Strategy for Deploying the Federal Reserve's Open-Source Direct File System

This document outlines a strategic plan for deploying the Internal Revenue Service's (IRS) open-source Direct File tax system. This deployment will take place within a Docker container hosted on an Oxide Silo, as a proof-of-concept (POC) for the Univrs.io Commons Cloud initiative.

Phase 1: Infrastructure Preparation in the Oxide Silo

The initial phase focuses on preparing the Oxide Silo for the Direct File application.

1. Silo and Project Setup

• An Oxide Silo, a logically and cryptographically separated multi-tenancy environment, will be dedicated to this project to ensure resource isolation and security.

• Within the Silo, a dedicated project will be created to house all the virtual machines (VMs), storage, and networking resources for the Direct File application. This will allow for granular access control and resource management.

2. Virtual Machine Provisioning

• One or more VMs will be provisioned within the project.

• Operating System: Ubuntu or Debian Linux will be installed on the VMs, as specified.

• Resource Allocation: The VMs will be configured with sufficient CPU, memory, and storage to run the Direct File application and its dependencies. The provided context suggests that the application may require 2-4GB of JVM heap per service, which should be a baseline for memory allocation.

3. Network Configuration

• A virtual private cloud (VPC) will be configured within the project to provide a private network for the application components.

• Firewall rules will be established to control inbound and outbound traffic, only allowing access to necessary ports (e.g., HTTPS on port 443).

• A floating IP will be provisioned and associated with the VM or load balancer that will serve as the entry point for the application. This IP will be used for the file.univrs.io domain.

Phase 2: Application Containerization

This phase involves packaging the Direct File application into Docker containers for portability and ease of deployment.

1. Backend Containerization (Scala/JVM)

• The Scala-based backend of the Direct File application will be packaged into a Docker container.

• A "fat JAR" of the application will be created using a build tool like sbt-assembly.

• A lightweight Docker base image, such as openjdk:8-jre-alpine, will be used to minimize the container size.

• The sbt-native-packager tool can be used to automate the creation of the Docker image.

• The Dockerfile will be configured to copy the fat JAR and a startup script into the image. The startup script will be used to pass any necessary runtime arguments to the JVM.

2. Frontend Containerization

• The React-based frontend of the Direct File application will be packaged into a separate Docker container.

• A multi-stage Docker build will be used to first build the static assets (HTML, CSS, JavaScript) and then copy them into a lightweight web server image like Nginx.

3. Configuration Management

• All application configuration, including database connection strings, API keys, and other secrets, will be externalized from the Docker images.

• Environment variables or Docker secrets will be used to pass configuration to the containers at runtime.

Phase 3: Database and Storage

This phase focuses on setting up the necessary data persistence layers for the application.

1. PostgreSQL Database

• A PostgreSQL database, required by the Direct File application, will be deployed within the Oxide Silo.

• For the POC, the database can be run in a Docker container. For a production environment, a dedicated VM or a managed PostgreSQL service would be more appropriate.

2. S3-Compatible Object Storage

• The Direct File application requires S3-compatible object storage.

• An open-source, S3-compatible object storage system like MinIO will be deployed in a Docker container within the Silo. This will provide the necessary object storage capabilities for the application.

Phase 4: Deployment and Orchestration

This phase covers the deployment and management of the containerized application.

1. Initial POC Deployment

• For the initial POC, Docker Compose will be used to define and run the multi-container application (backend, frontend, database, object storage).

• A docker-compose.yml file will be created to specify the services, networks, and volumes for the application.

2. Future Scalability with Kubernetes

• For future scalability and high availability, a move to a container orchestration platform like Kubernetes is recommended.

• Talos Linux, a minimalist and secure Linux distribution for Kubernetes, can be run on the Oxide Cloud Computer. This would provide a robust platform for running the Direct File application at scale.

Phase 5: Domain, Security, and Compliance

This phase focuses on securing the application and ensuring it meets the necessary compliance requirements.

1. Domain Configuration

• The DNS for the file.univrs.io domain will be configured to point to the floating IP of the load balancer or VM in the Oxide Silo.

• A valid SSL/TLS certificate will be obtained and installed to enable HTTPS for the domain. Given the nature of the application, an Extended Validation (EV) certificate should be considered to enhance trust.

2. Security Best Practices

• HTTPS: HTTPS will be enforced for all traffic to the application.

• Firewall: The Oxide Silo's firewall will be configured to restrict access to the application and its components.

• Vulnerability Scanning: Regular vulnerability scans of the Docker images and application dependencies will be performed.

• Compliance: The security measures will be designed to meet the compliance requirements outlined in the provided document, including the FTC Safeguards Rule and IRS standards.

Roadmap and Future Considerations

• Proof of Concept: The initial focus will be on deploying a functional POC of the Direct File application in the Oxide Silo.

