Keybard-Vagabond-Demo/.cursor/rules/applications.mdc
2025-12-24 14:35:17 +01:00
---
description: Fediverse applications deployment patterns and configurations
globs: ["manifests/applications/**/*", "build/**/*"]
alwaysApply: false
---
# Fediverse Applications ✅ OPERATIONAL
## Application Overview
All applications follow a **Zero Trust architecture**: they are reachable only through Cloudflare tunnels (no publicly exposed ingress) and each has a dedicated S3-compatible bucket for media storage:
### Currently Deployed Applications
- **Mastodon**: `https://mastodon.keyboardvagabond.com` - Microblogging platform ✅ OPERATIONAL
- **Pixelfed**: `https://pixelfed.keyboardvagabond.com` - Photo sharing platform ✅ OPERATIONAL
- **PieFed**: `https://piefed.keyboardvagabond.com` - Forum/Reddit-like platform ✅ OPERATIONAL
- **BookWyrm**: `https://bookwyrm.keyboardvagabond.com` - Social reading platform ✅ OPERATIONAL
- **Picsur**: `https://picsur.keyboardvagabond.com` - Image storage ✅ OPERATIONAL
## Application Architecture Patterns
### Multi-Container Design
Most fediverse applications use **multi-container architecture**:
- **Web Container**: HTTP requests, API, web UI (Nginx + app server)
- **Worker Container**: Background jobs, federation, media processing
- **Beat Container**: (Django apps only) Celery Beat scheduler for periodic tasks
### Storage Strategy ✅ OPERATIONAL
**Per-Application CDN Strategy**: Each application uses dedicated Backblaze B2 bucket with Cloudflare CDN:
- **Pixelfed CDN**: `pm.keyboardvagabond.com` → `pixelfed-bucket`
- **PieFed CDN**: `pfm.keyboardvagabond.com` → `piefed-bucket`
- **Mastodon CDN**: `mm.keyboardvagabond.com` → `mastodon-bucket`
- **BookWyrm CDN**: `bm.keyboardvagabond.com` → `bookwyrm-bucket`
### Database Integration
All applications use the shared **PostgreSQL HA cluster**:
- **Connection**: `postgresql-shared-rw.postgresql-system.svc.cluster.local:5432`
- **Dedicated Databases**: Each app has its own database (e.g., `mastodon`, `pixelfed`, `piefed`, `bookwyrm`)
- **High Availability**: 3-instance cluster with automatic failover
## Framework-Specific Patterns
### Laravel Applications (Pixelfed)
```env
# Critical Laravel S3 Configuration
FILESYSTEM_DRIVER=s3
PF_ENABLE_CLOUD=true
FILESYSTEM_CLOUD=s3
AWS_BUCKET=pixelfed-bucket            # Dedicated bucket approach
AWS_URL=https://pm.keyboardvagabond.com/   # CDN URL served in front of the bucket
```
### Flask Applications (PieFed)
```env
# Flask Configuration with Redis and S3 (values injected from Secrets at deploy time)
FLASK_APP=pyfedi.py
DATABASE_URL=
CACHE_REDIS_URL=
S3_BUCKET=
S3_PUBLIC_URL=https://pfm.keyboardvagabond.com
```
### Django Applications (BookWyrm)
```env
# Django S3 Configuration
USE_S3=true
AWS_STORAGE_BUCKET_NAME=bookwyrm-bucket
AWS_S3_CUSTOM_DOMAIN=bm.keyboardvagabond.com
AWS_DEFAULT_ACL=""   # Backblaze B2 doesn't support per-object ACLs; leave empty so no ACL header is sent
```
### Ruby Applications (Mastodon)
```yaml
# Mastodon Dual Ingress Pattern
# Web: mastodon.keyboardvagabond.com
# Streaming: streamingmastodon.keyboardvagabond.com (WebSocket)
STREAMING_API_BASE_URL: wss://streamingmastodon.keyboardvagabond.com
```
## Container Build Patterns
### Multi-Stage Docker Strategy ✅ WORKING
Multi-stage builds reduce image size by roughly 75% (from a 1.3GB single-stage image to ~350MB):
- **Base Image**: Shared foundation with runtime dependencies and source code
- **Web Container**: Production web server configuration built on the base image
- **Worker Container**: Background processing configuration built on the same base image
- **Size Reduction**: From 1.3GB single-stage to ~350MB multi-stage
### Harbor Registry Integration
- **Registry**: `<YOUR_REGISTRY_URL>`
- **Image Pattern**: `<YOUR_REGISTRY_URL>/library/app-name:tag`
- **Build Process**: `./build-all.sh` in project root
## ActivityPub Inbox Rate Limiting ✅ OPERATIONAL
### Nginx Burst Configuration Pattern
Implemented across all fediverse applications to handle federation traffic spikes:
```nginx
# Rate limiting zone: 100MB of shared memory for per-client state (not a request buffer),
# keyed by client address, sustained rate 10 requests/second
limit_req_zone $binary_remote_addr zone=inbox:100m rate=10r/s;
# ActivityPub inbox location block
location /inbox {
    # Up to 300 excess requests are queued and released at 10r/s (no nodelay);
    # anything beyond that is rejected with limit_req_status (default 503)
    limit_req zone=inbox burst=300;
    # Extended timeouts for ActivityPub processing
}
```
### Rate Limiting Behavior
- **Normal Operation**: Up to 10 requests/second per client key are passed to the backend without delay
- **Burst Handling**: Up to 300 excess requests per client are queued and released at 10 requests/second, so a full queue drains in about 30 seconds
- **Overflow Response**: HTTP 503 (nginx's default `limit_req_status`) once a client already has 300 queued requests
- **Federation Impact**: Protects the backend from traffic spikes caused by large remote instances or misbehaving federation peers
- **Caveat**: Traffic arrives through the Cloudflare tunnel, so `$binary_remote_addr` is the address of the tunnel connector (cloudflared) unless the real client address is restored first (ngx_http_realip_module with `set_real_ip_from` and `real_ip_header CF-Connecting-IP`). Without that, every remote instance shares one bucket and a single noisy peer can starve all inbound federation. Verify with `curl -sI` against `/inbox` while watching the `$remote_addr` field in the access log.
## Application Deployment Standards
- **Zero Trust Ingress**: All applications use Cloudflare tunnel pattern
- **Container Registry**: Harbor for all custom images
- **Multi-Stage Builds**: Required for Python/Node.js applications
- **Storage**: Longhorn with 2-replica redundancy
- **Monitoring**: ServiceMonitor integration with OpenObserve
- **Rate Limiting**: ActivityPub inbox protection for all fediverse apps
@fediverse-app-template.yaml
@s3-storage-config-template.yaml
@activitypub-rate-limiting-template.yaml