Architecture Overview
LusterCMS follows a cloud-native, multi-tenant architecture designed for enterprise SaaS deployments. The application services (API, admin frontend, core database, cache, object storage, and the per-tenant theme and database pods) run on a Kubernetes (K3s) cluster; an Nginx reverse proxy on the host terminates TLS and routes traffic into the cluster.
System Architecture
┌─────────────────────────────────────────────────────────────────────────┐
│                                 Clients                                 │
│       Browser │ Mobile App │ External API │ CLI │ Theme Frontends       │
└────────────────────────────────────┬────────────────────────────────────┘
                                     │
                                     ▼
┌─────────────────────────────────────────────────────────────────────────┐
│                 Nginx (Reverse Proxy + TLS Termination)                 │
│               + Let's Encrypt (certbot) for certificates                │
└────────────────────────────────────┬────────────────────────────────────┘
                                     │
┌────────────────────────────────────┴────────────────────────────────────┐
│                        KUBERNETES CLUSTER (K3s)                         │
│                                                                         │
│  ┌───────────────────────────────────────────────────────────────────┐  │
│  │ NAMESPACE: lustercms-core                                         │  │
│  │                                                                   │  │
│  │  ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐  │  │
│  │  │  Backend    │ │  Frontend   │ │ PostgreSQL  │ │   Redis     │  │  │
│  │  │  (FastAPI)  │ │  (Next.js)  │ │  (Core)     │ │  (Cache)    │  │  │
│  │  │  2 replicas │ │  2 replicas │ │  Main DB    │ │             │  │  │
│  │  └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘  │  │
│  │                                                                   │  │
│  │  ┌─────────────┐                                                  │  │
│  │  │   MinIO     │  Core DB contains: users, orgs, billing, RBAC,   │  │
│  │  │ (S3 Media)  │  theme marketplace, global settings              │  │
│  │  └─────────────┘                                                  │  │
│  └───────────────────────────────────────────────────────────────────┘  │
│                                                                         │
│  ┌───────────────────────────────────────────────────────────────────┐  │
│  │ NAMESPACE: themes                                                 │  │
│  │                                                                   │  │
│  │  ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐      │  │
│  │  │  theme-org-A    │ │  theme-org-B    │ │  theme-org-N    │      │  │
│  │  │  (ecommerce)    │ │  (starter)      │ │  (any)          │      │  │
│  │  │                 │ │                 │ │                 │      │  │
│  │  │  tenant-a.      │ │  tenant-b.      │ │  client-domain. │      │  │
│  │  │  lustercms.com  │ │  lustercms.com  │ │  com            │      │  │
│  │  └─────────────────┘ └─────────────────┘ └─────────────────┘      │  │
│  └───────────────────────────────────────────────────────────────────┘  │
│                                                                         │
│  ┌───────────────────────────────────────────────────────────────────┐  │
│  │ NAMESPACE: tenant-ORG_ID (per-org isolation)                      │  │
│  │                                                                   │  │
│  │  ┌─────────────────────────────────────────────────────────────┐  │  │
│  │  │ PostgreSQL POD (isolated tenant data: content, media, etc.) │  │  │
│  │  └─────────────────────────────────────────────────────────────┘  │  │
│  └───────────────────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────────────────┘
Infrastructure Components
| Component | Technology | Location | Purpose |
|---|---|---|---|
| Backend API | FastAPI + Strawberry GraphQL | K8s: lustercms-core | API, business logic |
| Admin Frontend | Next.js 14 | K8s: lustercms-core | Admin panel UI |
| Core Database | PostgreSQL + pgvector | K8s: lustercms-core | Users, orgs, RBAC |
| Cache | Redis | K8s: lustercms-core | Sessions, caching |
| Media Storage | MinIO (S3) | K8s: lustercms-core | File uploads |
| Theme Deployments | Next.js | K8s: themes | Per-org websites |
| Tenant Databases | PostgreSQL | K8s: tenant-ORG_SLUG | Content isolation |
| TLS | Let's Encrypt + certbot | Nginx (host) | HTTPS certificates |
| Reverse Proxy | Nginx | Host | Routing, TLS termination |
Multi-Tenant Isolation Model
┌─────────────────────────────────────────────────────────────────────┐
│ PLATFORM (Superadmin)                                               │
│  ┌───────────────────────────────────────────────────────────────┐  │
│  │ ADMIN / AGENCY                                                │  │
│  │  ┌─────────────────────────────────────────────────────────┐  │  │
│  │  │ ORGANIZATION                                            │  │  │
│  │  │                                                         │  │  │
│  │  │  ┌─────────────┐ ┌─────────────┐ ┌─────────────┐        │  │  │
│  │  │  │  Database   │ │  S3 Bucket  │ │  K8s Theme  │        │  │  │
│  │  │  │  (isolated) │ │  org-SLUG-  │ │     Pod     │        │  │  │
│  │  │  │             │ │    media    │ │             │        │  │  │
│  │  │  └─────────────┘ └─────────────┘ └─────────────┘        │  │  │
│  │  └─────────────────────────────────────────────────────────┘  │  │
│  └───────────────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────────────┘
Golden Rule: "Everything down, nothing up"
A principal may read and act on its own organization and on every organization beneath it in the org tree, never on an ancestor or a sibling:
- Superadmins see all organizations and data
- Agency admins see their org + all descendant/client organizations
- Regular users see only their own organization
Deployment Architecture
GitHub Actions CI/CD
┌─────────────────────────────────────────────────────────────────────┐
│                       GitHub Actions Workflow                       │
│                                                                     │
│  ┌─────────────┐   ┌─────────────┐   ┌───────────────────────────┐  │
│  │   Build     │   │  Push to    │   │ Deploy to K8s             │  │
│  │  Frontend   │──▶│   GHCR      │──▶│ - Import image to K3s     │  │
│  │  Backend    │   │  (Docker)   │   │ - kubectl rollout restart │  │
│  └─────────────┘   └─────────────┘   └───────────────────────────┘  │
└─────────────────────────────────────────────────────────────────────┘
Traffic Flow
User Request
     │
     ▼
┌─────────────────┐
│      Nginx      │  *.lustercms.com
│  (TLS + Proxy)  │
└────────┬────────┘
         │
         ├── admin.lustercms.com/api/*  ──▶ K8s Backend (ClusterIP)
         ├── admin.lustercms.com/*      ──▶ K8s Frontend (ClusterIP)
         ├── tenant-a.lustercms.com     ──▶ K8s theme-org-A (ClusterIP)
         ├── tenant-b.lustercms.com     ──▶ K8s theme-org-B (ClusterIP)
         └── docs.lustercms.com         ──▶ Static files
Frontend Architecture
frontend/
├── app/                  # Next.js App Router
│   ├── admin/            # Admin panel pages
│   ├── api/              # API routes
│   └── (public)/         # Public pages
├── components/           # React components
├── graphql/              # GraphQL queries/mutations
├── hooks/                # Custom React hooks
├── lib/                  # Utilities
└── types/                # TypeScript types
Backend Architecture
core/
├── api/                         # API layer (GraphQL, REST)
├── auth/                        # Authentication & RBAC
│   └── org_access.py            # Multi-tenant access control ("golden rule")
├── content/                     # Content management
├── media/                       # Media handling
│   ├── services.py              # Media upload/process
│   ├── storage.py               # Local storage adapter
│   └── s3_storage.py            # MinIO S3 storage (enterprise)
├── tenants/                     # Multi-tenant management
│   ├── registration_wizard_service.py
│   ├── provisioning.py          # Database provisioning
│   ├── k8s_provisioner.py       # K8s namespace/DB provisioning
│   └── routes.py                # Organization APIs
├── themes/                      # Theme management
│   └── service.py               # Theme switching with K8s deploy
├── theme_marketplace/           # Theme deployment
│   └── deployer_k8s.py          # Kubernetes theme deployer
├── ai/                          # AI services
└── plugins/                     # Plugin system
    └── hooks.py                 # Hook definitions

plugins/
├── calendar/                    # Calendar plugin
├── ecommerce/                   # E-commerce plugin
├── linkedin/                    # LinkedIn plugin
└── ...

infrastructure/
├── k8s/                         # Kubernetes manifests
│   ├── core/                    # Core services (backend, frontend, db, redis, minio)
│   ├── themes/                  # Per-org theme deployment templates
│   └── tenant-template/         # Per-tenant namespace template
└── contabo/                     # Legacy Docker Compose (deprecated)
Data Flow
- Request → Frontend or API client
- Authentication → JWT validation
- Authorization → Permission check + org_id validation
- Business Logic → Service layer
- Data Access → SQLAlchemy ORM (main or tenant DB)
- Response → JSON/GraphQL
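The authorization step above is where the golden rule from the Multi-Tenant Isolation Model is enforced: the org_id the client asks for is checked against the caller's position in the org tree before any database is chosen. The following is an added example of that check and the routing that follows it, written for this page; it is not LusterCMS's core/auth/org_access.py. Everything below that is not on the page is an assumption: the org tree as a child-to-parent map, verified JWT claims carrying `sub`, `role` and `org_id`, tenant databases named `tenant_<org_id>`, and the root org mapping to the core DB.

```python
"""Authorization and DB routing for one request (added example, not LusterCMS code).

Assumed, not from the page: the org tree is a child -> parent map; verified JWT
claims carry "sub", "role" and "org_id"; tenant databases are named
"tenant_<org_id>"; the root org has no tenant DB and maps to the core DB.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator, Mapping, Optional

# Constructed org tree for the example: child org -> parent org (None = root).
ORG_PARENT: dict[str, Optional[str]] = {
    "platform": None,
    "agency-1": "platform",
    "client-a": "agency-1",
    "client-b": "agency-1",
    "agency-2": "platform",
    "client-c": "agency-2",
}

ROLES = {"superadmin", "agency_admin", "user"}


class AccessDenied(PermissionError):
    """Raised when the golden rule ("everything down, nothing up") is violated."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str
    org_id: str


def ancestors(org_id: str, parents: Mapping[str, Optional[str]] = ORG_PARENT) -> Iterator[str]:
    """Yield org_id and then every ancestor up to the root; refuse unknown orgs and cycles."""
    seen: set[str] = set()
    cur: Optional[str] = org_id
    while cur is not None:
        if cur not in parents:
            raise KeyError(f"unknown org {cur!r}")
        if cur in seen:
            raise ValueError(f"cycle in org tree at {cur!r}")
        seen.add(cur)
        yield cur
        cur = parents[cur]


def can_access(p: Principal, target_org: str, parents=ORG_PARENT) -> bool:
    """Golden rule: a principal reaches its own org and descendants, never ancestors or siblings."""
    if target_org not in parents:
        return False  # an unknown org_id from the client is a deny, not an error path
    if p.role == "superadmin":
        return True
    if p.role == "agency_admin":
        # target is "below" the admin iff the admin's org lies on target's path to the root
        return p.org_id in ancestors(target_org, parents)
    return p.org_id == target_org


def principal_from_claims(claims: Mapping[str, object]) -> Principal:
    """Data-flow step 2: build the principal from already-verified JWT claims.

    Signature and expiry checks are assumed to have happened upstream; this only
    refuses structurally bad claims so an unknown role never reaches the RBAC check.
    """
    try:
        sub, role, org_id = claims["sub"], claims["role"], claims["org_id"]
    except KeyError as missing:
        raise AccessDenied(f"missing claim {missing}") from None
    if role not in ROLES:
        raise AccessDenied(f"unknown role {role!r}")
    return Principal(str(sub), str(role), str(org_id))


def resolve_database(p: Principal, target_org: str, parents=ORG_PARENT) -> str:
    """Data-flow steps 3 and 5: authorize the request's org_id, then pick the database."""
    if not can_access(p, target_org, parents):
        raise AccessDenied(f"{p.user_id} ({p.role}@{p.org_id}) may not access {target_org}")
    # Assumption: the root org's data lives in the core DB; every other org has its own tenant DB.
    return "core" if parents[target_org] is None else f"tenant_{target_org}"


def authorize_request(claims: Mapping[str, object], requested_org: str) -> str:
    """Steps 2-5 for one request: claims -> principal -> golden-rule check -> database name.

    requested_org is what the client asked for (path or body), never read from the token,
    so a forged or stale org_id in the request is caught here rather than trusted.
    """
    return resolve_database(principal_from_claims(claims), requested_org)


if __name__ == "__main__":
    agency = {"sub": "u1", "role": "agency_admin", "org_id": "agency-1"}
    print(authorize_request(agency, "client-a"))  # tenant_client-a
    try:
        authorize_request(agency, "agency-2")  # sibling subtree: denied
    except AccessDenied as e:
        print("denied:", e)
```

The check walks from the requested org up to the root and asks whether the caller's own org is on that path; that is the whole of "everything down, nothing up", and it denies sibling subtrees and parents alike. Unknown org identifiers are treated as a deny rather than raising, so a probe with a guessed org_id gets the same answer as a real org the caller cannot see.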
Registration Flow
Two registration paths based on account type:
                 ┌─────────────────────┐
                 │    Registration     │
                 │   (project_type:    │
                 │  website/ecommerce) │
                 └──────────┬──────────┘
                            │
             ┌──────────────┴──────────────┐
             ▼                             ▼
┌─────────────────────────┐   ┌─────────────────────────┐
│      ORGANIZATION       │   │         AGENCY          │
│    (Auto-provisioned)   │   │   (Requires approval)   │
└────────────┬────────────┘   └────────────┬────────────┘
             ▼                             ▼
┌─────────────────────────┐   ┌─────────────────────────┐
│ 1. Create user (pending)│   │ 1. Create user (pending)│
│ 2. Create organization  │   │ 2. Create organization  │
│ 3. Provision tenant     │   │    (PENDING_REVIEW)     │
│    namespace + DB (K8s) │   │ 3. Wait for approval    │
│ 4. Assign theme         │   │ 4. On approve: provision│
│ 5. Seed demo data       │   │ 5. Deploy to K8s        │
│ 6. Deploy theme to K8s  │   │ 6. Send welcome email   │
│ 7. Configure nginx      │   │                         │
│ 8. Send welcome email   │   │                         │
└─────────────────────────┘   └─────────────────────────┘
Theme and plugin selection based on project_type:
- Website: luster-startertheme + SEO Assistant plugin
- E-commerce: luster-ecommerce-startertheme + E-commerce + SEO plugins
Theme Marketplace & Deployment
Per-organization theme deployments for full isolation:
┌─────────────────────────────────────────────────────────────────┐
│                       Kubernetes Cluster                        │
│                       (themes namespace)                        │
│                                                                 │
│  ┌─────────────────┐   ┌─────────────────┐                      │
│  │   theme-org-A   │   │   theme-org-B   │                      │
│  │   (ecommerce)   │   │    (starter)    │                      │
│  │                 │   │                 │                      │
│  │ ┌─────────────┐ │   │ ┌─────────────┐ │                      │
│  │ │ Deployment  │ │   │ │ Deployment  │ │                      │
│  │ │ Service     │ │   │ │ Service     │ │                      │
│  │ │ HPA (Pro+)  │ │   │ │ HPA (Pro+)  │ │                      │
│  │ └─────────────┘ │   │ └─────────────┘ │                      │
│  └─────────────────┘   └─────────────────┘                      │
│                                                                 │
│  URLs (via nginx):                                              │
│  - tenant-a.lustercms.com  → theme-org-A                        │
│  - tenant-b.lustercms.com  → theme-org-B                        │
│  - client-domain.com       → theme-org-N (custom domains)       │
└─────────────────────────────────────────────────────────────────┘
Features:
- Per-organization resource quotas (Starter/Pro/Enterprise tiers)
- Horizontal Pod Autoscaling (Pro/Enterprise)
- Theme switching with zero-downtime redeployment
- Automatic subdomain provisioning
Media Storage (MinIO S3)
Enterprise-grade, multi-tenant media storage using S3-compatible MinIO:
┌─────────────────────────────────────────────────────────────┐
│                      MinIO S3 Storage                       │
│                                                             │
│  ┌─────────────┐ ┌─────────────┐ ┌─────────────┐            │
│  │ org-A-media │ │ org-B-media │ │ org-N-media │  ...       │
│  │  /YYYY/MM/  │ │  /YYYY/MM/  │ │  /YYYY/MM/  │            │
│  │   img.jpg   │ │   doc.pdf   │ │   vid.mp4   │            │
│  └─────────────┘ └─────────────┘ └─────────────┘            │
└─────────────────────────────────────────────────────────────┘
Each organization gets an isolated bucket (org-SLUG-media), ensuring:
- Complete data isolation between tenants
- RBAC-aware file listing (agency admins see their org + clients)
- Automatic bucket provisioning on registration
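The registration flow, the automatic subdomain provisioning in the theme marketplace, and the bucket provisioning above all derive infrastructure names from one user-chosen organization slug: a K8s namespace, an S3 bucket, an Nginx server_name and a theme deployment. That slug is attacker-controlled input at registration time, and it ends up in Kubernetes object names, bucket names and proxy configuration, so it has to be normalized and validated once before anything is provisioned. The following is an added example of that check, written for this page and not LusterCMS's own provisioning code. The naming pattern (tenant-<slug>, org-<slug>-media, <slug>.lustercms.com) is taken from the page; the theme-org-<slug> deployment name and the reserved names other than admin and docs are assumptions.

```python
"""Derive and validate per-tenant identifiers from a registration slug (added example).

Not LusterCMS code. The page shows the naming pattern (tenant-<slug> namespace,
org-<slug>-media bucket, <slug>.lustercms.com host); the theme deployment name
theme-org-<slug> and the reserved-name list beyond admin/docs are assumptions.
"""
import re
from dataclasses import dataclass

BASE_DOMAIN = "lustercms.com"
# "admin" and "docs" are routed to the admin panel and the static docs by nginx on
# the page; a tenant with that slug would shadow them. The rest are assumed reservations.
RESERVED_SLUGS = {"admin", "docs", "api", "www", "static"}

# Slug: lowercase DNS-1123 label, 1..53 chars, so every prefixed form below still fits
# the 63-char limit shared by K8s object names, DNS labels and S3 bucket names.
SLUG_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,51}[a-z0-9])?")
DNS_LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


class InvalidSlug(ValueError):
    """Rejected registration slug; nothing is provisioned for it."""


@dataclass(frozen=True)
class TenantIdentifiers:
    slug: str
    namespace: str          # K8s namespace holding the tenant PostgreSQL pod
    bucket: str             # MinIO bucket for the org's media
    hostname: str           # nginx server_name routed to the theme pod
    theme_deployment: str   # Deployment/Service name in the themes namespace (assumed)


def normalize_slug(raw: str) -> str:
    """Lowercase, turn whitespace/underscores into hyphens, collapse and trim hyphens.

    Normalization never adds characters, so anything unsafe survives to validate_slug
    and is rejected there instead of being silently "fixed".
    """
    slug = raw.strip().lower()
    slug = re.sub(r"[\s_]+", "-", slug)
    slug = re.sub(r"-{2,}", "-", slug)
    return slug.strip("-")


def validate_slug(slug: str) -> str:
    if not SLUG_RE.fullmatch(slug):
        raise InvalidSlug(f"slug {slug!r} must match {SLUG_RE.pattern}")
    if slug in RESERVED_SLUGS:
        raise InvalidSlug(f"slug {slug!r} is reserved")
    return slug


def _dns_label(name: str) -> str:
    """Defense in depth: re-check every derived name independently of the slug check."""
    if len(name) > 63 or not DNS_LABEL_RE.fullmatch(name):
        raise InvalidSlug(f"derived name {name!r} is not a valid DNS-1123 label")
    return name


def derive_identifiers(raw_slug: str) -> TenantIdentifiers:
    """Single choke point: validate once, then derive every name from the same slug."""
    slug = validate_slug(normalize_slug(raw_slug))
    return TenantIdentifiers(
        slug=slug,
        namespace=_dns_label(f"tenant-{slug}"),
        bucket=_dns_label(f"org-{slug}-media"),
        hostname=f"{_dns_label(slug)}.{BASE_DOMAIN}",
        theme_deployment=_dns_label(f"theme-org-{slug}"),
    )


def is_acceptable_slug(raw_slug: str) -> bool:
    try:
        derive_identifiers(raw_slug)
    except InvalidSlug:
        return False
    return True


if __name__ == "__main__":
    print(derive_identifiers("  Acme_Corp  "))
    for bad in ("admin", "../etc", "foo;rm -rf /", "a" * 54):
        print(repr(bad), "->", is_acceptable_slug(bad))
```

The length cap of 53 on the slug is derived from the longest prefixed form, org-<slug>-media, so the validation cannot pass a slug that later fails inside the MinIO or Kubernetes client with a less informative error. The reserved-name check matters because Nginx routes admin.lustercms.com and docs.lustercms.com specially; letting a tenant register either slug would let it claim a host that belongs to the platform.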
Security
- JWT authentication with role-based claims
- Multi-tenant RBAC ("everything down, nothing up"): the org_id in each request is checked against the caller's org and its descendants, never its ancestors or siblings
- Per-organization database isolation (separate PostgreSQL per tenant), so a query cannot reach another tenant's content by omitting a filter
- Per-organization S3 bucket isolation (org-SLUG-media)
- Input validation (Pydantic models at the API boundary)
- SQL injection prevention (SQLAlchemy ORM with bound parameters; any hand-written SQL still needs explicit parameter binding)
- XSS protection (React escapes rendered values by default; content injected as raw HTML must be sanitized separately)
- HTTPS everywhere at the edge (Let's Encrypt + certbot); TLS is terminated at Nginx, so the hop from Nginx to the ClusterIP services relies on network isolation rather than TLS unless it is re-encrypted
Key Technologies
| Layer | Technology |
|---|---|
| Container Orchestration | Kubernetes (K3s) |
| Backend | Python 3.11, FastAPI, Strawberry GraphQL |
| Frontend | Next.js 14, React 18, TypeScript |
| Database | PostgreSQL 16 + pgvector |
| Cache | Redis 7 |
| Storage | MinIO (S3-compatible) |
| CI/CD | GitHub Actions |
| TLS certificates | Let's Encrypt + certbot |
| Reverse Proxy | Nginx |