# Trading Bot Deployment Design

## Overview

Deploy the trading bot to the existing Kubernetes cluster behind Authentik authentication, accessible at `trading.viktorbarzin.me`.

## Architecture

### Deployments (2)

**trading-bot-frontend** (1 replica, 2 containers):

- `dashboard` — React SPA served by nginx, proxies `/api/*` and `/ws` to localhost:8000
- `api-gateway` — FastAPI REST API + WebSocket (port 8000)

**trading-bot-workers** (1 replica, 6 containers):

- `news-fetcher` — Polls RSS feeds + Reddit, publishes to `news:raw`
- `sentiment-analyzer` — Scores articles via FinBERT/Ollama, publishes to `news:scored`
- `signal-generator` — Weighted ensemble of strategies, publishes to `signals:generated`
- `trade-executor` — Risk management + order submission
- `learning-engine` — Computes P&L, adjusts strategy weights
- `market-data` — Watches ticker OHLCV data

### Networking

- 1 Service: `trading-bot-frontend` port 80 -> container port 3000 (nginx)
- 1 Ingress: `trading.viktorbarzin.me` via `ingress_factory` with `protected = true` (Authentik forward-auth)
- nginx proxies `/api/*` and `/ws` to api-gateway at localhost:8000

### Auth

- Layer 1: Authentik forward-auth on ingress (gate access to the app)
- Layer 2: WebAuthn/passkey in API gateway (existing app-level auth preserved)

### Infrastructure Dependencies (reused)

- PostgreSQL: `postgresql.dbaas.svc.cluster.local:5432` — new DB `trading`, user `trading`
- Redis: `redis.redis.svc.cluster.local:6379` — dedicated DB number
- Ollama: `ollama.ollama.svc.cluster.local:11434` — for sentiment fallback
- TimescaleDB: attempt `CREATE EXTENSION IF NOT EXISTS timescaledb` on existing PG

### Docker Images

- `viktorbarzin/trading-bot-service:` — all Python services (single fat image)
- `viktorbarzin/trading-bot-dashboard:` — React SPA + nginx

### CI/CD

- Repository: Forgejo at `forgejo.viktorbarzin.me` (personal account)
- CI: Woodpecker at `ci.viktorbarzin.me` (add Forgejo integration)
- Pipeline: build images -> push to Docker Hub -> patch K8s deployments -> verify -> Slack

### Secrets (in terraform.tfvars)

- `trading_bot_db_password` — PostgreSQL password
- `trading_bot_alpaca_api_key` — Alpaca broker API key
- `trading_bot_alpaca_secret_key` — Alpaca broker secret
- `trading_bot_jwt_secret` — JWT signing key
- `trading_bot_reddit_client_id` — Reddit API client ID
- `trading_bot_reddit_client_secret` — Reddit API client secret

### Storage

- NFS volume at `/mnt/main/trading-bot` for any persistent data
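
One way to carry the six values listed under Secrets from `terraform.tfvars` into the cluster without echoing them in plan output, shown as an added example rather than the project's own Terraform. The variable names come from the design; the Secret name, the namespace and the data keys are assumptions.

```hcl
# Added example. Variable names are from the design above; the Secret name,
# namespace and data keys are assumed for illustration.
variable "trading_bot_db_password" {
  type      = string
  sensitive = true # redacted in plan/apply output
}
variable "trading_bot_alpaca_api_key" {
  type      = string
  sensitive = true
}
variable "trading_bot_alpaca_secret_key" {
  type      = string
  sensitive = true
}
variable "trading_bot_jwt_secret" {
  type      = string
  sensitive = true
}
variable "trading_bot_reddit_client_id" {
  type      = string
  sensitive = true
}
variable "trading_bot_reddit_client_secret" {
  type      = string
  sensitive = true
}

resource "kubernetes_secret" "trading_bot" {
  metadata {
    name      = "trading-bot-secrets" # assumed name
    namespace = "trading-bot"         # assumed namespace
  }

  # The provider base64-encodes these values; pass them as plain strings.
  data = {
    DB_PASSWORD          = var.trading_bot_db_password
    ALPACA_API_KEY       = var.trading_bot_alpaca_api_key
    ALPACA_SECRET_KEY    = var.trading_bot_alpaca_secret_key
    JWT_SECRET           = var.trading_bot_jwt_secret
    REDDIT_CLIENT_ID     = var.trading_bot_reddit_client_id
    REDDIT_CLIENT_SECRET = var.trading_bot_reddit_client_secret
  }
}
```

`sensitive = true` only redacts CLI output: the values are still written in plaintext to the Terraform state, so the state backend needs the same protection as `terraform.tfvars`.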