- Ensure consistent directory and file permissions on StorageBox mounts for improved container access across application and database services.
- Introduce application-specific `storagebox_uid`/`gid` variables for more granular ownership control.
- Enhance StorageBox mount reliability by adding systemd reload and remount handlers for configuration changes.
- Add root credentials to Patroni's etcd configuration for authenticated communication.
- Update all relevant documentation and deployment scripts to use the `iklimco` Docker stack name for database services.
- Re-encrypt production vault secrets to include the new etcd password.
Reflects a clearer organization for SWAG configuration templates across all roadmap and setup documentation. This standardizes references to template files by explicitly including the `template/` subdirectory, improving clarity and distinction from generated configuration files.
- Synchronized environment-specific settings with the new isolated architecture.
- Updated network and storage definitions to match the latest Swarm stack requirements.
- Harmonized configuration templates for consistent cross-environment deployment.
Update Environment_Infrastructure to match the current root stack conventions for database images, shared secret names, and APISIX real IP handling.
- update test Ansible DB image defaults to PostGIS 18/PostGIS 3.6 and MongoDB 8.3.2
- align Patroni configuration with DATABASE_POSTGRES_* secret variable names
- document APISIX real IP template configuration and Harbor rebuild workflow
- replace the separate DB stack env file guidance with the shared .env.secrets.shared flow
- update production setup and roadmap snippets to use current PostGIS, MongoDB, and APISIX rebuild commands
- switch WireGuard DB access defaults from proxy ports to 5432/27017
- remove obsolete db stack template for proxy-based DB access
- clean roadmap wording around deprecated DB proxy services
- Updated roadmap (03-infra-stack-changes.md) to deprecate database proxies in prod.
- Detailed direct subnet access via WireGuard for production developers.
- Provided multi-host connection parameters for Patroni and MongoDB Replica Sets in setup guide (08-prod-db-cluster-kurulum.md).
- Added environment comparison table to developer access guide.
- Split single large bash block into four logical sections (Constants, WS, Auth, Global).
- Improved Obsidian rendering compatibility by removing inline explanatory comments from code blocks.
- Enhanced readability with bold subsection headers.
- Expanded the header constants example to cover Global, Auth, and WebSocket limits.
- Provided detailed snippets for using constants in WS_PLUGINS and AUTH_LIMIT blocks.
- Reinforced maintainability standards for the APISIX initialization script.
- Recommended defining rate limit thresholds as header constants in init.sh.
- Updated documentation snippet to use GLOBAL_LIMIT_COUNT and GLOBAL_LIMIT_WINDOW variables.
- Improved maintainability for future rate limit adjustments.
- Configured 'iklimco-net' aliases for RabbitMQ nodes in prod overlay documentation.
- Updated Step 6 and Step 8 stack snippets to include network aliases and definitions.
- Added a technical note to Step 7 explaining DNS requirements for sticky sessions.
- Implemented Consistent Hashing (chash) logic in APISIX upstream configuration for prod.
- Added instructions for real IP detection in APISIX configuration template.
- Documented the bypass of Swarm VIP for better session persistence on RabbitMQ nodes.
Corrects six documentation files to match the actual deployed pipeline
behavior and align test/prod approaches where they share the same code.
prod-env/02-godaddy-credentials.md
- Step 1: correct secret file from .env.secrets.shared to .env.secrets.swag;
add clarifying note that .env.secrets.shared holds AppRole/DB secrets
and must not be used for GoDaddy credentials.
- Step 4: document that GoDaddy A records are now managed automatically
by the pipeline's 'Update DNS Records' step via the GoDaddy API;
reference the Gitea variable PROD_FLOATING_IP that must be set once.
prod-env/08-deploy-pipeline-update.md
- Add Step 2 documenting the new 'Update DNS Records' pipeline step
(GoDaddy API, idempotent check-before-update, requires jq and
vars.PROD_FLOATING_IP).
- Renumber subsequent steps 3-8 to accommodate the new step.
- Fix DB hostnames in Step 7 (Run Database Init Scripts) from
iklimco_postgresql/iklimco_mongodb to postgresql/mongodb, matching
how Swarm overlay DNS resolves service names inside iklimco-net.
- Update context block: correct DB hostname description, replace
outdated storagebox path note with env-var approach, list new steps.
- Update final step order to 24 steps including the DNS step and
Release Deploy Lock; mark Wait for etcd as NEW.
prod-env/09-verify.md
- Insert check #2 for the precipitation image directory
(/mnt/storagebox/precipitation/images) and iklimco_image-data volume
bind mount, mirroring the equivalent check in test-env/08-verify.md.
- Renumber all subsequent checks (3-12) to maintain sequential ordering.
test-env/03-infra-stack-changes.md
- Update SWAG service volume snippet: replace hardcoded paths
(swag-vl:/config, /opt/iklimco/swag/dns-conf, /opt/iklimco/swag/site-confs)
with env-var forms (${SWAG_CONFIG_DIR:-swag-vl}, ${SWAG_DNS_CONF_DIR:-...},
${SWAG_SITE_CONFS_DIR:-...}) to match docker-stack-infra.yml.
