# Architecture Reference

## Overview

This document describes the reference architecture of the Noveu platform, intended for architects and technical decision-makers.

## Architecture Principles

### 1. Sovereignty

- All data within EU legal jurisdiction
- No US cloud providers in critical paths
- Transparent supply chain

### 2. Modularity

- Loosely coupled services
- Replaceable components
- API-first design

### 3. Resilience

- No single points of failure
- Graceful degradation
- Self-healing systems

### 4. Security by Design

- Zero trust networking
- Defense in depth
- Encryption everywhere

## Logical Architecture

```
┌─────────────────────────────────────────────────────────────────────┐
│                         PRESENTATION LAYER                          │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐   │
│  │   Web   │  │ Desktop │  │ Mobile  │  │ Outlook │  │   API   │   │
│  │  Portal │  │  Client │  │  Apps   │  │ Plugin  │  │ Gateway │   │
│  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘   │
└───────┼────────────┼────────────┼────────────┼────────────┼────────┘
        │            │            │            │            │
        └────────────┴────────────┼────────────┴────────────┘
                                  │
                          ┌───────┴───────┐
                          │  API Gateway  │
                          │   + AuthN     │
                          └───────┬───────┘
                                  │
┌─────────────────────────────────┼─────────────────────────────────┐
│                      APPLICATION LAYER                             │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐  │
│  │  Mail   │  │Calendar │  │  Files  │  │  Chat   │  │   AI    │  │
│  │ Service │  │ Service │  │ Service │  │ Service │  │ Service │  │
│  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘  │
└───────┼────────────┼────────────┼────────────┼────────────┼───────┘
        │            │            │            │            │
        └────────────┴────────────┼────────────┴────────────┘
                                  │
┌─────────────────────────────────┼─────────────────────────────────┐
│                       PLATFORM LAYER                               │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐  │
│  │Identity │  │ Policy  │  │Observa- │  │ Compli- │  │  Event  │  │
│  │   IAM   │  │ Engine  │  │ bility  │  │  ance   │  │   Bus   │  │
│  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘  │
└───────┼────────────┼────────────┼────────────┼────────────┼───────┘
        │            │            │            │            │
        └────────────┴────────────┼────────────┴────────────┘
                                  │
┌─────────────────────────────────┼─────────────────────────────────┐
│                     INFRASTRUCTURE LAYER                           │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐  │
│  │Kubernetes│ │ Object  │  │ Block   │  │  DNS/   │  │ Secrets │  │
│  │ Cluster │  │ Storage │  │ Storage │  │   CDN   │  │   Mgmt  │  │
│  └─────────┘  └─────────┘  └─────────┘  └─────────┘  └─────────┘  │
└───────────────────────────────────────────────────────────────────┘
```

## Component Details

### Presentation Layer

| Component | Technology | Function |
|-----------|-------------|---------|
| Web Portal | React, Next.js | Browser-based UI |
| Desktop Client | Electron | Native app experience |
| Mobile Apps | React Native | iOS/Android apps |
| Outlook Plugin | COM Add-in | Microsoft integration |
| API Gateway | Kong/Envoy | Request routing, auth |

### Application Layer

| Service | Responsibility | Storage |
|---------|---------------------|---------|
| Mail Service | IMAP/SMTP, filtering, archiving | Object + DB |
| Calendar Service | CalDAV, scheduling | PostgreSQL |
| Files Service | WebDAV, sync, versioning | Object + DB |
| Chat Service | Realtime messaging | PostgreSQL + Redis |
| AI Service | LLM, RAG, embeddings | Vector DB |

### Platform Layer

| Component | Technology | Function |
|-----------|-------------|---------|
| Identity (IAM) | Keycloak | SSO, MFA, user management |
| Policy Engine | OPA | Authorization decisions |
| Observability | Prometheus, Grafana, Loki | Metrics, logs, traces |
| Compliance | Custom | Audit, reporting, evidence |
| Event Bus | NATS/Kafka | Async communication |

### Infrastructure Layer

| Component | Specification | Redundancy |
|-----------|--------------|-------------|
| Kubernetes | Managed K8s | Multi-node, multi-zone |
| Object Storage | S3-compatible | 3x replication |
| Block Storage | SSD | RAID, snapshotting |
| Secrets Management | HashiCorp Vault | HA cluster |
| DNS/CDN | EU-based | Global edge |

## Deployment Architecture

### Multi-Tenant (SaaS)

```
┌────────────────────────────────────────────┐
│              Shared Control Plane           │
│  ┌────────┐  ┌────────┐  ┌────────┐        │
│  │  IAM   │  │ Billing│  │Provisn │        │
│  └────────┘  └────────┘  └────────┘        │
└────────────────────────────────────────────┘
              │         │         │
    ┌─────────┘         │         └─────────┐
    ▼                   ▼                   ▼
┌────────┐         ┌────────┐         ┌────────┐
│Tenant A│         │Tenant B│         │Tenant C│
│ (Data) │         │ (Data) │         │ (Data) │
└────────┘         └────────┘         └────────┘
```

### Dedicated Tenant

```
┌────────────────────────────────────────────┐
│         Dedicated Control Plane             │
│  ┌────────┐  ┌────────┐  ┌────────┐        │
│  │  IAM   │  │ Config │  │  Ops   │        │
│  └────────┘  └────────┘  └────────┘        │
└────────────────────────────────────────────┘
                      │
                      ▼
┌────────────────────────────────────────────┐
│       Dedicated Data Plane (Customer)       │
│  ┌────────┐  ┌────────┐  ┌────────┐        │
│  │  Apps  │  │  Data  │  │Network │        │
│  └────────┘  └────────┘  └────────┘        │
└────────────────────────────────────────────┘
```

## Data Flow

### Inbound Email

```
Internet ─► MX ─► Antispam ─► Policy ─► Delivery ─► Mailbox
                    │           │           │
                    ▼           ▼           ▼
                 [Block]    [Quarantine]  [Store]
                    │           │           │
                    └───────────┴───────────┘
                              │
                              ▼
                         [Audit Log]
```

### Authentication Flow

```
User ─► Client ─► API Gateway ─► IAM ─► Service
                      │          │         │
                      │    ┌─────┘         │
                      │    ▼               │
                      │  [Token]           │
                      │    │               │
                      └────┼───────────────┘
                           │
                           ▼
                    [Validate + Authorize]
                           │
                           ▼
                      [Response]
```

## Security Architecture

### Network Zones

| Zone | Components | Ingress | Egress |
|------|------------|---------|--------|
| Edge | LB, WAF, CDN | Internet | DMZ |
| DMZ | API Gateway | Edge | Services |
| Services | App containers | DMZ | Data |
| Data | Databases, storage | Services | None |
| Mgmt | Monitoring, CI/CD | Jump only | All |
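
The Data and Services rows of the zone table, expressed as Kubernetes NetworkPolicy objects. This is an added example, not part of the Noveu platform's own manifests; the one-namespace-per-zone layout, the namespace names and the `zone` label are assumptions.

```yaml
# Added example. Assumes one namespace per zone, each labelled
# zone=<name> (hypothetical label and namespace names).
---
# Data zone: ingress from Services only, egress none.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: data-zone-isolation
  namespace: data
spec:
  podSelector: {}                 # applies to every pod in the zone
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              zone: services
  # No egress rules: with Egress listed in policyTypes, all outbound
  # traffic (cluster DNS included) is denied, matching "Egress: None".
---
# Services zone: ingress from DMZ only, egress to Data only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: services-zone-isolation
  namespace: services
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              zone: dmz
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              zone: data
  # The zone table does not list cluster DNS; resolving service names
  # from this zone would need an additional egress rule to the DNS pods.
```

NetworkPolicy objects only take effect when the cluster's CNI plugin enforces them.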

### Encryption

| Layer | Mechanism | Key Management |
|-------|-----------|----------------|
| Transport | TLS 1.3 | PKI, auto-rotation |
| Application | S/MIME, PGP | User managed |
| Storage | AES-256-GCM | Vault, per-tenant |
| Backup | AES-256 | Separate key hierarchy |

## Integration Patterns

### Synchronous

```
Client ──► API Gateway ──► Service ──► Response
              │               │
              │          ┌────┴────┐
              │          ▼         ▼
              │      [Cache]   [Database]
              │
              └► [Rate Limit] [Circuit Breaker]
```

### Asynchronous

```
Producer ──► Event Bus ──► Consumer(s)
                │              │
                │         ┌────┴────┐
                │         ▼         ▼
                │      [Worker]  [Worker]
                │
                └► [Dead Letter Queue]
```

## Disaster Recovery

### RTO/RPO Targets

| Tier | RTO | RPO | Strategy |
|------|-----|-----|----------|
| Basis | 4 hours | 1 hour | Backup + restore |
| Pro | 1 hour | 15 min | Warm standby |
| Overheid | 15 min | 5 min | Active-active |

### Backup Strategy

```
Continuous   ─► Transaction Logs ─► 5 min RPO
Every hour   ─► Incremental      ─► Offsite
Daily        ─► Full snapshot    ─► 2nd DC
Weekly       ─► Full backup      ─► Tape/Archive
```

## Capacity Planning

### Sizing Guidelines

| Component | Per 1000 users | Notes |
|-----------|----------------|-------|
| API nodes | 2-4 | Auto-scaling |
| Mail storage | 50-100 GB | Average mailbox |
| File storage | 100-500 GB | Depends on usage |
| Database | 50 GB | Excluding mail |
| Network | 100 Mbps | Peak burst |

## Technology Choices

| Category | Choice | Rationale |
|----------|--------|-----------|
| Container orchestration | Kubernetes | Industry standard, portable |
| Service mesh | Istio/Linkerd | mTLS, observability |
| Secrets | HashiCorp Vault | Enterprise features |
| Monitoring | Prometheus + Grafana | Open source, flexible |
| Logging | Loki | Kubernetes native |
| Tracing | Jaeger | OpenTelemetry compatible |
| Database | PostgreSQL | Reliable, EU cloud native |
| Cache | Redis | Performance, pub/sub |
| Object storage | MinIO/S3 | S3-compatible, EU-hosted |
| Message bus | NATS | Lightweight, performant |

---

*Last updated: January 2026*  
*Architecture may vary per deployment model*
