Skip to main content

Deployment

Alpaca Universe runs on Kubernetes and deploys via GitOps: ArgoCD watches the alpun-gitops repo and reconciles the cluster from its manifests.

Workloads

WorkloadImageHostReplicas
alpun-webregistry.bitview.club/alpun/alpun-webwww.alpun.io2
alpun-apiregistry.bitview.club/alpun/alpun-apiapi.alpun.io2
alpun-workerregistry.bitview.club/alpun/alpun-worker1–2
alpun-indexerregistry.bitview.club/alpun/alpun-indexer1
checkpointregistry.bitview.club/alpun/checkpointcheckpoint.alpun.io1
mongodbmongo:7— (cluster-internal)1 (replica set rs0)

How a deploy happens

1. Developer pushes to main in an app repo.
2. GitHub Actions builds the image and pushes
registry.bitview.club/alpun/<name>:<sha> and :latest.
3. The workflow checks out alpun-gitops, rewrites the image: line in
manifests/<name>/deployment.yaml, and commits.
4. ArgoCD detects the change and rolls the workload.

The gitops repo holds no Dockerfiles or workflows — it is a passive manifest store; the only commits it receives are tag bumps.

Initial sizing

Next.js web 2 replicas 250–500 MB memory each
Rust API 2 replicas 256–512 MB memory each
Worker 1–2 replicas 256–512 MB memory each
Indexer 1 replica 256–512 MB memory
MongoDB replica set persistent NVMe storage
Redis optional — required when scaling real-time rooms
across API replicas

MongoDB

A single-member replica set (rs0) from day one — transactions and change streams require replica-set mode. Scale to three members before mainnet launch. Credentials come from a manually created secret (see alpun-gitops/examples/); the database is not exposed outside the cluster.

Ingress and TLS

ingress-nginx with cert-manager (Let's Encrypt letsencrypt-prod cluster issuer). Hosts:

www.alpun.io → alpun-web (apex redirects to www)
api.alpun.io → alpun-api (REST + WebSocket)
checkpoint.alpun.io → checkpoint (this site)

Observability

Every Rust deployable exposes Prometheus metrics on port 9100 (see the metric list). Alerts worth having from day one:

  • blockchain_indexer_lag_slots above threshold — indexer falling behind.
  • reward_duplicate_attempts_total increasing — someone probing the claim endpoints.
  • MongoDB replica set without primary.

Identity

Authentication uses the cluster's existing Keycloak at identity.bitview.club with a dedicated alpun realm and alpun-app client. The realm/client setup steps live in the alpun-gitops repo's SETUP.md.

Secrets

Secrets are created out-of-band (never committed): MongoDB credentials, JWT signing key, server HMAC secret, Solana RPC URL with API key, treasury/mint authority keys. Templates live in alpun-gitops/examples/.