# Technical Architecture: Real Estate Platform

This section provides the consolidated technical architecture view. For detailed component specifications, see Blueprint Section 18: System Architecture Map.

## 6.1 Architecture Overview
```mermaid
graph TB
    subgraph Clients["Client Layer"]
        WEB["Next.js 14<br/>Property Web Portal"]
        MOB["Flutter 3.x<br/>Mobile App"]
        KIOSK["Flutter<br/>Kiosk App"]
        ADMIN["Filament 3<br/>Admin Dashboard"]
    end

    subgraph Gateway["API Gateway"]
        KONG["Kong OSS<br/>Rate limiting, JWT, routing"]
    end

    subgraph Services["Microservices (Kubernetes RKE2 1.30)"]
        subgraph Laravel["Laravel 13 Services"]
            PROP["Property Registration"]
            TRANS["Transfer Service"]
            PERMIT["Building Permits"]
            PAY["Payment Service"]
            MUNI["Municipal / Zoning"]
            RENTAL["Rental Registry"]
            APPT["Appointment"]
            NOTIF["Notifications"]
        end
        subgraph Python["FastAPI Services"]
            DOC["Document / OCR"]
            GIS["GIS Service"]
            ANALYTICS["Analytics / ML"]
        end
        subgraph Go["Go Service"]
            AUDIT["Audit (Gin)"]
        end
    end

    subgraph Data["Data Layer"]
        PG["PostgreSQL 16 + Citus<br/>+ PostGIS 3.4"]
        REDIS["Redis 7.2<br/>Cache + Sessions"]
        MINIO["MinIO<br/>Documents + Deeds"]
        KAFKA["Kafka (KRaft)<br/>Event Streaming"]
        GEO["GeoServer 2.25+<br/>WMS / WFS / WMTS"]
        TILES["pg_tileserv<br/>Vector Tiles"]
    end

    subgraph External["Shared Government Services (via KRG-Road)"]
        KRDPASS["KRDPASS<br/>Identity"]
        ROAD["KRG-Road<br/>Interoperability"]
        PGWY["Payment Gateway"]
        CERT["EJBCA<br/>PKI / Digital Signatures"]
    end

    Clients --> Gateway
    Gateway --> Services
    Services --> Data
    Services --> External
    GIS --> GEO
    GIS --> TILES
    GEO --> PG
    TILES --> PG
```
## 6.2 Service Communication
| Pattern | Technology | Use Case |
|---|---|---|
| Synchronous (request/response) | REST over HTTP/2, mTLS via Istio | Service-to-service queries, API Gateway to services |
| Asynchronous (events) | Kafka (KRaft mode) | Property transfers, audit events, notifications, OCR results |
| External integration | X-Road (KRG-Road) Security Servers | All cross-government data exchange |
| Real-time map data | WMS/WFS/WMTS (OGC standards) | GeoServer serves map tiles to clients |
| Vector tiles | pg_tileserv (Protobuf MVT) | Fast map rendering in web/mobile (OpenLayers/Leaflet) |
### Kafka Topics

| Topic | Producer | Consumer(s) |
|---|---|---|
| property.events | Property Registration | Audit, Analytics, Notification |
| transfer.events | Transfer Service | Audit, Analytics, Notification, Tax (via KRG-Road) |
| payment.events | Payment Service | Audit, Analytics, Notification |
| permit.events | Building Permits | Audit, Analytics, Notification, Zoning |
| document.events | Document/OCR | Audit, Property Registration (auto-link OCR results) |
| audit.events | Audit Service | Analytics (long-term storage) |
## 6.3 Security Architecture
```mermaid
graph TB
    subgraph Perimeter["Perimeter Defense"]
        WAF["WAF<br/>(ModSecurity / Kong plugin)"]
        DDOS["DDoS Protection<br/>(CrowdSec)"]
        IDS["IDS/IPS<br/>(Suricata)"]
    end

    subgraph Identity["Identity & Access"]
        KC["Keycloak 24<br/>OIDC / OAuth 2.0"]
        RBAC["RBAC<br/>Governorate-scoped roles"]
        PKI["EJBCA<br/>Digital certificates"]
    end

    subgraph Network["Network Security"]
        MESH["Istio Service Mesh<br/>mTLS everywhere"]
        NETPOL["K8s Network Policies<br/>namespace isolation"]
    end

    subgraph Data["Data Security"]
        ENC_REST["AES-256 at rest<br/>(LUKS + PostgreSQL TDE)"]
        ENC_TRANSIT["TLS 1.3 in transit"]
        VAULT["HashiCorp Vault<br/>Secret management"]
        HSM["HSMs<br/>Key protection"]
    end

    subgraph Monitoring["Security Monitoring"]
        SIEM["Wazuh SIEM"]
        AUDIT_LOG["Immutable Audit Trail<br/>(hash chain)"]
        SCAN["Trivy + SonarQube<br/>(CI/CD scanning)"]
    end

    Perimeter --> Identity --> Network --> Data
    Network --> Monitoring
```
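The "Immutable Audit Trail (hash chain)" in the monitoring layer is the control that lets an auditor prove after the fact that no record was edited, reordered or removed. The following Go program is an added illustration of how such a chain links and verifies entries; it is not the platform's Audit Service code. Field names, the genesis value and the sample events (constructed from the property-transfer flow) are assumptions for the example, and the in-memory slice stands in for the service's durable store.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// AuditEntry is one record of the hash-chained audit trail. Each entry commits
// to the hash of its predecessor, so editing or deleting any earlier record
// invalidates every link that follows it. (Field names are assumed.)
type AuditEntry struct {
	Seq       uint64 `json:"seq"`       // 1-based position in the chain
	Timestamp string `json:"ts"`        // RFC 3339, UTC
	Actor     string `json:"actor"`     // e.g. a Keycloak subject id
	Action    string `json:"action"`    // e.g. "transfer.approve"
	Subject   string `json:"subject"`   // the record acted upon
	PrevHash  string `json:"prev_hash"` // hash of the previous entry (or genesis)
	Hash      string `json:"hash"`      // SHA-256 over the other fields
}

// genesisHash anchors the chain so any verifier can start from an empty log.
const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// entryHash hashes the canonical JSON encoding of the entry with Hash blanked,
// so the digest covers both the payload and the back-link to the predecessor.
func entryHash(e AuditEntry) string {
	e.Hash = ""
	b, err := json.Marshal(e)
	if err != nil {
		panic(err) // a struct of strings and integers always encodes
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Chain is the append-only log. A slice is enough to show linking and
// verification; the real service would persist entries durably.
type Chain struct {
	Entries []AuditEntry
}

// Append builds the next entry, links it to the current head and stores it.
func (c *Chain) Append(actor, action, subject string, at time.Time) AuditEntry {
	prev := genesisHash
	if n := len(c.Entries); n > 0 {
		prev = c.Entries[n-1].Hash
	}
	e := AuditEntry{
		Seq:       uint64(len(c.Entries)) + 1,
		Timestamp: at.UTC().Format(time.RFC3339),
		Actor:     actor,
		Action:    action,
		Subject:   subject,
		PrevHash:  prev,
	}
	e.Hash = entryHash(e)
	c.Entries = append(c.Entries, e)
	return e
}

// Verify walks the chain from genesis, checking sequence continuity, every
// back-link and every stored hash. It returns the sequence number of the first
// entry that fails (0 when the chain is intact) and a description of the fault.
func (c *Chain) Verify() (int, error) {
	prev := genesisHash
	for i, e := range c.Entries {
		seq := i + 1
		switch {
		case e.Seq != uint64(seq):
			return seq, fmt.Errorf("entry %d: sequence gap, stored seq is %d (record removed or reordered)", seq, e.Seq)
		case e.PrevHash != prev:
			return seq, fmt.Errorf("entry %d: back-link does not match predecessor", seq)
		case entryHash(e) != e.Hash:
			return seq, fmt.Errorf("entry %d: content does not match stored hash", seq)
		}
		prev = e.Hash
	}
	return 0, nil
}

func main() {
	// Constructed sample events following the property-transfer flow.
	var c Chain
	t0 := time.Date(2025, 1, 15, 9, 0, 0, 0, time.UTC)
	c.Append("citizen:alice", "transfer.submit", "parcel:GOV-A-0001", t0)
	c.Append("clerk:bob", "transfer.approve", "parcel:GOV-A-0001", t0.Add(time.Hour))
	c.Append("system", "deed.store", "deed:0001", t0.Add(2*time.Hour))
	fmt.Println(c.Verify())

	// Edit the approval record after the fact: the stored hash no longer matches.
	c.Entries[1].Subject = "parcel:GOV-A-0002"
	fmt.Println(c.Verify())
}
```

Verification alone only shows that the chain is self-consistent from genesis to the current head; to detect truncation of the tail or wholesale replacement, the head hash must also be anchored somewhere the Audit Service cannot rewrite, such as the Wazuh SIEM or a signed checkpoint from EJBCA, and compared on each check.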
### RBAC Model
| Role | Scope | Permissions |
|---|---|---|
| Property Clerk | Own governorate | View/create/edit property records, process transfer applications |
| Senior Clerk | Own governorate | All clerk permissions + approve transfers + override ML valuations |
| GIS Specialist | Own governorate | Edit parcel geometries, publish map layers, run spatial queries |
| Office Manager | Own governorate | All permissions + staff management + reports |
| Auditor | All governorates (read-only) | View all records, audit trails, analytics |
| System Admin | Platform-wide | Infrastructure, deployment, user management (no property data edit) |
| Citizen | Own records only | View own properties, submit applications, download documents |
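The table above mixes two different kinds of rule: what a role may do (permissions) and where it may do it (governorate, own records, or platform-wide). The Go program below is an added example of a policy decision point that evaluates the two separately, so that a clerk's permissions never reach across governorates, an Auditor stays read-only even where a permission set might be misconfigured, and a System Admin's platform-wide scope still excludes property data. It is not the platform's own authorization code; the permission keys, the Office Manager's "all permissions" being read as the union of the clerk and GIS sets, and the governorate codes GOV-A and GOV-B are assumptions for the example.

```go
package main

import "fmt"

// Role names follow the RBAC Model table.
type Role string

const (
	PropertyClerk Role = "property_clerk"
	SeniorClerk   Role = "senior_clerk"
	GISSpecialist Role = "gis_specialist"
	OfficeManager Role = "office_manager"
	Auditor       Role = "auditor"
	SystemAdmin   Role = "system_admin"
	Citizen       Role = "citizen"
)

// Principal is the authenticated caller. Role and governorate are assumed to
// come from the Keycloak token; the claim names are not given on the page.
type Principal struct {
	ID          string
	Role        Role
	Governorate string
}

// Resource describes the target of a request.
type Resource struct {
	Kind        string // e.g. "property", "transfer", "parcel_geometry", "user"
	Governorate string // governorate the record belongs to
	OwnerID     string // owning citizen, for citizen-facing records
}

// set builds a permission lookup from "kind:action" strings (keys are assumed).
func set(perms ...string) map[string]bool {
	m := make(map[string]bool, len(perms))
	for _, p := range perms {
		m[p] = true
	}
	return m
}

// union merges permission sets; used where the table says "all clerk permissions".
func union(sets ...map[string]bool) map[string]bool {
	m := map[string]bool{}
	for _, s := range sets {
		for k := range s {
			m[k] = true
		}
	}
	return m
}

var (
	clerkPerms  = set("property:view", "property:create", "property:edit", "transfer:process")
	seniorPerms = union(clerkPerms, set("transfer:approve", "valuation:override"))
	gisPerms    = set("parcel_geometry:edit", "map_layer:publish", "spatial_query:run")

	// rolePerms is the permission half of the table; scope is enforced separately.
	rolePerms = map[Role]map[string]bool{
		PropertyClerk: clerkPerms,
		SeniorClerk:   seniorPerms,
		GISSpecialist: gisPerms,
		OfficeManager: union(seniorPerms, gisPerms, set("staff:manage", "report:view")),
		Auditor:       set("property:view", "transfer:view", "audit_trail:view", "analytics:view"),
		SystemAdmin:   set("infrastructure:manage", "deployment:manage", "user:manage"),
		Citizen:       set("property:view", "application:submit", "document:download"),
	}

	// propertyData lists record kinds a System Admin must never modify.
	propertyData = set("property", "transfer", "parcel_geometry", "deed")
)

// Authorize reports whether p may perform action on r, with a reason. Scope is
// checked first, then the role's permission set; anything not granted is denied.
func Authorize(p Principal, action string, r Resource) (bool, string) {
	switch p.Role {
	case Auditor: // all governorates, but read-only regardless of permission set
		if action != "view" {
			return false, "auditor role is read-only"
		}
	case SystemAdmin: // platform-wide, but never property data edits
		if propertyData[r.Kind] && action != "view" {
			return false, "system admin may not modify property data"
		}
	case Citizen: // own records only
		if r.OwnerID == "" || r.OwnerID != p.ID {
			return false, "citizens may only access their own records"
		}
	default: // governorate-scoped staff roles (and any unknown role)
		if r.Governorate == "" || r.Governorate != p.Governorate {
			return false, "record belongs to another governorate"
		}
	}
	if !rolePerms[p.Role][r.Kind+":"+action] {
		return false, fmt.Sprintf("role %q lacks %s:%s", p.Role, r.Kind, action)
	}
	return true, "allowed"
}

func main() {
	clerk := Principal{ID: "u-100", Role: PropertyClerk, Governorate: "GOV-A"}
	fmt.Println(Authorize(clerk, "edit", Resource{Kind: "property", Governorate: "GOV-A"}))
	fmt.Println(Authorize(clerk, "edit", Resource{Kind: "property", Governorate: "GOV-B"}))
	fmt.Println(Authorize(Principal{ID: "u-300", Role: SystemAdmin}, "edit", Resource{Kind: "property", Governorate: "GOV-A"}))
}
```

Because an unrecognised role falls through to the governorate check and then to an empty permission set, a token with a mistyped or newly added role is denied rather than silently granted; the reason string is what the Audit Service should record for denied requests so that scope violations are visible in Wazuh.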
## 6.4 Deployment Topology

### Kubernetes Namespaces

| Namespace | Services |
|---|---|
| re-gateway | Kong API Gateway, Istio ingress |
| re-laravel | All 8 Laravel microservices |
| re-python | Document/OCR, GIS Service, Analytics/ML |
| re-go | Audit service |
| re-data | PostgreSQL + Citus, Redis, MinIO, Kafka |
| re-geo | GeoServer, pg_tileserv |
| re-auth | Keycloak, EJBCA integration |
| re-interop | KRG-Road Security Server |
| re-observability | Prometheus, Grafana, Loki, Jaeger |
| re-security | Wazuh, CrowdSec, Suricata, Trivy |
| re-devops | GitLab Runner, Argo CD, SonarQube, Harbor |
### Resource Allocation (Initial)
| Namespace | CPU (cores) | Memory (GB) | Storage |
|---|---|---|---|
| re-laravel | 16 | 32 | |
| re-python | 12 | 24 | |
| re-go | 4 | 8 | |
| re-data | 32 | 128 | 10 TB (PostgreSQL) + 50 TB (MinIO) |
| re-geo | 8 | 16 | 2 TB (tile cache) |
| re-auth | 4 | 8 | |
| re-observability | 8 | 16 | 5 TB (logs/metrics) |
| Total | ~84 cores | ~232 GB | ~67 TB |
The platform runs as a tenant of the shared Sulaymaniyah Data Center; resources are provisioned under the Phase 0 infrastructure agreement.
## 6.5 Data Flow: Property Transfer
See Blueprint Section 18 for the full 18-step sequence diagram.
Summary flow:
- Citizen authenticates via KRDPASS (Keycloak)
- Submits transfer application via Portal/App → Kong → Transfer Service
- Transfer Service queries Property Registration (ownership check) + GIS (parcel validation)
- Transfer Service queries KRDPASS via KRG-Road (identity verification)
- Transfer Service queries Tax Authority via KRG-Road (tax clearance)
- Payment processed via shared Payment Gateway
- Both parties digitally sign (EJBCA)
- Ownership updated in PostgreSQL, event published to Kafka
- Audit Service records immutable log entry
- Notification sent to all parties
- New digital deed stored in MinIO Document Vault
## 6.6 Technology Summary
| Layer | Components |
|---|---|
| Frontend | Next.js 14, Flutter 3.x, Filament 3, OpenLayers 9, Leaflet 1.9+ |
| Backend | Laravel 13 (PHP 8.4), FastAPI (Python 3.12), Go 1.22 (Gin) |
| GIS Stack | PostGIS 3.4, GeoServer 2.25+, pg_tileserv, QGIS 3.34 LTS |
| Data | PostgreSQL 16 + Citus, Redis 7.2, MinIO, Kafka (KRaft) |
| Identity | Keycloak 24, KRDPASS (via KRG-Road), EJBCA |
| Infrastructure | RKE2 K8s 1.30, Istio, Kong OSS, Argo CD |
| Observability | Prometheus, Grafana, Loki, Jaeger |
| Security | Wazuh, CrowdSec, Suricata, Trivy, SonarQube, HashiCorp Vault |
| ML/Analytics | scikit-learn, XGBoost, PaddleOCR, GeoPandas, Metabase |