iklim.co/Environment_Infrastructure
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Environment_Infrastructure/setup/04-test-db-docker-kurulum.md
Murat ÖZDEMİR 6f9d0d1588 feat(infra): Standardize StorageBox permissions and refactor DB stack name 
- Ensure consistent directory and file permissions on StorageBox mounts for improved container access across application and database services.
- Introduce application-specific `storagebox_uid`/`gid` variables for more granular ownership control.
- Enhance StorageBox mount reliability by adding systemd reload and remount handlers for configuration changes.
- Add root credentials to Patroni's etcd configuration for authenticated communication.
- Update all relevant documentation and deployment scripts to use the `iklimco` Docker stack name for database services.
- Re-encrypt production vault secrets to include the new etcd password.
2026-05-23 18:11:01 +03:00

91 lines
3.6 KiB
Markdown
Raw Blame History

# 04 - Test DB Docker Installation (Swarm Worker)
The purpose of this phase is to add the `iklim-db-01` node to Swarm as a worker and run PostgreSQL and MongoDB as Swarm services.
## Architecture Decision
The roadmap states that DBs will be installed "manually". In the test environment, this "manual" process will be implemented by starting the DBs as Docker containers on the **Swarm Worker**, instead of installing them directly on the operating system.
The installation has **two phases:**
1. **Preparation (Ansible):** The `test-db-post-stack.yml` playbook sets up DB directories, the `mongod.conf` configuration, and the WireGuard VPN service.
2. **Deploy (Gitea CI/CD):** The `deploy-test.yml` workflow deploys PostgreSQL and MongoDB services to Swarm through `docker-stack-infra.yml`.
**Why?**
1. **Ease of management:** Version transitions and configuration management are much faster with Docker.
2. **Overlay Network:** Application services (`iklim-app-01`) can access DBs through the `iklimco-net` overlay network in an encrypted and isolated way.
3. **Data persistence:** Data is stored in Docker named volumes on `iklim-db-01`. StorageBox is used only for backups.
## Prerequisites
- `03-test-ansible-bootstrap.md` must be completed on both nodes.
- Docker must be installed on `iklim-db-01`; the Bootstrap role does this.
- `vault_postgres_root_user`, `vault_postgres_password`, `vault_mongo_root_user`, and `vault_mongo_root_password` must be defined in the Ansible vault.
## 1. Firewall Update
Rules must be added to `terraform/hetzner/test/firewall.tf` so `iklim-db-01` can join Swarm and accept application traffic.
### Swarm Communication (App Subnet <-> DB Subnet)
For Swarm management, ports `2377/tcp`, `7946/tcp/udp`, and `4789/udp` must be open mutually between both subnets.
### DB Access (App Subnet -> DB Subnet)
- **PostgreSQL:** `5432/tcp`
- **MongoDB:** `27017/tcp`
After making the update:
```bash
cd terraform/hetzner/test
terraform apply
```
## 2. Vault Update
```bash
cd ansible/test
ansible-vault edit group_vars/all/vault.yml
```
Add these variables:
```yaml
vault_postgres_root_user: "postgres"
vault_postgres_password: "STRONG_PASSWORD"
vault_mongo_root_user: "mongoadmin"
vault_mongo_root_password: "STRONG_PASSWORD"
```
## 3. Installation with Ansible
```bash
cd ansible/test
ansible-playbook -i inventory/generated/test.yml test-db-post-stack.yml --ask-vault-pass
```
**What does the playbook do?**
On `iklim-db-01`, through the `db_stack` and `wireguard` roles:
- Creates the `/opt/iklimco/db/mongodb/config/` directory
- Places the `mongod.conf` file
- Installs and configures the WireGuard VPN server (`51820/udp`)
> Deploying DB services (PostgreSQL, MongoDB) to Swarm is the responsibility of the Gitea CI/CD workflow (`deploy-test.yml`), not Ansible. This workflow deploys all services at once through `docker-stack-infra.yml`.
## 4. Volume and Data Structure
DB data is stored in Docker named volumes on `iklim-db-01`:
| Volume | Content |
|---|---|
| `iklim-db_postgresql_data` | PostgreSQL data files |
| `iklim-db_mongodb_data` | MongoDB data files |
MongoDB logs are written to stdout and can be watched with `docker logs`. Configuration: `/opt/iklimco/db/mongodb/config/mongod.conf`
> StorageBox is **not used** for DB data. It only has a role in the backup strategy.
## 5. Acceptance Criteria
- `iklim-db-01` appears as Ready and Active in the `docker node ls` command.
- `docker stack services iklimco` shows both services with 1/1 replicas.
- Access from the application node is available through the `iklim-db_postgresql` and `iklim-db_mongodb` DNS names.
- Data is preserved from named volumes after reboot; verify with `docker volume ls`.
Reference in New Issue View Git Blame Copy Permalink