From 7b5dc0692c520a5c657c0a41375bc5805607ecb1 Mon Sep 17 00:00:00 2001
From: frrist <forrest@storacha.network>
Date: Tue, 17 Mar 2026 15:41:40 -0700
Subject: [PATCH] feat: support deployments with postgres or minio

---
 .../deployment-types/multi-instance/main.tf   | 14 ++-
 .../multi-instance/tofu.tfvars.template       | 85 ++++++++++++++++++-
 .../multi-instance/variables.tf               | 69 +++++++++++++++
 .../deployment-types/single-instance/main.tf  | 12 ++-
 .../single-instance/tofu.tfvars.template      | 59 +++++++++++++
 .../single-instance/variables.tf              | 64 ++++++++++++++
 .../files/docker-compose.yml.tpl              | 42 +++++++++
 .../piri-instance/files/piri.service.tpl      | 21 ++++-
 .../full-node/modules/piri-instance/main.tf   | 51 +++++++++--
 .../piri-instance/scripts/user-data.sh.tpl    | 52 ++++++++++++
 .../modules/piri-instance/variables.tf        | 64 ++++++++++++++
 11 files changed, 518 insertions(+), 15 deletions(-)
 create mode 100644 deploy/full-node/modules/piri-instance/files/docker-compose.yml.tpl

diff --git a/deploy/full-node/deployment-types/multi-instance/main.tf b/deploy/full-node/deployment-types/multi-instance/main.tf
index f30eef8d..11295ed6 100644
--- a/deploy/full-node/deployment-types/multi-instance/main.tf
+++ b/deploy/full-node/deployment-types/multi-instance/main.tf
@@ -30,7 +30,7 @@ data "aws_route53_zone" "primary" {
 
 module "piri_instances" {
   source = "../../modules/piri-instance"
-  
+
   for_each = var.instances
 
   name                      = each.key
@@ -46,7 +46,7 @@ module "piri_instances" {
   protect_volume            = var.environment == "production" || var.environment == "prod" || var.environment == "forge-prod"
   domain_name               = "${var.environment}.${each.value.subdomain}.${var.root_domain}"
   route53_zone_id           = data.aws_route53_zone.primary.zone_id
-  
+
   install_method          = coalesce(lookup(each.value, "install_method", null), var.default_install_method)
   install_source          = coalesce(lookup(each.value, "install_source", null), var.default_install_source)
   network                 = var.network
@@ -57,6 +57,16 @@ module "piri_instances" {
   operator_email          = each.value.operator_email
   use_letsencrypt_staging = var.environment != "production" && var.environment != "prod" && var.environment != "forge-prod"
 
+  # Backend configuration (instance can override defaults)
+  storage_backend     = coalesce(lookup(each.value, "storage_backend", null), var.default_storage_backend)
+  database_backend    = coalesce(lookup(each.value, "database_backend", null), var.default_database_backend)
+  minio_root_user     = var.minio_root_user
+  minio_root_password = coalesce(lookup(each.value, "minio_root_password", null), var.minio_root_password)
+  minio_bucket_prefix = var.minio_bucket_prefix
+  postgres_user       = var.postgres_user
+  postgres_password   = coalesce(lookup(each.value, "postgres_password", null), var.postgres_password)
+  postgres_database   = var.postgres_database
+
   tags = {
     Owner = var.owner
     Team  = var.team
diff --git a/deploy/full-node/deployment-types/multi-instance/tofu.tfvars.template b/deploy/full-node/deployment-types/multi-instance/tofu.tfvars.template
index ea6a5128..1e044508 100644
--- a/deploy/full-node/deployment-types/multi-instance/tofu.tfvars.template
+++ b/deploy/full-node/deployment-types/multi-instance/tofu.tfvars.template
@@ -148,6 +148,48 @@ network = "warm-staging"
 # Default: "v0.0.12" - uncomment to override
 # default_install_source = "v0.0.12"
 
