# [TSM.ID].[11031972] Gitea & Phantom Architecture

---

## Overview

```
DEVELOPER (Local)
    |
    | git push
    v
┌─────────────────────────────────────────────┐
│  GITEA (gitea.ultramodul.xyz)               │
│  Port 3050 (Internal)                       │
│  NGINX Reverse Proxy :443                   │
├─────────────────────────────────────────────┤
│                                             │
│  ┌──────────────────────────────────────┐   │
│  │  Repositories                        │   │
│  │  ├── supreme_commander/multiverse    │   │
│  │  │   (Parent - ecosystem docs)       │   │
│  │  └── supreme_commander/xcom-ultra    │   │
│  │      (119 Rust modules - PXE Engine) │   │
│  └──────────────────────────────────────┘   │
│                                             │
│  ┌──────────────────────────────────────┐   │
│  │  Forgejo Actions (CI/CD)             │   │
│  │  ├── act_runner (ALPHA)              │   │
│  │  ├── act_runner (BETA)               │   │
│  │  └── act_runner (GAMMA)              │   │
│  └──────────┬───────────────────────────┘   │
│             │                               │
│  ┌──────────┴───────────────────────────┐   │
│  │  Webhooks                            │   │
│  │  └── POST /phantom/deploy            │   │
│  └──────────┬───────────────────────────┘   │
│             │                               │
└─────────────┼───────────────────────────────┘
              │
              │ webhook trigger
              v
┌─────────────────────────────────────────────┐
│  PHANTOM DEPLOYMENT ENGINE                  │
│  (Auto-Deploy Orchestrator)                 │
├─────────────────────────────────────────────┤
│                                             │
│  ┌──────────────────────────────────────┐   │
│  │  Phantom Listener                    │   │
│  │  ├── Webhook Receiver (HTTP)         │   │
│  │  ├── Signature Verifier (HMAC)       │   │
│  │  └── Event Parser (push/tag/PR)      │   │
│  └──────────┬───────────────────────────┘   │
│             │                               │
│  ┌──────────┴───────────────────────────┐   │
│  │  Deploy Pipeline                     │   │
│  │  ├── 1. git pull (latest code)       │   │
│  │  ├── 2. cargo build --release        │   │
│  │  ├── 3. cargo test --workspace       │   │
│  │  ├── 4. Binary swap (zero downtime)  │   │
│  │  ├── 5. Health check                 │   │
│  │  └── 6. Rollback (if failed)         │   │
│  └──────────┬───────────────────────────┘   │
│             │                               │
│  ┌──────────┴───────────────────────────┐   │
│  │  Node Distributor                    │   │
│  │  ├── ALPHA (Primary Build)           │   │
│  │  ├── BETA (Canary Deploy)            │   │
│  │  └── GAMMA (Full Rollout)            │   │
│  └──────────────────────────────────────┘   │
│                                             │
└─────────────────────────────────────────────┘
```

---

## Gitea Server

### Configuration

| Parameter | Value |
|:----------|:------|
| Domain | `gitea.ultramodul.xyz` |
| Internal Port | 3050 |
| External | NGINX → HTTPS :443 |
| Database | PostgreSQL |
| User | `supreme_commander` |
| Runner | Forgejo Actions (act_runner) |

### Repositories

```
supreme_commander/
├── multiverse              # Parent repo - ecosystem documentation
│   └── README.md           # Map of the 119 modules + architecture
│
└── xcom-ultra              # Engine repo - 119 Rust modules
    ├── Cargo.toml          # Workspace with 119 members
    ├── README.md           # Technical documentation
    ├── .gitignore
    ├── .forgejo/
    │   └── workflows/
    │       └── ci.yml      # CI/CD pipeline
    │
    ├── xcu-core/           # [01] Foundation engine
    ├── xcu-sfu/            # [02] Selective Forwarding Unit
    ├── xcu-quic/           # [03] QUIC transport
    ├── ...                 # ... 116 more modules
    └── xcu-veritas/        # [119] Truth verification
```

### Forgejo Actions Pipeline

```yaml
# .forgejo/workflows/ci.yml
name: "[TSM.ID].[11031972] 3Z Pipeline"

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

jobs:
  check:
    name: "Zero Error Check"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - run: cargo check --workspace

  test:
    name: "Zero Warning Test"
    runs-on: ubuntu-latest
    needs: check
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - run: cargo test --workspace

  audit:
    name: "3Z Audit"
    runs-on: ubuntu-latest
    needs: test
    steps:
      - uses: actions/checkout@v4
      - name: "Watermark Check"
        run: |
          count=$(grep -rl "TSM.ID.*11031972" --include="*.rs" | wc -l)
          echo "Watermarked files: $count"
      - name: "No unwrap() in production"
        run: |
          # Filter out lines that mention test markers (line-level, not block-aware)
          violations=$(grep -rn "\.unwrap()" --include="*.rs" | grep -v "mod tests" | grep -v "#\[test\]" | grep -v "fn test_" | wc -l)
          echo "unwrap() violations: $violations"
      - name: "No panic!() in production"
        run: |
          violations=$(grep -rn "panic!(" --include="*.rs" | grep -v "mod tests" | grep -v "#\[test\]" | wc -l)
          echo "panic!() violations: $violations"

  deploy:
    name: "Phantom Deploy"
    runs-on: ubuntu-latest
    needs: [check, test, audit]
    if: github.ref == 'refs/heads/master'
    steps:
      - name: "Trigger Phantom"
        run: |
          curl -X POST https://phantom.ultramodul.xyz/deploy \
            -H "X-Signature: ${{ secrets.PHANTOM_SECRET }}" \
            -d '{"repo":"xcom-ultra","branch":"master"}'
```

As written, the three audit steps only print their counts and never exit non-zero, so `needs: [check, test, audit]` in the `deploy` job gates on the audit job having run, not on the counts being zero.

