infrastructure

FaceKom Infrastructure

vuer_docker — Container Orchestration

Docker Compose Files (15+)

File	Services
dev.yml	Core infra: RabbitMQ, PostgreSQL, nginx_proxy, syslog-ng
services.yml	pdfservice, nyilvantarto
vuer-oss.yml	vuer_oss
vuer-css.yml	vuer_css
esign-oss.yml	esign (backend)
esign-css.yml	esign (frontend)
vuer-cv.yml	vuer_cv (ML service)
vuer-cv-gpu.yml	vuer_cv with GPU
vuer-cv-dev.yml	vuer_cv development
janus-dev.yml	Janus WebRTC gateway (dev)
portal-css.yml	Portal frontend
facekom-library.yml	FaceKom library service
testenv.yml	All-in-one test environment
otel.yml	OpenTelemetry (Grafana, Loki, Prometheus, Tempo)
minio.yml	MinIO object storage
mssql.yml	Microsoft SQL Server
mysql.yml	MySQL
oracledb19.yml	Oracle DB 19
clamav.yml	ClamAV antivirus
sftp.yaml	SFTP server
toxiproxy.yaml	Network fault injection
macos-vuer-dev.yml	macOS development setup

Environment Variables (.env)

Variable	Value
Project	facekom-devel
VUER	2026.1.UBI9
ESIGN	2024.4
VUERCV	4.6.2
RabbitMQ	4.1.4
PostgreSQL	16.6
Dev UID/GID	1000/1000

Container Registry

Images pushed to: harbor.techteamer.com/${PROJECT_NAME}/

Network Architecture

Host Networking

All containers use network_mode: "host" — they share the host’s network namespace. Services communicate via localhost ports. This simplifies setup but reduces isolation.

Port Map

graph TB
    subgraph "External Access (:443)"
        NginxProxy[Nginx Proxy]
    end

    subgraph "vuer_oss"
        OSS_nginx[:20080 Nginx]
        OSS_socket[:10080 Socket.IO]
        OSS_http[:10081 Express]
    end

    subgraph "vuer_css"
        CSS_nginx[:30080 Nginx]
        CSS_socket[:10082 Socket.IO]
        CSS_http[:10083 Express]
    end

    subgraph "esign_oss"
        EOSS_nginx[:20180 Nginx]
        EOSS_socket[:10180 Socket.IO]
        EOSS_web[:10181 Admin UI]
        EOSS_ext[:10182 External API]
    end

    subgraph "esign_css"
        ECSS_nginx[:30180 Nginx]
        ECSS_web[:10183 Express]
        ECSS_socket[:10184 Socket.IO]
    end

    subgraph "Other"
        CV[:40080 vuer_cv]
        Portal[:30380 portal_css]
        Library[:50080 facekom_library]
        RabbitMQ[:5671 AMQPS / :15672 Mgmt]
        PG[:5432 PostgreSQL]
    end

    NginxProxy --> OSS_nginx
    NginxProxy --> CSS_nginx
    NginxProxy --> EOSS_nginx
    NginxProxy --> ECSS_nginx
    NginxProxy --> CV
    NginxProxy --> Portal
    NginxProxy --> Library

Full Port Reference

Service	Ports
vuer_oss (nginx)	20080 (HTTP), 10080 (Socket.IO), 10081 (Express)
vuer_css (nginx)	30080 (HTTP), 10082 (Socket.IO), 10083 (Express)
esign_oss (nginx)	20180 (socket), 10180 (socket), 10181 (web), 10182 (ext API)
esign_css (nginx)	30180 (proxy), 10183 (web), 10184 (socket)
vuer_cv (nginx)	40080
portal_css	30380
facekom_library	50080
RabbitMQ	5671 (AMQPS), 15672 (management)
PostgreSQL	5432
Nginx Proxy	443 (HTTPS), 80 (redirect)

Nginx Proxy Configuration

The main nginx_proxy routes HTTPS traffic by subdomain:

Pattern	Target
oss-*.facekomdev.net	vuer_oss (:20080)
esign-oss-*.facekomdev.net	esign_oss (:20180)
esign-api-*.facekomdev.net	esign_oss external (:10182 via nginx)
esign-css-*.facekomdev.net	esign_css (:30180)
*portal-*.facekomdev.net	portal_css (:30380)
*css-*.facekomdev.net	vuer_css (:30080)
*cv-*.facekomdev.net	vuer_cv (:40080)
library-*.facekomdev.net	facekom_library (:50080)

All HTTPS with self-signed certs from /workspace/cert/.

Supervisor

All containers use supervisord as process manager, running:

• The main application process(es)
• Nginx (reverse proxy per container)
• Redis (where needed, e.g., vuer_oss)

Per-Container Redis

vuer_oss runs its own Redis instance inside the container instead of using a shared service. This simplifies deployment but duplicates infrastructure.

