- Updated roadmap (03-infra-stack-changes.md) to deprecate database proxies in prod.
- Detailed direct subnet access via WireGuard for production developers.
- Provided multi-host connection parameters for Patroni and MongoDB Replica Sets in setup guide (08-prod-db-cluster-kurulum.md).
- Added environment comparison table to developer access guide.
Corrects six documentation files to match the actual deployed pipeline
behavior and align test/prod approaches where they share the same code.
prod-env/02-godaddy-credentials.md
- Step 1: correct secret file from .env.secrets.shared to .env.secrets.swag;
add clarifying note that .env.secrets.shared holds AppRole/DB secrets
and must not be used for GoDaddy credentials.
- Step 4: document that GoDaddy A records are now managed automatically
by the pipeline's 'Update DNS Records' step via the GoDaddy API;
reference the Gitea variable PROD_FLOATING_IP that must be set once.
prod-env/08-deploy-pipeline-update.md
- Add Step 2 documenting the new 'Update DNS Records' pipeline step
(GoDaddy API, idempotent check-before-update, requires jq and
vars.PROD_FLOATING_IP).
- Renumber subsequent steps 3-8 to accommodate the new step.
- Fix DB hostnames in Step 7 (Run Database Init Scripts) from
iklimco_postgresql/iklimco_mongodb to postgresql/mongodb, matching
how Swarm overlay DNS resolves service names inside iklimco-net.
- Update context block: correct DB hostname description, replace
outdated storagebox path note with env-var approach, list new steps.
- Update final step order to 24 steps including the DNS step and
Release Deploy Lock; mark Wait for etcd as NEW.
prod-env/09-verify.md
- Insert check #2 for the precipitation image directory
(/mnt/storagebox/precipitation/images) and iklimco_image-data volume
bind mount, mirroring the equivalent check in test-env/08-verify.md.
- Renumber all subsequent checks (3-12) to maintain sequential ordering.
test-env/03-infra-stack-changes.md
- Update SWAG service volume snippet: replace hardcoded paths
(swag-vl:/config, /opt/iklimco/swag/dns-conf, /opt/iklimco/swag/site-confs)
with env-var forms (${SWAG_CONFIG_DIR:-swag-vl}, ${SWAG_DNS_CONF_DIR:-...},
${SWAG_SITE_CONFS_DIR:-...}) to match docker-stack-infra.yml.
- Update cert-reloader volume snippet: replace swag-vl and /opt/iklimco/ssl
with ${SWAG_CONFIG_DIR:-swag-vl} and ${SWAG_CERT_DIR:-/opt/iklimco/ssl},
enabling StorageBox override in prod without changing the base file.
test-env/04-swag-nginx-configs.md
- Replace RESTRICTED_IP_1/RESTRICTED_IP_2 individual env vars with
RESTRICTED_IPS (comma-separated CIDR list) in the required-vars section,
matching env-test/.env and the actual pipeline.
- Update all three IP-restricted template examples (apigw, rabbitmq,
grafana) from allow ${RESTRICTED_IP_1}; allow ${RESTRICTED_IP_2}; to
${RESTRICTED_IPS_BLOCK}, matching the actual .conf.tpl files in the repo.
- Rewrite the deploy step section to match the real pipeline: docker run
alpine for file writing, RESTRICTED_IPS_BLOCK generation via sed, and
envsubst with explicit SWAG_VARS filter to protect nginx $upstream_* vars.
test-env/07-deploy-pipeline-update.md
- Step 2 (Prepare SWAG Directories): replace sudo-tee approach with the
actual docker-run-alpine method used in deploy-test.yml; add nginx
reload block; update notes to reflect RESTRICTED_IPS_BLOCK generation.
- Step 4 (Re-order): correct step numbering to match actual pipeline
(21 steps); mark 'Wait for etcd' as already present in pipeline rather
than a new addition; add Bootstrap Vault TLS Placeholder which was
missing from the documented order.
- Refactor production setup documentation to reflect a 3-node Vault Raft cluster starting from launch.
- Update all paths to use StorageBox mounts for shared state (SWAG config, TLS certs, Monitoring data).
- Switch Nginx configuration convention from proxy-confs to site-confs to align with SWAG's auto-include behavior.
- Standardize TLS private key extensions to .pem.
- Update node failover and recovery facts to include monitoring services.
- Align deployment pipeline instructions with the latest environment variable-driven approach.
Add the Ansible README and expand prod bootstrap coverage for StorageBox keys, DB labels, DB stack configuration, and act runner setup. Update MongoDB configuration for replica set support and refresh prod roadmap/setup documentation for Swarm labels, StorageBox-backed cert paths, and recovery guidance.
