# 🛠️ Task Manager — Cloud Deployment (SK1)


---

## 📖 Application Description

The **Task Manager** is a premium, full-stack web application designed for personal productivity. It features:

* ✨ **Apple-inspired UI:** Sleek glassmorphism style with light/dark adaptive layout.
* 🚀 **High-Speed API:** Powered by Node.js/Express with database connection pooling.
* ⚡ **Redis Caching:** Transparent query caching (30s TTL) with instant write invalidation.
* 🔒 **Automated Security:** Automatic HTTPS certificate management and VM hardening out of the box.

---

## ☁️ Cloud & Architecture Description

The architecture is deployed to **Microsoft Azure** using an **Azure for Students** subscription and runs entirely inside an isolated container network.

### 🏗️ Visual Topology

Architecture Diagram

### 📦 Container Registry & Services

| Badge | Service | Port | Description / Purpose |
| :--- | :--- | :---: | :--- |
| ![Caddy](https://img.shields.io/badge/Caddy-00A2C9?style=flat-square&logo=caddy&logoColor=white) | **Caddy** | `443`, `80` | Entry point. Handles SSL negotiation via ACME (Let's Encrypt) and reverse proxies traffic to Nginx. |
| ![Nginx](https://img.shields.io/badge/Nginx-009639?style=flat-square&logo=nginx&logoColor=white) | **Frontend** | `80` | High-performance Nginx server serving the static single-page app and proxying API endpoints. |
| ![Node](https://img.shields.io/badge/Node.js-339933?style=flat-square&logo=node.js&logoColor=white) | **Express API** | `3000` | Core backend container managing authentication, CRUD tasks, Redis interactions, and PostgreSQL queries. |
| ![PostgreSQL](https://img.shields.io/badge/PostgreSQL-4169E1?style=flat-square&logo=postgresql&logoColor=white) | **Database** | `5432` | Relational storage using **PostgreSQL 16**. Mounted to a persistent host volume. |
| ![Redis](https://img.shields.io/badge/Redis-DC382D?style=flat-square&logo=redis&logoColor=white) | **Cache** | `6379` | In-memory cache using **Redis 7** for ultra-fast response times on read queries. |

### 🔒 Network Segmentation

* 🌐 **`frontend-net`:** Public-facing network segment including Caddy, Nginx, and Node.js.
* 🙈 **`backend-net`:** Completely isolated private network segment enclosing Node.js, PostgreSQL, and Redis. **No direct internet access** is allowed into PostgreSQL or Redis.

---

## 🚀 Quick Deploy & Usage

> [!IMPORTANT]
> Ensure you have the **Azure CLI** installed and are logged in (`az login`) with a valid subscription before executing deployment scripts.

### 🛠️ One-Command Deployment

```bash
# 1. Clone the repository
git clone git@git.kemt.fei.tuke.sk:gs699he/zkt26.git
cd zkt26/sk1

# 2. Setup your private configurations
cp env.example .env
nano .env  # Input a strong POSTGRES_PASSWORD

# 3. Deploy everything in under 3 minutes
./prepare-app.sh
```

---

## 💾 Maintenance & Administration

### 🗄️ Database Backup

You can easily back up your production database from your local terminal with one command:

```bash
./backup-db.sh
```

*How it works:* The script opens a secure SSH tunnel to the Azure VM, triggers `pg_dump` directly inside the container, pipes the binary stream back over SSH, and saves the `.sql` dump directly inside your local `backups/` folder.

### 📊 Real-time Monitoring & Logs

Retrieve access sheets, web logs, and application logs securely:

```bash
./view-logs.sh --caddy   # Read HTTPS entry/access logs
./view-logs.sh --api     # Monitor Backend API requests in real-time
```

### 🗑️ Complete Decommissioning

Tear down the deployment and completely avoid any ongoing Azure subscription costs:

```bash
./remove-app.sh
```

*Action:* Automatically deletes the entire Azure Resource Group, eliminating the VM, Disks, Public IPs, and Firewalls instantly.

---

## 📁 Repository Directory Structure

```text
sk1/
├── api/                    # Express Backend API & DB connection pool
├── frontend/               # Single-Page Web Frontend (Nginx, HTML/CSS/JS)
├── caddy/                  # Caddy configuration (Let's Encrypt TLS setup)
├── db/                     # Database schema seeding files
├── docs/                   # TeX documentation and static assets
│   ├── architecture.png    # Visual architecture diagram
│   └── documentation.tex   # Main exam document source
├── prepare-app.sh          # Deployment orchestration shell script
├── remove-app.sh           # Resource cleanup script
├── backup-db.sh            # Secure DB snapshot utility
└── view-logs.sh            # Remote secure logging client
```

---

## ⚙️ Configuration Variables (`.env`)

The system uses standard environment parameters injected dynamically at launch. Secrets are kept entirely outside of Git.

| Variable Name | Default Value | Purpose |
| :--- | :---: | :--- |
| `POSTGRES_PASSWORD` | *[None]* | Database superuser credential (Secret). |
| `AZURE_RESOURCE_GROUP` | `taskmanager-rg` | Resource container inside Azure. |
| `AZURE_LOCATION` | `swedencentral` | Selected regional datacenter. |
| `AZURE_VM_SIZE` | `Standard_B2ts_v2` | Sizing of deployment node. |
| `AZURE_DNS_LABEL` | `taskmanager-gs699he` | Customized FQDN subdomain. |

---

## 💰 1-Year Cost Analysis

Projected cloud billing estimation modeled around **1,000 active daily users** storing up to **50 GB** of relational information.

| Azure Resource | Size / Metric Specification | Total Annual Cost |
| :--- | :--- | :---: |
| 🎛️ **Compute (VM)** | Standard_B2ts_v2 (2 vCPUs, 1 GB RAM, Burst capable) | **$169.92** |
| 💾 **Storage (SSD)** | 64 GB Premium SSD P6 (Supports high IOPS) | **$115.20** |
| 🌐 **Networking** | Dedicated Public Static IPv4 Address | **$36.00** |
| 📉 **Bandwidth** | ~30 GB/Month Outbound Transfer (Within free tiers) | **$0.00** |
| 🔑 **Security** | Let's Encrypt ACME SSL/TLS Provision | **$0.00** |
| 🏆 **Projected Total** | **Ready for Staging & Production Scaling** | **~$321.12 / Year** |

---

## 🔒 Implemented Security Protocols

1. **Transport Encryption:** TLS 1.3 enforced globally with HTTP-to-HTTPS redirects.
2. **Firewall Rigidity:** Closed database ports (5432, 6379) to external traffic. Only `80`, `443`, and SSH (`22`) are open.
3. **Credential Hygiene:** Secrets loaded at runtime from a secure `.env` which is locked inside `.gitignore`.
4. **Auto-Healing Infrastructure:** `restart: always` set on all Docker services to prevent container crashes from creating downtime.

---

## 🤖 AI Usage Declaration

* **Google Antigravity (Gemini 2.5 Pro):** Employed in planning container network routing, creating optimal bash scripts, writing clean Caddyfile configs, and compiling the TeX project.
* **Audit process:** All files, configs, and shell script variables were thoroughly reviewed, locally validated, and successfully tested against actual cloud executions.
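The segmentation and closed-port claims in "Network Segmentation" and "Implemented Security Protocols" (`backend-net` isolation, no outside access to 5432/6379) can be checked against the resolved Compose model. The following is an added example, not part of this repository: the service names (`caddy`, `frontend`, `api`, `db`, `redis`), the `internal: true` setting and the sample JSON are assumptions, constructed in the shape of `docker compose config --format json` output, with one deliberate mistake (Redis publishing its port).

```python
import json

# Constructed sample shaped like `docker compose config --format json`.
# Service names and values are assumptions, not taken from the repository.
SAMPLE = json.loads("""
{
  "services": {
    "caddy":    {"networks": {"frontend-net": null},
                 "ports": [{"target": 443, "published": "443"}, {"target": 80, "published": "80"}]},
    "frontend": {"networks": {"frontend-net": null}},
    "api":      {"networks": {"frontend-net": null, "backend-net": null}},
    "db":       {"networks": {"backend-net": null}},
    "redis":    {"networks": {"backend-net": null},
                 "ports": [{"target": 6379, "published": "6379"}]}
  },
  "networks": {
    "frontend-net": {"name": "sk1_frontend-net"},
    "backend-net":  {"name": "sk1_backend-net", "internal": true}
  }
}
""")

PUBLIC_SERVICES = {"caddy"}      # only the TLS entry point may publish host ports
PRIVATE_NET = "backend-net"      # segment that must stay isolated
DATA_SERVICES = {"db", "redis"}  # must be attached to the private segment only


def audit(cfg):
    """Return a list of findings; an empty list means the layout matches the README."""
    findings = []
    nets = cfg.get("networks") or {}
    if not (nets.get(PRIVATE_NET) or {}).get("internal", False):
        findings.append(f"{PRIVATE_NET}: not marked internal: true")
    for name, svc in sorted((cfg.get("services") or {}).items()):
        attached = set(svc.get("networks") or {})
        ports = svc.get("ports") or []
        published = [str(p["published"]) for p in ports if p.get("published")]
        if published and name not in PUBLIC_SERVICES:
            findings.append(f"{name}: publishes host port(s) {', '.join(published)}")
        if name in DATA_SERVICES and attached != {PRIVATE_NET}:
            findings.append(f"{name}: attached to {sorted(attached)}, expected only {PRIVATE_NET}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE) or ["no findings"]:
        print(line)
```

On a real checkout, pass `audit` the parsed output of `docker compose config --format json` instead of `SAMPLE`, and adjust the three name constants to the actual service and network names.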
---

*Technical University of Košice — KEMT FEI — Cloud Technologies — 2026*