Environment_Infrastructure/setup/07-prod-ansible-bootstrap.md
Murat ÖZDEMİR b115a4cbdf Implement Hetzner sizing report recommendations and detailed DB setups
- Add `hetzner-sizing-report.md` defining data-driven server type recommendations for test and prod environments.
- Update Terraform configurations to align with the recommended `CPX` server types and refine firewall rules for Docker Swarm and database interactions.
- Introduce comprehensive documentation and stack files for:
    - Single-node PostgreSQL/MongoDB deployment on a test DB worker node.
    - High-availability 3-node MongoDB replica set and Patroni+etcd PostgreSQL cluster for production.
- Enhance Ansible bootstrap roles with SELinux disabling, fail2ban configuration, and StorageBox SSH key management for CI/CD.
- Reorganize and rename setup documentation files for improved structure and clarity.
2026-05-11 14:54:09 +03:00


# 05 - Prod Ansible Bootstrap
The goal of this stage is to get the prod machines created by Terraform ready in terms of Linux, security hardening, Docker and Swarm. The DB cluster software is installed manually; on the DB nodes this playbook only performs OS and basic security preparation.
## Target Machines
| Host | Role |
| --- | --- |
| `iklim-app-01` | Swarm manager + app worker |
| `iklim-app-02` | Swarm manager + app worker |
| `iklim-app-03` | Swarm manager + app worker |
| `iklim-db-01` | Manually managed DB cluster node |
| `iklim-db-02` | Manually managed DB cluster node |
| `iklim-db-03` | Manually managed DB cluster node |
## Recommended File Layout
```text
ansible/
  ansible.cfg
  inventory/
    generated/
      prod.yml
  group_vars/
    all.yml
    prod.yml
  playbooks/
    prod-bootstrap.yml
  roles/
    base/
    hardening/
    docker/
    swarm/
    node_dirs/
```
## Base Role
Applied to all prod nodes:
- Package cache update
- Basic packages (installed in this order):
  - `epel-release`: fail2ban and davfs2 come from this repo, so it is installed first
  - `curl`
  - `wget`
  - `git`
  - `jq`
  - `tar`
  - `unzip`
  - `bash-completion`
  - `gettext`: provides envsubst; needed by the CI/CD deploy pipelines
  - `tree`
  - `ca-certificates`
  - `fail2ban`
  - `firewalld`
  - `chrony`
  - `python3`
  - `python3-pip`
- Timezone: `Europe/Istanbul`
- Hostname setting
- chrony/NTP enabled
## Security Hardening Role
Applied to all prod nodes:
- SSH password authentication is disabled.
- Root SSH login is disabled.
- Only SSH key authentication remains.
- `PermitEmptyPasswords no`
- `MaxAuthTries 3`
- `fail2ban` is enabled.
- `unattended-upgrades` is enabled.
- UFW: default incoming deny, outgoing allow.
- SSH is opened only from the admin CIDR.
- DB ports are not opened publicly.
The Hetzner Cloud Firewall is treated as the primary perimeter. UFW is a second layer of defence on the host.
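As an added example (not the repository's own role), the hardening settings above expressed as one Ansible play. It assumes an inventory group `prod`, a group_vars variable `admin_cidr` (constructed value such as `203.0.113.0/24`), the `community.general` collection for the UFW module, and a service named `sshd`.

```yaml
- name: Prod security hardening
  hosts: prod
  become: true
  vars:
    sshd_settings:                  # values from the hardening role spec
      PasswordAuthentication: "no"
      PubkeyAuthentication: "yes"
      PermitRootLogin: "no"
      PermitEmptyPasswords: "no"
      MaxAuthTries: "3"
  tasks:
    - name: Enforce sshd settings in the main sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*{{ item.key }}\b'
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s   # reject a config sshd would not load
      loop: "{{ sshd_settings | dict2items }}"
      notify: Restart sshd

    # sshd keeps the first value it reads, and Include'd drop-ins are read
    # before the main body, so a vendor drop-in can silently re-enable
    # password auth. Pin the same values in a lexically-first drop-in too.
    - name: Check for the sshd drop-in directory
      ansible.builtin.stat:
        path: /etc/ssh/sshd_config.d
      register: sshd_d
    - name: Pin hardened values in 00-hardening.conf
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/00-hardening.conf
        mode: "0600"
        content: |
          {% for k, v in sshd_settings.items() %}
          {{ k }} {{ v }}
          {% endfor %}
      when: sshd_d.stat.isdir | default(false)
      notify: Restart sshd
    - name: Enable fail2ban
      ansible.builtin.service: { name: fail2ban, state: started, enabled: true }
    - name: UFW defaults (deny incoming, allow outgoing)
      community.general.ufw: { direction: "{{ item.direction }}", policy: "{{ item.policy }}" }
      loop: [{ direction: incoming, policy: deny }, { direction: outgoing, policy: allow }]
    - name: Allow SSH only from the admin CIDR (admin_cidr is an assumed group var)
      community.general.ufw: { rule: allow, port: "22", proto: tcp, src: "{{ admin_cidr }}" }
    - name: Enable UFW
      community.general.ufw: { state: enabled }
  handlers:
    - name: Restart sshd
      ansible.builtin.service: { name: sshd, state: restarted }
```

Docker inserts its own iptables rules for published ports and those are not filtered by UFW, so on the app nodes the Hetzner Cloud Firewall is the effective control for Swarm-published ports.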
## Docker Role
Required only on the `iklim-app-*` nodes.
Packages to install:
- `docker-ce`
- `docker-ce-cli`
- `containerd.io`
- `docker-buildx-plugin`
- `docker-compose-plugin`
Installation is done from the official Docker apt repository. The convenience script is not used.
Docker is not required on the DB nodes. If the manual DB installation strategy turns out to be container-based, that is to be covered later in a separate DB document.
## Swarm Role
The prod Swarm is set up with 3 managers:
1. `docker swarm init` on `iklim-app-01`
2. Advertise/data path address: `10.20.10.11`
3. Obtain the manager join token.
4. `iklim-app-02` and `iklim-app-03` join as managers.
5. Create the overlay network:
   - `iklimco-net`
   - driver: `overlay`
   - attachable: `true`
6. Label all 3 nodes with `type=service`:
```bash
for node in iklim-app-01 iklim-app-02 iklim-app-03; do
docker node update --label-add type=service "$node"
done
```
7. No node is drained. All 3 nodes stay `AVAILABILITY=Active` and act as both manager and app worker.
> The DB nodes (`iklim-db-*`) are not joined to the Swarm. The DB cluster is managed separately.
## Node Directory Role
On all `iklim-app-*` nodes:
```text
/opt/iklimco
/opt/iklimco/ssl
/opt/iklimco/init
/opt/iklimco/init/postgresql
/opt/iklimco/init/mongodb
```
On the DB nodes, for the manual DB installation:
```text
/opt/iklimco
/opt/iklimco/db
/opt/iklimco/backup
```
## Acceptance Criteria
- `ansible -i inventory/generated/prod.yml all -m ping` succeeds.
- The 3 Swarm nodes appear as managers in `docker node ls`; all are `AVAILABILITY=Active`.
- Manager quorum is maintained (3 managers, the loss of 1 is tolerated).
- The `iklimco-net` overlay network exists.
- The output of `docker node inspect iklim-app-01 --format '{{.Spec.Labels}}'` contains `map[type:service]`.
- The DB nodes do not appear in the `docker node ls` output.
- The public firewall allows ingress only on `22`, `80` and `443`.
- The DB nodes do not expose a public DB port.
- The DB software installation is not performed by this playbook.