Global Architecture

Global Architecture

1. Architecture Overview

Browser

Control Center UI

JWT Auth

Cloudflare Edge

CF Access

JWT Auth

CF Pages

Static Hosting

CF Functions

/api/*

CF D1

SQLite Edge DB

CF Worker

cron-stats

CF Tunnels

SSH-MAIN, SSH-PROXY, Doors

Tunnels & API calls

On-Premise Infrastructure

Datacenter Central

Zabbix Server

192.168.1.88

SSH-MAIN Tunnel

Container On-Site

Zabbix Proxy

192.168.1.166

RPI-001

Entry

RPI-002

SAS

RPI-003

Exit

External Services

Azure Receipt API

DEV + PROD

Zippin Cloud

UniFi Cloud

Langflow AI

Cloudflare

On-Premise

External

AI

Browser → CF Edge (Auth, Pages, Functions, D1, Workers, Tunnels) → On-Premise + External Services

2. Network Architecture

Internet

Cloudflare Edge

CF Tunnels: SSH-MAIN, SSH-PROXY, Doors

vpn.zippin.tech

OpenVPN Server

CF Tunnels & VPN

Central Datacenter

UDM Pro

Orange WAN

USW-Pro-24-PoE

Beelink SER8

Zabbix Server

Store Container — Crolles

UDM Pro SE

Starlink WAN

→

USW Aggregation

10 Gb/s uplinks

→

USW-Pro-24-PoE

→

MikroTik hAP ax3

VPN + Firewall

→

MikroTik PoE ×2

PoE Switches

Powers & connects

Network Rack 9U

PSU 25A / 2.1kW

RPI-001

Entry

RPI-002

SAS (MikroTik + WiFi)

RPI-003

Exit

Zippin Cameras ×14

t01–t13

Tracking (daisy-chain RJ45)

s01–s02

Overhead

IP Subnets

10.27.185.0/24

Store LAN

10.12.0.0/23

VPN Tunnel

10.128.0.0/20

GCP Zippin

Cloudflare

On-Premise (UniFi)

MikroTik

Subnets

UDM Pro SE → USW Aggregation → USW-Pro-24-PoE → MikroTik hAP ax3 (VPN) → MikroTik PoE Switches → Equipment

3. Security & Auth Flow

Phase 1 — Authentication

#	From		To	Action
1	User	→	CF Access	Visit site
2	CF Access	↻	CF Access	Google / Email OTP login
3	CF Access	→	CF Pages	JWT cookie (CF_Authorization)
4	CF Pages	→	User	Static HTML / CSS / JS

Phase 2 — API Request

#	From		To	Action
5	User	→	Middleware	API Request + JWT
6	Middleware	↻	Middleware	Verify JWT signature (RS256)
7	Middleware	↻	Middleware	Check Origin header (CSRF)
8	Middleware	↻	Middleware	Rate limit check (tiered)
9	Middleware	→	RBAC	Extract caller email
10	RBAC	→	D1	Get role + permissions
11	D1	→	RBAC	role_id, permissions[]
12	RBAC	→	API	Authorized request
13	API	→	D1	Query / Mutate
14	API	→	User	JSON response

User → CF Access (Google/OTP) → JWT → Middleware (verify, CSRF, rate limit) → RBAC → D1 → API → JSON

4. Data Flow

RPi Controllers

RPI-001

Entry

RPI-002

SAS

RPI-003

Exit

Zippin Cloud

Gateway API

Metrics, Events

Cart Finalization

Azure App Service

Receipt API DEV

Receipt API PROD

Polling & Events

Cron Worker (every 15 min)

Poll

/api/status/api/occupancy/api/stats

Health Check

17 endpoints

Trigger Evaluation

INSERT

D1 Database

rpi_snapshots

rpi_alerts_history

receipt_api_health

trigger_alerts

receipt_api_requests

SELECT

Control Center UI

Operations

API Health

Monitoring

RPi + Zippin + Azure → Cron Worker (Poll, Health, Triggers) → D1 tables → Dashboard pages

