feat(db): align WireGuard DB access with standard ports

- switch WireGuard DB access defaults from proxy ports to 5432/27017 - remove obsolete db stack template for proxy-based DB access - clean roadmap wording around deprecated DB proxy services
2026-05-19 17:47:23 +03:00 · 2026-05-19 17:47:23 +03:00 · 17be81a66e
commit 17be81a66e
parent 27f4f83f73
4 changed files with 5 additions and 50 deletions
--- a/ansible/roles/db_stack/templates/db.stack.yml.j2
+++ b/ansible/roles/db_stack/templates/db.stack.yml.j2
@ -1,45 +0,0 @@
-version: "3.8"
-
-networks:
-  iklimco-net:
-    external: true
-
-volumes:
-  postgresql_data:
-  mongodb_data:
-
-services:
-  postgresql:
-    image: {{ db_postgres_image }}
-    environment:
-      POSTGRES_USER: "{{ db_postgres_root_user }}"
-      POSTGRES_PASSWORD: "{{ db_postgres_password }}"
-      POSTGRES_DB: postgres
-      PGDATA: /var/lib/postgresql/data/pgdata
-    volumes:
-      - postgresql_data:/var/lib/postgresql/data
-    networks:
-      - iklimco-net
-    deploy:
-      placement:
-        constraints:
-          - node.labels.role == db
-
-  mongodb:
-    image: {{ db_mongo_image }}
-    environment:
-      MONGO_INITDB_ROOT_USERNAME: "{{ db_mongo_root_user }}"
-      MONGO_INITDB_ROOT_PASSWORD: "{{ db_mongo_root_password }}"
-    volumes:
-      - mongodb_data:/data/db
-      - /opt/iklimco/db/mongodb/config/mongod.conf:/etc/mongod.conf
-    command: ["--config", "/etc/mongod.conf"]
-    networks:
-      - iklimco-net
-    deploy:
-      placement:
-        constraints:
-          - node.labels.role == db
-
-  # WireGuard üzerinden DB manager erişimi için köprü servisler.
-  # Host portları firewalld ile sadece WireGuard subnet'ine (10.8.0.0/24) açılır.
--- a/ansible/roles/wireguard/defaults/main.yml
+++ b/ansible/roles/wireguard/defaults/main.yml
@ -4,9 +4,9 @@ wireguard_address: "10.8.0.1/24"
 wireguard_port: 51820
 wireguard_subnet: "10.8.0.0/24"

-# DB proxy portları — host ağında dinlenecek, sadece wireguard_subnet'ten erişilebilir
-wireguard_db_pg_proxy_port: 15432
-wireguard_db_mongo_proxy_port: 17017
+# DB portları — host ağında dinlenecek, sadece wireguard_subnet'ten erişilebilir
+wireguard_db_pg_proxy_port: 5432
+wireguard_db_mongo_proxy_port: 27017

 # Her client için: name, public_key, allowed_ips
 # group_vars/all/vars.yml içinde tanımlanır
--- a/ansible/roles/wireguard/tasks/main.yml
+++ b/ansible/roles/wireguard/tasks/main.yml
@ -66,7 +66,7 @@
    immediate: true
  loop: "{{ admin_allowed_cidrs.split(' ') }}"

- name: Allow DB proxy ports from WireGuard subnet only
+- name: Allow DB ports from WireGuard subnet only
  ansible.posix.firewalld:
    rich_rule: >-
      rule family="ipv4" source address="{{ wireguard_subnet }}"
--- a/roadmap/prod-env/01-swarm-init-multinode.md
+++ b/roadmap/prod-env/01-swarm-init-multinode.md
@ -27,7 +27,7 @@
 App nodes carry `type=service`, DB nodes carry `role=db`. The two different label keys are not an inconsistency — they operate on different semantic planes:

 - **`type=service`** — "this node carries service workload"; determines which node group microservices and infrastructure services (APISIX, Vault, RabbitMQ, Redis, SWAG, etc.) are scheduled on.
- **`role=db`** — "this node is a database node"; pins PostgreSQL (Patroni), MongoDB, and their proxy services exclusively to DB nodes.
+- **`role=db`** — "this node is a database node"; pins PostgreSQL (Patroni) and MongoDB exclusively to DB nodes.

 Docker Swarm's **built-in** `node.role` property (`manager` / `worker`) does **not** conflict with the custom `node.labels.role` label — the placement constraint syntax distinguishes them explicitly: