Environment_Infrastructure/setup/04-test-db-docker-kurulum.md
Murat ÖZDEMİR 6f9d0d1588 feat(infra): Standardize StorageBox permissions and refactor DB stack name
- Ensure consistent directory and file permissions on StorageBox mounts for improved container access across application and database services.
- Introduce application-specific `storagebox_uid`/`gid` variables for more granular ownership control.
- Enhance StorageBox mount reliability by adding systemd reload and remount handlers for configuration changes.
- Add root credentials to Patroni's etcd configuration for authenticated communication.
- Update all relevant documentation and deployment scripts to use the `iklimco` Docker stack name for database services.
- Re-encrypt production vault secrets to include the new etcd password.
2026-05-23 18:11:01 +03:00


04 - Test DB Docker Installation (Swarm Worker)

The purpose of this phase is to add the iklim-db-01 node to Swarm as a worker and run PostgreSQL and MongoDB as Swarm services.

Architecture Decision

The roadmap states that DBs will be installed "manually". In the test environment, this "manual" process will be implemented by starting the DBs as Docker containers on the Swarm Worker, instead of installing them directly on the operating system.

The installation has two phases:

  1. Preparation (Ansible): The test-db-post-stack.yml playbook sets up DB directories, the mongod.conf configuration, and the WireGuard VPN service.
  2. Deploy (Gitea CI/CD): The deploy-test.yml workflow deploys PostgreSQL and MongoDB services to Swarm through docker-stack-infra.yml.

Why?

  1. Ease of management: Version transitions and configuration management are much faster with Docker.
  2. Overlay Network: Application services (iklim-app-01) can access DBs through the iklimco-net overlay network in an encrypted and isolated way.
  3. Data persistence: Data is stored in Docker named volumes on iklim-db-01. StorageBox is used only for backups.

Prerequisites

  • 03-test-ansible-bootstrap.md must be completed on both nodes.
  • Docker must be installed on iklim-db-01; the Bootstrap role does this.
  • vault_postgres_root_user, vault_postgres_password, vault_mongo_root_user, and vault_mongo_root_password must be defined in the Ansible vault.

1. Firewall Update

Rules must be added to terraform/hetzner/test/firewall.tf so iklim-db-01 can join Swarm and accept application traffic.

Swarm Communication (App Subnet <-> DB Subnet)

For Swarm management, ports 2377/tcp, 7946/tcp/udp, and 4789/udp must be open mutually between both subnets.

DB Access (App Subnet -> DB Subnet)

  • PostgreSQL: 5432/tcp
  • MongoDB: 27017/tcp

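The rule set the two subsections above describe, written as an added hcloud_firewall example for firewall.tf (this is not the project's own firewall.tf; the subnet CIDRs and the resource name are placeholders, and the app subnet's firewall needs the same Swarm rules so the ports are open in both directions):

```hcl
# Added example, not the project's firewall.tf. CIDRs below are placeholders.
locals {
  app_subnet = "10.0.1.0/24" # assumed subnet of iklim-app-01
  db_subnet  = "10.0.2.0/24" # assumed subnet of iklim-db-01
  both       = [local.app_subnet, local.db_subnet]

  # Swarm management traffic: open in both directions between the subnets.
  swarm_rules = [
    { port = "2377", protocol = "tcp", description = "Swarm cluster management" },
    { port = "7946", protocol = "tcp", description = "Swarm node discovery" },
    { port = "7946", protocol = "udp", description = "Swarm node discovery" },
    { port = "4789", protocol = "udp", description = "Overlay network (VXLAN)" },
  ]

  # DB access: only the application subnet may reach the DB ports.
  db_rules = [
    { port = "5432",  protocol = "tcp", description = "PostgreSQL from app subnet" },
    { port = "27017", protocol = "tcp", description = "MongoDB from app subnet" },
  ]
}

resource "hcloud_firewall" "db" {
  name = "iklim-db-test" # placeholder name

  dynamic "rule" {
    for_each = local.swarm_rules
    content {
      direction   = "in"
      protocol    = rule.value.protocol
      port        = rule.value.port
      source_ips  = local.both
      description = rule.value.description
    }
  }

  dynamic "rule" {
    for_each = local.db_rules
    content {
      direction   = "in"
      protocol    = rule.value.protocol
      port        = rule.value.port
      source_ips  = [local.app_subnet] # never the DB subnet or 0.0.0.0/0
      description = rule.value.description
    }
  }
}
```

Run `terraform plan` before `terraform apply` and confirm that 5432 and 27017 list only the app subnet as a source.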
After making the update:

cd terraform/hetzner/test
terraform apply

2. Vault Update

cd ansible/test
ansible-vault edit group_vars/all/vault.yml

Add these variables:

vault_postgres_root_user: "postgres"
vault_postgres_password: "STRONG_PASSWORD"
vault_mongo_root_user: "mongoadmin"
vault_mongo_root_password: "STRONG_PASSWORD"

3. Installation with Ansible

cd ansible/test
ansible-playbook -i inventory/generated/test.yml test-db-post-stack.yml --ask-vault-pass

What does the playbook do?

On iklim-db-01, through the db_stack and wireguard roles:

  • Creates the /opt/iklimco/db/mongodb/config/ directory
  • Places the mongod.conf file
  • Installs and configures the WireGuard VPN server (51820/udp)

Deploying DB services (PostgreSQL, MongoDB) to Swarm is the responsibility of the Gitea CI/CD workflow (deploy-test.yml), not Ansible. This workflow deploys all services at once through docker-stack-infra.yml.

4. Volume and Data Structure

DB data is stored in Docker named volumes on iklim-db-01:

Volume                      Content
iklim-db_postgresql_data    PostgreSQL data files
iklim-db_mongodb_data       MongoDB data files

MongoDB logs are written to stdout and can be watched with docker logs. The configuration file is /opt/iklimco/db/mongodb/config/mongod.conf.

StorageBox is not used for DB data. It only has a role in the backup strategy.

5. Acceptance Criteria

  • iklim-db-01 appears as Ready and Active in the output of docker node ls.
  • docker stack services iklimco shows both services with 1/1 replicas.
  • The application node can reach the DBs through the iklim-db_postgresql and iklim-db_mongodb DNS names.
  • Data in the named volumes survives a reboot; verify with docker volume ls.