Reflects a clearer organization for SWAG configuration templates across all roadmap and setup documentation. This standardizes references to template files by explicitly including the `template/` subdirectory, improving clarity and distinction from generated configuration files.
Update Environment_Infrastructure to match the current root stack conventions for database images, shared secret names, and APISIX real IP handling.
- update test Ansible DB image defaults to PostGIS 18/PostGIS 3.6 and MongoDB 8.3.2
- align Patroni configuration with DATABASE_POSTGRES_* secret variable names
- document APISIX real IP template configuration and Harbor rebuild workflow
- replace the separate DB stack env file guidance with the shared .env.secrets.shared flow
- update production setup and roadmap snippets to use current PostGIS, MongoDB, and APISIX rebuild commands
Corrects six documentation files to match the actual deployed pipeline
behavior and align test/prod approaches where they share the same code.
prod-env/02-godaddy-credentials.md
- Step 1: correct secret file from .env.secrets.shared to .env.secrets.swag;
add clarifying note that .env.secrets.shared holds AppRole/DB secrets
and must not be used for GoDaddy credentials.
- Step 4: document that GoDaddy A records are now managed automatically
by the pipeline's 'Update DNS Records' step via the GoDaddy API;
reference the Gitea variable PROD_FLOATING_IP that must be set once.
prod-env/08-deploy-pipeline-update.md
- Add Step 2 documenting the new 'Update DNS Records' pipeline step
(GoDaddy API, idempotent check-before-update, requires jq and
vars.PROD_FLOATING_IP).
- Renumber subsequent steps 3-8 to accommodate the new step.
- Fix DB hostnames in Step 7 (Run Database Init Scripts) from
iklimco_postgresql/iklimco_mongodb to postgresql/mongodb, matching
how Swarm overlay DNS resolves service names inside iklimco-net.
- Update context block: correct DB hostname description, replace
outdated storagebox path note with env-var approach, list new steps.
- Update final step order to 24 steps including the DNS step and
Release Deploy Lock; mark Wait for etcd as NEW.
prod-env/09-verify.md
- Insert check #2 for the precipitation image directory
(/mnt/storagebox/precipitation/images) and iklimco_image-data volume
bind mount, mirroring the equivalent check in test-env/08-verify.md.
- Renumber all subsequent checks (3-12) to maintain sequential ordering.
test-env/03-infra-stack-changes.md
- Update SWAG service volume snippet: replace hardcoded paths
(swag-vl:/config, /opt/iklimco/swag/dns-conf, /opt/iklimco/swag/site-confs)
with env-var forms (${SWAG_CONFIG_DIR:-swag-vl}, ${SWAG_DNS_CONF_DIR:-...},
${SWAG_SITE_CONFS_DIR:-...}) to match docker-stack-infra.yml.
- Update cert-reloader volume snippet: replace swag-vl and /opt/iklimco/ssl
with ${SWAG_CONFIG_DIR:-swag-vl} and ${SWAG_CERT_DIR:-/opt/iklimco/ssl},
enabling StorageBox override in prod without changing the base file.
test-env/04-swag-nginx-configs.md
- Replace RESTRICTED_IP_1/RESTRICTED_IP_2 individual env vars with
RESTRICTED_IPS (comma-separated CIDR list) in the required-vars section,
matching env-test/.env and the actual pipeline.
- Update all three IP-restricted template examples (apigw, rabbitmq,
grafana) from allow ${RESTRICTED_IP_1}; allow ${RESTRICTED_IP_2}; to
${RESTRICTED_IPS_BLOCK}, matching the actual .conf.tpl files in the repo.
- Rewrite the deploy step section to match the real pipeline: docker run
alpine for file writing, RESTRICTED_IPS_BLOCK generation via sed, and
envsubst with explicit SWAG_VARS filter to protect nginx $upstream_* vars.
test-env/07-deploy-pipeline-update.md
- Step 2 (Prepare SWAG Directories): replace sudo-tee approach with the
actual docker-run-alpine method used in deploy-test.yml; add nginx
reload block; update notes to reflect RESTRICTED_IPS_BLOCK generation.
- Step 4 (Re-order): correct step numbering to match actual pipeline
(21 steps); mark 'Wait for etcd' as already present in pipeline rather
than a new addition; add Bootstrap Vault TLS Placeholder which was
missing from the documented order.
- Refactor production setup documentation to reflect a 3-node Vault Raft cluster starting from launch.
- Update all paths to use StorageBox mounts for shared state (SWAG config, TLS certs, Monitoring data).
- Switch Nginx configuration convention from proxy-confs to site-confs to align with SWAG's auto-include behavior.
- Standardize TLS private key extensions to .pem.
- Update node failover and recovery facts to include monitoring services.
- Align deployment pipeline instructions with the latest environment variable-driven approach.
- Add new Ansible role `wireguard` to set up WireGuard VPN server on
DB node with key generation, firewalld rules, and client peer config.
- Introduce `pg-proxy` and `mongo-proxy` socat containers in db_stack
to expose PostgreSQL (15432) and MongoDB (17017) on host ports,
restricted to WireGuard subnet via firewalld.
- Update test environment group_vars with WireGuard client entry for
`murat-inspiron-15-3525`.
- Modify act_runner config: set `docker_host` to unix socket, remove
explicit socket mount from options, and change runner label image to
`catthehacker/ubuntu:act-22.04`.
- Open UDP port 51820 in Hetzner firewall for WireGuard inbound.
- Adjust test-db-post-stack playbook to include wireguard role (tagged).
- Update roadmap document with APISIX init step order.
Migrates `act_runner` configuration from shell-generated to an Ansible-templated `config.yaml`. This enables:
- Dynamic label provisioning, including `test-runner:docker://ubuntu:22.04`.
- Explicit configuration for joining the `iklimco-net` overlay network.
- Docker socket mounting for CI/CD jobs to interact with the Docker daemon.
Updates `setup/05-test-runner-ve-deploy-onkosullari.md` and other related documentation to reflect the new automated and integrated runner setup.
- Database nodes now join the Docker Swarm as workers with `role=db` labels, allowing Swarm to manage their dedicated services.
- The `docker-stack-infra.yml` has been updated for production to focus solely on application-level infrastructure components.
- Dedicated database services (PostgreSQL, MongoDB, Patroni-etcd) are now explicitly deployed in separate Swarm stacks on `iklim-db-XX` nodes.
- Standardizes node naming conventions (`iklim-app-XX`, `iklim-db-XX`) across the production roadmap documentation.
- Clarifies that the `etcd` service within `docker-stack-infra.yml` is exclusively for APISIX configuration, distinct from Patroni's etcd cluster.
