Architecture Reference
Overview
This document describes the reference architecture of the Noveu platform, intended for architects and technical decision-makers.
Architecture Principles
1. Sovereignty
- All data within EU legal jurisdiction
- No US cloud providers in critical paths
- Transparent supply chain
2. Modularity
- Loosely coupled services
- Replaceable components
- API-first design
3. Resilience
- No single points of failure
- Graceful degradation
- Self-healing systems
4. Security by Design
- Zero trust networking
- Defense in depth
- Encryption everywhere
Logical Architecture
┌───────────────────────────────────────────────────────────────────┐
│                        PRESENTATION LAYER                         │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐  │
│  │   Web   │  │ Desktop │  │ Mobile  │  │ Outlook │  │   API   │  │
│  │ Portal  │  │ Client  │  │  Apps   │  │ Plugin  │  │ Gateway │  │
│  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘  │
└───────┼────────────┼────────────┼────────────┼────────────┼───────┘
        │            │            │            │            │
        └────────────┴────────────┼────────────┴────────────┘
                                  │
                          ┌───────┴───────┐
                          │  API Gateway  │
                          │    + AuthN    │
                          └───────┬───────┘
                                  │
┌─────────────────────────────────┼─────────────────────────────────┐
│                         APPLICATION LAYER                         │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐  │
│  │  Mail   │  │Calendar │  │  Files  │  │  Chat   │  │   AI    │  │
│  │ Service │  │ Service │  │ Service │  │ Service │  │ Service │  │
│  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘  │
└───────┼────────────┼────────────┼────────────┼────────────┼───────┘
        │            │            │            │            │
        └────────────┴────────────┼────────────┴────────────┘
                                  │
┌─────────────────────────────────┼─────────────────────────────────┐
│                          PLATFORM LAYER                           │
│  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐  │
│  │Identity │  │ Policy  │  │Observa- │  │ Compli- │  │  Event  │  │
│  │   IAM   │  │ Engine  │  │ bility  │  │  ance   │  │   Bus   │  │
│  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘  │
└───────┼────────────┼────────────┼────────────┼────────────┼───────┘
        │            │            │            │            │
        └────────────┴────────────┼────────────┴────────────┘
                                  │
┌─────────────────────────────────┼─────────────────────────────────┐
│                       INFRASTRUCTURE LAYER                        │
│ ┌──────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐  │
│ │Kubernetes│  │ Object  │  │  Block  │  │  DNS/   │  │ Secrets │  │
│ │ Cluster  │  │ Storage │  │ Storage │  │   CDN   │  │  Mgmt   │  │
│ └──────────┘  └─────────┘  └─────────┘  └─────────┘  └─────────┘  │
└───────────────────────────────────────────────────────────────────┘
Component Details
Presentation Layer
| Component | Technology | Function |
|---|---|---|
| Web Portal | React, Next.js | Browser-based UI |
| Desktop Client | Electron | Native app experience |
| Mobile Apps | React Native | iOS/Android apps |
| Outlook Plugin | COM Add-in | Microsoft integration |
| API Gateway | Kong/Envoy | Request routing, auth |
Application Layer
| Service | Responsibility | Storage |
|---|---|---|
| Mail Service | IMAP/SMTP, filtering, archiving | Object + DB |
| Calendar Service | CalDAV, scheduling | PostgreSQL |
| Files Service | WebDAV, sync, versioning | Object + DB |
| Chat Service | Realtime messaging | PostgreSQL + Redis |
| AI Service | LLM, RAG, embeddings | Vector DB |
Platform Layer
| Component | Technology | Function |
|---|---|---|
| Identity (IAM) | Keycloak | SSO, MFA, user management |
| Policy Engine | OPA | Authorization decisions |
| Observability | Prometheus, Grafana, Loki | Metrics, logs, traces |
| Compliance | Custom | Audit, reporting, evidence |
| Event Bus | NATS/Kafka | Async communication |
Infrastructure Layer
| Component | Specification | Redundancy |
|---|---|---|
| Kubernetes | Managed K8s | Multi-node, multi-zone |
| Object Storage | S3-compatible | 3x replication |
| Block Storage | SSD | RAID, snapshotting |
| Secrets Management | HashiCorp Vault | HA cluster |
| DNS/CDN | EU-based | Global edge |
Deployment Architecture
Multi-Tenant (SaaS)
┌────────────────────────────────────────────┐
│            Shared Control Plane            │
│     ┌────────┐  ┌────────┐  ┌────────┐     │
│     │  IAM   │  │ Billing│  │Provisn │     │
│     └────────┘  └────────┘  └────────┘     │
└────────────────────────────────────────────┘
              │       │       │
    ┌─────────┘       │       └─────────┐
    ▼                 ▼                 ▼
┌────────┐        ┌────────┐        ┌────────┐
│Tenant A│        │Tenant B│        │Tenant C│
│ (Data) │        │ (Data) │        │ (Data) │
└────────┘        └────────┘        └────────┘
Dedicated Tenant
┌────────────────────────────────────────────┐
│          Dedicated Control Plane           │
│     ┌────────┐  ┌────────┐  ┌────────┐     │
│     │  IAM   │  │ Config │  │  Ops   │     │
│     └────────┘  └────────┘  └────────┘     │
└────────────────────────────────────────────┘
                      │
                      ▼
┌────────────────────────────────────────────┐
│      Dedicated Data Plane (Customer)       │
│     ┌────────┐  ┌────────┐  ┌────────┐     │
│     │  Apps  │  │  Data  │  │Network │     │
│     └────────┘  └────────┘  └────────┘     │
└────────────────────────────────────────────┘
Data Flow
Email Reception
Internet ─► MX ─► Antispam ─► Policy ─► Delivery ─► Mailbox
                     │           │           │
                     ▼           ▼           ▼
                  [Block]  [Quarantine]   [Store]
                     │           │           │
                     └───────────┴───────────┘
                                 │
                                 ▼
                            [Audit Log]
Authentication Flow
User ─► Client ─► API Gateway ─► IAM ─► Service
                       │          │         │
                       │    ┌─────┘         │
                       │    ▼               │
                       │ [Token]            │
                       │    │               │
                       └────┼───────────────┘
                            │
                            ▼
                 [Validate + Authorize]
                            │
                            ▼
                       [Response]
Security Architecture
Network Zones
| Zone | Components | Ingress | Egress |
|---|---|---|---|
| Edge | LB, WAF, CDN | Internet | DMZ |
| DMZ | API Gateway | Edge | Services |
| Services | App containers | DMZ | Data |
| Data | Databases, storage | Services | None |
| Mgmt | Monitoring, CI/CD | Jump only | All |
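The zone table above can be checked mechanically. The following Python sketch is an added example, not part of the Noveu documentation: it encodes the Ingress and Egress columns, classifies connection attempts, and reports zone pairs on which the two columns disagree. Treating "Jump only" as an external source named `Jump` and "All" as a wildcard are assumptions, and the sample flows are constructed.

```python
# Zone table transcribed from "Network Zones" on this page. Modelling
# "Jump only" as an external source "Jump" and "All" as "*" is an assumption.
ZONES = {
    "Edge":     {"ingress": {"Internet"}, "egress": {"DMZ"}},
    "DMZ":      {"ingress": {"Edge"},     "egress": {"Services"}},
    "Services": {"ingress": {"DMZ"},      "egress": {"Data"}},
    "Data":     {"ingress": {"Services"}, "egress": set()},
    "Mgmt":     {"ingress": {"Jump"},     "egress": {"*"}},
}
EXTERNAL = {"Internet", "Jump"}  # sources the table names but gives no row


def decide(src, dst):
    """Verdict for a connection initiated by src towards dst."""
    if dst not in ZONES or (src not in ZONES and src not in EXTERNAL):
        return "deny"  # unknown endpoint: nothing in the table permits it
    ingress_ok = src in ZONES[dst]["ingress"]
    if src in EXTERNAL:
        return "allow" if ingress_ok else "deny"
    egress = ZONES[src]["egress"]
    egress_ok = "*" in egress or dst in egress
    if egress_ok and ingress_ok:
        return "allow"
    # One column permits the flow and the other does not: the table itself
    # is inconsistent, so surface it rather than silently picking a side.
    return "ambiguous" if egress_ok != ingress_ok else "deny"


def table_conflicts():
    """Zone pairs on which the Ingress and Egress columns disagree."""
    return sorted((s, d) for s in ZONES for d in ZONES
                  if s != d and decide(s, d) == "ambiguous")


def audit(flows):
    """Return (src, dst, verdict) for every flow that is not a clean allow."""
    verdicts = ((s, d, decide(s, d)) for s, d in flows)
    return [row for row in verdicts if row[2] != "allow"]


# Constructed sample of observed connections (not real telemetry).
SAMPLE_FLOWS = [
    ("Internet", "Edge"), ("Edge", "DMZ"), ("DMZ", "Services"),
    ("Services", "Data"), ("Jump", "Mgmt"), ("Internet", "DMZ"),
    ("DMZ", "Data"), ("Data", "Services"), ("Mgmt", "Data"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print("flow", row)
    print("table conflicts:", table_conflicts())
```

On the table as written, `table_conflicts()` reports the four Mgmt-to-zone pairs: Mgmt egress is "All", but no other zone lists Mgmt as an ingress source, so the management access path has to be specified explicitly before the table can be turned into enforcement rules.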
Encryption
| Layer | Mechanism | Key Management |
|---|---|---|
| Transport | TLS 1.3 | PKI, auto-rotation |
| Application | S/MIME, PGP | User managed |
| Storage | AES-256-GCM | Vault, per-tenant |
| Backup | AES-256 | Separate key hierarchy |
Integration Patterns
Synchronous
Client ──► API Gateway ──► Service ──► Response
                │             │
                │        ┌────┴────┐
                │        ▼         ▼
                │     [Cache] [Database]
                │
                └► [Rate Limit] [Circuit Breaker]
Asynchronous
Producer ──► Event Bus ──► Consumer(s)
                 │              │
                 │         ┌────┴────┐
                 │         ▼         ▼
                 │     [Worker]  [Worker]
                 │
                 └► [Dead Letter Queue]
Disaster Recovery
RTO/RPO Targets
| Tier | RTO | RPO | Strategy |
|---|---|---|---|
| Basis | 4 hours | 1 hour | Backup + restore |
| Pro | 1 hour | 15 min | Warm standby |
| Overheid (Government) | 15 min | 5 min | Active-active |
Backup Strategy
Continuous ─► Transaction Logs ─► 5 min RPO
Every hour ─► Incremental      ─► Offsite
Daily      ─► Full snapshot    ─► 2nd DC
Weekly     ─► Full backup      ─► Tape/Archive
Capacity Planning
Sizing Guidelines
| Component | Per 1000 users | Notes |
|---|---|---|
| API nodes | 2-4 | Auto-scaling |
| Mail storage | 50-100 GB | Average mailbox |
| File storage | 100-500 GB | Depends on usage |
| Database | 50 GB | Excluding mail |
| Network | 100 Mbps | Peak burst |
Technology Choices
| Category | Choice | Rationale |
|---|---|---|
| Container orchestration | Kubernetes | Industry standard, portable |
| Service mesh | Istio/Linkerd | mTLS, observability |
| Secrets | HashiCorp Vault | Enterprise features |
| Monitoring | Prometheus + Grafana | Open source, flexible |
| Logging | Loki | Kubernetes native |
| Tracing | Jaeger | OpenTelemetry compatible |
| Database | PostgreSQL | Reliable, EU cloud native |
| Cache | Redis | Performance, pub/sub |
| Object storage | MinIO/S3 | S3-compatible, EU-hosted |
| Message bus | NATS | Lightweight, performant |
Last updated: January 2026
Architecture may vary per deployment model