Infrastructure

Server access — All credentials, secrets, and SSH keys for the april server are stored in PSONO. Access to the production server is strictly restricted to SSH key authentication — password login is disabled.

Overview

All projects in the April Hub ecosystem run on a single virtual server named april. The server uses Apache2 as the public-facing entry point — handling SSL termination and reverse proxying — backed by a k3s Kubernetes cluster that orchestrates all containerized workloads.

Projects not hosted in k3s (e.g., novators.kz, ai-ym.kz) run as direct host processes and are proxied by Apache independently.

Hosted projects

| Domain(s) | Project | Notes |
|---|---|---|
| robots.aprilhub.kz, api.robots.aprilhub.kz | April Robots Online | k3s — namespace april-robots-online |
| aprilhub.kz, api.aprilhub.kz | April Hub | k3s |
| login.aprilhub.kz | Keycloak | k3s — shared SSO for the ecosystem |
| ai-ym.kz | AI-YM | Direct host processes (ports 3000, 3001) |
| novators.kz | Novators website | Direct host processes (ports 5173, 8000) |

Network routing

Apache2 listens on ports 80 and 443. All HTTP traffic is permanently redirected to HTTPS via RewriteRule. For k3s-hosted projects, Apache proxies decrypted traffic to the k3s nginx ingress controller at 127.0.0.1:8080. The nginx ingress controller routes to the correct k8s service based on the Host header.

Apache sets X-Forwarded-Proto: https and X-Forwarded-Port: 443 on all proxied requests so that the nginx ingress does not issue an additional redirect loop for TLS-enforcing ingresses.

Each virtual host in Apache holds its own Let’s Encrypt TLS certificate, managed via Certbot on the host.

```mermaid
---
config:
  flowchart:
    nodeSpacing: 30
    rankSpacing: 50
  layout: elk
title: Server — Network Routing Overview
---
flowchart TB

User["Internet"]

subgraph Server["Virtual Server (april)"]
  subgraph Apache["Apache2"]
    A80[":80 — HTTP redirect"]
    A443[":443 — SSL termination\n(Let's Encrypt via Certbot)"]
  end

  subgraph k3s["k3s Cluster"]
    Nginx["nginx ingress controller :8080\n(routes by Host header)"]

    subgraph ARO["Namespace: april-robots-online"]
      ARFront["Frontend\n(SvelteKit NodeJS)"]
      ARBack["Backend\n(FastAPI)"]
      ARMDB[("MongoDB")]
    end

    subgraph AH["Namespace: april-hub"]
      AHApp["April Hub services"]
    end

    subgraph KC["Namespace: keycloak"]
      KCSvc["Keycloak"]
    end
  end

  Direct["Direct host processes\n(ai-ym.kz, novators.kz)"]
end

User -->|"HTTP"| A80
User -->|"HTTPS"| A443
A80 -->|"301 redirect"| A443
A443 -->|"proxy :8080\nrobots.aprilhub.kz\naprilhub.kz\nlogin.aprilhub.kz"| Nginx
A443 -->|"proxy direct ports"| Direct

Nginx -->|"robots.aprilhub.kz"| ARFront
Nginx -->|"api.robots.aprilhub.kz"| ARBack
Nginx -->|"aprilhub.kz"| AHApp
Nginx -->|"login.aprilhub.kz"| KCSvc

ARFront <-->|"API"| ARBack
ARBack --> ARMDB
```
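The Apache side of the routing described above (HTTP-to-HTTPS redirect, TLS termination, proxying to the k3s ingress at 127.0.0.1:8080 with the X-Forwarded-* headers, and proxying a direct host process) as an added illustrative virtual-host configuration. This is not the april server's actual configuration: domain names and ports come from this page, while the certificate paths, the ACME exception, the path split between the two ai-ym.kz processes and the module set are assumptions.

```apache
# Added example, not the production config of the april server.
# Assumes mod_ssl, mod_proxy, mod_proxy_http, mod_rewrite and mod_headers are
# enabled and that Certbot has placed certificates under
# /etc/letsencrypt/live/<domain>/ (assumed paths).

# :80 - every HTTP request is permanently redirected to HTTPS.
<VirtualHost *:80>
    ServerName  robots.aprilhub.kz
    ServerAlias api.robots.aprilhub.kz
    RewriteEngine On
    # Optional exception so HTTP-01 renewals still work (assumed layout).
    RewriteRule ^/\.well-known/acme-challenge/ - [L]
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# :443 - TLS termination, then proxy to the k3s nginx ingress controller.
# The certificate must list both names as SANs, or use one vhost per name.
<VirtualHost *:443>
    ServerName  robots.aprilhub.kz
    ServerAlias api.robots.aprilhub.kz

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/robots.aprilhub.kz/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/robots.aprilhub.kz/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Keep the client's Host header: the ingress routes on it.
    ProxyPreserveHost On

    # The hop to the ingress is plain HTTP; tell it the client leg was TLS so
    # TLS-enforcing ingresses do not answer with another redirect (loop).
    # "set" overwrites any client-supplied value. Do not use "append" or rely on
    # pass-through here, or a client could supply its own forwarded headers.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# A project that is not in k3s: proxied straight to its host processes.
<VirtualHost *:443>
    ServerName ai-ym.kz

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/ai-ym.kz/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ai-ym.kz/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    # Which process serves which path is an assumption; the page only states
    # that ai-ym.kz runs on ports 3000 and 3001. Longer prefixes go first.
    ProxyPass        /api/ http://127.0.0.1:3001/
    ProxyPassReverse /api/ http://127.0.0.1:3001/
    ProxyPass        /     http://127.0.0.1:3000/
    ProxyPassReverse /     http://127.0.0.1:3000/
</VirtualHost>
```

Check a change with `apachectl configtest` before reloading, then confirm the redirect chain ends after one hop (`curl -sI http://robots.aprilhub.kz/` should return a single 301 to the https URL, and the https request a 200 rather than another 3xx). Two points on the ingress side: the ingress controller only trusts X-Forwarded-Proto from Apache if it is configured to honour forwarded headers (for ingress-nginx that is `use-forwarded-headers: "true"` in its ConfigMap), and because it then trusts those headers, port 8080 should stay bound to 127.0.0.1 only, so nothing but Apache can reach the ingress with a forged X-Forwarded-Proto.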

Keycloak

Keycloak at login.aprilhub.kz is the centralized identity provider (IdP) for the ecosystem. Both April Hub and April Robots Online delegate user authentication and authorization to Keycloak via OIDC. Keycloak runs in the k3s cluster in its own namespace.

See Keycloak docs for integration details with April Robots Online.

Further reading