---

## Phantom Deployment Engine

### Internal Architecture

```
┌─────────────────────────────────────────────────────────┐
│                     PHANTOM ENGINE                      │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  ┌─────────────┐    ┌──────────────┐    ┌────────────┐  │
│  │  RECEIVER   │───>│  VALIDATOR   │───>│  BUILDER   │  │
│  │  (Webhook)  │    │ (HMAC+Auth)  │    │  (Cargo)   │  │
│  └─────────────┘    └──────────────┘    └─────┬──────┘  │
│                                               │         │
│                                               v         │
│  ┌─────────────┐    ┌──────────────┐    ┌────────────┐  │
│  │  MONITOR    │<───│   HEALTH     │<───│  DEPLOYER  │  │
│  │ (Telemetry) │    │   CHECK      │    │  (Swap)    │  │
│  └─────────────┘    └──────────────┘    └────────────┘  │
│                                                         │
│  ┌──────────────────────────────────────────────────┐   │
│  │  ROLLBACK ENGINE                                 │   │
│  │  ├── Binary versioning (keep last 3)             │   │
│  │  ├── Auto-rollback on health check fail          │   │
│  │  └── Manual rollback via API                     │   │
│  └──────────────────────────────────────────────────┘   │
│                                                         │
└─────────────────────────────────────────────────────────┘
```

### Deploy Flow (Zero Downtime)

```
Step 1: RECEIVE
  Webhook POST from Gitea
  ├── Verify HMAC signature
  ├── Parse event (push/tag)
  └── Queue deploy job

Step 2: BUILD
  ├── git pull --ff-only
  ├── cargo check --workspace
  ├── cargo build --workspace --release
  └── cargo test --workspace

Step 3: SWAP (Zero Downtime)
  ├── Copy new binary → /opt/xcu/bin/xcu-core.new
  ├── Signal graceful shutdown (SIGTERM)
  ├── Wait for connections to drain (max 30s)
  ├── mv xcu-core.new → xcu-core
  └── Start new process

Step 4: VERIFY
  ├── Health check (HTTP 200)
  ├── Memory usage check
  ├── CPU usage check
  └── Response time < 100ms

Step 5: ROLLBACK (if Step 4 fails)
  ├── mv xcu-core.backup → xcu-core
  ├── Restart old binary
  ├── Alert via webhook
  └── Log failure reason
```

### Node Distribution

```
┌──────────────────────────────────────────────────────────┐
│                     DEPLOY STRATEGY                      │
├──────────────────────────────────────────────────────────┤
│                                                          │
│  Phase 1: ALPHA (160.187.143.253)                        │
│  ├── Primary build node                                  │
│  ├── First deploy target                                 │
│  ├── Run full test suite                                 │
│  └── If OK → proceed to Phase 2                          │
│                                                          │
│  Phase 2: BETA (160.187.143.133)                         │
│  ├── Canary deploy (10% traffic)                         │
│  ├── Monitor for 5 minutes                               │
│  ├── Compare metrics vs ALPHA                            │
│  └── If OK → proceed to Phase 3                          │
│                                                          │
│  Phase 3: GAMMA (160.187.143.172)                        │
│  ├── Full rollout (100% traffic)                         │
│  ├── Final health verification                           │
│  └── Deploy complete                                     │
│                                                          │
└──────────────────────────────────────────────────────────┘
```

### Systemd Service

```ini
# /etc/systemd/system/phantom.service
[Unit]
Description=[TSM.ID].[11031972] Phantom Deploy Engine
After=network.target gitea.service

[Service]
Type=simple
User=root
WorkingDirectory=/var/www/phantom_workspace
ExecStart=/usr/bin/node phantom_listener.js
Restart=always
RestartSec=5
Environment=PHANTOM_PORT=9090
Environment=GITEA_URL=https://gitea.ultramodul.xyz
Environment=DEPLOY_PATH=/opt/xcu

[Install]
WantedBy=multi-user.target
```

---

## Network Topology

```
                INTERNET
                    │
                    │ HTTPS :443
                    v
            ┌───────────────┐
            │     NGINX     │
            │  (SSL Termn)  │
            └───────┬───────┘
                    │
        ┌───────────┼───────────┐
        │           │           │
        v           v           v
   ┌─────────┐ ┌─────────┐ ┌─────────┐
   │  GITEA  │ │ PHANTOM │ │   XCU   │
   │  :3050  │ │  :9090  │ │SERVICES │
   └─────────┘ └─────────┘ └─────────┘
        │           │           │
        v           v           v
   ┌───────────────────────────────┐
   │       PostgreSQL :5432        │
   │          Redis :6379          │
   └───────────────────────────────┘
```

---

## Security

| Layer | Mechanism |
|:------|:----------|
| Transport | TLS 1.3 (Let's Encrypt) |
| Auth | Basic Auth + API Token |
| Webhook | HMAC-SHA256 signature |
| Deploy | Binary checksum verification |
| Access | UFW firewall + fail2ban |
| Secrets | Environment variables (not in repo) |

---

## Watermark

```
[TSM.ID].[11031972]
```

**All Rights Reserved. Proprietary & Confidential.**