Moves `iklimco-net` overlay network creation to be managed by the Docker Swarm stack, ensuring reliable embedded DNS resolution for inter-service communication. This resolves issues where services on external overlay networks failed to discover each other via Docker DNS.
This refactoring includes:
* Removing the manual `iklimco-net` creation from the Ansible `swarm` role.
* Adjusting `act_runner` configuration to connect job containers to `iklimco-net` only after the stack has deployed and created the network.
* Setting `storagebox_file_mode` to `0600` for DB nodes to prevent "too open" errors with MongoDB keyfiles.
* Provisioning dedicated bind mount directories for MongoDB and PostgreSQL on DB nodes with correct ownership and permissions.
* Updating documentation to reflect the consolidated stack and network changes.
Centralize and manage multiple administrator SSH public keys for server access and streamline administrative tasks.
This change:
- Allows provisioning of multiple admin SSH keys to the `iklim` user for human access.
- Adds the same admin SSH keys to the `root` user for emergency or bootstrap scenarios.
- Grants the `iklim` user passwordless sudo privileges to simplify administrative operations.
- Replaces the single `admin_ssh_public_key_path` variable with a list of keys, accommodating multiple administrators.
Refactor StorageBox mount logic for greater stability and consistent remounts by utilizing shell commands. Enable `user_allow_other` for davfs2 mounts in `/etc/fuse.conf` and `fstab`, ensuring non-root container access to mounted files.
Standardize SWAG configuration directory provisioning to include specific subdirectories for DNS, proxy, and Certbot files. Streamline local `/opt/iklimco` directory creation on app and db nodes, removing obsolete paths and consolidating relevant service directories.
- Ensure consistent directory and file permissions on StorageBox mounts for improved container access across application and database services.
- Introduce application-specific `storagebox_uid`/`gid` variables for more granular ownership control.
- Enhance StorageBox mount reliability by adding systemd reload and remount handlers for configuration changes.
- Add root credentials to Patroni's etcd configuration for authenticated communication.
- Update all relevant documentation and deployment scripts to use the `iklimco` Docker stack name for database services.
- Re-encrypt production vault secrets to include the new etcd password.
- Synchronized environment-specific settings with the new isolated architecture.
- Updated network and storage definitions to match the latest Swarm stack requirements.
- Harmonized configuration templates for consistent cross-environment deployment.
Add DB-specific StorageBox ownership variables and make the davfs mount role honor configurable uid and gid values so database containers can access mounted files.
Extend the prod DB node role to sync StorageBox writes, generate and distribute the MongoDB replica set keyfile, wait for the keyfile on each node, and enforce keyfile permissions.
Tune MongoDB and Patroni templates for quieter logging, correct secret variable names, local bootstrap trust, and production network pg_hba coverage.
Refresh the production setup history with the current bootstrap sequence, DB stack deployment workflow, MongoDB replica set initialization, Patroni validation, and completed DB cluster status.
Update Environment_Infrastructure to match the current root stack conventions for database images, shared secret names, and APISIX real IP handling.
- update test Ansible DB image defaults to PostGIS 18/PostGIS 3.6 and MongoDB 8.3.2
- align Patroni configuration with DATABASE_POSTGRES_* secret variable names
- document APISIX real IP template configuration and Harbor rebuild workflow
- replace the separate DB stack env file guidance with the shared .env.secrets.shared flow
- update production setup and roadmap snippets to use current PostGIS, MongoDB, and APISIX rebuild commands
Document and commit the production bootstrap state after the initial Hetzner and Ansible rollout.
- switch Ansible prod runbooks to use the shared vault password file
- record production admin CIDRs, SSH key path, encrypted group vault, and encrypted per-host vault files
- add generated production inventory and the prod setup history notes from the first bootstrap
- keep root password login disabled while preserving key-based root access for Ansible bootstrap continuity
- document separate Hetzner projects and tokens for test/prod and commit the prod provider lock file
- remove the private Redis firewall allowance from the prod Terraform firewall and matching setup docs
- switch WireGuard DB access defaults from proxy ports to 5432/27017
- remove obsolete db stack template for proxy-based DB access
- clean roadmap wording around deprecated DB proxy services
Add the Ansible README and expand prod bootstrap coverage for StorageBox keys, DB labels, DB stack configuration, and act runner setup. Update MongoDB configuration for replica set support and refresh prod roadmap/setup documentation for Swarm labels, StorageBox-backed cert paths, and recovery guidance.
