Scaffold core Swarm stacks: Traefik v3, PostgreSQL primary, MariaDB 10.11 primary, Redis master, Mosquitto, Netdata; add secrets/env inventory and DB replication guidance to migration TODO

stacks/core/mosquitto.yml

@@ -0,0 +1,32 @@
+version: '3.9'
+
+services:
+  mosquitto:
+    image: eclipse-mosquitto:2
+    volumes:
+      - mosquitto_conf:/mosquitto/config
+      - mosquitto_data:/mosquitto/data
+      - mosquitto_log:/mosquitto/log
+    networks:
+      - traefik-public
+    ports:
+      - target: 1883
+        published: 1883
+        mode: host
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - "node.labels.role==core"
+
+volumes:
+  mosquitto_conf:
+    driver: local
+  mosquitto_data:
+    driver: local
+  mosquitto_log:
+    driver: local
+
+networks:
+  traefik-public:
+    external: true

stacks/core/traefik.yml

@@ -0,0 +1,49 @@
+version: '3.9'
+
+services:
+  traefik:
+    image: traefik:v3.0
+    command:
+      - --providers.docker.swarmMode=true
+      - --providers.docker.exposedbydefault=false
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      - --api.dashboard=false
+      - --serversTransport.insecureSkipVerify=false
+      - --entrypoints.web.http.redirections.entryPoint.to=websecure
+      - --entrypoints.web.http.redirections.entryPoint.scheme=https
+      # ACME config: edit or mount DNS challenge as needed
+      # - --certificatesresolvers.le.acme.tlschallenge=true
+      # - --certificatesresolvers.le.acme.email=you@example.com
+      # - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
+    ports:
+      - target: 80
+        published: 80
+        mode: host
+      - target: 443
+        published: 443
+        mode: host
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - traefik_letsencrypt:/letsencrypt
+      - /home/jonathan/Coding/HomeAudit/migration_scripts/configs/traefik/dynamic:/dynamic:ro
+    networks:
+      - traefik-public
+    deploy:
+      placement:
+        constraints:
+          - node.role == manager
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.traefik-rtr.rule=Host(`traefik.localhost`)
+        - traefik.http.routers.traefik-rtr.entrypoints=websecure
+        - traefik.http.routers.traefik-rtr.tls=true
+        - traefik.http.services.traefik-svc.loadbalancer.server.port=8080
+
+volumes:
+  traefik_letsencrypt:
+    driver: local
+
+networks:
+  traefik-public:
+    external: true

stacks/databases/mariadb-primary.yml

@@ -0,0 +1,31 @@
+version: '3.9'
+
+services:
+  mariadb_primary:
+    image: mariadb:10.11
+    environment:
+      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/mariadb_root_password
+    secrets:
+      - mariadb_root_password
+    command: ["--log-bin=mysql-bin", "--server-id=1"]
+    volumes:
+      - mariadb_data:/var/lib/mysql
+    networks:
+      - database-network
+    deploy:
+      placement:
+        constraints:
+          - "node.labels.role==db"
+      replicas: 1
+
+volumes:
+  mariadb_data:
+    driver: local
+
+secrets:
+  mariadb_root_password:
+    external: true
+
+networks:
+  database-network:
+    external: true

stacks/databases/postgresql-primary.yml

@@ -0,0 +1,30 @@
+version: '3.9'
+
+services:
+  postgresql_primary:
+    image: postgres:16
+    environment:
+      POSTGRES_PASSWORD_FILE: /run/secrets/pg_root_password
+    secrets:
+      - pg_root_password
+    volumes:
+      - pg_data:/var/lib/postgresql/data
+    networks:
+      - database-network
+    deploy:
+      placement:
+        constraints:
+          - "node.labels.role==db"
+      replicas: 1
+
+volumes:
+  pg_data:
+    driver: local
+
+secrets:
+  pg_root_password:
+    external: true
+
+networks:
+  database-network:
+    external: true

stacks/databases/redis-cluster.yml

@@ -0,0 +1,23 @@
+version: '3.9'
+
+services:
+  redis_master:
+    image: redis:7-alpine
+    command: ["redis-server", "--appendonly", "yes"]
+    volumes:
+      - redis_data:/data
+    networks:
+      - database-network
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - "node.labels.role==db"
+
+volumes:
+  redis_data:
+    driver: local
+
+networks:
+  database-network:
+    external: true

stacks/monitoring/netdata.yml

@@ -0,0 +1,44 @@
+version: '3.9'
+
+services:
+  netdata:
+    image: netdata/netdata:stable
+    cap_add:
+      - SYS_PTRACE
+    security_opt:
+      - apparmor:unconfined
+    ports:
+      - target: 19999
+        published: 19999
+        mode: host
+    volumes:
+      - netdata_config:/etc/netdata
+      - netdata_lib:/var/lib/netdata
+      - netdata_cache:/var/cache/netdata
+      - /etc/passwd:/host/etc/passwd:ro
+      - /etc/group:/host/etc/group:ro
+      - /proc:/host/proc:ro
+      - /sys:/host/sys:ro
+    environment:
+      - NETDATA_CLAIM_TOKEN=
+    networks:
+      - monitoring-network
+    deploy:
+      placement:
+        constraints:
+          - node.role == manager
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.netdata.rule=Host(`netdata.localhost`)
+        - traefik.http.routers.netdata.entrypoints=websecure
+        - traefik.http.routers.netdata.tls=true
+        - traefik.http.services.netdata.loadbalancer.server.port=19999
+
+volumes:
+  netdata_config: { driver: local }
+  netdata_lib: { driver: local }
+  netdata_cache: { driver: local }
+
+networks:
+  monitoring-network:
+    external: true