# 18. System Architecture Map — How Everything Connects

This document is the single reference showing every system in the KRG Digital Real Estate & Municipality Platform, which language powers it, and how they all connect.


## 18.1 Full Platform Overview

```mermaid
graph TD
  subgraph TOUCH["📱 Citizen Touchpoints"]
    direction LR
    MOB["📱 Mobile App<br/>Flutter 3.x (Dart)"]
    WEB["🌐 Web Portal<br/>Next.js 14+ (React)<br/>+ OpenLayers 9"]
    KIOSK["🏢 Service Center<br/>Flutter Kiosk (Dart)"]
  end

  subgraph AUTH["🔐 Identity Layer (Shared Gov)"]
    direction LR
    KRDPASS["KRDPASS (SSO)"] <-->|OIDC| KEYCLOAK["Keycloak<br/>OAuth 2.1 / RBAC"]
  end

  subgraph GW["🚪 API Gateway — Kong OSS"]
    direction LR
    RL["Rate Limiting"] ~~~ JWT["JWT Validation"] ~~~ ROUTE["Request Routing"]
    MTLS["mTLS Termination"] ~~~ IPWL["IP Allowlisting"] ~~~ CACHE["Response Caching"]
  end

  subgraph LARAVEL["🐘 PHP 8.4 / Laravel 13"]
    direction LR
    PROPSVC["Property<br/>Registration"]
    XFRSVC["Transfer<br/>Service"]
    PERMSVC["Building<br/>Permits"]
    VALSVC["Valuation<br/>Service"]
    PAYSVC["Payment<br/>Service"]
    MUNSVC["Municipal<br/>Service"]
    RENTSVC["Rental<br/>Registry"]
    APTSVC["Appointment<br/>Service"]
  end

  subgraph PYTHON["🐍 Python 3.12 / FastAPI"]
    direction LR
    DOCSVC["Document<br/>/ OCR"]
    GISSVC["GIS Service<br/>+ GeoServer"]
    ANASVC["Analytics<br/>/ ML"]
  end

  subgraph GOSVC["🔷 Go 1.22 / Gin"]
    AUDIT["Audit Service<br/>50K+ events/sec immutable logs"]
  end

  subgraph KAFKA["🔗 Apache Kafka (KRaft)"]
    direction LR
    T1["property.events"] ~~~ T2["transfer.events"] ~~~ T3["payment.events"]
    T4["permit.events"] ~~~ T5["document.events"] ~~~ T6["audit.events"]
  end

  subgraph KRGROAD["🏛️ KRG-Road (Shared Gov)"]
    direction LR
    SS_RE["Security Server<br/>(RE Platform)"]
    SSC["Security Server<br/>(Civil Status)"]
    SST["Security Server<br/>(Tax)"]
    SSN["Security Server<br/>(Notary)"]
    CENTRAL["Central Services<br/>Registry · Trust · Audit"]
  end

  subgraph DATA["💾 Data Layer"]
    direction LR
    PG["PostgreSQL 16<br/>+ PostGIS 3.4<br/>(Patroni)"]
    RDS["Redis 7<br/>Cluster"]
    MINIO["MinIO<br/>(S3)"]
    MEILI["Meilisearch"]
    GEO["GeoServer<br/>+ pg_tileserv"]
  end

  subgraph OBS["📊 Observability"]
    direction LR
    PROM["Prometheus<br/>+ Thanos"]
    LOKI["Loki<br/>+ Fluent Bit"]
    JAEG["Jaeger /<br/>Tempo"]
    GRAF["Grafana"]
    UKUMA["Uptime Kuma"]
    ALERTM["Alertmanager<br/>→ Telegram"]
  end

  subgraph SEC["🔒 Security Perimeter"]
    direction LR
    DDOS["DDoS<br/>Arbor"] --> FW["pfSense<br/>FW"] --> WAF["WAF<br/>ModSecurity"] --> ISTIO["Istio<br/>Mesh"]
    WAZUH["Wazuh SIEM"] ~~~ SURI["Suricata"] ~~~ CROW["CrowdSec"] ~~~ VAULT["Vault"]
  end

  subgraph INFRA["🏗️ Infrastructure"]
    direction LR
    SUL["Sulaymaniyah DC<br/>(Primary)<br/>Rocky Linux 9 + RKE2"]
    EBL["Erbil DC<br/>(DR)<br/>Rocky Linux 9 + RKE2"]
    SUL <-->|Dedicated Fiber| EBL
  end

  TOUCH --> AUTH --> GW
  GW --> LARAVEL
  GW --> PYTHON
  GW --> GOSVC
  LARAVEL --> KAFKA
  PYTHON --> KAFKA
  GOSVC --> KAFKA
  LARAVEL --> DATA
  PYTHON --> DATA
  KAFKA --> KRGROAD
  DATA --> OBS
  OBS --> SEC
  SEC --> INFRA
```

## 18.2 Service-to-Language Map (Quick Reference)

| Service | Language | Framework | Why This Language |
|---|---|---|---|
| Property Registration | PHP 8.4 | Laravel 13 + Workflow | Core CRUD, team expertise, Spatie ecosystem |
| Transfer Service | PHP 8.4 | Laravel 13 + Workflow | Multi-step approval workflows, state machines |
| Building Permits | PHP 8.4 | Laravel 13 + Workflow | Permit lifecycle, inspection scheduling |
| Valuation Service | PHP 8.4 | Laravel 13 | CRUD + calls Python ML endpoint for automated valuation |
| Payment Service | PHP 8.4 | Laravel 13 | Bank API integrations, fee calculation, reconciliation |
| Municipal Service | PHP 8.4 | Laravel 13 | Zoning, subdivision, address management |
| Rental Registry | PHP 8.4 | Laravel 13 | Contract CRUD, tenant/landlord management |
| Appointment Service | PHP 8.4 | Laravel 13 | Booking logic, calendar, QR check-in |
| Document / OCR Service | Python 3.12 | FastAPI | Tesseract/PaddleOCR, ML-based deed extraction |
| GIS Service | Python 3.12 | FastAPI + GeoServer | GeoPandas, PostGIS, Shapely, WMS/WFS publishing |
| Analytics / ML Service | Python 3.12 | FastAPI | XGBoost valuation, Prophet forecasting, Metabase |
| Audit Service | Go 1.22 | Gin | 50K+ events/sec write throughput, immutable logs |
| Admin Dashboard | PHP 8.4 | Filament 3 (Livewire) | Municipality staff UI, same language as backend |
| Property Mobile App | Dart | Flutter 3.x | Single codebase iOS + Android |
| Property Web Portal | TypeScript | Next.js 14+ (React) | SSR, SEO, i18n (4 languages + RTL), OpenLayers 9 |
| Kiosk App | Dart | Flutter 3.x (Android) | Shared code with mobile, thermal print |
| Digital Signage | TypeScript | React SPA | Lightweight, WebSocket queue updates |

## 18.3 How a Property Transfer Flows (End-to-End)

```mermaid
sequenceDiagram
    autonumber
    participant C as 👤 Property Owner
    participant APP as 📱 Flutter / Next.js
    participant KONG as 🚪 Kong Gateway
    participant XFR as 🐘 Transfer Service
    participant ROAD as 🏛️ KRG-Road
    participant DB as 💾 PostgreSQL + PostGIS
    participant KAFKA as 📨 Apache Kafka
    participant PAY as 💳 Payment Service
    participant AUDIT as 🔷 Audit (Go)
    participant NOTIF as 🔔 Notification

    C->>APP: Submit transfer request (buyer, property, price)
    APP->>KONG: HTTPS + JWT
    KONG->>XFR: Route to Transfer Service
    XFR->>DB: Create transaction record (status: initiated)
    XFR->>ROAD: Query Civil Status (verify buyer identity)
    ROAD-->>XFR: Identity confirmed ✓
    XFR->>ROAD: Query Tax Authority (no outstanding debt?)
    ROAD-->>XFR: Tax clearance ✓
    XFR->>DB: Check encumbrances (mortgages, liens)
    DB-->>XFR: No active encumbrances ✓
    XFR->>KAFKA: Publish transfer.initiated
    XFR-->>APP: Application submitted — awaiting review
    Note over XFR: Staff reviews in Filament admin
    XFR->>PAY: Calculate & collect transfer tax + fees
    PAY-->>XFR: Payment confirmed
    XFR->>DB: Update ownership_records + ownership_history
    XFR->>KAFKA: Publish transfer.completed
    KAFKA->>AUDIT: Log immutably (hash chain)
    KAFKA->>NOTIF: SMS + Push to buyer & seller
    NOTIF->>C: 🎉 "Transfer registered — new deed available"
```
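Step "Log immutably (hash chain)" above is the Go Audit Service's job. The following is an added example, not the platform's own Audit Service code, of the hash chaining that step implies: each record carries the hash of its predecessor, and a verifier walks the chain from genesis to find the first record that was edited, reordered or dropped. The `Event` fields and the topic and type names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// Event is an assumed record shape (not the platform's own schema); Hash seals the record, PrevHash included.
type Event struct {
	Seq      uint64 `json:"seq"`
	Topic    string `json:"topic"` // Kafka topic consumed, e.g. transfer.events
	Type     string `json:"type"`  // e.g. transfer.completed
	Payload  string `json:"payload"`
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash"`
}
// Chain is the append-only log, held in memory for the example.
type Chain struct{ Events []Event }
// hashOf hashes the record's JSON with Hash blanked; struct field order keeps the encoding deterministic.
func hashOf(e Event) string {
	e.Hash = ""
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links a new event to the current head and seals it.
func (c *Chain) Append(topic, typ, payload string) Event {
	prev := "" // the genesis record has no predecessor
	if n := len(c.Events); n > 0 {
		prev = c.Events[n-1].Hash
	}
	e := Event{Seq: uint64(len(c.Events)), Topic: topic, Type: typ, Payload: payload, PrevHash: prev}
	e.Hash = hashOf(e)
	c.Events = append(c.Events, e)
	return e
}

// Verify re-derives every hash and back-link; it returns the first failing index, or -1 if the chain is intact.
func (c *Chain) Verify() int {
	prev := ""
	for i, e := range c.Events {
		if e.Seq != uint64(i) || e.PrevHash != prev || hashOf(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}
```

A chain like this only proves that the log was not altered after the fact; anchoring the latest hash somewhere the audit service cannot rewrite (a periodic external timestamp, for instance) is what stops an attacker who controls the service from regenerating the whole chain.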

## 18.4 External Integration Flow (via KRG-Road)

```mermaid
graph TD
  CIT["👤 Citizen requests<br/>property transfer"] --> KONG["🚪 Kong Gateway"]
  KONG --> ENGINE["⚙️ Transfer Service<br/>(Laravel 13 — PHP 8.4)<br/>Needs data from 3 sources"]

  ENGINE -->|KRG-Road<br/>mTLS + signed| SSC["🔐 Security Server<br/>(Civil Status)"]
  ENGINE -->|KRG-Road<br/>mTLS + signed| SST["🔐 Security Server<br/>(Tax Authority)"]
  ENGINE -->|KRG-Road<br/>mTLS + signed| SSN["🔐 Security Server<br/>(Notary)"]

  SSC --> CIVIL["👤 Civil Status<br/>Registry"]
  SST --> TAX["💰 Tax<br/>System"]
  SSN --> NOTARY["📜 Notary<br/>Records"]

  CIVIL -->|Identity verified ✓| RESULT["⚙️ Transfer Service<br/>compiles results"]
  TAX -->|No debt ✓| RESULT
  NOTARY -->|Power of attorney valid ✓| RESULT

  RESULT --> PAY["💳 Payment<br/>(Laravel)"]
  RESULT --> DIGSIG["🔐 Digital Sig<br/>(EJBCA)"]
  RESULT --> DOC["📄 Doc Vault<br/>(MinIO)"]
  RESULT --> NOTIFY["🔔 Notify"]
  RESULT --> AUDIT2["📝 Audit<br/>(Go)"]
```

## 18.5 Language Boundary Rules

| Rule | Detail |
|---|---|
| Laravel owns all property CRUD | Any service that primarily reads/writes property business data is Laravel. This keeps ~70% of the codebase in one language with one team. |
| FastAPI owns GIS, OCR, and ML | Anything touching ML models, OCR, geospatial analysis, or heavy data science libraries runs in Python. |
| Go owns audit only | The single Go service handles the write-heaviest, most performance-critical path: immutable audit logging. |
| Kafka connects everything | Services never call each other directly for side effects. Events flow through Kafka topics. |
| KRG-Road connects external systems | Cross-system data (civil status, tax, notary) never reaches our services directly; it always passes through the Security Servers. |
| Kong is the single entry point | No client (app, web, kiosk) talks to any backend service directly. Everything goes through Kong. |
| GeoServer handles map tiles | Web/mobile map clients request tiles from GeoServer / pg_tileserv, not from Python directly. |

## 18.6 Port/Protocol Map

| Component | Internal Port | Protocol | Exposed Via |
|---|---|---|---|
| Kong Gateway | 8000/8443 | HTTP/HTTPS | Public (443 via Nginx) |
| Laravel Services | 8080 | HTTP | Kong (internal) |
| FastAPI Services | 8000 | HTTP | Kong (internal) |
| Go Audit Service | 9090 | HTTP/gRPC | Kong + direct Kafka consumer |
| GeoServer | 8080 | HTTP | Kong (internal, /geoserver/*) |
| pg_tileserv | 7800 | HTTP | Kong (internal, /tiles/*) |
| PostgreSQL | 5432 | TCP | Internal only (Patroni VIP) |
| Redis | 6379 | TCP | Internal only |
| Kafka | 9092 | TCP | Internal only |
| MinIO | 9000 | HTTP | Internal only |
| Keycloak | 8080 | HTTP | Kong (internal) |
| Meilisearch | 7700 | HTTP | Internal only |
| Grafana | 3000 | HTTP | Internal (staff VPN) |
| Prometheus | 9090 | HTTP | Internal only |
| Loki | 3100 | HTTP | Internal only |

## 18.7 Deployment Topology (Kubernetes)

```mermaid
graph LR
  CLUSTER["☸️ RKE2 Kubernetes<br/>Sulaymaniyah DC"]

  subgraph NS1["re-gateway"]
    KONG2["Kong (3 replicas, HPA)"]
  end
  subgraph NS2["re-laravel"]
    L1["property-registration (3)"]
    L2["transfer-service (3)"]
    L3["building-permits (2)"]
    L4["valuation-service (2)"]
    L5["payment-service (3)"]
    L6["municipal-service (2)"]
    L7["rental-registry (2)"]
    L8["appointment-service (2)"]
    L9["filament-admin (2)"]
  end
  subgraph NS3["re-python"]
    P1["document-ocr-service (2)"]
    P2["gis-service (2)"]
    P3["analytics-ml-service (2)"]
  end
  subgraph NS4["re-go"]
    G1["audit-service (3, high IOPS)"]
  end
  subgraph NS5["re-data"]
    D1["PostgreSQL + PostGIS Patroni (3)"]
    D2["Redis Sentinel (3)"]
    D3["Kafka KRaft (3)"]
    D4["MinIO (4, erasure)"]
    D5["Meilisearch (2)"]
    D6["Schema Registry (2)"]
  end
  subgraph NS6["re-geo"]
    GS1["GeoServer (2)"]
    GS2["pg_tileserv (2)"]
  end
  subgraph NS7["re-auth"]
    A1["Keycloak (3, shared)"]
    A2["EJBCA (2, shared)"]
  end
  subgraph NS8["re-interop"]
    I1["Security Server (RE)"]
  end
  subgraph NS9["re-observability"]
    O1["Prometheus + Thanos"]
    O2["Loki + Fluent Bit"]
    O3["Grafana"]
    O4["Jaeger / Tempo"]
    O5["Uptime Kuma"]
    O6["Alertmanager"]
  end
  subgraph NS10["re-security"]
    S1["Wazuh + Elasticsearch"]
    S2["Suricata"]
    S3["CrowdSec"]
    S4["OPA / Gatekeeper"]
  end
  subgraph NS11["re-devops"]
    DV1["GitLab CE"]
    DV2["ArgoCD"]
    DV3["Harbor"]
    DV4["SonarQube"]
    DV5["HashiCorp Vault"]
  end

  CLUSTER --> NS1
  CLUSTER --> NS2
  CLUSTER --> NS3
  CLUSTER --> NS4
  CLUSTER --> NS5
  CLUSTER --> NS6
  CLUSTER --> NS7
  CLUSTER --> NS8
  CLUSTER --> NS9
  CLUSTER --> NS10
  CLUSTER --> NS11
```

## 18.8 Technology Count Summary

| Category | Count | Technologies |
|---|---|---|
| Programming Languages | 5 | PHP, Python, Go, Dart, TypeScript |
| Backend Frameworks | 3 | Laravel 13, FastAPI, Gin |
| Frontend Frameworks | 3 | Flutter, Next.js, Filament/Livewire |
| Databases | 1 primary | PostgreSQL 16 (+ PostGIS 3.4 extension) |
| GIS Stack | 4 | GeoServer, pg_tileserv, OpenLayers, QGIS |
| Cache | 1 | Redis 7 |
| Search | 2 | Meilisearch (app), Elasticsearch (SIEM only) |
| Message Broker | 1 | Apache Kafka |
| Object Storage | 1 | MinIO |
| API Gateway | 1 | Kong OSS |
| Service Mesh | 1 | Istio / Envoy |
| Container Orchestration | 1 | RKE2 (Kubernetes) |
| CI/CD | 2 | GitLab CI + ArgoCD |
| Monitoring | 6 | Prometheus, Loki, Grafana, Jaeger, Thanos, Uptime Kuma |
| Security | 8 | Keycloak, Wazuh, OPA, Vault, Suricata, CrowdSec, EJBCA, Trivy |