Add hetzner-floating-ip.service systemd unit to base role so that
the floating IP is bound to eth0 on every boot. The task is
conditional (runs only when hetzner_floating_ip is defined in
host_vars). Add 49.12.116.113 as the floating IP for iklim-app-01
in test host_vars.
The docker role only opened Swarm ports (2377, 7946, 4789).
HTTP and HTTPS were missing, making SWAG unreachable from outside.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add new Ansible role `wireguard` to set up WireGuard VPN server on
DB node with key generation, firewalld rules, and client peer config.
- Introduce `pg-proxy` and `mongo-proxy` socat containers in db_stack
to expose PostgreSQL (15432) and MongoDB (17017) on host ports,
restricted to WireGuard subnet via firewalld.
- Update test environment group_vars with WireGuard client entry for
`murat-inspiron-15-3525`.
- Modify act_runner config: set `docker_host` to unix socket, remove
explicit socket mount from options, and change runner label image to
`catthehacker/ubuntu:act-22.04`.
- Open UDP port 51820 in Hetzner firewall for WireGuard inbound.
- Adjust test-db-post-stack playbook to include wireguard role (tagged).
- Update roadmap document with APISIX init step order.
Migrates `act_runner` configuration from shell-generated to an Ansible-templated `config.yaml`. This enables:
- Dynamic label provisioning, including `test-runner:docker://ubuntu:22.04`.
- Explicit configuration for joining the `iklimco-net` overlay network.
- Docker socket mounting for CI/CD jobs to interact with the Docker daemon.
Updates `setup/05-test-runner-ve-deploy-onkosullari.md` and other related documentation to reflect the new automated and integrated runner setup.
* Introduces an Ansible role for installing and registering `act_runner` for Gitea Actions.
* Automates PostgreSQL and MongoDB deployment on Docker Swarm in the test environment, leveraging Docker named volumes for data persistence.
* Translates core documentation, including `README.md` and `setup/04-test-db-docker-kurulum.md`, to Turkish.
* Adds comprehensive documentation for firewall architecture (`facts/firewall.md`) and Docker Swarm node recovery (`facts/swarm-node-recovery.md`).
* Enhances security hardening by ensuring `fail2ban` is enabled and streamlining admin SSH key management via Ansible.
* Updates Ansible vault structure to support new secret variables and adds `.vault_pass` to `.gitignore`.
This commit introduces several core configurations and structural improvements:
* **User Management:** Creates a new `iklim` administrative user with a securely hashed password, enabled by `python3-passlib`.
* **System Configuration:** Sets the system keyboard layout to Turkish Q (`trq`).
* **Security Hardening:** Refines firewall rules for SSH using a rich rule and ensures `journald` log limits file creation.
* **Ansible Variable Management:** Restructures `group_vars` by consolidating global variables into `group_vars/all/vars.yml` and sensitive data into a dedicated `group_vars/all/vault.yml`.
* **Ansible Compatibility:** Adds `!unsafe` to a `docker info` shell command to prevent future warnings.
This commit introduces the foundational Ansible playbooks, roles, and configurations for automated provisioning of both production and test environments.
Key capabilities include:
- **Base System Setup:** Common packages, timezone, chrony, and hostname.
- **Security Hardening:** SELinux disable, SSH configuration, `dnf-automatic`, `fail2ban`, `firewalld` setup, and `journald` log limits.
- **Docker & Swarm:** Docker installation and configuration, Docker Swarm initialization/joining for managers and workers, overlay network creation, and node labeling.
- **Storage:** Hetzner StorageBox integration using `davfs2`.
- **Directory Structure:** Creation of application and database-specific directories.
This establishes a comprehensive, automated pipeline for infrastructure deployment and initial configuration.
Overhaul and expand firewall definitions for both `prod` and `test` environments to enable comprehensive inter-subnet communication.
This includes implementing explicit rules supporting:
- Docker Swarm overlay networks between application and database subnets.
- High-availability database clusters (PostgreSQL replication, MongoDB replica sets, Patroni, etcd).
- Internal access for various infrastructure services (Vault, Redis, RabbitMQ, APISIX, Prometheus, Grafana).
All firewall rule descriptions are standardized in English for improved clarity and consistency.
Additionally, update default `server_type_swarm` and `server_type_db` variables to the recommended `CPX` series for both environments. An initial generated Ansible inventory for the test environment is also added.
