Shared-Services Account¶
Central infrastructure shared across all CWIQ.IO environments — source control, secrets, identity, artifact storage, and observability.
Account Reference¶
| Attribute | Value |
|---|---|
| Account ID | 308188966547 |
| CLI Profile | --profile shared-services |
| Region | us-west-2 |
| VPC | cwiq-shared-vpc, 10.0.0.0/16 |
| Availability Zones | us-west-2a, us-west-2b |
| NAT Strategy | HA — 2 NAT Gateways (one per AZ) |
Services¶
GitLab CE (gitlab.shared.cwiq.io)¶
| Attribute | Value |
|---|---|
| Hostname | gitlab-shared-cwiq-io |
| Instance ID | i-01fc38bac84528873 |
| Instance Type | t3.xlarge (4 vCPU, 16 GB) |
| Subnet | 10.0.10.64/26 (iac-tools-1b) |
| Access | Public via AWS ALB (shared-gitlab-alb) |
| Container version | 18.9.0-ce.0 |
| Port | 80 (HTTP behind ALB; ALB terminates TLS) |
| Storage | 50 GB root, 250 GB /data (backed up daily), 100 GB /var/lib/containerd |
| S3 | cwiq-shared-gitlab-storage, cwiq-shared-gitlab-registry, cwiq-shared-gitlab-runner-cache |
| Docker network | cwiq-network |
**monitoring_whitelist**
GitLab only answers its health endpoints (/-/health, /-/readiness, /-/liveness) for source addresses in `gitlab_rails['monitoring_whitelist']`; the default is loopback only. The ALB's health-check probes originate from private addresses inside the VPC, so the whitelist must include 10.0.0.0/8 (a range that covers the 10.0.0.0/16 VPC). Without it the ALB target shows unhealthy even though GitLab itself is running.
Upgrade path history (required stops): 17.8 → 17.11 → 18.0 → 18.2 → 18.5 → 18.8 → 18.9
Container entrypoint: versions ≥17.11 use /assets/init-container (not /assets/wrapper).
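The whitelist rule above is easy to verify before touching the ALB. The following is an added example, not part of this page or of GitLab; it parses the `monitoring_whitelist` line out of a gitlab.rb text (the two fragments and the probe source addresses are constructed for illustration; real ALB node addresses vary within the ALB's subnets) and reports which probe sources GitLab would refuse and whether the VPC CIDR is covered at all.

```python
import ipaddress
import re

# Constructed gitlab.rb fragments (not the server's real config file).
# BEFORE is GitLab's default whitelist; AFTER adds the range this page requires.
GITLAB_RB_BEFORE = """
external_url 'https://gitlab.shared.cwiq.io'
gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '::1/128']
"""
GITLAB_RB_AFTER = """
external_url 'https://gitlab.shared.cwiq.io'
gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '::1/128', '10.0.0.0/8']
"""

# Constructed sample probe sources: ALB nodes get private addresses inside
# cwiq-shared-vpc (10.0.0.0/16), so health checks never arrive from loopback.
ALB_PROBE_SOURCES = ["10.0.10.70", "10.0.11.5"]
VPC_CIDR = "10.0.0.0/16"

_SETTING = re.compile(r"gitlab_rails\['monitoring_whitelist'\]\s*=\s*\[(.*?)\]")
_DEFAULT = ["127.0.0.0/8", "::1/128"]   # what GitLab uses when the key is absent


def parse_monitoring_whitelist(gitlab_rb: str) -> list:
    """Extract the whitelist CIDRs from gitlab.rb text; fall back to GitLab's default."""
    m = _SETTING.search(gitlab_rb)
    tokens = [t.strip().strip("'\"") for t in m.group(1).split(",")] if m else _DEFAULT
    return [ipaddress.ip_network(t, strict=False) for t in tokens if t]


def probe_allowed(src_ip: str, gitlab_rb: str) -> bool:
    """Would GitLab answer /-/readiness for a probe coming from src_ip?"""
    ip = ipaddress.ip_address(src_ip)
    # `in` returns False (rather than raising) across IPv4/IPv6, so mixing is safe.
    return any(ip in net for net in parse_monitoring_whitelist(gitlab_rb))


def rejected_probes(sources: list, gitlab_rb: str) -> list:
    """Probe sources GitLab would refuse; any non-empty result means the ALB target goes unhealthy."""
    return [s for s in sources if not probe_allowed(s, gitlab_rb)]


def covers_network(cidr: str, gitlab_rb: str) -> bool:
    """True if some whitelist entry contains the whole CIDR (e.g. the VPC range)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == w.version and net.subnet_of(w)
               for w in parse_monitoring_whitelist(gitlab_rb))


if __name__ == "__main__":
    print("before:", rejected_probes(ALB_PROBE_SOURCES, GITLAB_RB_BEFORE),
          "vpc covered:", covers_network(VPC_CIDR, GITLAB_RB_BEFORE))
    print("after: ", rejected_probes(ALB_PROBE_SOURCES, GITLAB_RB_AFTER),
          "vpc covered:", covers_network(VPC_CIDR, GITLAB_RB_AFTER))
```

Run it against the live gitlab.rb (for example `python3 check.py < /path/to/gitlab.rb`, reading stdin instead of the constants) before a reconfigure; if `covers_network` returns False for 10.0.0.0/16 the ALB target will flap regardless of how healthy the container is.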
Vault (vault.shared.cwiq.io)¶
| Attribute | Value |
|---|---|
| Stack | HashiCorp Vault (Docker), auto-unseal via AWS KMS |
| Access | Tailscale-only (vault-shared-cwiq-io) |
| Port | 8200 (HTTPS) |
| Container user | UID 100 |
| SSL | cert-server managed, privkey.pem owned by UID 100 |
Health check: `curl -sk https://vault.shared.cwiq.io/v1/sys/health` (the `-k` skips certificate verification, acceptable for a liveness probe from a trusted host but not for clients that read secrets; note Vault deliberately returns non-200 codes for standby and sealed states, so read the status code, not just "did curl succeed").
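Because `/v1/sys/health` encodes Vault's state in the HTTP status code (200 active, 429 standby, 472 DR secondary, 473 performance standby, 501 not initialized, 503 sealed), a naive "curl exits zero" check passes on a sealed Vault. The following is an added example, not part of this page or of Vault's tooling: it interprets the status code together with the JSON body flags, verifies TLS properly instead of using `-k`, and treats Vault's non-200 answers as data rather than errors. The CA bundle path is an assumption (the page does not state where the cert-server CA lives); with `ca_bundle=None` the system trust store is used.

```python
import json
import ssl
import urllib.request
from typing import Optional
from urllib.error import HTTPError

VAULT_URL = "https://vault.shared.cwiq.io"   # from this page; Tailscale-only

# Vault's documented default status codes for GET /v1/sys/health.
STATUS_MEANING = {
    200: "active",
    429: "standby",
    472: "dr-secondary",
    473: "performance-standby",
    501: "not-initialized",
    503: "sealed",
}


def interpret_health(status: int, body: bytes) -> dict:
    """Turn a raw sys/health response into a verdict.
    Prefers the JSON flags when present and falls back to the status code
    (a 501 from an uninitialized node may carry an empty body)."""
    try:
        data = json.loads(body or b"{}")
    except json.JSONDecodeError:
        data = {}
    state = STATUS_MEANING.get(status, f"unknown({status})")
    sealed = bool(data.get("sealed", status == 503))
    initialized = bool(data.get("initialized", status != 501))
    # "ok" means: unsealed, initialized, and in a state that can serve requests.
    ok = initialized and not sealed and status in (200, 429, 473)
    return {"state": state, "sealed": sealed, "initialized": initialized, "ok": ok}


def check_vault(url: str = VAULT_URL, ca_bundle: Optional[str] = None) -> dict:
    """Fetch sys/health with certificate verification. HTTPError is a normal
    outcome here (429/503 are deliberate), so it is turned into a verdict too.
    ca_bundle: path to the cert-server CA file (assumption, not given on the page)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(f"{url.rstrip('/')}/v1/sys/health")
    try:
        with urllib.request.urlopen(req, timeout=5, context=ctx) as resp:
            return interpret_health(resp.status, resp.read())
    except HTTPError as e:
        return interpret_health(e.code, e.read())


if __name__ == "__main__":
    verdict = check_vault()
    print(verdict)
    raise SystemExit(0 if verdict["ok"] else 1)
```

Wire the exit code into whatever calls it (Icinga check, cron): a sealed Vault after an instance reboot with auto-unseal misconfigured then shows up as a failure instead of a green curl.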
Nexus (nexus.shared.cwiq.io)¶
| Attribute | Value |
|---|---|
| Instance Type | t3.large |
| Access | Tailscale (humans) + VPC peering (EKS runner pods) |
| Docker push port | 8443 (HTTPS) |
| Docker pull port | 8444 (HTTPS, group repo with proxy cache) |
| Storage | /data for blob store (250 GB) |
Nexus serves Docker images, RPM packages, PyPI packages, and npm packages. See Nexus Overview.
Authentik SSO (sso.shared.cwiq.io)¶
| Attribute | Value |
|---|---|
| Version | 2025.10.3 |
| Architecture | HA — 2 instances behind NLB |
| IPs | 10.0.11.28 (us-west-2a), 10.0.11.226 (us-west-2b) |
| Instance Type | t3.medium each |
| Storage | PostgreSQL RDS (no Redis since v2025.10) |
**Token validity format**
`access_token_validity` is a CharField holding a key=value string (e.g., `"hours=24"`). Never assign a `datetime.timedelta()` object to it; doing so causes a login redirect loop. Modify the value through the Django ORM in `ak shell`.
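The safe way to change the field is to validate the string first and only then write it through the ORM. The following is an added example, not part of this page or of authentik: it parses the key=value form (authentik's documented format also allows several units separated by `;`, e.g. `hours=1;minutes=30`, which the parser accepts), refuses a `timedelta` object outright, and rejects absurd lifetimes. The ORM snippet in the trailing comment assumes an OAuth2 provider named `grafana`; that name is an assumption.

```python
import re
from datetime import timedelta

# Allowed unit names: exactly the keyword arguments datetime.timedelta accepts.
_UNITS = {"weeks", "days", "hours", "minutes", "seconds", "milliseconds", "microseconds"}
_PAIR = re.compile(r"^\s*([a-z]+)\s*=\s*(\d+(?:\.\d+)?)\s*$")


def parse_validity(value) -> timedelta:
    """Parse 'hours=24' (or 'hours=1;minutes=30') into a timedelta so the value
    can be sanity-checked. A timedelta object is refused: that is the foot-gun
    the admonition above describes."""
    if isinstance(value, timedelta):
        raise TypeError("access_token_validity takes a key=value string, not timedelta()")
    kwargs = {}
    for part in str(value).split(";"):
        if not part.strip():
            continue
        m = _PAIR.match(part)
        if not m or m.group(1) not in _UNITS:
            raise ValueError(f"malformed validity fragment {part!r}")
        kwargs[m.group(1)] = float(m.group(2))
    if not kwargs:
        raise ValueError("empty validity string")
    return timedelta(**kwargs)


def safe_validity(value: str, max_hours: float = 24 * 7) -> str:
    """Validate and trim the string before it goes into the ORM, and reject an
    access-token lifetime outside (0, max_hours]: a week-long access token is a
    quieter mistake than a redirect loop, but still one. max_hours is a policy
    choice assumed here, not something this page specifies."""
    td = parse_validity(value)
    if not timedelta(0) < td <= timedelta(hours=max_hours):
        raise ValueError(f"{value!r} is {td}; outside (0, {max_hours}h]")
    return str(value).strip()


# Inside `ak shell` (Django ORM). The provider name is an assumption:
#   from authentik.providers.oauth2.models import OAuth2Provider
#   p = OAuth2Provider.objects.get(name="grafana")
#   p.access_token_validity = safe_validity("hours=24")   # a string, never timedelta()
#   p.save()
```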
Ansible Server (ansible-shared-cwiq-io)¶
| Attribute | Value |
|---|---|
| SSH | ssh ansible@ansible-shared-cwiq-io |
| Playbook directory | /data/ansible/cwiq-ansible-playbooks/ (the only allowed directory) |
| Activate environment | ansible-helper (cd + venv + Vault auth) |
Ansible server must stay on main branch
The ansible server must always be on the main branch. Never git checkout a feature branch on the ansible server. Test on local workstation, merge to main, then git pull on the ansible server.
Observability Stack¶
| Service | Hostname | Tailscale | VPC IP | Port |
|---|---|---|---|---|
| Prometheus + AlertManager | prometheus-shared-cwiq-io | — | 10.0.15.9 | 9090 (query), 9009 (remote write), 9093 (alertmanager) |
| Loki | loki-shared-cwiq-io | — | 10.0.15.157 | 3100 |
| Grafana | grafana-shared-cwiq-io | — | 10.0.15.186 | 3000 |
All three are reachable over HTTPS through nginx on Tailscale. Cross-VPC access (e.g., from dev servers) uses the Tailscale MagicDNS hostnames in dash-separated form (e.g., grafana-shared-cwiq-io), not the dotted DNS names. See Tailscale MagicDNS.
SonarQube (sonarqube.shared.cwiq.io)¶
| Attribute | Value |
|---|---|
| Version | 26.3-community |
| Instance Type | t3.large |
| VPC IP | 10.0.10.8 |
| Stack | SonarQube + PostgreSQL 16 + Nginx (Docker Compose) |
| CI access | http://10.0.10.8:9000 (VPC private IP, EKS pods via peering) |
| Sysctl | vm.max_map_count=262144 required (Elasticsearch requirement) |
| Vault | secret/sonarqube/admin, secret/sonarqube/svc-orchestrator |
DefectDojo (defectdojo.shared.cwiq.io)¶
| Attribute | Value |
|---|---|
| Instance Type | t3.medium |
| VPC IP | 10.0.10.30 |
| Tailscale | 100.122.76.92 |
| Instance ID | i-093fd7defc7237d97 |
| Stack | Django + PostgreSQL 16 + Redis 7 + Celery + Nginx |
| CI/CD HTTP | http://defectdojo.shared.cwiq.io:8080 (private IP, via VPC peering) |
| Browser HTTPS | https://defectdojo.shared.cwiq.io (Tailscale) |
| Vault | secret/defectdojo/admin, secret/defectdojo/svc-orchestrator |
Icinga (icinga.shared.cwiq.io)¶
Icinga2 master node managing health checks across all servers; satellite nodes run in the dev environment. `check_by_ssh` runs as container UID 5665, so the SSH keys are mounted at /var/lib/icinga2/.ssh/ (not /var/lib/nagios/.ssh/) and must be readable by that UID.
Tailscale Subnet Router¶
EC2 t3.micro in subnet 10.0.12.0/26. Advertises 10.0.0.0/16 to the Tailscale mesh. SNAT mode: traffic from Tailscale clients reaches shared-services resources with a 10.0.12.x source address, so security-group rules for Tailscale-originated access should match 10.0.12.0/26 rather than the clients' Tailscale (100.x) addresses. Source/destination check is disabled on the instance, as required for it to forward traffic it did not originate.
Deployment Method¶
All shared-services configuration is managed by Ansible:

```bash
ssh ansible@ansible-shared-cwiq-io
ansible-helper   # activates venv + Vault credentials
git pull         # main branch only (see above)
ansible-playbook cwiq-orchestrator/playbooks/deploy-infrastructure.yml -v
```
CI/CD pipelines only deploy to DEV. All non-DEV environments (including shared-services) are managed exclusively through Ansible. See IaC Principles.
Related Pages¶
- Server Inventory — Full server list with IPs
- Dev Account — Application workloads
- ALB Patterns — GitLab ALB details
- Tailscale SSH Access — How to SSH to these servers