
Infrastructure & Deployment

Our application uses a modern Hybrid Architecture combining the best of Serverless/Edge computing for the frontend and traditional containerized hosting for the backend.

graph TD
    User([User Device])
    subgraph Cloudflare_Edge [Cloudflare Edge Network]
        Pages_App[Pages: Web App]
        Pages_Docs[Pages: Documentation]
        DNS[Cloudflare DNS]
        Traffic[Traffic Routing]
    end
    subgraph Self_Hosted [Self Hosted Server (Dokploy)]
        Tunnel[Cloudflared Tunnel]
        API[Node.js API Server]
        DB[(PostgreSQL Database)]
        Redis[(Redis Cache)]
    end
    User --> DNS
    DNS --> Pages_App
    DNS --> Pages_Docs
    DNS --> Traffic
    Traffic -- "Secure Tunnel (CNAME)" --> Tunnel
    Tunnel -- "Internal Net" --> API
    API --> DB
    API --> Redis

We host both the main application (apps/native, exported to web) and this documentation (apps/docs) on Cloudflare Pages.

  • Global CDN: Assets are served from the edge location closest to the user, ensuring millisecond latency.
  • Cost: Free unlimited bandwidth for static assets. No need to pay for a VPS CPU just to send HTML/JS files.
  • Security: DDoS protection built-in.
  • Developer Experience: Automatic previews on Pull Requests (Preview Deployments).

We use a GitHub Actions workflow that triggers on pushes to the main or specific development branches.

  1. Trigger: Code push detected.
  2. Build: GitHub Actions installs dependencies and builds the static assets.
  3. Deploy: Uses wrangler (Cloudflare CLI) to upload assets directly to Pages.
  4. Live: New version is live in seconds.

The backend (apps/server) is a Node.js/NestJS application running in a Docker container, managed by Dokploy on our VPS.

  • Container Management: Docker makes the API environment consistent and reproducible.
  • Database Hosting: We host our PostgreSQL and Redis instances in the same Docker network for ultra-low latency access from the API.
  • Open Source PaaS: Gives us a “Vercel-like” experience for backend management without the high costs.

Crucially, we do not expose any ports (like 80 or 443) on our VPS firewall. Instead, we use Cloudflare Tunnel (cloudflared).

  1. A lightweight daemon (cloudflared) runs on the VPS.
  2. It creates an encrypted outbound tunnel to the Cloudflare network.
  3. When a user requests api.fincashflow.com, Cloudflare routes the traffic through this established tunnel.
  • Zero Trust: No public IP exposure. The server is invisible to port scanners.
  • No Firewall Headaches: No need to configure inbound rules or manage SSL certificates on the server (Cloudflare handles SSL termination).

Our PostgreSQL database lives alongside the API in the Dokploy environment.

  • Internal Access: Only the API container can talk to the Database container via the internal Docker network.
  • External Access: No direct external access allowed for security.
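
One way to check the "no exposed ports" and "internal access only" statements above on the VPS, as an added example that is not part of the project's own code: it parses the output of `docker ps --format '{{.Names}}\t{{.Ports}}'` and reports every container port published on a non-loopback address. The container names and the sample output are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of: docker ps --format '{{.Names}}\t{{.Ports}}'
# Container names and mappings are illustrative, not taken from the real server.
SAMPLE_DOCKER_PS = (
    "api\t3000/tcp\n"
    "postgres\t0.0.0.0:5432->5432/tcp, :::5432->5432/tcp\n"
    "redis\t127.0.0.1:6379->6379/tcp\n"
    "cloudflared\t\n"
)

# A published port looks like "<host_ip>:<host_port>-><container_port>/<proto>".
# An entry without "->" (e.g. "3000/tcp") is reachable only on the Docker network.
PUBLISHED = re.compile(r"^(?P<host>.+):(?P<hport>[\d-]+)->(?P<cport>[\d-]+)/(?P<proto>\w+)$")


def is_loopback(host):
    """True only when the bind address is a loopback IP; unparsable hosts count as exposed."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def exposed_bindings(docker_ps_output):
    """Return (container, host_ip, host_port, proto) for each non-loopback published port."""
    findings = []
    for line in docker_ps_output.splitlines():
        name, _, ports = line.partition("\t")
        for entry in (p.strip() for p in ports.split(",")):
            match = PUBLISHED.match(entry)
            if match and not is_loopback(match["host"]):
                findings.append((name, match["host"].strip("[]"), match["hport"], match["proto"]))
    return findings


if __name__ == "__main__":
    for name, host, port, proto in exposed_bindings(SAMPLE_DOCKER_PS):
        print(f"EXPOSED {name}: {host}:{port}/{proto} is published on a non-loopback address")
```

Docker publishes ports by writing its own iptables rules, which host firewall front-ends such as ufw do not filter by default, so a stray port mapping on the PostgreSQL or Redis container can be reachable even when the firewall shows no open ports. An empty result from this check is what the setup described above should produce.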

| Service | Technology | Domain | Hosting |
| --- | --- | --- | --- |
| Web App | React Native Web (Expo) | app.fincashflow.com | Cloudflare Pages |
| Docs | Astro Starlight | docs.fincashflow.com | Cloudflare Pages |
| API | NestJS | api.fincashflow.com | Dokploy (VPS) + Tunnel |

When modifying the infrastructure:

  1. Frontend Changes: Simply push to GitHub. The CI/CD pipeline handles the wrangler deployment.

  2. Backend Changes: Push to GitHub. Dokploy can be configured to auto-deploy, or you can trigger a rebuild in the Dokploy dashboard.

  3. Infrastructure Secrets:

    • Frontend secrets live in GitHub Actions Secrets (CLOUDFLARE_API_TOKEN).
    • Backend env vars are managed in the Dokploy Environment Variables UI.