# fleet/data — in-cluster data tier

PostgreSQL 16 (Authentik + OCIS), MongoDB 7 (portal/platform-api) and Redis 7 (cache/sessions) as single-node StatefulSets on **Longhorn** volumes (`storageClassName: longhorn` — see `../longhorn/`), in the `dezky-data` namespace. Mirrors the dev docker-compose stack. Self-hosted on the box — no external/managed DBs (EU-sovereign).

> Prereq: Longhorn must be installed and its `longhorn` StorageClass present
> before applying these (the PVCs request it). See `../longhorn/README.md`.

Stable in-cluster DNS:

- `postgres.dezky-data.svc.cluster.local:5432`
- `mongo.dezky-data.svc.cluster.local:27017`
- `redis.dezky-data.svc.cluster.local:6379`

## Apply

```bash
# 1) Secrets first (out-of-band — NOT in git). Generate values with openssl.
cp secrets.example.yaml /tmp/data-secrets.yaml
$EDITOR /tmp/data-secrets.yaml   # fill every REPLACE_* (openssl rand -hex 24)
kubectl create namespace dezky-data --dry-run=client -o yaml | kubectl apply -f -
kubectl apply -f /tmp/data-secrets.yaml && rm /tmp/data-secrets.yaml

# 2) The data tier
kubectl apply -k .

# 3) Watch them come up
kubectl -n dezky-data rollout status statefulset/postgres
kubectl -n dezky-data rollout status statefulset/mongo
kubectl -n dezky-data rollout status statefulset/redis
kubectl -n dezky-data get pods,pvc
```

## Notes

- **Postgres init runs once** (empty data dir): the `postgres-init` ConfigMap creates the `authentik` + `ocis` databases/roles using `AUTHENTIK_DB_PASSWORD` / `OCIS_DB_PASSWORD` from the secret. If you change those passwords later, alter the roles in SQL (`ALTER ROLE ... WITH PASSWORD ...`) — the init script won't re-run on an existing volume.
- Store all generated passwords in **Bitwarden**. `AUTHENTIK_DB_PASSWORD` / `OCIS_DB_PASSWORD` must match what you later give Authentik and OCIS.
- **Backups:** Longhorn snapshots these volumes and backs them up to Hetzner Object Storage (S3) — see `../longhorn/README.md`. Block snapshots of a live DB are crash-consistent at best, so also run `pg_dump`/`mongodump` CronJobs (added next) into a Longhorn PVC; restore from those logical dumps, not the raw data dirs.
- Single replica each — fine for one node. HA/replicas are a later concern.
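As an added example of the logical-dump CronJob described above (not a manifest from this repo), a nightly `pg_dump` of the `authentik` database into a Longhorn-backed PVC. Assumed names: the Secret is called `data-secrets`, the dump PVC `db-dumps` (a `longhorn` PVC you create alongside), and the schedule is arbitrary; the `ocis` database follows the same pattern with `OCIS_DB_PASSWORD`.

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: pg-dump
  namespace: dezky-data
spec:
  schedule: "15 2 * * *"          # nightly; pick a window away from Longhorn snapshots
  concurrencyPolicy: Forbid       # never two dumps writing the same PVC at once
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        spec:
          restartPolicy: OnFailure
          containers:
            - name: pg-dump
              image: postgres:16   # same major as the server so pg_dump matches
              env:
                - name: PGHOST
                  value: postgres.dezky-data.svc.cluster.local
                - name: PGUSER
                  value: authentik
                - name: PGPASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: data-secrets          # assumed Secret name
                      key: AUTHENTIK_DB_PASSWORD  # key from this repo's secret
              command: ["/bin/sh", "-c"]
              args:
                - |
                  set -eu
                  dir=/dumps/$(date +%F)
                  mkdir -p "$dir"
                  # custom format: compressed, restorable per object with pg_restore
                  pg_dump -Fc -d authentik -f "$dir/authentik.dump"
                  # prune dumps older than 14 days; restore a dump with
                  #   pg_restore -d authentik --clean --if-exists "$dir/authentik.dump"
                  find /dumps -mindepth 1 -maxdepth 1 -type d -mtime +14 -exec rm -rf {} +
              volumeMounts:
                - name: dumps
                  mountPath: /dumps
          volumes:
            - name: dumps
              persistentVolumeClaim:
                claimName: db-dumps   # assumed: Longhorn PVC created next to this CronJob
```

Because the dump PVC is itself on Longhorn, the existing S3 backup job covers the logical dumps too; the `find` prune keeps the volume from filling.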