Three Patroni Postgres nodes with synchronous replication. One coordinator for queues and crons. Two FrankenPHP front-ends with Octane. Cloudflare in front. EU-only data, end to end. The same cluster topology we operate for our own customers.
Patroni manages the Postgres cluster with embedded etcd. Synchronous replication keeps the standbys honest. The app talks to libpq with a multi-host string and target_session_attrs=read-write so writes always reach the current leader — failover is driver-handled, in seconds.
Compute on Hetzner Frankfurt. Backups on Cloudflare R2 EU jurisdiction. Cloudflare WAF for ingress. No transatlantic detour for any byte of customer data — by design, not by configuration.
Production-grade isn't a brochure adjective. It's a list of design decisions you stop having to make.
Each tenant gets a dedicated Postgres database with RLS-enforced row isolation. No shared rows, no noisy neighbors, no JOIN-leak risk.
Every deploy is a tarball + symlink swap. Migrations run on the coordinator first, then the FE pool reloads in parallel. Rollback in 2 minutes.
PHP workers stay alive across requests. Sub-30ms cold paths. Connection pooling, opcode cache hot, tenant DBs pre-warmed.
Tenant scoping isn't an ORM convention — it's enforced by Postgres row-level security policies. App bug? Data still doesn't leak.
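The row-level security claim above, shown as an added example using the generic Postgres pattern. This is not Archimedes code: the invoices table, the app_rw role and the app.tenant_id setting are hypothetical, and the rows are constructed. It assumes a scratch database and a superuser session.

```sql
-- Added example: every object, role and setting name here is hypothetical.
CREATE ROLE app_rw NOLOGIN;  -- stands in for the app's role: not table owner, no BYPASSRLS

CREATE TABLE invoices (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id uuid          NOT NULL,
    amount    numeric(12,2) NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_rw;

-- Constructed sample rows for two tenants, loaded before the policy is switched on.
INSERT INTO invoices (tenant_id, amount) VALUES
    ('11111111-1111-1111-1111-111111111111', 120.00),
    ('22222222-2222-2222-2222-222222222222', 980.00);

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;  -- the table owner is subject to the policy too

-- An unset or empty app.tenant_id becomes NULL, so the predicate matches no rows (fails closed).
CREATE POLICY tenant_isolation ON invoices
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, on a pooled long-lived connection: scope the tenant to the transaction.
SET ROLE app_rw;
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

-- The "app bug": a query with no tenant filter. The policy still limits it to the current tenant.
SELECT id, tenant_id, amount FROM invoices;

-- A write that names another tenant fails WITH CHECK and aborts the transaction.
INSERT INTO invoices (tenant_id, amount)
VALUES ('22222222-2222-2222-2222-222222222222', 1.00);

ROLLBACK;    -- SET LOCAL ends with the transaction, so the next request starts with no tenant
RESET ROLE;
```

Superusers and roles with BYPASSRLS skip policies entirely, so the guarantee only holds when the application connects as a role that is neither.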
pgBackRest with point-in-time recovery, replicated to Cloudflare R2 EU. Leader-aware cron survives Patroni failover.
Per-tenant request traces. Slow-query log shipped to the analytics module. Audit trail on every record. The cluster knows what it did.
Enterprise customers can run Archimedes on their own infrastructure with the same cluster topology. Talk to us about on-prem deployments — we ship the runbook with the binaries.