- Update cert-reloader volume snippet: replace swag-vl and /opt/iklimco/ssl
with ${SWAG_CONFIG_DIR:-swag-vl} and ${SWAG_CERT_DIR:-/opt/iklimco/ssl},
enabling StorageBox override in prod without changing the base file.
test-env/04-swag-nginx-configs.md
- Replace RESTRICTED_IP_1/RESTRICTED_IP_2 individual env vars with
RESTRICTED_IPS (comma-separated CIDR list) in the required-vars section,
matching env-test/.env and the actual pipeline.
- Update all three IP-restricted template examples (apigw, rabbitmq,
grafana) from allow ${RESTRICTED_IP_1}; allow ${RESTRICTED_IP_2}; to
${RESTRICTED_IPS_BLOCK}, matching the actual .conf.tpl files in the repo.
- Rewrite the deploy step section to match the real pipeline: docker run
alpine for file writing, RESTRICTED_IPS_BLOCK generation via sed, and
envsubst with explicit SWAG_VARS filter to protect nginx $upstream_* vars.
test-env/07-deploy-pipeline-update.md
- Step 2 (Prepare SWAG Directories): replace sudo-tee approach with the
actual docker-run-alpine method used in deploy-test.yml; add nginx
reload block; update notes to reflect RESTRICTED_IPS_BLOCK generation.
- Step 4 (Re-order): correct step numbering to match actual pipeline
(21 steps); mark 'Wait for etcd' as already present in pipeline rather
than a new addition; add Bootstrap Vault TLS Placeholder which was
missing from the documented order.
- Refactor production setup documentation to reflect a 3-node Vault Raft cluster starting from launch.
- Update all paths to use StorageBox mounts for shared state (SWAG config, TLS certs, Monitoring data).
- Switch Nginx configuration convention from proxy-confs to site-confs to align with SWAG's auto-include behavior.
- Standardize TLS private key extensions to .pem.
- Update node failover and recovery facts to include monitoring services.
- Align deployment pipeline instructions with the latest environment variable-driven approach.
Add the Ansible README and expand prod bootstrap coverage for StorageBox keys, DB labels, DB stack configuration, and act runner setup. Update MongoDB configuration for replica set support and refresh prod roadmap/setup documentation for Swarm labels, StorageBox-backed cert paths, and recovery guidance.
- Add new Ansible role `wireguard` to set up WireGuard VPN server on
DB node with key generation, firewalld rules, and client peer config.
- Introduce `pg-proxy` and `mongo-proxy` socat containers in db_stack
to expose PostgreSQL (15432) and MongoDB (17017) on host ports,
restricted to WireGuard subnet via firewalld.
- Update test environment group_vars with WireGuard client entry for
`murat-inspiron-15-3525`.
- Modify act_runner config: set `docker_host` to unix socket, remove
explicit socket mount from options, and change runner label image to
`catthehacker/ubuntu:act-22.04`.
- Open UDP port 51820 in Hetzner firewall for WireGuard inbound.
- Adjust test-db-post-stack playbook to include wireguard role (tagged).
- Update roadmap document with APISIX init step order.
Migrates `act_runner` configuration from shell-generated to an Ansible-templated `config.yaml`. This enables:
- Dynamic label provisioning, including `test-runner:docker://ubuntu:22.04`.
- Explicit configuration for joining the `iklimco-net` overlay network.
- Docker socket mounting for CI/CD jobs to interact with the Docker daemon.
Updates `setup/05-test-runner-ve-deploy-onkosullari.md` and other related documentation to reflect the new automated and integrated runner setup.
This commit introduces a reordered and renumbered set of setup documentation files to better reflect the deployment stages for both test and production environments.
Key changes include:
* A new `setup-vs-roadmap-map.md` file to provide a clear mapping between roadmap tasks and their corresponding setup phases.
* Significantly expanded Ansible bootstrap documentation for both test and production, detailing Docker, Swarm, security hardening, and StorageBox SSH key management roles.
* Formalized database Docker and Swarm cluster setup instructions for test and production, including explicit steps for Swarm worker integration of DB nodes.
* Updated roadmap documentation (`roadmap/prod-env/*`) to align with the refined setup, incorporating correct private IP addresses for Swarm joins, new node labels, and floating IP usage for GoDaddy DNS records.
- Database nodes now join the Docker Swarm as workers with `role=db` labels, allowing Swarm to manage their dedicated services.
- The `docker-stack-infra.yml` has been updated for production to focus solely on application-level infrastructure components.
- Dedicated database services (PostgreSQL, MongoDB, Patroni-etcd) are now explicitly deployed in separate Swarm stacks on `iklim-db-XX` nodes.
- Standardizes node naming conventions (`iklim-app-XX`, `iklim-db-XX`) across the production roadmap documentation.
- Clarifies that the `etcd` service within `docker-stack-infra.yml` is exclusively for APISIX configuration, distinct from Patroni's etcd cluster.
