feat(db): align WireGuard DB access with standard ports

- switch WireGuard DB access defaults from proxy ports to 5432/27017

- remove obsolete db stack template for proxy-based DB access

- clean roadmap wording around deprecated DB proxy services

ansible/roles/db_stack/templates/db.stack.yml.j2

@@ -1,45 +0,0 @@
-version: "3.8"
-
-networks:
-  iklimco-net:
-    external: true
-
-volumes:
-  postgresql_data:
-  mongodb_data:
-
-services:
-  postgresql:
-    image: {{ db_postgres_image }}
-    environment:
-      POSTGRES_USER: "{{ db_postgres_root_user }}"
-      POSTGRES_PASSWORD: "{{ db_postgres_password }}"
-      POSTGRES_DB: postgres
-      PGDATA: /var/lib/postgresql/data/pgdata
-    volumes:
-      - postgresql_data:/var/lib/postgresql/data
-    networks:
-      - iklimco-net
-    deploy:
-      placement:
-        constraints:
-          - node.labels.role == db
-
-  mongodb:
-    image: {{ db_mongo_image }}
-    environment:
-      MONGO_INITDB_ROOT_USERNAME: "{{ db_mongo_root_user }}"
-      MONGO_INITDB_ROOT_PASSWORD: "{{ db_mongo_root_password }}"
-    volumes:
-      - mongodb_data:/data/db
-      - /opt/iklimco/db/mongodb/config/mongod.conf:/etc/mongod.conf
-    command: ["--config", "/etc/mongod.conf"]
-    networks:
-      - iklimco-net
-    deploy:
-      placement:
-        constraints:
-          - node.labels.role == db
-
-  # WireGuard üzerinden DB manager erişimi için köprü servisler.
-  # Host portları firewalld ile sadece WireGuard subnet'ine (10.8.0.0/24) açılır.

ansible/roles/wireguard/defaults/main.yml

@@ -4,9 +4,9 @@ wireguard_address: "10.8.0.1/24"
 wireguard_port: 51820
 wireguard_subnet: "10.8.0.0/24"
 
-# DB proxy portları — host ağında dinlenecek, sadece wireguard_subnet'ten erişilebilir
+# DB portları — host ağında dinlenecek, sadece wireguard_subnet'ten erişilebilir
-wireguard_db_pg_proxy_port: 15432
+wireguard_db_pg_proxy_port: 5432
-wireguard_db_mongo_proxy_port: 17017
+wireguard_db_mongo_proxy_port: 27017
 
 # Her client için: name, public_key, allowed_ips
 # group_vars/all/vars.yml içinde tanımlanır

ansible/roles/wireguard/tasks/main.yml

@@ -66,7 +66,7 @@
     immediate: true
   loop: "{{ admin_allowed_cidrs.split(' ') }}"
 
-- name: Allow DB proxy ports from WireGuard subnet only
+- name: Allow DB ports from WireGuard subnet only
   ansible.posix.firewalld:
     rich_rule: >-
       rule family="ipv4" source address="{{ wireguard_subnet }}"

roadmap/prod-env/01-swarm-init-multinode.md

@@ -27,7 +27,7 @@
 App nodes carry `type=service`, DB nodes carry `role=db`. The two different label keys are not an inconsistency — they operate on different semantic planes:
 
 - **`type=service`** — "this node carries service workload"; determines which node group microservices and infrastructure services (APISIX, Vault, RabbitMQ, Redis, SWAG, etc.) are scheduled on.
-- **`role=db`** — "this node is a database node"; pins PostgreSQL (Patroni), MongoDB, and their proxy services exclusively to DB nodes.
+- **`role=db`** — "this node is a database node"; pins PostgreSQL (Patroni) and MongoDB exclusively to DB nodes.
 
 Docker Swarm's **built-in** `node.role` property (`manager` / `worker`) does **not** conflict with the custom `node.labels.role` label — the placement constraint syntax distinguishes them explicitly: