Add hetzner-floating-ip.service systemd unit to base role so that
the floating IP is bound to eth0 on every boot. The task is
conditional (runs only when hetzner_floating_ip is defined in
host_vars). Add 49.12.116.113 as the floating IP for iklim-app-01
in test host_vars.
The docker role only opened Swarm ports (2377, 7946, 4789).
HTTP and HTTPS were missing, making SWAG unreachable from outside.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add new Ansible role `wireguard` to set up WireGuard VPN server on
DB node with key generation, firewalld rules, and client peer config.
- Introduce `pg-proxy` and `mongo-proxy` socat containers in db_stack
to expose PostgreSQL (15432) and MongoDB (17017) on host ports,
restricted to WireGuard subnet via firewalld.
- Update test environment group_vars with WireGuard client entry for
`murat-inspiron-15-3525`.
- Modify act_runner config: set `docker_host` to unix socket, remove
explicit socket mount from options, and change runner label image to
`catthehacker/ubuntu:act-22.04`.
- Open UDP port 51820 in Hetzner firewall for WireGuard inbound.
- Adjust test-db-post-stack playbook to include wireguard role (tagged).
- Update roadmap document with APISIX init step order.
Migrates `act_runner` configuration from shell-generated to an Ansible-templated `config.yaml`. This enables:
- Dynamic label provisioning, including `test-runner:docker://ubuntu:22.04`.
- Explicit configuration for joining the `iklimco-net` overlay network.
- Docker socket mounting for CI/CD jobs to interact with the Docker daemon.
Updates `setup/05-test-runner-ve-deploy-onkosullari.md` and other related documentation to reflect the new automated and integrated runner setup.
* Introduces an Ansible role for installing and registering `act_runner` for Gitea Actions.
* Automates PostgreSQL and MongoDB deployment on Docker Swarm in the test environment, leveraging Docker named volumes for data persistence.
* Translates core documentation, including `README.md` and `setup/04-test-db-docker-kurulum.md`, to Turkish.
* Adds comprehensive documentation for firewall architecture (`facts/firewall.md`) and Docker Swarm node recovery (`facts/swarm-node-recovery.md`).
* Enhances security hardening by ensuring `fail2ban` is enabled and streamlining admin SSH key management via Ansible.
* Updates Ansible vault structure to support new secret variables and adds `.vault_pass` to `.gitignore`.
This commit introduces several core configurations and structural improvements:
* **User Management:** Creates a new `iklim` administrative user with a securely hashed password, enabled by `python3-passlib`.
* **System Configuration:** Sets the system keyboard layout to Turkish Q (`trq`).
* **Security Hardening:** Refines firewall rules for SSH using a rich rule and ensures `journald` log limits file creation.
* **Ansible Variable Management:** Restructures `group_vars` by consolidating global variables into `group_vars/all/vars.yml` and sensitive data into a dedicated `group_vars/all/vault.yml`.
* **Ansible Compatibility:** Adds `!unsafe` to a `docker info` shell command to prevent future warnings.
This commit introduces the foundational Ansible playbooks, roles, and configurations for automated provisioning of both production and test environments.
Key capabilities include:
- **Base System Setup:** Common packages, timezone, chrony, and hostname.
- **Security Hardening:** SELinux disable, SSH configuration, `dnf-automatic`, `fail2ban`, `firewalld` setup, and `journald` log limits.
- **Docker & Swarm:** Docker installation and configuration, Docker Swarm initialization/joining for managers and workers, overlay network creation, and node labeling.
- **Storage:** Hetzner StorageBox integration using `davfs2`.
- **Directory Structure:** Creation of application and database-specific directories.
This establishes a comprehensive, automated pipeline for infrastructure deployment and initial configuration.
Overhaul and expand firewall definitions for both `prod` and `test` environments to enable comprehensive inter-subnet communication.
This includes implementing explicit rules supporting:
- Docker Swarm overlay networks between application and database subnets.
- High-availability database clusters (PostgreSQL replication, MongoDB replica sets, Patroni, etcd).
- Internal access for various infrastructure services (Vault, Redis, RabbitMQ, APISIX, Prometheus, Grafana).
All firewall rule descriptions are standardized in English for improved clarity and consistency.
Additionally, update default `server_type_swarm` and `server_type_db` variables to the recommended `CPX` series for both environments. An initial generated Ansible inventory for the test environment is also added.
