Merge pull request #42 from meaningfy-ws/feature/prepare-SRV-for-FAT-testing

feat(infra): add testing/SRV environment to unified ted-sws-stack

Author: schivmeister

.gitignore

@@ -129,3 +129,7 @@ src/infra/airflow/src
 src/infra/airflow/libraries
 !src/infra/ted-sws-stack/.env.local
 !src/infra/ted-sws-stack/.env.common
+
+# Airflow runtime directories (created manually on servers)
+/logs/
+/plugins/

Makefile

@@ -292,6 +292,22 @@ start-local-stack-nodata: init-libraries
 	@echo "$(BUILD_PRINT)Starting TED-SWS local stack (no persistent data) $(END_BUILD_PRINT)"
 	@docker compose -f $(STACK_PATH)/docker-compose.yml -f $(STACK_PATH)/docker-compose.local.yml -f $(STACK_PATH)/docker-compose.local-nodata.yml --env-file $(STACK_PATH)/.env.local up -d $(SERVICES)
 
+start-staging-stack:
+	@echo "$(BUILD_PRINT)Starting TED-SWS staging stack $(END_BUILD_PRINT)"
+	@docker compose -f $(STACK_PATH)/docker-compose.yml -f $(STACK_PATH)/docker-compose.staging.yml --env-file $(STACK_PATH)/.env.staging up -d $(SERVICES)
+
+stop-staging-stack:
+	@echo "$(BUILD_PRINT)Stopping TED-SWS staging stack $(END_BUILD_PRINT)"
+	@docker compose -f $(STACK_PATH)/docker-compose.yml -f $(STACK_PATH)/docker-compose.staging.yml --env-file $(STACK_PATH)/.env.staging down
+
+start-testing-stack:
+	@echo "$(BUILD_PRINT)Starting TED-SWS testing stack (SRV) $(END_BUILD_PRINT)"
+	@docker compose -f $(STACK_PATH)/docker-compose.yml -f $(STACK_PATH)/docker-compose.testing.yml --env-file $(STACK_PATH)/.env.testing up -d $(SERVICES)
+
+stop-testing-stack:
+	@echo "$(BUILD_PRINT)Stopping TED-SWS testing stack (SRV) $(END_BUILD_PRINT)"
+	@docker compose -f $(STACK_PATH)/docker-compose.yml -f $(STACK_PATH)/docker-compose.testing.yml --env-file $(STACK_PATH)/.env.testing down
+
 #-----------------------------------------------------------------------------
 # VAULT SERVICES
 #-----------------------------------------------------------------------------
@@ -330,6 +346,26 @@ staging-unified-dotenv: guard-VAULT_ADDR guard-VAULT_TOKEN vault-installed
 	    echo "AIRFLOW__CELERY__WORKER_CONCURRENCY=16"; \
 	  } > $(STACK_PATH)/.env.staging
 
+# Get secrets in dotenv format (unified stack - testing/SRV environment)
+testing-unified-dotenv: guard-VAULT_ADDR guard-VAULT_TOKEN vault-installed
+	@ echo -e "$(BUILD_PRINT)Creating unified stack .env.testing from Vault $(END_BUILD_PRINT)"
+	@ VAULT_JSON=$$(vault kv get -format="json" ted-staging/ted-sws-deployment-secrets) && \
+	  MONGO_PW=$$(echo "$$VAULT_JSON" | jq -r '.data.data.MONGO_ROOT_PASSWORD') && \
+	  MINIO_PW=$$(echo "$$VAULT_JSON" | jq -r '.data.data.MINIO_ROOT_PASSWORD') && \
+	  { \
+	    echo "$$VAULT_JSON" | jq -r ".data.data | keys[] as \$$k | \"\(\$$k)=\(.[\$$k])\""; \
+	    echo "MONGO_DB_AUTH_URL=mongodb://admin:$$MONGO_PW@mongodb:27017/"; \
+	    echo "S3_PUBLISH_PASSWORD=$$MINIO_PW"; \
+	    echo "ENVIRONMENT=testing"; \
+	    echo "SUBDOMAIN=tedsws-testing."; \
+	    echo "DOMAIN=meaningfy.ws"; \
+	    echo "AIRFLOW_INFRA_FOLDER=/home/lps/work/ted-rdf-conversion-pipeline"; \
+	    echo "AIRFLOW__CORE__PARALLELISM=32"; \
+	    echo "AIRFLOW__CORE__MAX_ACTIVE_TASKS_PER_DAG=16"; \
+	    echo "AIRFLOW__CORE__MAX_ACTIVE_RUNS_PER_DAG=16"; \
+	    echo "AIRFLOW__CELERY__WORKER_CONCURRENCY=16"; \
+	  } > $(STACK_PATH)/.env.testing
+
 # Get secrets in dotenv format (old - pulls everything from multiple Vault paths)
 staging-dotenv-file: guard-VAULT_ADDR guard-VAULT_TOKEN vault-installed
 	@ echo -e "$(BUILD_PRINT)Creating .env.staging file $(END_BUILD_PRINT)"

