honeyDueAPI/docs/deployment/appendices/c-file-locations.md

Appendix C — File Locations

Complete map of where every significant file lives — on the operator workstation, in the git repo, and on the Hetzner nodes.

Operator workstation

Kubernetes

Path	Purpose
~/.kube/honeydue-k3s.yaml	kubeconfig for the k3s cluster. Contains an admin bearer token. Mode 0600.
~/.kube/config	Default kubeconfig (points elsewhere, not our cluster).

Set KUBECONFIG=~/.kube/honeydue-k3s.yaml before any kubectl command.

SSH

Path	Purpose
~/.ssh/hetzner	Private key for node SSH (ed25519). Mode 0600.
~/.ssh/hetzner.pub	Public key corresponding to above.
~/.ssh/config	Host aliases for hetzner1/hetzner2/hetzner3 → node IPs.

Public key content:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBU9xTTBD78tYUqHijgyU9PDqtmS4NuM/6uy8XgDzva+ hetzner2@myhoneydue.com

Docker

Path	Purpose
~/.docker/config.json	Docker CLI config. After docker login to Gitea, contains creds. Log out after each deploy to not leave PATs on disk.
~/Library/Containers/com.docker.docker/	Docker Desktop state (macOS).

Apple / Cloudflare credentials on disk

Path	Purpose
~/Desktop/code/honeyDue/AuthKey_5L5BVF5G48.p8	APNs auth key (Apple). Source file for the honeydue-apns-key k8s secret. Sensitive — treat as a credential.
~/Desktop/code/honeyDue/cf-origin-cert.pem	Cloudflare Origin CA cert (PEM). Source file for the cloudflare-origin-cert k8s secret. *.myhoneydue.com + myhoneydue.com, expires 2041.
~/Desktop/code/honeyDue/cf-origin-key.pem	Private key for the Origin cert. CF only shows this once at generation time. Sensitive — treat as a credential.

Git repo (/Users/treyt/Desktop/code/honeyDue/honeyDueAPI-go/)

Top-level

Path	Purpose
CLAUDE.md	Project-wide instructions for Claude assistant. Never commit secrets here.
Dockerfile	Multi-stage Docker build: api, worker, admin targets.
go.mod, go.sum	Go module definition.
package.json (admin-ui/)	Next.js dependencies.

Application code

Path	Purpose
cmd/api/main.go	API server entry point.
cmd/worker/main.go	Background worker entry point.
cmd/admin/main.go	(may or may not exist for Go admin variant)
internal/config/	Viper configuration loading.
internal/database/	Postgres connection, migrations.
internal/handlers/	HTTP handlers (one file per domain).
internal/services/	Business logic. cache_service.go is where the sync.Once bug was (Chapter 19).
internal/repositories/	GORM repositories.
internal/router/router.go	Echo routes, including static file serving. CSP is set here.
internal/middleware/	Echo middleware (auth, logging, etc.).
internal/task/	Task predicates/scopes/categorization. See docs/TASK_LOGIC_ARCHITECTURE.md.

Deploy config (Swarm era — still exists, unused)

Path	Purpose
deploy/	Legacy Swarm deploy root.
deploy/prod.env	Non-secret config (ConfigMap source). Gitignored.
deploy/registry.env	Gitea PAT + registry URL. Gitignored.
deploy/cluster.env	Swarm cluster settings. Partly used for k3s too (manager host). Gitignored.
deploy/secrets/postgres_password.txt	Neon password. Gitignored.
deploy/secrets/secret_key.txt	App signing key (≥32 chars). Gitignored.
deploy/secrets/email_host_password.txt	Fastmail password. Gitignored.
deploy/secrets/fcm_server_key.txt	FCM key (placeholder, push off). Gitignored.
deploy/secrets/apns_auth_key.p8	APNs key (placeholder, push off). Gitignored.
deploy/swarm-stack.prod.yml	Swarm stack definition. Unused after migration.
deploy/Caddyfile	Caddy config. Unused after migration.
deploy/scripts/deploy_prod.sh	Swarm deploy script. Unused.
deploy/DEPLOYING.md, deploy/README.md, deploy/shit_deploy_cant_do.md	Swarm-era docs. Historical reference.

Deploy config (k3s)

