# Infrastructure Overview
Everything runs on DigitalOcean. The backend uses Kubernetes (DOKS), the frontend and docs site use App Platform. GitHub Actions handles CI/CD for all three.
## Infrastructure at a Glance

```text
                 GitHub (Source Code)
                           |
                           | GitHub Actions (CI/CD)
                           |
          +----------------+-------------------+
          |                |                   |
          v                v                   v
       Backend         Frontend              Docs
    (Buildah →     (DO App Platform)   (DO App Platform)
     GHCR → Helm)
          |                |                   |
          v                v                   v
    DO Kubernetes   DO App Platform     DO App Platform
       (DOKS)      (Node.js service)     (static site)
          |
          v
+-------------------------------------------+
|         Digital Ocean K8s Cluster         |
|                                           |
|  +----------------+  +-----------------+  |
|  |  NMT Backend   |  |  PostgreSQL 16  |  |
|  |  (1 replica)   |  |  (in-cluster)   |  |
|  +----------------+  +-----------------+  |
|                                           |
|  +----------------+  +-----------------+  |
|  | NGINX Ingress  |  |  cert-manager   |  |
|  |   Controller   |  | (Let's Encrypt) |  |
|  +----------------+  +-----------------+  |
+-------------------------------------------+
```
## DigitalOcean Services
| DO Service | Used For | Why |
|---|---|---|
| DOKS (Managed Kubernetes) | Backend | Long-running workers, WebSocket connections, headless Chrome — needs a real runtime |
| App Platform (PaaS) | Frontend | Managed Node.js hosting — auto-builds, auto-scales, zero-config TLS |
| App Platform (Static) | Docs site | Static HonKit build — no runtime needed, just serve HTML |
| DNS | Domain management | newmarkettrading.com zone — all subdomains managed here |
## Other Infrastructure Services
| Component | Technology | Purpose |
|---|---|---|
| Container Builder | Buildah | Multi-stage Docker builds for backend |
| Container Registry | GitHub (ghcr.io) | Backend image storage |
| Ingress | NGINX | HTTP routing and load balancing (K8s) |
| TLS (backend) | cert-manager + Let's Encrypt | Automatic HTTPS for K8s ingress |
| TLS (frontend/docs) | DO App Platform | Managed automatically |
| CI/CD | GitHub Actions | Automated build, test, deploy for all repos |
| Security Scanning | Trivy | Container vulnerability detection |
| Package Manager | Helm 3 | Templated K8s deployments |
## Domains & Environments
| Service | Domain | Hosting |
|---|---|---|
| Frontend (prod) | app.newmarkettrading.com | DO App Platform |
| Frontend (preview) | nextjs-pr-N.preview.newmarkettrading.com | DO App Platform |
| Backend (stage) | backend.stage.newmarkettrading.com | DO Kubernetes |
| Backend (prod) | backend.newmarkettrading.com | DO Kubernetes |
| Docs (prod) | docs.newmarkettrading.com | DO App Platform |
| Docs (preview) | docs-pr-N.preview.newmarkettrading.com | DO App Platform |
## Resource Allocation
| Resource | Request | Limit |
|---|---|---|
| CPU | 1 core | 2 cores |
| Memory | 2 Gi | 4 Gi |
| Chrome data (RAM disk) | — | 2 Gi |
| Temp storage (RAM disk) | — | 1 Gi |
The Chrome data volume is needed because the backend uses headless Chrome for Morpho data scraping.
## Frontend Hosting
The frontend runs on DO App Platform as a Node.js service. Builds and TLS are managed automatically by DO. Preview environments are created per-PR via GitHub Actions + doctl.
| Property | Value |
|---|---|
| Platform | DO App Platform (services component) |
| Build | npm ci && npm run build |
| Runtime | Node.js on port 3000 |
| Framework | Next.js |
| Preview deploys | Automatic per PR → nextjs-pr-N.preview.newmarkettrading.com |
## Docs Hosting
The docs site runs on DO App Platform as a static site. HonKit builds to _book/ which DO serves directly.
| Property | Value |
|---|---|
| Platform | DO App Platform (static_sites component) |
| Build | npm ci && npm run build |
| Output | _book/ directory |
| Generator | HonKit (GitBook fork) |
| Preview deploys | Automatic per PR → docs-pr-N.preview.newmarkettrading.com |
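The two hosting tables above describe a `services` component (frontend) and a `static_sites` component (docs). The App Platform app specs below are an added illustration, not the project's own specs: they show how the two component types differ in what DO needs from each (a run command and HTTP port for the Node.js service, only an output directory for the static site). The repository names, region, branch, run command and instance size are assumptions; the build commands, port, output directory and domains are the ones listed on this page.

```yaml
# Added example, not the project's own App Platform spec.
# One app per domain; each document below is a separate `doctl apps create --spec` input.
#
# App 1: the Next.js frontend as a "services" component (long-running Node.js).
name: nmt-frontend
region: nyc                               # assumed region
services:
  - name: frontend
    github:
      repo: example-org/nmt-frontend      # assumed repository name
      branch: main
      deploy_on_push: true
    build_command: npm ci && npm run build
    run_command: npm run start            # assumed; Next.js production server
    http_port: 3000
    instance_count: 1
    instance_size_slug: basic-xxs         # assumed size
    routes:
      - path: /
domains:
  - domain: app.newmarkettrading.com
    type: PRIMARY
---
# App 2: the HonKit docs as a "static_sites" component (no runtime: DO serves _book/ as-is).
name: nmt-docs
region: nyc                               # assumed region
static_sites:
  - name: docs
    github:
      repo: example-org/nmt-docs          # assumed repository name
      branch: main
      deploy_on_push: true
    build_command: npm ci && npm run build
    output_dir: _book
    routes:
      - path: /
domains:
  - domain: docs.newmarkettrading.com
    type: PRIMARY
```

The per-PR preview environments in the tables follow the same shape with the `branch` set to the PR head and the `domain` set to the `*-pr-N.preview.newmarkettrading.com` name; a static site has no process to scale or restart, which is why its component needs nothing beyond the build command and output directory.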
## Known Infrastructure Limitations

### Single Backend Replica
The backend currently runs as 1 replica in Kubernetes. There is no horizontal scaling or failover configured. During deployments, the pod is replaced (rolling update), which may cause brief interruptions to background worker processing.
Impact: If the backend pod crashes, indexing and valuation workers stop until Kubernetes restarts it. User-facing features (frontend + blockchain) remain unaffected since funds are on-chain and the frontend reads from the database directly.
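The Resource Allocation table and the single-replica limitation above together describe the shape of the backend Deployment. The manifest below is an added example, not the project's Helm chart: a plain Kubernetes Deployment with one replica, a rolling update, the CPU/memory request and limit from the table, and the two memory-backed (RAM disk) volumes sized as listed. The namespace, labels, image name and mount paths are assumptions.

```yaml
# Added example, not the project's own chart or manifest.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nmt-backend
  namespace: nmt                      # assumed namespace
spec:
  replicas: 1                         # single replica: no failover; workers pause while the pod is replaced
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0               # with one replica these equal the defaults (25% rounded
      maxSurge: 1                     # down / up): the new pod starts before the old one is removed
  selector:
    matchLabels:
      app: nmt-backend
  template:
    metadata:
      labels:
        app: nmt-backend
    spec:
      containers:
        - name: backend
          image: ghcr.io/example-org/nmt-backend:IMAGE_TAG_PLACEHOLDER   # assumed image name
          resources:
            requests:
              cpu: "1"
              memory: 2Gi
            limits:
              cpu: "2"
              memory: 4Gi
          volumeMounts:
            - name: chrome-data
              mountPath: /home/app/.chrome   # assumed; the profile dir handed to headless Chrome
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: chrome-data
          emptyDir:
            medium: Memory              # tmpfs, cleared on every pod restart
            sizeLimit: 2Gi
        - name: tmp
          emptyDir:
            medium: Memory
            sizeLimit: 1Gi
```

One caveat worth knowing when reading the table: pages written to a memory-backed `emptyDir` are charged to the container's memory cgroup, so the 2 Gi Chrome volume and 1 Gi temp volume consume part of the 4 Gi memory limit rather than sitting alongside it. A Chrome profile that grows to its `sizeLimit` leaves roughly 1 Gi for the Node.js process before the pod is OOM-killed, which would show up as the worker interruptions described above.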
### Trivy Scan Non-Blocking

The CI/CD pipeline runs Trivy container vulnerability scans but they are configured with `exit-code: 0` — vulnerabilities are reported but do not block deployment. This is a known TODO that should be addressed by switching to `exit-code: 1` for CRITICAL vulnerabilities.
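To make the limitation concrete, the workflow below is an added example, not the project's own pipeline: a GitHub Actions job that scans the backend image with the Trivy action, showing the current report-only step next to the gating step the TODO calls for. The workflow name, triggers, image name and the existence of a downstream `deploy` job are assumptions; `image-ref`, `format`, `exit-code`, `severity` and `ignore-unfixed` are inputs of `aquasecurity/trivy-action`.

```yaml
# Added example, not the project's own workflow.
name: backend-image-scan
on:
  pull_request:
  push:
    branches: [main]

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Current state: report only. With exit-code 0 the step succeeds whatever
      # Trivy finds, so a deploy job that depends on this one always runs.
      - name: Trivy scan (report only, as configured today)
        uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA in real use
        with:
          image-ref: ghcr.io/example-org/nmt-backend:${{ github.sha }}   # assumed image name
          format: table
          exit-code: "0"
          severity: CRITICAL,HIGH

      # Proposed fix: a non-zero exit on CRITICAL findings fails the job, so the
      # dependent deploy job is skipped. ignore-unfixed skips CVEs that have no
      # patched package yet; remove it for a strict gate.
      - name: Trivy scan (gate on CRITICAL)
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/example-org/nmt-backend:${{ github.sha }}
          format: table
          exit-code: "1"
          severity: CRITICAL
          ignore-unfixed: true

  deploy:
    needs: trivy          # not reached when the gating step exits non-zero
    runs-on: ubuntu-latest
    steps:
      - name: Deploy (placeholder for the real helm upgrade step)
        run: echo "helm upgrade --install nmt-backend ./chart ..."
```

In a real pipeline only one of the two scan steps would exist; they are shown side by side so the single input that changes (`exit-code`) is visible. Keeping the report-only step's `HIGH` severity in a separate, non-gating step is a reasonable middle ground while the backlog of HIGH findings is worked down, but the CRITICAL gate should be the one the deploy job depends on.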