src/infra/ted-sws-stack/README.md

@@ -34,17 +34,19 @@ labels.
 ## Quick Start
 
 ```bash
-# Start all services
+# Local development
 make start-local-stack
-
-# Start specific services only
-make start-local-stack SERVICES="mongodb fuseki minio"
-
-# Stop the stack
+make start-local-stack SERVICES="mongodb fuseki minio"  # specific services only
 make stop-local-stack
+make cleanup-local-stack  # remove all data, volumes, images, build cache
 
-# Stop and remove all data, volumes, images, and build cache
-make cleanup-local-stack
+# Staging (Hetzner VM) -- requires Vault access
+make staging-unified-dotenv  # generate .env.staging from Vault (first time / secret rotation)
+make start-staging-stack
+
+# Testing (SRV) -- requires Vault access
+make testing-unified-dotenv  # generate .env.testing from Vault (first time / secret rotation)
+make start-testing-stack
 
 # View logs
 docker compose -p ted-sws-stack logs -f
@@ -57,10 +59,12 @@ docker compose -p ted-sws-stack logs -f
 | `docker-compose.yml` | Base config -- service structure, `${VAR}` for passwords |
 | `docker-compose.local.yml` | Local overrides -- build, volumes, ports, Traefik labels |
 | `docker-compose.staging.yml` | Staging overrides -- host paths, TLS, labels |
+| `docker-compose.testing.yml` | Testing/SRV overrides -- host paths under `/home/lps/` |
 | `docker-compose.local-nodata.yml` | Ephemeral mode -- no persistent volumes |
 | `.env.common` | Shared app configs -- hostnames, ports, tool paths (committed) |
 | `.env.local` | Local passwords and connection strings (committed, safe defaults) |
 | `.env.staging` | Staging passwords from Vault (generated by `make staging-unified-dotenv`) |
+| `.env.testing` | Testing/SRV passwords from Vault (generated by `make testing-unified-dotenv`) |
 | `airflow/Dockerfile` | Airflow image with celery provider |
 | `airflow/requirements.txt` | Python dependencies for Airflow |
 
@@ -77,16 +81,24 @@ env_file:
   - .env.local     # local passwords + connection strings
 ```
 
-**Staging:**
+**Staging (Hetzner VM):**
 
 ```yaml
 env_file:
   - .env.common    # same shared configs
   - .env.staging   # Vault passwords + staging-specific overrides
 ```
 
+**Testing (SRV):**
+
+```yaml
+env_file:
+  - .env.common    # same shared configs
+  - .env.testing   # Vault passwords + SRV-specific overrides (higher concurrency)
+```
+
 The `.env.common` file is shared across all environments. Only passwords and
-environment-specific values differ between `.env.local` and `.env.staging`.
+environment-specific values differ between `.env.local`, `.env.staging`, and `.env.testing`.
 
 No Vault access is needed for local development.
 