Volume Mounts (Common Pattern)

- /workspace/<service>:/workspace/<service>          # Source code
- ./workspace/cert/vuer_mq_cert:/workspace/vuer_mq_cert  # RabbitMQ TLS certs
- ./workspace/log/<service>:/var/log                 # Logs
- /workspace/cert:/workspace/cert                    # SSL certs

Base Images

Service	Base Image
vuer_oss	UBI9 minimal + Node.js 24 + Java 11 + Redis + Nginx + Chromium + Oracle Instant Client + Janus
esign_oss/css	Custom build with Node.js
pdfservice	UBI8 minimal + Java 11
nyilvantarto	Custom with Node.js
RabbitMQ	Custom build with TLS support

DNS Resolution Chain (Development)

Browser -> macOS Resolver -> dnsmasq -> Tailscale IP -> Remote Server

1. macOS Resolver (/etc/resolver/):

   • /etc/resolver/facekomdev.net → nameserver 127.0.0.1
   • /etc/resolver/test → nameserver 127.0.0.1

2. dnsmasq (Homebrew v2.92 or containerized):

   • facekomdev.net → 100.103.48.49
   • lederera.test → 100.103.48.49
   • Local config: /opt/homebrew/etc/dnsmasq.conf

3. Tailscale: IP 100.103.48.49 routes to remote development server

Per-Developer DNS

Each developer gets subdomains: {username}.facekomdev.net

• css-{user}.facekomdev.net — vuer_css
• oss-{user}.facekomdev.net — vuer_oss
• cv-{user}.facekomdev.net — vuer_cv
• api-{user}.facekomdev.net — API

Containerized dnsmasq

Located at /Users/levander/levandor/infra/dnsmasq/:

Setting	Local	Container
Listen address	127.0.0.1	0.0.0.0
Upstream DNS	System resolv.conf	Cloudflare 1.1.1.1, Google 8.8.8.8
Daemon mode	Background	Foreground (--no-daemon)
DNS hygiene	Default	domain-needed, bogus-priv enabled
Cache	Default	1000 entries

Observability Stack (otel.yml)

graph LR
    Services[All Services] -->|logs| Promtail
    Services -->|metrics| Prometheus
    Services -->|traces| OTelCollector[OpenTelemetry Collector]

    Promtail --> Loki
    OTelCollector --> Tempo
    OTelCollector --> Prometheus

    Loki --> Grafana
    Prometheus --> Grafana
    Tempo --> Grafana

Component	Purpose
Grafana	Dashboards and visualization
Loki	Log aggregation
Prometheus	Metrics collection
Tempo	Distributed tracing
Promtail	Log shipping agent
OpenTelemetry Collector	Telemetry pipeline

Janus WebRTC Gateway

• Built from source (commit b02e09ed)
• Used for real-time video/audio in identity verification
• Bundled inside the vuer_oss container image
• Recording conversion via janus-pp-rec utility

CoTURN (TURN Server)

• WebRTC NAT traversal
• Ports: 80, 443, 3478
• Required for customers behind restrictive firewalls

TLS Certificates

Development Certs (/workspace/cert/)

• dev.crt / dev.key / dev.csr — TLS certificates
• dhparam.pem — Diffie-Hellman parameters
• Managed in its own git repo

RabbitMQ TLS Certs

Generated via scripts in vuer_docker/workspace/cert/vuer_mq_cert/:

• generate_ca.sh — CA certificate generation
• generate_server.sh — Server certificate
• generate_client.sh — Client certificate

TSA Certificates (e-Szigno)

Hungarian e-Szigno test TSA certificates mounted into containers:

• Test Root CA 2017
• Test TSA CA 2017
• Microsec Test Root CA 2008

Container Runtime

• Podman 5.7.1 (not Docker)
• VM: libkrun hypervisor (macOS optimized)
• Resources: 8 CPUs, 8.7 GiB RAM, 93 GiB disk
• Machine: podman-machine-default

Remote Server

Property	Value
OS	Ubuntu 22.04.5 LTS
Workspace	/workspace/ contains all vuer projects
Access	SSH + Tailscale mesh network
Process management	Supervisor (auto-restarts on crash)

Local Development Paths (levander)

Purpose	Path
FaceKom source (SSHFS mount)	/Users/levander/coding/mnt/Facekom/
FaceKom source (local mount)	/Users/levander/coding/facekom/
Infrastructure code	/Users/levander/levandor/infra/
dnsmasq container	/Users/levander/levandor/infra/dnsmasq/
Obsidian docs	/Users/levander/levandor_obsidian/projects/facekom/

Related

• FaceKom — Platform overview
• vuer_oss — Backend server
• vuer_css — Frontend server
• vuer_cv — CV service
• esign — eSign services
• pdfservice — PDF service
• nyilvantarto-scraper — Gov registry scraper
• rabbitmq-communication — Messaging infrastructure
• security-audit — Security findings