Infrastructure
The RedactedWorld platform runs on an RKE2 Kubernetes cluster hosted on Hetzner Cloud in the Nuremberg (nbg1) datacenter.
RKE2 Cluster
| Property | Value |
|---|---|
| Distribution | RKE2 (Rancher Kubernetes Engine 2) |
| Cloud Provider | Hetzner Cloud |
| Datacenter | Nuremberg (nbg1), Germany |
| Control Plane Node | 46.225.229.62 |
| Worker Node | 46.225.237.45 |
| Floating IP (Ingress) | 49.13.36.159 |
| Container Runtime | containerd |
| CNI | Cilium |
Platform Components
All platform services are exposed through subdomains of redactedworld.com. DNS records point to the floating IP, and Traefik handles TLS termination via cert-manager with Let's Encrypt certificates.
| Component | Subdomain | Description |
|---|---|---|
| Traefik | -- (ingress controller) | Reverse proxy and ingress controller. Routes traffic based on Host headers. Handles TLS termination, rate limiting, and middleware chains (CORS, compression, security headers). |
| Keycloak | keycloak.redactedworld.com | OpenID Connect identity provider. Manages user registration, login, MFA, social login (GitHub, Google), and token issuance. Backs the auth-service. |
| cert-manager | -- (cluster internal) | Automates TLS certificate provisioning from Let's Encrypt. Watches Ingress resources and creates/renews Certificate objects. |
| Alloy + Loki | -- (cluster internal) | Grafana Alloy collects logs from all pods and ships them to Loki for centralized log aggregation and querying via LogQL. |
| Prometheus | -- (cluster internal) | Scrapes metrics from all services (NestJS exposes /metrics via prom-client), Kubernetes components, and node exporters. Stores time-series metrics for alerting and dashboards. |
| Grafana | grafana.redactedworld.com | Visualization platform connected to Prometheus (metrics), Loki (logs), and ClickHouse (scan analytics). Provides pre-built dashboards for cluster health, service latency, and scan statistics. |
| Wazuh | wazuh.redactedworld.com | Security Information and Event Management (SIEM). Monitors host intrusion detection, file integrity, and compliance. Agents run on each node. |
| GitLab | gitlab.redactedworld.com | Self-hosted GitLab CE for source code management, CI/CD pipelines, and container registry. All service images are built and pushed here. |
| Documentation | doc.redactedworld.com | This documentation site, built with Docusaurus and deployed as a static site. |
| Frontend | app.redactedworld.com | Angular single-page application served via Nginx. Communicates with the API Gateway over HTTPS and WebSocket. |
| API | api.redactedworld.com | API Gateway (NestJS). The only service exposed externally for programmatic access. |
Network Topology
CI/CD Pipeline
The deployment pipeline runs on GitLab CI:
- Build -- `docker build` produces a container image for each service.
- Test -- Unit and integration tests run inside the CI container.
- Push -- Images are pushed to the GitLab Container Registry.
- Deploy -- Kubernetes manifests are applied via `kubectl apply` or Helm upgrade, pulling the new image from the registry.
- Verify -- A post-deploy smoke test hits the health endpoints of each service.
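One way to implement the Verify step, as an added example that is not the project's own CI script. It assumes each service exposes a `/health` path that returns HTTP 200 once its rollout is ready (the page does not state the health paths) and is meant to run as the script of the GitLab verify job, failing the pipeline when any service stays unhealthy:

```shell
#!/usr/bin/env bash
# Post-deploy smoke test for the "Verify" stage of the pipeline above.
# Added example, not the project's own CI script. Assumption not stated on the
# page: every service answers GET /health with HTTP 200 once its rollout is ready.
set -u
ATTEMPTS="${ATTEMPTS:-5}"        # polls per endpoint: pods may still be starting after kubectl apply
RETRY_SLEEP="${RETRY_SLEEP:-3}"  # seconds between polls
TIMEOUT="${TIMEOUT:-5}"          # per-request timeout in seconds
LAST_CODE=000

# Print the HTTP status code for a URL, or 000 on connection failure or timeout.
# TLS verification stays on, so a broken cert-manager issuance also fails the check.
http_status() {
  curl -sS -o /dev/null --max-time "$TIMEOUT" -w '%{http_code}' "$1" 2>/dev/null || echo 000
}

# Poll one endpoint until it returns 200 or the attempts are exhausted.
wait_healthy() {
  url=$1
  i=1
  while [ "$i" -le "$ATTEMPTS" ]; do
    LAST_CODE=$(http_status "$url")
    [ "$LAST_CODE" = "200" ] && return 0
    i=$((i + 1))
    [ "$i" -le "$ATTEMPTS" ] && sleep "$RETRY_SLEEP"
  done
  return 1
}

# Check each "name=url" argument, print one line per service, and return
# non-zero if any service is unhealthy so the GitLab job fails the pipeline.
smoke_test() {
  failed=0
  for target in "$@"; do
    name=${target%%=*}
    url=${target#*=}
    if wait_healthy "$url"; then
      echo "ok   $name ($url)"
    else
      echo "FAIL $name ($url) last status $LAST_CODE"
      failed=1
    fi
  done
  return "$failed"
}
# In the Verify job: smoke_test api=https://api.redactedworld.com/health app=https://app.redactedworld.com/health
if [ "$#" -gt 0 ]; then
  smoke_test "$@"
fi
```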