From 17be81a66ea83614871b79366824b9730cc30492 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Murat=20=C3=96ZDEM=C4=B0R?=
Date: Tue, 19 May 2026 17:47:23 +0300
Subject: [PATCH] feat(db): align WireGuard DB access with standard ports

- switch WireGuard DB access defaults from proxy ports to 5432/27017
- remove obsolete db stack template for proxy-based DB access
- clean roadmap wording around deprecated DB proxy services
---
 .../roles/db_stack/templates/db.stack.yml.j2 | 45 -------------------
 ansible/roles/wireguard/defaults/main.yml | 6 +--
 ansible/roles/wireguard/tasks/main.yml | 2 +-
 roadmap/prod-env/01-swarm-init-multinode.md | 2 +-
 4 files changed, 5 insertions(+), 50 deletions(-)
 delete mode 100644 ansible/roles/db_stack/templates/db.stack.yml.j2

diff --git a/ansible/roles/db_stack/templates/db.stack.yml.j2 b/ansible/roles/db_stack/templates/db.stack.yml.j2
deleted file mode 100644
index 7d98635..0000000
--- a/ansible/roles/db_stack/templates/db.stack.yml.j2
+++ /dev/null
@@ -1,45 +0,0 @@
-version: "3.8"
-
-networks:
-  iklimco-net:
-    external: true
-
-volumes:
-  postgresql_data:
-  mongodb_data:
-
-services:
-  postgresql:
-    image: {{ db_postgres_image }}
-    environment:
-      POSTGRES_USER: "{{ db_postgres_root_user }}"
-      POSTGRES_PASSWORD: "{{ db_postgres_password }}"
-      POSTGRES_DB: postgres
-      PGDATA: /var/lib/postgresql/data/pgdata
-    volumes:
-      - postgresql_data:/var/lib/postgresql/data
-    networks:
-      - iklimco-net
-    deploy:
-      placement:
-        constraints:
-          - node.labels.role == db
-
-  mongodb:
-    image: {{ db_mongo_image }}
-    environment:
-      MONGO_INITDB_ROOT_USERNAME: "{{ db_mongo_root_user }}"
-      MONGO_INITDB_ROOT_PASSWORD: "{{ db_mongo_root_password }}"
-    volumes:
-      - mongodb_data:/data/db
-      - /opt/iklimco/db/mongodb/config/mongod.conf:/etc/mongod.conf
-    command: ["--config", "/etc/mongod.conf"]
-    networks:
-      - iklimco-net
-    deploy:
-      placement:
-        constraints:
-          - node.labels.role == db
-
-  # WireGuard üzerinden DB manager erişimi için köprü servisler.
-  # Host portları firewalld ile sadece WireGuard subnet'ine (10.8.0.0/24) açılır.
diff --git a/ansible/roles/wireguard/defaults/main.yml b/ansible/roles/wireguard/defaults/main.yml
index eb379c4..12e5ff9 100644
--- a/ansible/roles/wireguard/defaults/main.yml
+++ b/ansible/roles/wireguard/defaults/main.yml
@@ -4,9 +4,9 @@
 wireguard_address: "10.8.0.1/24"
 wireguard_port: 51820
 wireguard_subnet: "10.8.0.0/24"
-# DB proxy portları — host ağında dinlenecek, sadece wireguard_subnet'ten erişilebilir
-wireguard_db_pg_proxy_port: 15432
-wireguard_db_mongo_proxy_port: 17017
+# DB portları — host ağında dinlenecek, sadece wireguard_subnet'ten erişilebilir
+wireguard_db_pg_proxy_port: 5432
+wireguard_db_mongo_proxy_port: 27017
 
 # Her client için: name, public_key, allowed_ips
 # group_vars/all/vars.yml içinde tanımlanır
diff --git a/ansible/roles/wireguard/tasks/main.yml b/ansible/roles/wireguard/tasks/main.yml
index c1cf13f..6518b87 100644
--- a/ansible/roles/wireguard/tasks/main.yml
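Review bot: The new defaults keep the `_proxy_port` suffix on `wireguard_db_pg_proxy_port` and `wireguard_db_mongo_proxy_port` while the comment directly above them and the renamed task in ansible/roles/wireguard/tasks/main.yml both drop the word "proxy", so the variable names now describe a component this commit deletes. Renaming would ripple into group_vars and the firewalld rich rule that consumes these values, so if the rename is deferred, the minimum is a comment on the values such as `# Real PostgreSQL/MongoDB listener ports; the 15432/17017 proxy layer was removed`. Separately, 5432 and 27017 are the ports the database engines themselves listen on, which makes the rich rule limiting them to `wireguard_subnet` the only control keeping them off the public interface. The deleted db.stack.yml.j2 used Swarm `deploy.placement` constraints, so if the databases are still published as Docker ports it is worth confirming that firewalld's zone rules are applied to that traffic at all, because Docker manages its own iptables chains and published ports can be accepted before zone filtering is consulted; a connectivity check from a host outside the WireGuard subnet after the playbook runs would settle it.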
+++ b/ansible/roles/wireguard/tasks/main.yml
@@ -66,7 +66,7 @@
     immediate: true
   loop: "{{ admin_allowed_cidrs.split(' ') }}"
 
-- name: Allow DB proxy ports from WireGuard subnet only
+- name: Allow DB ports from WireGuard subnet only
   ansible.posix.firewalld:
     rich_rule: >-
       rule family="ipv4" source address="{{ wireguard_subnet }}"
diff --git a/roadmap/prod-env/01-swarm-init-multinode.md b/roadmap/prod-env/01-swarm-init-multinode.md
index c815411..2f9c268 100644
--- a/roadmap/prod-env/01-swarm-init-multinode.md
+++ b/roadmap/prod-env/01-swarm-init-multinode.md
@@ -27,7 +27,7 @@ App nodes carry `type=service`, DB nodes carry `role=db`. The two different label keys are not an inconsistency — they operate on different semantic planes:
 
 - **`type=service`** — "this node carries service workload"; determines which node group microservices and infrastructure services (APISIX, Vault, RabbitMQ, Redis, SWAG, etc.) are scheduled on.
-- **`role=db`** — "this node is a database node"; pins PostgreSQL (Patroni), MongoDB, and their proxy services exclusively to DB nodes.
+- **`role=db`** — "this node is a database node"; pins PostgreSQL (Patroni) and MongoDB exclusively to DB nodes.
 
 Docker Swarm's **built-in** `node.role` property (`manager` / `worker`) does **not** conflict with the custom `node.labels.role` label — the placement constraint syntax distinguishes them explicitly: