Database Decommissioning Checlist
Purpose
This checklist is to ensure that all aspectssteps are taken to ensure that deleting a service database does not cause any disruption in other parts of a new service are provisioned properly, completely, and in the correct order to prevent potential failures elsewhere in the system.infrastructure.
Steps
- Determine any potential impact to any other services; see things to look out for below
IsAre any services dependent on thisservicedatabase,going to be running on app-01directly ora different host?indirectly?- Is
itthegoingdatabasetobackedutilizeup?SSO auth? - Is
it going to needthere adatabase?specificServiceborgfilesrepofolder in /mnt/data/services on app-01? Is it going to need any other secrets?Doesfor thisservice need to be monitored?Does this service's data need to be backed up?Exposed to the public internet?Send pings to HealthChecks?Utilizing a mailserver or ntfy to send notifications?database?
Determine the most feasible deployment methodDocker containernixOS module (preferred for reproducibility and programmatic configuration)
CheckEnsure onthis repology.orgdatabase's toentry verifyis ifdeleted for borgmatic, otherwise the nixOSauto modulebackup isservice upwill toerror date with upstream before choosing to use the nixOS moduleout
IfEnsure that theservicedatabase'susessecretsaaredatabasedeleted everywhereTypically,DeleteIdatabasecreatesecretsdatabasesfromwhoseBitwardennamesSecretsareManager after 1 year in thesameeventasthattheaccessserviceisnameneedede.g.again- Delete
forgejo,entries of the databasenamefromisanyforgejohost_vars Create and store database secrets under Bitwarden Secrets Manager, using the following naming convention:webservices.<service name>.db_passCreate a new branchfiles inProjects/ansiblestaging using the naming conventiondatabases.<service name>Add an entry under the appropriate database server'shost_varsfile. Run the appropriate playbook to auto-provision that databasere-provisioning
forIf this service needs a folder in the filesystem, create that respective folder under /mnt/data/services and create a symlink to it from /srv such that the symlink's location is /srv/<service name>If this service is being provisioned using DockerFollow Docker service provisioning procedure to create a docker-compose file and appropriate config and .env files
If this service is being provisioned using a nixOS moduleWrite wrapper module as neededAdd the database secrets to the SOPS config. This will be used for both database access and borgmatic backupsAdd a SOPS secrets config block to the host config running the service and pass to the module to prevent the secret being exposed in the store
If this service needs to send pings to HealthChecksCreate a ping in the HealthChecks serviceConfigure the service to contact the specific endpoint provisioned with the check
If this service needs to send notifications using ntfyCreate a channel if needed and set permissionsCreate a token with the appropriate permissions, save it to SOPS if neededConfigure the service with the token
If this service needs to send email notificationsConfigure the email server and run a test using the SMTP relay credentials
If this service has metrics that need to be scrapedSet a port that the grafana-alloy collector can pollAdd an alloy configuration under the service's module
If this service needs to be monitored for uptimeDetermine if this service has a specific health/up monitoring endpointAdd a check for uptime-kuma but do not engage yet
Test service on a separate testing VM if neededWhen the service is ready to deploy, push tostagingTest that the nixOS config builds and starts successfully, or the docker-compose project starts normallyEnable uptime-kuma service monitor