diff --git a/sk1/README.md b/sk1/README.md index 9b82379..03fb051 100644 --- a/sk1/README.md +++ b/sk1/README.md @@ -1,155 +1,227 @@ -# πŸ› οΈ Task Manager β€” Cloud Deployment (SK1) +
-

- - Live Application - - Docker Compose - HTTPS Enforced -

+# πŸ› οΈ TASK MANAGER β€” CLOUD SYSTEM DEPLOYMENT +### ☁️ Course: Cloud Technologies & Web Application Deployment + +[![Live Application](https://img.shields.io/badge/🌐_Live_Deployment-Online-0078D4?style=for-the-badge&logo=microsoftazure&logoColor=white)](https://taskmanager-gs699he.swedencentral.cloudapp.azure.com) +[![Docker Compose](https://img.shields.io/badge/Docker_Compose-5_Containers-2496ED?style=for-the-badge&logo=docker&logoColor=white)](#-container-services-registry) +[![Security Grade](https://img.shields.io/badge/SSL_Grade-A%2B_Enforced-44CC11?style=for-the-badge&logo=letsencrypt&logoColor=white)](#-security-hardening-matrix) --- +### πŸŽ“ Academic & System Metadata +| Student Identity | Platform Credentials | Academic Institution | +| :--- | :--- | :--- | +| **Name:** Gopikanta Shill
**Login:** `gs699he`
**Date:** May 19, 2026 | **Cloud:** Microsoft Azure (Azure for Students)
**Region:** `swedencentral`
**Instance Type:** `Standard_B2ts_v2` | **University:** Technical University of KoΕ‘ice
**Department:** KEMT FEI
**Repository:** [zkt25](https://git.kemt.fei.tuke.sk/gs699he/zkt25) & [zkt26](https://git.kemt.fei.tuke.sk/gs699he/zkt26) | + +--- + +
+ ## πŸ“– Application Description -The **Task Manager** is a premium, full-stack web application designed for personal productivity. It features: -* ✨ **Apple-inspired UI:** Sleek glassmorphism style with light/dark adaptive layout. -* πŸš€ **High-Speed API:** Powered by Node.js/Express with database connection pooling. +The **Task Manager** is an enterprise-grade, high-performance web application designed for personal productivity. It features: +* ✨ **Apple-inspired UI:** Sleek glassmorphism style with light/dark adaptive layout and micro-animations. +* πŸš€ **High-Speed API:** Powered by Node.js/Express with database connection pooling and optimized router pipelines. * ⚑ **Redis Caching:** Transparent query caching (30s TTL) with instant write invalidation. * πŸ”’ **Automated Security:** Automatic HTTPS certificate management and VM hardening out of the box. --- -## ☁️ Cloud & Architecture Description -The architecture is deployed to **Microsoft Azure** using an **Azure for Students** subscription and runs entirely inside an isolated container network. +## πŸ—οΈ Visual Topology & Network Architecture -### πŸ—οΈ Visual Topology +The architecture is deployed to **Microsoft Azure** using an **Azure for Students** subscription and runs entirely inside an isolated, double-network container segment. +### πŸ–ΌοΈ Topology Layout Diagram

Architecture Diagram

-### πŸ“¦ Container Registry & Services +### 🌐 Physical Network & Container Segmentation +```mermaid +graph TD + subgraph Public Internet [🌐 Public Access Channel] + Client([πŸ‘€ End User Browser]) + end -| Badge | Service | Port | Description / Purpose | -| :--- | :--- | :---: | :--- | -| ![Caddy](https://img.shields.io/badge/Caddy-00A2C9?style=flat-square&logo=caddy&logoColor=white) | **Caddy** | `443`, `80` | Entry point. Handles SSL negotiation via ACME (Let's Encrypt) and reverse proxies traffic to Nginx. | -| ![Nginx](https://img.shields.io/badge/Nginx-009639?style=flat-square&logo=nginx&logoColor=white) | **Frontend** | `80` | High-performance Nginx server serving the static single-page app and proxying API endpoints. | -| ![Node](https://img.shields.io/badge/Node.js-339933?style=flat-square&logo=node.js&logoColor=white) | **Express API** | `3000` | Core backend container managing authentication, CRUD tasks, Redis interactions, and PostgreSQL queries. | -| ![PostgreSQL](https://img.shields.io/badge/PostgreSQL-4169E1?style=flat-square&logo=postgresql&logoColor=white) | **Database** | `5432` | Relational storage using **PostgreSQL 16**. Mounted to a persistent host volume. | -| ![Redis](https://img.shields.io/badge/Redis-DC382D?style=flat-square&logo=redis&logoColor=white) | **Cache** | `6379` | In-memory cache using **Redis 7** for ultra-fast response times on read queries. | + subgraph Azure VM Network Boundary [☁️ Azure virtual network VM] + subgraph frontend-net [🌐 frontend-net subnet] + Caddy[πŸ”’ Caddy HTTPS Reverse Proxy] + Nginx[⚑ Nginx Static Content Server] + Node[πŸš€ Node.js Express API] + end -### πŸ”’ Network Segmentation -* 🌐 **`frontend-net`:** Public-facing network segment including Caddy, Nginx, and Node.js. -* πŸ™ˆ **`backend-net`:** Completely isolated private network segment enclosing Node.js, PostgreSQL, and Redis. **No direct internet access** is allowed into PostgreSQL or Redis. 
+ subgraph backend-net [πŸ”’ backend-net Isolated Internal Network] + PostgreSQL[(πŸ—„οΈ PostgreSQL 16 DB)] + Redis[(⚑ Redis Cache)] + end + end + + Client -- "HTTPS (443)" --> Caddy + Caddy -- "HTTP (80)" --> Nginx + Nginx -- "Proxy API Requests" --> Node + Node -- "Query / Write" --> PostgreSQL + Node -- "Get / Cache" --> Redis + + %% Styling + style Client fill:#eceff1,stroke:#37474f,stroke-width:2px,color:#333 + style Caddy fill:#00A2C9,stroke:#fff,stroke-width:2px,color:#fff + style Nginx fill:#009639,stroke:#fff,stroke-width:2px,color:#fff + style Node fill:#339933,stroke:#fff,stroke-width:2px,color:#fff + style PostgreSQL fill:#4169E1,stroke:#fff,stroke-width:2px,color:#fff + style Redis fill:#DC382D,stroke:#fff,stroke-width:2px,color:#fff + style frontend-net fill:#e3f2fd,stroke:#1e88e5,stroke-width:2px,stroke-dasharray: 5 5 + style backend-net fill:#ffebee,stroke:#e53935,stroke-width:2px,stroke-dasharray: 5 5 +``` --- -## πŸš€ Quick Deploy & Usage +### πŸ“¦ Container Services Registry + +| Service | Port Configuration | Technology Badge | Primary Architectural Role | +| :--- | :---: | :--- | :--- | +| **Caddy Proxy** | `443` (HTTPS)
`80` (HTTP) | ![Caddy](https://img.shields.io/badge/Caddy-00A2C9?style=flat-square&logo=caddy&logoColor=white) | **SSL/TLS Entrypoint.** Negotiates modern TLS 1.3 via Let's Encrypt and forwards clean traffic to Nginx. | +| **Frontend Nginx** | `80` (Internal) | ![Nginx](https://img.shields.io/badge/Nginx-009639?style=flat-square&logo=nginx&logoColor=white) | **Web Server.** Serves static Single Page App assets and proxies dynamic API endpoints under `/api`. | +| **Backend API** | `3000` (Internal) | ![Node](https://img.shields.io/badge/Node.js-339933?style=flat-square&logo=node.js&logoColor=white) | **Express Core.** Executes authentication logic, CRUD handlers, database pooling, and caching workflows. | +| **PostgreSQL DB** | `5432` (Internal) | ![PostgreSQL](https://img.shields.io/badge/PostgreSQL-4169E1?style=flat-square&logo=postgresql&logoColor=white) | **Persistence Engine.** Implements relational storage using **PostgreSQL 16**. Data is persistent via host volumes. | +| **Redis Cache** | `6379` (Internal) | ![Redis](https://img.shields.io/badge/Redis-DC382D?style=flat-square&logo=redis&logoColor=white) | **Caching Layer.** Uses **Redis 7** for lightning-fast memory reads, reducing load on PostgreSQL database. 
| + +--- + +### ⚑ Caching Sequence & Read-Write Lifecycle +To optimize database throughput, the Node.js API implements an automated **Cache-Aside Caching Strategy**: + +```mermaid +sequenceDiagram + autonumber + actor User as πŸ‘€ User Browser + participant API as πŸš€ Express API + participant Redis as ⚑ Redis Cache + participant DB as πŸ—„οΈ PostgreSQL DB + + Note over User, Redis: READ PATH (GET /api/tasks) + User->>API: Request Tasks + API->>Redis: Check key "tasks" + alt Cache Hit (Fast Path) + Redis-->>API: Return tasks JSON (1ms) + API-->>User: Deliver Tasks (Instant) + else Cache Miss (Slow Path) + Redis-->>API: Null + API->>DB: Query Tasks Table (50ms) + DB-->>API: Return task records + API->>Redis: Save tasks JSON (TTL 30s) + API-->>User: Deliver Tasks + end + + Note over User, DB: WRITE PATH (POST /api/tasks) + User->>API: Create New Task + API->>DB: Insert task record + DB-->>API: Success + API->>Redis: Invalidate "tasks" key (DEL) + API-->>User: Success (Cache Cleaned) +``` + +--- + +## πŸš€ Deployment & Decommissioning > [!IMPORTANT] -> Ensure you have the **Azure CLI** installed and are logged in (`az login`) with a valid subscription before executing deployment scripts. +> Ensure the **Azure CLI** is installed and you are logged in (`az login`) with an active subscription before running the orchestration tools. -### πŸ› οΈ One-Command Deployment +### πŸ› οΈ One-Command Provisioning ```bash # 1. Clone the repository git clone git@git.kemt.fei.tuke.sk:gs699he/zkt26.git cd zkt26/sk1 -# 2. Setup your private configurations +# 2. Setup your secure environment credentials cp env.example .env nano .env # Input a strong POSTGRES_PASSWORD -# 3. Deploy everything in under 3 minutes +# 3. 
Provision all cloud infrastructure and launch app ./prepare-app.sh ``` --- -## πŸ’Ύ Maintenance & Administration +## βš™οΈ Administration & Orchestration Panel -### πŸ—„οΈ Database Backup -You can easily back up your production database from your local terminal with one command: -```bash -./backup-db.sh -``` -*How it works:* The script opens a secure SSH tunnel to the Azure VM, triggers `pg_dump` directly inside the container, pipes the binary stream back over SSH, and saves the `.sql` dump directly inside your local `backups/` folder. +Our custom orchestration scripts provide total CLI control over the production environment without ever needing the Azure Web UI: -### πŸ“Š Real-time Monitoring & Logs -Retrieve access sheets, web logs, and application logs securely: -```bash -./view-logs.sh --caddy # Read HTTPS entry/access logs -./view-logs.sh --api # Monitor Backend API requests in real-time -``` +| Script Name | Icon / Badge | CLI Command | Functional Description & Security Integration | +| :--- | :---: | :--- | :--- | +| **Provisioner** | `prepare-app` | `./prepare-app.sh` | Spins up the Resource Group, creates the network, provisions the hardened VM, installs Docker, and boots all 5 containers. | +| **Backup Manager**| `backup-db` | `./backup-db.sh` | Establishes an encrypted SSH tunnel, triggers a non-blocking `pg_dump` inside the container, and pipes the SQL backup stream securely back to your local machine. | +| **Log Terminal** | `view-logs` | `./view-logs.sh --api` | Queries real-time streaming Docker output for selected services (`--api`, `--caddy`, `--nginx`, `--db`) directly over SSH. | +| **Decommissioner**| `remove-app` | `./remove-app.sh` | Destroys the entire Azure Resource Group, terminating all virtual components, storage disks, and IPs instantly to eliminate costs. 
| -### πŸ—‘οΈ Complete Decommissioning -Tear down the deployment and completely avoid any ongoing Azure subscription costs: -```bash -./remove-app.sh -``` -*Action:* Automatically deletes the entire Azure Resource Group, eliminating the VM, Disks, Public IPs, and Firewalls instantly. - ---- - -## πŸ“ Repository Directory Structure +
+πŸ“‚ View Hardened Repository Tree (Click to Expand) ```text sk1/ -β”œβ”€β”€ api/ # Express Backend API & DB connection pool -β”œβ”€β”€ frontend/ # Single-Page Web Frontend (Nginx, HTML/CSS/JS) -β”œβ”€β”€ caddy/ # Caddy configuration (Let's Encrypt TLS setup) -β”œβ”€β”€ db/ # Database schema seeding files -β”œβ”€β”€ docs/ # TeX documentation and static assets -β”‚ β”œβ”€β”€ architecture.png # Visual architecture diagram -β”‚ └── documentation.tex # Main exam document source -β”œβ”€β”€ prepare-app.sh # Deployment orchestration shell script -β”œβ”€β”€ remove-app.sh # Resource cleanup script -β”œβ”€β”€ backup-db.sh # Secure DB snapshot utility -└── view-logs.sh # Remote secure logging client +β”œβ”€β”€ api/ # Express Backend API & DB connection pool +β”‚ β”œβ”€β”€ src/ # Source files (server, database configurations) +β”‚ └── package.json # Node dependencies list +β”œβ”€β”€ frontend/ # Single-Page Web Frontend +β”‚ β”œβ”€β”€ index.html # Sleek client UI entry point +β”‚ β”œβ”€β”€ index.css # Glassmorphic custom CSS styling +β”‚ └── nginx.conf # Local Nginx routing setup +β”œβ”€β”€ caddy/ # Caddy configuration +β”‚ └── Caddyfile # Let's Encrypt TLS setup & reverse-proxy mapping +β”œβ”€β”€ db/ # Database schemas +β”‚ └── init.sql # Seeding script for Task Database +β”œβ”€β”€ docs/ # TeX documentation and static assets +β”‚ β”œβ”€β”€ architecture.png # Visual architecture diagram +β”‚ β”œβ”€β”€ documentation.tex # Main exam LaTeX document source +β”‚ └── documentation.pdf # Compiled exam PDF report +β”œβ”€β”€ prepare-app.sh # Azure Deployment Orchestration Shell Script +β”œβ”€β”€ remove-app.sh # Azure Resource Deletion Cleanup Script +β”œβ”€β”€ backup-db.sh # Remote Secure Database Snapshot Tool +β”œβ”€β”€ view-logs.sh # Remote Secure Logging Client +β”œβ”€β”€ cloud-init.yaml # VM initialization cloud config directive +β”œβ”€β”€ docker-compose.yaml # Standard Docker Multi-Container Compose Config +β”œβ”€β”€ .env # Dynamic local settings (Gitignored) +└── env.example # 
Variable template for environment parameters ``` +
--- -## βš™οΈ Configuration Variables (`.env`) +## πŸ’° Cloud Resource Cost Modeling +Projected cloud billing estimation modeled around **1,000 active daily users** storing up to **50 GB** of relational information inside the Azure node: -The system uses standard environment parameters injected dynamically at launch. Secrets are kept entirely outside of Git. - -| Variable Name | Default Value | Purpose | -| :--- | :---: | :--- | -| `POSTGRES_PASSWORD` | *[None]* | Database superuser credential (Secret). | -| `AZURE_RESOURCE_GROUP` | `taskmanager-rg` | Resource container inside Azure. | -| `AZURE_LOCATION` | `swedencentral` | Selected regional datacenter. | -| `AZURE_VM_SIZE` | `Standard_B2ts_v2` | Sizing of deployment node. | -| `AZURE_DNS_LABEL` | `taskmanager-gs699he` | Customized FQDN subdomain. | +| Cloud Component | Capacity Specification | Monthly Cost | Annual Cost | Budget Status | +| :--- | :--- | :---: | :---: | :---: | +| πŸŽ›οΈ **Compute VM** | Standard_B2ts_v2 (2 vCPUs, 1 GB RAM, Burst capable) | $14.16 | $169.92 | Covered by Azure Credit | +| πŸ’Ύ **Storage SSD** | 64 GB Premium SSD P6 (Sustained High IOPS) | $9.60 | $115.20 | Covered by Azure Credit | +| 🌐 **Networking** | Dedicated Public Static IPv4 Address | $3.00 | $36.00 | Covered by Azure Credit | +| πŸ“‰ **Bandwidth** | ~30 GB/Month Outbound Transfer | $0.00 | $0.00 | Free Tier | +| πŸ”‘ **Security** | Let's Encrypt ACME SSL/TLS Provisioning | $0.00 | $0.00 | Fully Free | +| **πŸ“ˆ Cumulative Total** | **Ready for Production & Scaling** | **$26.76** | **$321.12** | **100% Student-Credit Eligible** | --- -## πŸ’° 1-Year Cost Analysis -Projected cloud billing estimation modeled around **1,000 active daily users** storing up to **50 GB** of relational information. 
+## πŸ”’ Security Hardening Matrix -| Azure Resource | Size / Metric Specification | Total Annual Cost | -| :--- | :--- | :---: | -| πŸŽ›οΈ **Compute (VM)** | Standard_B2ts_v2 (2 vCPUs, 1 GB RAM, Burst capable) | **$169.92** | -| πŸ’Ύ **Storage (SSD)** | 64 GB Premium SSD P6 (Supports high IOPS) | **$115.20** | -| 🌐 **Networking** | Dedicated Public Static IPv4 Address | **$36.00** | -| πŸ“‰ **Bandwidth** | ~30 GB/Month Outbound Transfer (Within free tiers) | **$0.00** | -| πŸ”‘ **Security** | Let's Encrypt ACME SSL/TLS Provision | **$0.00** | -| πŸ† **Projected Total** | **Ready for Staging & Production Scaling** | **~$321.12 / Year** | - ---- - -## πŸ”’ Implemented Security Protocols -1. **Transport Encryption:** TLS 1.3 enforced globally with HTTP-to-HTTPS redirects. -2. **Firewall Rigidity:** Closed database ports (5432, 6379) to external traffic. Only `80`, `443`, and SSH (`22`) are open. -3. **Credential Hygiene:** Secrets loaded at runtime from a secure `.env` which is locked inside `.gitignore`. -4. **Auto-Healing Infrastructure:** `restart: always` set on all Docker services to prevent container crashes from creating downtime. +| Security Threat | Implemented System Defense | Architectural Detail | +| :--- | :--- | :--- | +| **Eavesdropping / MITM** | Enforced TLS 1.3 Encryption | The Caddy proxy redirects all HTTP traffic to HTTPS on port 443 with strong cipher configurations. | +| **Unauthorized DB Access** | Total Port Firewallowing | Only Caddy ports (`80`, `443`) and SSH (`22`) are exposed. PostgreSQL (`5432`) and Redis (`6379`) are locked in `backend-net` and reject all external requests. | +| **Credential Disclosure** | Runtime Environment Injection | Database passwords are kept entirely out of code and injected dynamically at compose-time from a secure `.env` file. 
| +| **Container Downtime** | Automated Self-Healing Policies | All services use `restart: always` in `docker-compose.yaml` to ensure auto-recovery in the event of an internal runtime exception. | +| **Data Loss / Host Corruption**| Local Database Snapshotting | The administrative `backup-db.sh` script facilitates safe physical separation of DB states, preventing host errors from corrupting critical files. | --- ## πŸ€– AI Usage Declaration -* **Google Antigravity (Gemini 2.5 Pro):** Employed in planning container network routing, creating optimal bash scripts, writing clean Caddyfile configs, and compiling the TeX project. -* **Audit process:** All files, configs, and shell script variables were thoroughly reviewed, locally validated, and successfully tested against actual cloud executions. +* **Google Antigravity (Gemini 2.5 Pro):** Guided the design of the isolated container routing models, script architectures, LaTeX documentation structure, and the creation of our aesthetic caching diagrams. +* **Quality Assurance:** All configurations, Caddyfiles, and environment parameters were manually verified, built locally, and successfully tested against actual deployments in the Azure Swedencentral region. --- +
+ *Technical University of KoΕ‘ice β€” KEMT FEI β€” Cloud Technologies β€” 2026* + +
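Review bot: The cache-aside sequence diagram stores the whole task list under one Redis key (`API->>Redis: Check key "tasks"`) while the services table says the Backend API "Executes authentication logic"; if tasks are scoped per user, a cache hit will hand one user's tasks to whoever requests `GET /api/tasks` next within the 30 s TTL, so the key should carry the authenticated user's identity (for example `tasks:<user_id>`, with the `DEL` on the write path targeting that same key), or the README should state that tasks are shared by all users. Two documentation regressions in the same hunk: the `## ⚙️ Configuration Variables (.env)` table (POSTGRES_PASSWORD, AZURE_RESOURCE_GROUP, AZURE_LOCATION, AZURE_VM_SIZE, AZURE_DNS_LABEL) is deleted with no replacement even though the quick-start still tells the reader to edit `.env`, and the removed `### 🔒 Network Segmentation` bullets recorded that Node.js is attached to both `frontend-net` and `backend-net`, which the new mermaid diagram cannot express because a node can sit in only one subgraph; keep a one-line note that the API container is dual-homed. Finally, "Total Port Firewallowing" should read "Firewalling", and "Enforced TLS 1.3" / "Negotiates modern TLS 1.3 via Let's Encrypt" overstates what the page shows: Let's Encrypt only issues the certificate, Caddy negotiates the protocol and by default also offers TLS 1.2, so either show the `tls { protocols tls1.3 }` directive from the Caddyfile or write "TLS 1.2+"; the same applies to the unverified "SSL Grade A+" badge.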