Documentation

Last updated in git: 2026-06-11

Frontend layers

Frontends are the transport entrypoints. They accept client connections, perform protocol-specific work such as authentication or host-based routing, and hand off domain operations to backend instances.

```mermaid
flowchart TD
    Request[Incoming request] --> Choice{Which transport?}
    Choice -->|SSH| SSH[SSH auth and channel routing]
    Choice -->|HTTP| HTTP[Host header to vhost, then path mount]
    Choice -->|DNS| DNS[Longest matching zone]
    Choice -->|SMTP| SMTP[Inbound mail session]
    Choice -->|IMAP| IMAP[IMAPS / STARTTLS session]
    SSH --> Git[Git backend or admin backend]
    HTTP --> HttpBackends[Mounted backend instance]
    DNS --> DnsBackend[DNS backend instance]
    SMTP --> MailBackend[Mail backend]
    IMAP --> ImapBackend[IMAP backend]
```

Each frontend has its own routing model before the request reaches a backend.

Current transport model

| Frontend | Transport model | Notes |
| --- | --- | --- |
| frontend-ssh | Multiplexed | Git commands and admin PTY sessions |
| frontend-http | Virtual-host | Host header selects a vhost, then path selects a backend mount |
| frontend-dns | Zone-dispatch | Longest matching DNS zone selects a backend instance |
| frontend-smtp | Dedicated | Inbound mail transport, plus submission on port 587 |
| frontend-imap | Dedicated | IMAPS on port 993, optional STARTTLS on 143; shares TLS certs with frontend-smtp |
| frontend-mdns | Announcement-only | Publishes link-local hostnames |

Why the split matters

  • Git can exist behind more than one frontend over time.
  • HTTP-only domains such as sites and OCI do not need to know about socket handling or TLS details.
  • Authentication can stay transport-facing while access control stays backend-facing.

Important routing ideas

SSH

SSH carries two things:

  • git-upload-pack / git-receive-pack
  • admin PTY sessions

HTTP

HTTP is config-driven. A request is routed by:

  1. Host header to a vhost
  2. path prefix to a backend instance

For the current implementation, frontend-http keeps its persisted config in everlock-system/config/frontend-http.toml. That config can declare:

  • plain and HTTPS listen addresses
  • ACME contact and renewal settings
  • host-to-backend mappings
  • certificate metadata for issued public-host certificates

Local development hosts such as localhost, *.local, and raw IPs stay plain HTTP. Public hostnames become ACME-managed when an HTTPS listener is configured, with certificate files written under config/<host>/fullchain.pem and config/<host>/privkey.pem.
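The two HTTP rules above (Host header to vhost, then path prefix to a backend mount, and the local-versus-public host distinction that decides whether a name is ACME-managed) are small enough to show end to end. The following is an added example, not frontend-http's own code; the `Route` table, the `.test` hostnames and the `is_local_dev_host` helper are constructed for illustration and do not reflect the real frontend-http.toml schema. It also makes two defensive choices the text implies but does not spell out: an unknown Host is rejected rather than routed to a default backend, and a mount only matches on a path-segment boundary, so `/admin` does not capture `/adminx`.

```python
"""Host-header vhost routing plus longest path-prefix mount selection.

Example code added to the documentation; not everlock's implementation.
The route table and host classification are assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    vhost: str     # value the normalized Host header must equal
    mount: str     # path prefix the backend instance is mounted at
    backend: str   # backend instance name


# Constructed sample of host-to-backend mappings (assumed shape).
ROUTES = [
    Route("git.example.test", "/", "git"),
    Route("git.example.test", "/admin", "admin"),
    Route("registry.example.test", "/v2", "oci"),
    Route("localhost", "/", "sites"),
]


def normalize_host(raw_host: str) -> Optional[str]:
    """Lower-case the Host header and strip an explicit port.

    Returns None for an empty or malformed value so the caller rejects it
    instead of falling through to some default vhost.
    """
    host = raw_host.strip().lower()
    if not host:
        return None
    if host.startswith("["):              # bracketed IPv6 literal, e.g. [::1]:8080
        end = host.find("]")
        if end == -1:
            return None
        return host[1:end] or None
    if host.count(":") == 1:              # hostname:port or IPv4:port
        host = host.split(":", 1)[0]
    return host or None


def _prefix_matches(mount: str, path: str) -> bool:
    """A mount matches only on a segment boundary; the root mount matches all."""
    if mount == "/":
        return True
    return path == mount or path.startswith(mount + "/")


def resolve(raw_host: str, path: str, routes=ROUTES) -> Optional[str]:
    """Return the backend instance for (Host, path), or None if nothing claims it."""
    host = normalize_host(raw_host)
    if host is None or not path.startswith("/"):
        return None
    candidates = [r for r in routes
                  if r.vhost == host and _prefix_matches(r.mount, path)]
    if not candidates:
        return None
    # Longest mount wins, so "/admin" beats the root mount "/" on the same vhost.
    return max(candidates, key=lambda r: len(r.mount)).backend


def is_local_dev_host(host: str) -> bool:
    """Hosts that stay plain HTTP: localhost, *.local and raw IP literals.

    Anything else is treated as a public hostname eligible for ACME.
    """
    if host == "localhost" or host.endswith(".local"):
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(resolve("git.example.test:443", "/admin/users"))   # admin
    print(resolve("unknown.example.test", "/"))              # None
    print(is_local_dev_host("dev.local"), is_local_dev_host("git.example.test"))
```

Rejecting an unrecognized Host (returning `None` rather than picking the first vhost) is the property worth keeping: it prevents a request with an arbitrary Host header from reaching a backend that was never mapped to that name.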

DNS

DNS uses zone ownership and longest-match dispatch rather than path prefixes.
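Longest-match zone dispatch is easy to get subtly wrong if it is done as a string suffix test, because `notexample.test.` is a string suffix of `example.test.` but is not inside that zone. The following added example (not the DNS frontend's own code; the zone table is constructed) matches whole DNS labels from the right and lets the zone with the most matching labels win.

```python
"""Longest-matching-zone dispatch for DNS queries.

Example code added to the documentation; not everlock's implementation.
The zone-to-backend table is an assumption constructed for this example.
"""
from typing import Optional

# Constructed zone -> backend instance table (fully qualified, trailing dot).
ZONES = {
    "example.test.": "dns-main",
    "lab.example.test.": "dns-lab",
    "other.test.": "dns-other",
}


def labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels.

    A missing trailing dot is tolerated and empty labels are dropped, so
    'WWW.Example.Test' and 'www.example.test.' produce the same list.
    """
    return [label.lower() for label in name.strip().rstrip(".").split(".") if label]


def zone_for(qname: str, zones=ZONES) -> Optional[tuple[str, str]]:
    """Return (zone, backend) for the most specific zone owning qname.

    Matching is by whole labels from the right: a zone matches only when its
    labels equal the query's trailing labels. Returns None when no zone owns
    the name, so the frontend can refuse rather than guess.
    """
    q = labels(qname)
    best: Optional[tuple[str, str]] = None
    best_len = -1
    for zone, backend in zones.items():
        z = labels(zone)
        if len(z) > len(q) or len(z) <= best_len:
            continue
        if q[len(q) - len(z):] == z:
            best, best_len = (zone, backend), len(z)
    return best


if __name__ == "__main__":
    for name in ("www.example.test.", "host.lab.example.test", "notexample.test."):
        print(name, "->", zone_for(name))
```

The apex name of a zone (`lab.example.test.` itself) resolves to that zone, and a query under the more specific `lab.example.test.` is never handed to the parent `example.test.` backend.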

Read Architecture for the bigger picture, or Configuration reference for the operational view.