Path	Purpose
deploy-k3s/README.md	k3s deployment README (scaffold version).
deploy-k3s/MIGRATION_NOTES.md	Notes from Swarm → k3s migration.
deploy-k3s/SECURITY.md	Security posture doc (scaffold).
deploy-k3s/config.yaml.example	Template for a unified config.yaml (unused — we kept Swarm's file layout).
deploy-k3s/manifests/namespace.yaml	Creates honeydue namespace.
deploy-k3s/manifests/rbac.yaml	ServiceAccounts + automountServiceAccountToken: false.
deploy-k3s/manifests/pod-disruption-budgets.yaml	PDBs for api (2/3) and worker (0/1).
deploy-k3s/manifests/network-policies.yaml	Default-deny + allows. Applied. Includes web policies; Traefik hostNetwork handled via node IP ipBlocks rather than namespaceSelector.
deploy-k3s/manifests/api/deployment.yaml	api Deployment.
deploy-k3s/manifests/api/service.yaml	api ClusterIP Service.
deploy-k3s/manifests/api/hpa.yaml	api HorizontalPodAutoscaler. NOT currently applied.
deploy-k3s/manifests/admin/deployment.yaml	admin Deployment.
deploy-k3s/manifests/admin/service.yaml	admin Service.
deploy-k3s/manifests/web/deployment.yaml	web Deployment (3 replicas, customer-facing Next.js at app.myhoneydue.com).
deploy-k3s/manifests/web/service.yaml	web ClusterIP Service.
deploy-k3s/manifests/worker/deployment.yaml	worker Deployment.
deploy-k3s/manifests/redis/deployment.yaml	Redis Deployment.
deploy-k3s/manifests/redis/service.yaml	Redis Service.
deploy-k3s/manifests/redis/pvc.yaml	Redis PersistentVolumeClaim.
deploy-k3s/manifests/ingress/ingress.yaml	Alternate full Ingress scaffold (unused; we apply ingress-simple.yaml).
deploy-k3s/manifests/ingress/ingress-simple.yaml	Primary Ingress. TLS via CF Origin cert, security-headers + rate-limit middleware attached to all three rules (api/admin/web).
deploy-k3s/manifests/ingress/middleware.yaml	Traefik middleware CRDs (rate-limit, security-headers, cloudflare-only). Applied. admin-auth was defined but removed at runtime (needs an unset basic-auth secret).
deploy-k3s/manifests/traefik-helmchartconfig.yaml	Our DaemonSet + hostNetwork override for Traefik.
deploy-k3s/manifests/secrets.yaml.example	Template (never deployed).
deploy-k3s/scripts/01-provision-cluster.sh	hetzner-k3s provisioning (we didn't use it; existing nodes).
deploy-k3s/scripts/02-setup-secrets.sh	Creates Secrets + ConfigMap (scaffold version; we ran commands manually).
deploy-k3s/scripts/03-deploy.sh	Applies manifests (unused; we ran kubectl manually).
deploy-k3s/scripts/04-verify.sh	Post-deploy verification.
deploy-k3s/scripts/rollback.sh	Rollback helper.

Documentation

Path	Purpose
docs/deployment/	This book.
docs/TASK_LOGIC_ARCHITECTURE.md	Task logic internals.
docs/PUSH_NOTIFICATIONS.md	Push notifications setup (for future).
docs/SUBSCRIPTION_WEBHOOKS.md	Apple/Google subscription webhooks.
docs/Dokku_notes	Pre-Swarm era deployment notes. Historical.
docs/server_2026_2_24.md	Earlier architecture doc (predates k3s migration).

On the Hetzner nodes

System

Path	Purpose
/etc/ssh/sshd_config	SSH config — PermitRootLogin no, PasswordAuthentication no, AllowUsers deploy.
/etc/sudoers.d/deploy	deploy ALL=(ALL) NOPASSWD: ALL.
/etc/ufw/	UFW configuration. See Chapter 4 for rule inventory.
/etc/sysctl.d/99-unprivileged-ports.conf	net.ipv4.ip_unprivileged_port_start=0 for Traefik.
/home/deploy/.ssh/authorized_keys	Our hetzner.pub.

K3s

Path	Purpose
/etc/rancher/k3s/k3s.yaml	Kubeconfig (localhost-scoped; we copied to workstation).
/etc/systemd/system/k3s.service	systemd service file.
/etc/systemd/system/k3s.service.env	K3s install args (INSTALL_K3S_EXEC).
/var/lib/rancher/k3s/	K3s state root (etcd, containerd, PVC storage).
/var/lib/rancher/k3s/server/node-token	Token for joining additional nodes.
/var/lib/rancher/k3s/storage/	local-path PVC storage. Redis data lives here.
/var/lib/rancher/k3s/agent/containerd/	containerd state.
/var/log/containers/	Container log files.

Commands installed

Path	Purpose
/usr/local/bin/k3s	The k3s binary.
/usr/local/bin/kubectl	Symlink to k3s (CLI for this cluster).
/usr/local/bin/crictl	containerd CLI.
/usr/local/bin/k3s-killall.sh	Emergency kill-all-k3s script.
/usr/local/bin/k3s-uninstall.sh	Clean uninstall script.

Docker (legacy; disabled)

Path	Purpose
/etc/systemd/system/docker.service	systemd unit (stopped + disabled).
/var/lib/docker/	Docker state (unused on current cluster).

On Cloudflare

Not a filesystem, but worth noting the dashboard hierarchy:

Websites → myhoneydue.com
├── DNS → Records              (A records for api, admin, @)
├── SSL/TLS → Overview          (SSL mode: Flexible)
├── SSL/TLS → Edge Certificates (Always Use HTTPS: On)
├── SSL/TLS → Origin Server     (would live the Origin CA cert if we enabled it)
├── Rules → Overview            (where Origin Rules live if we had them)
├── Rules → Page Rules          (none)
├── Security → WAF              (managed rules only)
├── Speed → Optimization        (default)
└── Analytics & Logs            (read-only stats)

On Gitea (gitea.treytartt.com)

The image registry lives at:

gitea.treytartt.com/admin/-/packages         # UI listing of all packages
gitea.treytartt.com/admin/-/packages/container/honeydue-api      # API image
gitea.treytartt.com/admin/-/packages/container/honeydue-worker   # Worker image
gitea.treytartt.com/admin/-/packages/container/honeydue-admin    # Admin image

Per-version tags visible in the UI with docker pull commands.

PATs at gitea.treytartt.com/-/user/settings/applications.

On Neon

console.neon.tech → project → Branches       (production branch default)
console.neon.tech → project → Monitoring     (CU-hour usage, slow queries)
console.neon.tech → project → Operations     (history of schema changes)

Connection strings at console.neon.tech → project → Connection Details.

On Backblaze B2

secure.backblaze.com/b2_buckets.htm          # Buckets list
secure.backblaze.com/b2_app_keys.htm         # App keys

honeyDueProd bucket → Files tab for browsing contents.