- Anglicized setup and facts markdown file names for better consistency.
- Updated 01-swarm-init-multinode.md to highlight Ansible automation of Swarm initialization and labeling.
- Overhauled 03-infra-stack-changes.md to describe the single monolithic file strategy and reflect current Redis, RabbitMQ, and etcd cluster configurations.
- Fixed minor overrides and typos in Patroni templates and Ansible bootstrap documents.
- Restructured README and roadmap mapping to align with the renamed setup documents.
# 04 - Test DB Docker Setup (Swarm Worker)

The purpose of this phase is to add the `iklim-db-01` node to Swarm as a worker and prepare the host for the PostgreSQL and MongoDB Swarm services.
## Architecture Decision

The roadmap states that DBs will be installed "manually". In the test environment, this "manual" process is implemented by starting the DBs as Docker containers on the Swarm worker, instead of installing them directly on the operating system.

The installation has two phases:

- **Preparation (Ansible):** The `test-db-post-stack.yml` playbook sets up the DB directories, the `mongod.conf` configuration, and the WireGuard VPN service.
- **Deploy (Gitea CI/CD):** The test deploy workflow deploys the PostgreSQL and MongoDB services as part of the environment stack.
### Why?

- **Ease of management:** Version transitions and configuration management are much faster with Docker.
- **Overlay network:** Application services (`iklim-app-01`) can reach the DBs through the `iklimco-net` overlay network in an encrypted and isolated way.
- **Data persistence:** Runtime data is kept on the DB node. StorageBox is used for shared configuration, operational files, and backup-related paths, not as the primary DB data path.
## Prerequisites

- `03-test-ansible-bootstrap.md` must be completed on both nodes.
- Docker must be installed on `iklim-db-01`; the Bootstrap role does this.
- `vault_postgres_root_user`, `vault_postgres_password`, `vault_mongo_root_user`, and `vault_mongo_root_password` must be defined in the Ansible vault.
## 1. Firewall Update

Rules must be added to `terraform/hetzner/test/firewall.tf` so that `iklim-db-01` can join Swarm and accept application traffic.

### Swarm Communication (App Subnet <-> DB Subnet)

For Swarm management, ports `2377/tcp`, `7946/tcp/udp`, and `4789/udp` must be open mutually between both subnets.

### DB Access (App Subnet -> DB Subnet)

- PostgreSQL: `5432/tcp`
- MongoDB: `27017/tcp`

After making the update:

```bash
cd terraform/hetzner/test
terraform apply
```
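The rule set this step describes, written out as an added example (not the project's own `firewall.tf`): Hetzner `hcloud_firewall` rules that open the Swarm ports mutually between the two subnets and the DB ports only from the app subnet. The CIDRs, variable names, firewall name and label selector are placeholders, not values from this repository.

```hcl
# Added example (not the project's firewall.tf); CIDRs, names and selector are placeholders.
variable "app_subnet_cidr" { default = "10.0.1.0/24" } # placeholder: app subnet
variable "db_subnet_cidr" { default = "10.0.2.0/24" }  # placeholder: DB subnet

locals {
  swarm_tcp_ports = ["2377", "7946"]  # cluster management, node gossip
  swarm_udp_ports = ["7946", "4789"]  # node gossip, VXLAN overlay data plane
  db_tcp_ports    = ["5432", "27017"] # PostgreSQL, MongoDB
}

resource "hcloud_firewall" "iklim_db" {
  name = "iklim-db-01-fw" # placeholder

  # Swarm control and data plane: mutual between both subnets.
  dynamic "rule" {
    for_each = local.swarm_tcp_ports
    content {
      direction  = "in"
      protocol   = "tcp"
      port       = rule.value
      source_ips = [var.app_subnet_cidr, var.db_subnet_cidr]
    }
  }
  dynamic "rule" {
    for_each = local.swarm_udp_ports
    content {
      direction  = "in"
      protocol   = "udp"
      port       = rule.value
      source_ips = [var.app_subnet_cidr, var.db_subnet_cidr]
    }
  }

  # DB ports: inbound only from the app subnet, never from 0.0.0.0/0.
  dynamic "rule" {
    for_each = local.db_tcp_ports
    content {
      direction  = "in"
      protocol   = "tcp"
      port       = rule.value
      source_ips = [var.app_subnet_cidr]
    }
  }

  # Attach by label rather than by server id (placeholder selector).
  apply_to {
    label_selector = "role=db"
  }
}
```

Hetzner Cloud Firewalls filter only the public interface; traffic inside a Hetzner private network is not filtered by them. If the two subnets are private-network subnets, the same source restriction must also be enforced on the host (for example with nftables) for it to take effect.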
## 2. Vault Update

```bash
cd ansible/test
ansible-vault edit group_vars/all/vault.yml
```

Add these variables:

```yaml
vault_postgres_root_user: "postgres"
vault_postgres_password: "STRONG_PASSWORD"
vault_mongo_root_user: "mongoadmin"
vault_mongo_root_password: "STRONG_PASSWORD"
```
## 3. Installation with Ansible

```bash
cd ansible/test
ansible-playbook -i inventory/generated/test.yml test-db-post-stack.yml --ask-vault-pass
```
### What does the playbook do?

On `iklim-db-01`, through the `db_stack` and `wireguard` roles, it:

- Creates the `/opt/iklimco/db/mongodb/config/` directory
- Places the `mongod.conf` file
- Installs and configures the WireGuard VPN server (`51820/udp`)

Deploying the DB services (PostgreSQL, MongoDB) to Swarm is the responsibility of the Gitea CI/CD workflow, not Ansible. The Ansible playbook only prepares the host directories, the configuration, and WireGuard.
## 4. Volume and Data Structure

DB data is stored on `iklim-db-01` through the stack's configured volume or bind-mount layout. The Ansible `db_stack` role prepares the MongoDB configuration at:

```
/opt/iklimco/db/mongodb/config/mongod.conf
```

MongoDB logs are written to stdout and can be followed with `docker logs`.
## 5. Acceptance Criteria

- `iklim-db-01` appears as Ready and Active in the output of the `docker node ls` command.
- `docker stack services iklimco` shows both services with 1/1 replicas.
- Access from the application node is available through the `iklim-db_postgresql` and `iklim-db_mongodb` DNS names.
- Data is preserved after a reboot according to the stack's configured DB volume/bind-mount layout.