• Scalability: Once the POC is successful, the deployment can be scaled up by moving to a Kubernetes-based orchestration and potentially utilizing multiple Silos or racks for high availability.

• Collaboration: Close collaboration with Cargill, Oxide.Computer, and the Univrs.io organization will be essential for the success of this project.

By following this strategic plan, the Univrs.io Commons Cloud initiative can successfully deploy the IRS Direct File system, providing a valuable and free service to the public while demonstrating the capabilities of an on-premise cloud infrastructure. This project aligns with the Univrs.io mission of advocating for a public cloud infrastructure and running pilot projects to demonstrate its feasibility and benefits.

Deploying JVM Scala Tax Filing Application on Cloudflare

The Direct File tax application presents unique challenges for Cloudflare deployment due to its complex JVM architecture and government compliance requirements. Cloudflare cannot directly host traditional JVM applications in Workers or Pages, but several viable deployment strategies exist combining Cloudflare’s edge services with cloud infrastructure optimized for JVM workloads.

Current Cloudflare JVM limitations and opportunities

Cloudflare Workers and Pages run on V8 JavaScript runtime, not the JVM, making direct deployment of the Direct File application impossible. However, Cloudflare’s new Containers service (2025 beta) represents a breakthrough, offering full JVM support with global edge deployment. Additionally, hybrid architectures leveraging Cloudflare as a CDN/security layer in front of traditional cloud infrastructure provide immediate, practical solutions.

The Direct File application is a sophisticated Spring Boot microservices system with Scala components, requiring PostgreSQL, AWS services integration, and extensive government compliance features. This enterprise-grade architecture demands careful deployment planning beyond simple serverless solutions.

Cloudflare service capabilities for JVM applications

Workers and Pages constraints

Cloudflare Workers impose strict limitations incompatible with traditional JVM applications: 128MB memory limit, 30-second execution time, single-threaded execution, and no native JVM support. The Direct File application’s Spring Boot architecture, multi-threading requirements, and resource needs exceed these constraints by orders of magnitude.

Scala.js compilation offers a path for new applications but requires complete rewriting of the Direct File codebase, eliminating most JVM libraries and frameworks. Given the application’s complexity and government compliance requirements, this approach is impractical for the existing system.

Cloudflare Containers - the game changer

The beta Containers service enables full JVM deployment on Cloudflare’s global network with Docker compatibility, multi-threading support, and unlimited memory allocation. This represents the most promising path for traditional JVM applications, though production readiness and pricing remain uncertain in beta status.

Storage and edge services

R2 object storage provides S3-compatible storage with zero egress fees, offering significant cost advantages for the application’s document storage needs. D1 database supports SQL but is SQLite-based rather than PostgreSQL-compatible, requiring application modifications. Workers KV excels at caching configuration data and session management.

Architecture analysis of Direct File application

The repository reveals a complex microservices architecture built on Spring Boot with Scala-based tax calculation engines. Key components include:

• Backend API: Spring Boot application handling core business logic

• Fact Graph: Scala-based tax rule processing engine running server-side and client-side

• React Frontend: TypeScript/Vite-based responsive interface

• Supporting Services: Email, state tax integration, authentication simulation

Infrastructure requirements include PostgreSQL database, AWS services (S3, SQS, SNS, KMS), comprehensive logging, and multi-container orchestration. The application expects 2-4GB JVM heap per service, multiple CPU cores, and persistent storage - far exceeding serverless limitations.

Government compliance features embed extensive security controls, audit trails, and integration with IRS systems, making migration complex and requiring careful preservation of security posture.

Deployment options comparison

Hybrid architecture - recommended approach

The optimal strategy combines Cloudflare’s edge services with traditional cloud infrastructure:

Cloudflare Layer: CDN, DDoS protection, WAF, SSL termination, bot management Application Layer: Kubernetes cluster or managed container service hosting the JVM application Storage Layer: Mix of R2 for documents, managed PostgreSQL for transactional data

This approach delivers global performance through edge caching while maintaining full JVM compatibility and government security requirements.

Serverless limitations

AWS Lambda and similar platforms support JVM applications but face cold start penalties (2-6 seconds typical, reduced to 1.4 seconds with SnapStart). For tax filing applications with extreme seasonality - 90% of returns filed by late May - the traffic spikes exceed serverless cost-efficiency thresholds. Beyond 66 requests/second, container solutions become more economical.

Container orchestration benefits

Managed Kubernetes services (EKS, GKE, AKS) provide ideal foundations for the microservices architecture. GraalVM Native Image compilation can reduce startup times by 90% and memory usage by 70%, improving autoscaling behavior during traffic spikes.

