iklim.co/Environment_Infrastructure
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Environment_Infrastructure/setup/05-prod-ansible-bootstrap.md
Murat ÖZDEMİR 720c79d460 Add Hetzner Cloud production infrastructure with multi-node support 
- This commit introduces the Terraform configuration to provision a production environment on Hetzner Cloud, building on the existing test setup.
- Key improvements and new features include:
* **Multi-node clusters:** Scaling to 3-node Swarm application and database clusters for improved resilience.
* **High availability:** Utilizing a Hetzner Floating IP for the application entry point and `spread` placement groups for fault tolerance across physical hosts.
* **Enhanced network security:** Internal management services (RabbitMQ, APISIX, Prometheus, Grafana) are restricted to the application subnet, expected to be accessed via an internal reverse proxy (SWAG).
* **Internal database replication:** New firewall rules enable PostgreSQL replication and MongoDB replica set traffic within the database subnet.
* **Refined test environment:** Updates to align `test` configuration with the new `prod` structure, including a dedicated floating IP and adjusted firewall rules.
* **Configuration standardization:** Environment-specific details moved to `locals.tf` for clarity, with upgraded server types and migration to Rocky Linux as the base image.
- Updates were also made to the latest version of Terraform to ensure consistency in the documentation
2026-05-10 15:43:22 +03:00

3.6 KiB
Raw Blame History

05 - Prod Ansible Bootstrap

Bu asamanin amaci Terraform ile olusturulan prod makinelerini Linux, security hardening, Docker ve Swarm acisindan hazir hale getirmektir. DB cluster yazilimi manuel kurulacaktir; bu playbook DB node'larinda sadece OS ve temel guvenlik hazirligini yapar.

Hedef Makineler

Host Rol
iklim-app-01 Swarm manager + app worker
iklim-app-02 Swarm manager + app worker
iklim-app-03 Swarm manager + app worker
iklim-db-01 Manuel DB cluster node
iklim-db-02 Manuel DB cluster node
iklim-db-03 Manuel DB cluster node

Onerilen Dosya Yapisi

ansible/
  ansible.cfg
  inventory/
    generated/
      prod.yml
  group_vars/
    all.yml
    prod.yml
  playbooks/
    prod-bootstrap.yml
  roles/
    base/
    hardening/
    docker/
    swarm/
    node_dirs/

Base Role

Tum prod node'larina uygulanir:

  • Paket cache update
  • Temel paketler:
    • curl
    • wget
    • git
    • jq
    • unzip
    • ca-certificates
    • gnupg
    • lsb-release
    • ufw
    • fail2ban
    • chrony
    • python3
    • python3-pip
  • timezone: Europe/Istanbul
  • hostname ayari
  • chrony/NTP aktif

Security Hardening Role

Tum prod node'larina uygulanir:

  • SSH password auth kapatilir.
  • Root SSH login kapatilir.
  • Sadece SSH key auth kalir.
  • PermitEmptyPasswords no
  • MaxAuthTries 3
  • fail2ban aktif edilir.
  • unattended-upgrades aktif edilir.
  • UFW default incoming deny, outgoing allow.
  • SSH sadece admin CIDR'dan acilir.
  • DB portlari public acilmaz.

Hetzner Cloud Firewall asil perimeter kabul edilir. UFW host uzerinde ikinci savunma katmanidir.

Docker Role

Sadece iklim-app-* node'larinda zorunludur.

Kurulacak paketler:

  • docker-ce
  • docker-ce-cli
  • containerd.io
  • docker-buildx-plugin
  • docker-compose-plugin

Kurulum resmi Docker apt repository uzerinden yapilacak. Convenience script kullanilmayacak.

DB node'larinda Docker zorunlu degildir. DB manuel kurulum stratejisi container tabanli olacaksa daha sonra ayri DB dokumaninda ele alinmalidir.

Swarm Role

Prod Swarm 3 manager ile kurulacak:

  1. iklim-app-01 uzerinde docker swarm init
  2. Advertise/data path addr: 10.20.10.11
  3. Manager join token alinir.
  4. iklim-app-02 ve iklim-app-03 manager olarak join olur.
  5. Overlay network olusturulur:
    • iklimco-net
    • driver: overlay
    • attachable: true
  6. Tum 3 node type=service label'i ile isaretlenir: 
    for node in iklim-app-01 iklim-app-02 iklim-app-03; do
  docker node update --label-add type=service "$node"
done
  7. Hicbir node drain edilmez. 3 node da AVAILABILITY=Active kalir; hem manager hem app worker olarak calisir.

DB node'lari (iklim-db-*) Swarm'a join ettirilmez. DB cluster ayri yonetilir.

Node Directory Role

Tum iklim-app-* node'larinda:

/opt/iklimco
/opt/iklimco/ssl
/opt/iklimco/init
/opt/iklimco/init/postgresql
/opt/iklimco/init/mongodb

DB node'larinda manuel DB kurulumu icin:

/opt/iklimco
/opt/iklimco/db
/opt/iklimco/backup

Kabul Kriterleri

  • ansible -i inventory/generated/prod.yml all -m ping basarili olur.
  • 3 Swarm node docker node ls icinde manager olarak gorunur; hepsi AVAILABILITY=Active.
  • Manager quorum saglanir (3 manager, 1 kayip tolere edilir).
  • iklimco-net overlay network vardir.
  • docker node inspect iklim-app-01 --format '{{.Spec.Labels}}' ciktisi map[type:service] icerir.
  • DB node'lari docker node ls ciktisinda gorunmez.
  • Public firewall sadece 22, 80, 443 ingress'e izin verir.
  • DB node'lari public DB portu acmaz.
  • DB yazilimi kurulumu bu playbook tarafindan yapilmaz.