JS; only the app’s own code runs; page can’t be framed.strict CSP · HSTS · COOP/COEP
Edge proxyTerminates TLS, adds headers, throws away access logs, hides /metrics.access_log off · 404 /metrics
App (K8s)Runs unprivileged with a read-only filesystem; only writable path is RAM.nonroot 65532 · readonly rootfs · emptyDir Memory
PostgresMinimal crash journal; sensitive tables leave no WAL trace.wal_level=minimal · UNLOGGED
RedisNever writes to disk.save "" · appendonly no
BackupsOnly durable off-host copy; encrypted; ciphertext + px_ ids only.pg_dump | gpg AES-256
Resilience Kubernetes runs 3→10 replicas (HPA at CPU 70%, PDB minAvailable 2); the readiness probe sheds a pod when a dependency is down. redeploy.sh snapshots first, keeps a rollback binary, and auto-reverts if /health/ready fails. Redis is intentionally not backed up.