Step-by-step deployment instructions

Phase 1: Infrastructure preparation

1. Domain Setup: Configure file.univrs.io subdomain in Cloudflare DNS with proxied status

2. SSL Configuration: Obtain Extended Validation certificate (required for tax software)

3. Security Setup: Configure WAF rules, rate limiting, and bot protection

4. Cloud Infrastructure: Provision Kubernetes cluster or container service

Phase 2: Application containerization

1. Docker Optimization: Create multi-stage builds reducing image size

2. GraalVM Integration: Compile critical services to native images for faster scaling

3. Configuration Management: Externalize all configuration for cloud deployment

4. Health Checks: Implement comprehensive readiness and liveness probes

Phase 3: Cloudflare integration

1. Origin Configuration: Point Cloudflare to load balancer or ingress controller

2. Caching Rules: Configure appropriate cache policies for static assets

3. Security Policies: Implement government-compliant security headers

4. Monitoring Setup: Enable audit logging and performance monitoring

Phase 4: Database and storage

1. PostgreSQL Setup: Deploy managed PostgreSQL with read replicas

2. R2 Integration: Migrate document storage to R2 for cost savings

3. Backup Strategy: Implement encrypted backups with secure retention

4. Performance Tuning: Optimize database connections and query performance

Domain configuration and compliance

Critical domain considerations

Using .io domains presents sovereignty risks for government applications. The British Indian Ocean Territory faces territorial disputes, potentially leading to domain retirement within 5+ years. Government services should prioritize .gov domains for credibility and regulatory compliance.

Extended Validation SSL certificates are mandatory for IRS e-File providers, requiring rigorous business verification. Cloudflare supports custom certificate upload, enabling EV SSL while maintaining edge security benefits.

Security requirements

Tax software faces extensive compliance requirements:

FTC Safeguards Rule: Mandates multi-factor authentication, data encryption, access controls, and comprehensive audit trails IRS Standards: Require quarterly vulnerability scans, incident reporting, and specific security architectures FISMA Compliance: Applies to federal systems with NIST SP 800-53 control requirements

Implementation checklist

• ✅ HTTPS enforcement with TLS 1.2 minimum

• ✅ Security headers (HSTS, CSP, X-Frame-Options)

• ✅ Web Application Firewall with OWASP rule sets

• ✅ DDoS protection and rate limiting

• ✅ Comprehensive audit logging

• ✅ Multi-factor authentication integration

• ✅ Encrypted data storage and transmission

Cost analysis and scaling considerations

Cost-effective hybrid approach

Annual cost projections for 10 million tax filings:

Hybrid Architecture: $2,800 Annually ($0.28 per filing)

• Off-season: $77/month (Cloudflare + minimal VPS)

• Peak season: $300-800/month (auto-scaled cluster)

Pure Cloud Solutions: $4,500-6,000 annually

On-premises Equivalent: $15,000+ annually

Traffic pattern optimization

Tax filing exhibits extreme seasonality with 10:1 ratio between peak and off-season traffic. The architecture must handle:

• Off-season: 1,000-5,000 concurrent users

• Peak season: 50,000-100,000 concurrent users

• Final deadline: 1M+ concurrent users

Predictive autoscaling based on historical patterns enables cost-effective resource provisioning while maintaining performance during critical periods.

Special considerations for government software

Compliance requirements

Government tax software demands stringent security measures: data classification handling (PII, FTI, SBU), encryption at rest and in transit, comprehensive audit trails, and integration with IRS systems. The application must maintain these features regardless of deployment platform.

Risk mitigation strategies

Multi-region deployment ensures availability during extreme traffic events. Progressive traffic shifting allows testing new configurations without disrupting live tax filing operations. Disaster recovery planning must account for both technical failures and security incidents.

Recommended implementation path

For the Direct File application, implement a phased hybrid deployment:

Immediate: Deploy on cloud containers (AWS EKS/Azure AKS/GCP GKE) behind Cloudflare CDN Phase 2: Migrate document storage to R2 for cost savings and performance Phase 3: Monitor Cloudflare Containers service for production readiness Future: Evaluate full Cloudflare Containers deployment once beta limitations resolve

This approach provides immediate deployment capability while positioning for future Cloudflare-native hosting. The combination delivers global performance, government-grade security, and cost efficiency essential for public tax filing services.

The hybrid architecture handles the application’s complexity while leveraging Cloudflare’s strengths in edge delivery, security, and cost optimization - creating a robust, compliant, and scalable platform for this critical government service.

Connect with Univrs.io

• Univrs.io Discord

• Univrs Patreon

• Univrs.io

• https://ardeshir.io

• https://hachyderm.io/@sepahsalar

• https://github.com/ardeshir

• https://medium.com/@sepahsalar

• https://www.linkedin.com/in/ardeshir

• https://sepahsalar.substack.com/

• LinkTree @Sepahsalar

• Univrs MetaLabel