5. Payment Flow (Zippin)

Phase 1 — Entry

#	From		To	Action
1	Customer	→	Entry (RPI-001)	Badge / QR Scan
2	Entry	→	JES (Moneweb)	Verify account: balance, account type, status
3	JES	→	Entry	Approved / Denied (balance & account check)
4	Entry	↻	Entry	Open gate 1

Phase 2 — SAS Zone

#	From		To	Action
5	Customer	→	SAS (RPI-002)	Enter SAS zone
6	SAS	↻	SAS	Badge scan + door sensor check
7	SAS	→	Zippin Cloud	Start shopping session
8	Zippin	→	SAS	Session confirmed
9	SAS	↻	SAS	Open gate 2

Phase 3 — Shopping & Exit

#	From		To	Action
10	Customer	→	Store Zone	Shopping (tracked by cameras)
11	Customer	→	Exit (RPI-003)	Approach exit
12	Exit	→	Zippin Cloud	Cart finalization
13	Zippin	↻	Zippin	Process cart items

Phase 4 — Payment

#	From		To	Action
14	Zippin	→	Receipt API (Azure)	Charges API call
15	Receipt API	→	Elior / Moneweb	Payment processing
16	Elior	→	Customer	Receipt / Notification
17	Receipt API	↻	Receipt API	MetricsService.Log()
18	Receipt API	→	D1	POST /api/receipt-api/logs

Customer → Badge Entry → SAS → Shopping (tracked) → Exit → Zippin Cart → Receipt API → Elior/Moneweb → Payment

6. Monitoring Stack

Zabbix Monitoring

Zabbix Server

192.168.1.88

SNMP Polling

Zabbix Proxy

192.168.1.166

Zabbix Web UI

monitoring.fjzippin.com

SNMP Targets

MikroTik hAP ax3

HOST-RESOURCES-MIBIF-MIBMIKROTIK-MIB

UDM Pro SE

SNMPv2c — 35 interfaces

USW Switches

Health Checks & SNMP

Health Checks (17 endpoints)

6

CF Tunnels

4

TUGA APIs

4

Back Offices

2

Azure APIs

1

UniFi Cloud

Alert Pipeline

Alert Pipeline

Trigger Alerts

→

RPI Alerts

→

Notifications

Dashboard

Zabbix

SNMP Targets

Health Checks

Alerts

Zabbix (Server → Proxy) + SNMP Targets + 17 Health Check endpoints → Alert Pipeline → Dashboard Notifications

7. AI Pipeline (Langflow)

User Question

Chat input

→

POST /api/langflow

Control Center

→

Prompt Template

System + Context

→

Embeddings

OpenAI

→

ChromaDB

Vector Store

→

LLM

GPT-4 / Claude

→

D1: messages

Response stored

→

Response

Displayed to user

AI / Langflow Pipeline

Cloudflare (API + D1)

User → API → Prompt → Embeddings → ChromaDB → LLM (GPT-4/Claude) → D1 messages → Response

8. Store Physical Layout

STMicroelectronics Crolles — Autonomous Store

SAS Entry Zone

Entry Door

RPI-001 — Badge + QR

SAS Door

RPI-002 — Zippin Session

Shopping Zone

Shelves + Products

Tracking Cameras

t01–t13 (daisy-chain RJ45)

Overhead Cameras

s01–s02

Exit Zone

Exit Door

RPI-003 — Auto-close

All cameras → RJ45 daisy-chain → Network Rack

Network Rack 9U — NR-AU-40-LR-01

PSU

25A / 2.1kW

RPI-001

Entry

RPI-002

SAS

RPI-003

Exit

MikroTik PoE ×2

→

MikroTik hAP ax3

Router + VPN

→

USW-Pro-24-PoE

→

USW Aggregation

Entry / RPi / UniFi

Shopping zone

Exit zone

MikroTik / Power

Cameras (daisy-chain) → MikroTik PoE → MikroTik Router → USW-Pro-24 → USW Aggregation