src/infra/ted-sws-stack/docker-compose.testing.yml

@@ -0,0 +1,175 @@
+# =============================================================================
+# TED-SWS Stack - Testing Environment (SRV)
+# Usage: docker compose -f docker-compose.yml -f docker-compose.testing.yml --env-file .env.testing up -d
+# =============================================================================
+
+x-airflow-build: &airflow-build
+  context: ./airflow
+  dockerfile: Dockerfile
+
+x-testing-volumes: &testing-volumes
+  - /home/lps/work/ted-rdf-conversion-pipeline/src:/opt/airflow/src
+  - /home/lps/work/ted-rdf-conversion-pipeline/test:/opt/airflow/test
+  - /home/lps/work/ted-rdf-conversion-pipeline/logs:/opt/airflow/logs
+  - /home/lps/work/ted-rdf-conversion-pipeline/plugins:/opt/airflow/plugins
+  - /home/lps/work/ted-rdf-conversion-pipeline/libraries/.rmlmapper:/home/airflow/.rmlmapper
+  - /home/lps/work/ted-rdf-conversion-pipeline/libraries/.saxon:/home/airflow/.saxon
+  - /home/lps/work/ted-rdf-conversion-pipeline/libraries/.limes:/home/airflow/.limes
+
+services:
+  traefik:
+    profiles:
+      - disabled
+    entrypoint: ["true"]
+
+  minio:
+    volumes:
+      - minio-data:/data
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy-net"
+      - "traefik.http.routers.testing-minio.entrypoints=web"
+      - "traefik.http.routers.testing-minio.rule=Host(`minio.${SUBDOMAIN}${DOMAIN}`)"
+      - "traefik.http.routers.testing-minio.middlewares=redirect@file"
+      - "traefik.http.routers.testing-minio-secured.entrypoints=web-secured"
+      - "traefik.http.routers.testing-minio-secured.rule=Host(`minio.${SUBDOMAIN}${DOMAIN}`)"
+      - "traefik.http.routers.testing-minio-secured.tls.certresolver=mytlschallenge"
+      - "traefik.http.services.testing-minio-secured.loadbalancer.server.port=9001"
+
+  mongodb:
+    volumes:
+      - mongodb-data:/data/db
+
+  mongo-express:
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy-net"
+      - "traefik.http.routers.testing-mongo-express.entrypoints=web"
+      - "traefik.http.routers.testing-mongo-express.rule=Host(`mongo.${SUBDOMAIN}${DOMAIN}`)"
+      - "traefik.http.routers.testing-mongo-express.middlewares=redirect@file"
+      - "traefik.http.routers.testing-mongo-express-secured.entrypoints=web-secured"
+      - "traefik.http.routers.testing-mongo-express-secured.rule=Host(`mongo.${SUBDOMAIN}${DOMAIN}`)"
+      - "traefik.http.routers.testing-mongo-express-secured.tls.certresolver=mytlschallenge"
+
+  fuseki:
+    volumes:
+      - fuseki-data:/fuseki-base/databases
+      - fuseki-config:/fuseki-base/configuration
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy-net"
+      - "traefik.http.routers.testing-fuseki.entrypoints=web"
+      - "traefik.http.routers.testing-fuseki.rule=Host(`fuseki.${SUBDOMAIN}${DOMAIN}`)"
+      - "traefik.http.routers.testing-fuseki.middlewares=redirect@file"
+      - "traefik.http.routers.testing-fuseki-secured.entrypoints=web-secured"
+      - "traefik.http.routers.testing-fuseki-secured.rule=Host(`fuseki.${SUBDOMAIN}${DOMAIN}`)"
+      - "traefik.http.routers.testing-fuseki-secured.tls.certresolver=mytlschallenge"
+      - "traefik.http.services.testing-fuseki-secured.loadbalancer.server.port=3030"
+
+  metabase-postgres:
+    image: postgres:14-alpine
+    container_name: metabase-postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: metabase
+      POSTGRES_USER: metabase
+      POSTGRES_PASSWORD: ${METABASE_POSTGRES_PASSWORD}
+    healthcheck:
+      test: ["CMD", "pg_isready", "-U", "metabase"]
+      interval: 5s
+      retries: 5
+    volumes:
+      - metabase-postgres-data:/var/lib/postgresql/data
+    networks:
+      - internal
+
+  metabase:
+    environment:
+      MB_DB_TYPE: postgres
+      MB_DB_DBNAME: metabase
+      MB_DB_PORT: 5432
+      MB_DB_USER: metabase
+      MB_DB_PASS: ${METABASE_POSTGRES_PASSWORD}
+      MB_DB_HOST: metabase-postgres
+    depends_on:
+      metabase-postgres:
+        condition: service_healthy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy-net"
+      - "traefik.http.routers.testing-metabase.entrypoints=web"
+      - "traefik.http.routers.testing-metabase.rule=Host(`metabase.${SUBDOMAIN}${DOMAIN}`)"
+      - "traefik.http.routers.testing-metabase.middlewares=redirect@file"
+      - "traefik.http.routers.testing-metabase-secured.entrypoints=web-secured"
+      - "traefik.http.routers.testing-metabase-secured.rule=Host(`metabase.${SUBDOMAIN}${DOMAIN}`)"
+      - "traefik.http.routers.testing-metabase-secured.tls.certresolver=mytlschallenge"
+      - "traefik.http.services.testing-metabase-secured.loadbalancer.server.port=3000"
+
+  sftp:
+    ports:
+      - "2235:22"
+    volumes:
+      - sftp-data:/home
+
+  airflow-postgres:
+    volumes:
+      - airflow-postgres-data:/var/lib/postgresql/data
+
+  airflow-init:
+    build: *airflow-build
+    volumes: *testing-volumes
+    env_file:
+      - .env.common
+      - .env.testing
+
+  airflow-webserver:
+    build: *airflow-build
+    volumes: *testing-volumes
+    env_file:
+      - .env.common
+      - .env.testing
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=proxy-net"
+      - "traefik.http.routers.testing-airflow.entrypoints=web"
+      - "traefik.http.routers.testing-airflow.rule=Host(`airflow.${SUBDOMAIN}${DOMAIN}`)"
+      - "traefik.http.routers.testing-airflow.middlewares=redirect@file"
+      - "traefik.http.routers.testing-airflow-secured.entrypoints=web-secured"
+      - "traefik.http.routers.testing-airflow-secured.rule=Host(`airflow.${SUBDOMAIN}${DOMAIN}`)"
+      - "traefik.http.routers.testing-airflow-secured.tls.certresolver=mytlschallenge"
+      - "traefik.http.services.testing-airflow-secured.loadbalancer.server.port=8080"
+
+  airflow-scheduler:
+    build: *airflow-build
+    volumes: *testing-volumes
+    env_file:
+      - .env.common
+      - .env.testing
+
+  airflow-worker:
+    build: *airflow-build
+    volumes: *testing-volumes
+    env_file:
+      - .env.common
+      - .env.testing
+
+  airflow-triggerer:
+    build: *airflow-build
+    volumes: *testing-volumes
+    env_file:
+      - .env.common
+      - .env.testing
+
+volumes:
+  minio-data:
+  mongodb-data:
+  fuseki-data:
+  fuseki-config:
+  sftp-data:
+  airflow-postgres-data:
+  metabase-postgres-data:
+
+networks:
+  proxy-net:
+    name: proxy-net
+    external: true