Shared PostgreSQL deployment for Makepad-fr applications.
This repository owns the shared PostgreSQL server. Application repositories connect either through the shared overlay network alias or through the configured DB VM host endpoint, depending on their deployment topology. Application repositories should not deploy PostgreSQL directly in canary or production.
compose.yml: base PostgreSQL service definitionenvs/canary/compose.yml: canary Swarm overridesenvs/canary/.env.db: canary PostgreSQL settingsenvs/production/compose.yml: production Swarm overridesenvs/production/.env.db: production PostgreSQL settingsbootstrap/keycloak-new-instances.sql: idempotent SQL bootstrap for the Vif, Makepad, and Vestiaire Keycloak databases
The database joins external overlay networks configured through Compose:
${MAKEPAD_POSTGRES_DB_NETWORK}${MAKEPAD_POSTGRES_LE_PETIT_COIN_DB_NETWORK}
Production also joins the VIF-specific external overlay network:
${MAKEPAD_POSTGRES_VIF_DB_NETWORK}
The manual deploy workflow sources these Compose variables from environment secrets with this mapping:
${MAKEPAD_POSTGRES_DB_NETWORK}<-DEPLOY_CATWLK_DB_NETWORK${MAKEPAD_POSTGRES_LE_PETIT_COIN_DB_NETWORK}<-DEPLOY_LE_PETIT_COIN_DB_NETWORK${MAKEPAD_POSTGRES_VIF_DB_NETWORK}<-DEPLOY_VIF_DB_NETWORKproduction only
Application network topology is owned by the consuming application repositories. New Keycloak instances keep their own DB-facing Docker networks in the Keycloak repository and connect to this PostgreSQL server through the configured DB endpoint.
When using this repository's overlay-network deployment model, application stacks attached to the shared database network should use the stable service alias makepad-postgres. Le Petit Coin stacks attach through their app-specific database network and should use makepad-postgres-le-petit-coin. The production VIF stack attaches through its production-only app-specific database network and should use makepad-postgres-vif. Canary does not attach the VIF network. The current production Keycloak deployment is separate from this stack and uses the DB VM host address instead; that host-based path depends on the standalone DB VM deployment exposing PostgreSQL on the VM host.
Pin the shared PostgreSQL server to the dedicated database node:
docker node update --label-add infra.makepad.postgres=true <db-node>Use the manual GitHub Actions workflow in this repository.
Required environment secrets:
DEPLOY_SSH_HOSTDEPLOY_SSH_PORTDEPLOY_SSH_USERDEPLOY_SSH_PRIVATE_KEYDEPLOY_REMOTE_DIRDEPLOY_STACK_NAMEDEPLOY_CATWLK_DB_NETWORKDEPLOY_LE_PETIT_COIN_DB_NETWORK
Production additionally requires:
DEPLOY_VIF_DB_NETWORKDEPLOY_VIF_DB_PASSWORD
Production can override the VIF database and role names with DEPLOY_VIF_DB_NAME and DEPLOY_VIF_DB_USER; both default to vif.
DEPLOY_SSH_USER must be a non-root deployment account with the Docker permissions needed to create overlay networks and deploy the stack. The workflow rejects DEPLOY_SSH_USER=root.
The workflow deploys only the PostgreSQL stack. If one of the configured database networks does not exist yet, it is created on the manager before deployment.
Create one database and one dedicated user per application.
Vif, Makepad, and Vestiaire use these databases and roles:
| Application | Database | Role |
|---|---|---|
| Vif | keycloak_vif |
keycloak_vif_app |
| Makepad | keycloak_makepad |
keycloak_makepad_app |
| Vestiaire | keycloak_vestiaire |
keycloak_vestiaire_app |
Run the idempotent bootstrap with generated passwords. POSTGRES_ADMIN_URL must be a PostgreSQL superuser connection URI for the target server, usually using the postgres role, because the bootstrap creates roles, sets passwords, creates databases, and assigns database ownership. For example: postgres://postgres@<db-vm-host>:5432/postgres?sslmode=disable.
: "${POSTGRES_ADMIN_URL:?set POSTGRES_ADMIN_URL to a PostgreSQL superuser connection URI}"
: "${KEYCLOAK_VIF_DB_PASSWORD:?set KEYCLOAK_VIF_DB_PASSWORD to a generated password}"
: "${KEYCLOAK_MAKEPAD_DB_PASSWORD:?set KEYCLOAK_MAKEPAD_DB_PASSWORD to a generated password}"
: "${KEYCLOAK_VESTIAIRE_DB_PASSWORD:?set KEYCLOAK_VESTIAIRE_DB_PASSWORD to a generated password}"
psql "$POSTGRES_ADMIN_URL" \
-v keycloak_vif_app_password="$KEYCLOAK_VIF_DB_PASSWORD" \
-v keycloak_makepad_app_password="$KEYCLOAK_MAKEPAD_DB_PASSWORD" \
-v keycloak_vestiaire_app_password="$KEYCLOAK_VESTIAIRE_DB_PASSWORD" \
-f bootstrap/keycloak-new-instances.sqlThe current production Keycloak environments connect with the DB VM host:
postgres://keycloak_vif_app:<secret>@<db-vm-host>:5432/keycloak_vif?sslmode=disable
postgres://keycloak_makepad_app:<secret>@<db-vm-host>:5432/keycloak_makepad?sslmode=disable
postgres://keycloak_vestiaire_app:<secret>@<db-vm-host>:5432/keycloak_vestiaire?sslmode=disable
Stacks deployed through this repository's shared overlay network should use the makepad-postgres alias instead:
postgres://keycloak_vif_app:<secret>@makepad-postgres:5432/keycloak_vif?sslmode=disable
postgres://keycloak_makepad_app:<secret>@makepad-postgres:5432/keycloak_makepad?sslmode=disable
postgres://keycloak_vestiaire_app:<secret>@makepad-postgres:5432/keycloak_vestiaire?sslmode=disable
Le Petit Coin uses the app-specific overlay alias:
postgres://le_petit_coin_canary_app:<secret>@makepad-postgres-le-petit-coin:5432/le_petit_coin_canary?sslmode=disable
postgres://le_petit_coin_app:<secret>@makepad-postgres-le-petit-coin:5432/le_petit_coin?sslmode=disable
The production VIF app uses its app-specific overlay alias and deploy-time provisioned database:
postgres://vif:<secret>@makepad-postgres-vif:5432/vif?sslmode=disable
If production overrides DEPLOY_VIF_DB_NAME or DEPLOY_VIF_DB_USER, use those values in the connection URI.
Run the local static checks before opening a deployment PR:
bash scripts/validate-postgres-config.sh