+# ===========================================================================
+# STORAGE BACKEND CONFIGURATION (DEFAULTS)
+# ===========================================================================
+# By default, Piri uses filesystem storage and SQLite database.
+# For native deployments, you can configure MinIO and/or PostgreSQL
+# backends running on the same EC2 instance via Docker Compose.
+# Each instance gets its own MinIO/PostgreSQL containers.
+
+# Default blob storage backend: "filesystem" (default) or "minio"
+# Default: "filesystem" - uncomment to use MinIO
+# default_storage_backend = "minio"
+
+# Default database backend: "sqlite" (default) or "postgres"
+# Default: "sqlite" - uncomment to use PostgreSQL
+# default_database_backend = "postgres"
+
+# MinIO configuration (required when storage_backend = "minio")
+# -------------------------------------------
+# MinIO root user (shared across all instances)
+# Default: "minioadmin" - uncomment to override
+# minio_root_user = "minioadmin"
+
+# MinIO root password (required when using MinIO)
+# minio_root_password = "your-secure-minio-password"
+
+# Prefix for MinIO buckets
+# Default: "piri-" - uncomment to override
+# minio_bucket_prefix = "piri-"
+
+# PostgreSQL configuration (required when database_backend = "postgres")
+# -------------------------------------------
+# PostgreSQL user (shared across all instances)
+# Default: "piri" - uncomment to override
+# postgres_user = "piri"
+
+# PostgreSQL password (required when using PostgreSQL)
+# postgres_password = "your-secure-postgres-password"
+
+# PostgreSQL database name
+# Default: "piri" - uncomment to override
+# postgres_database = "piri"
+
 # ===========================================================================
 # INSTANCE DEFINITIONS
 # ===========================================================================
@@ -163,6 +205,10 @@ network = "warm-staging"
 #   - install_source: Override version/branch to install
 #   - service_pem_content: Service private key (only if use_secrets_manager = false)
 #   - wallet_hex_content: Wallet private key (only if use_secrets_manager = false)
+#   - storage_backend: Override default storage backend ("filesystem" or "minio")
+#   - database_backend: Override default database backend ("sqlite" or "postgres")
+#   - minio_root_password: Override MinIO password for this instance
+#   - postgres_password: Override PostgreSQL password for this instance
 
 instances = {
   # Example: Basic node using all defaults
@@ -198,14 +244,49 @@ instances = {
 #   node1 = {
 #     subdomain      = "node1"
 #     operator_email = "operator1@example.com"
-#     
+#
 #     # When use_secrets_manager = false, these are REQUIRED:
 #     service_pem_content = <<EOF
 # -----BEGIN PRIVATE KEY-----
 # YOUR_SERVICE_PRIVATE_KEY_HERE
 # -----END PRIVATE KEY-----
 # EOF
-#     
+#
 #     wallet_hex_content = "YOUR_WALLET_PRIVATE_KEY_HEX_HERE"
 #   }
 # }
+
+# ===========================================================================
+# INSTANCE DEFINITIONS WITH NATIVE BACKENDS (MinIO + PostgreSQL)
+# ===========================================================================
+# Example: Multi-instance deployment with MinIO and PostgreSQL backends
+# Each instance runs its own MinIO/PostgreSQL containers via Docker Compose
+
+# default_storage_backend  = "minio"
+# default_database_backend = "postgres"
+# minio_root_password      = "shared-minio-password"
+# postgres_password        = "shared-postgres-password"
+#
+# instances = {
+#   # Node using default backends (MinIO + PostgreSQL)
+#   node1 = {
+#     subdomain      = "node1"
+#     operator_email = "operator1@example.com"
+#   }
+#
+#   # Node with custom passwords for its backends
+#   node2 = {
+#     subdomain           = "node2"
+#     operator_email      = "operator2@example.com"
+#     minio_root_password = "node2-minio-password"
+#     postgres_password   = "node2-postgres-password"
+#   }
+#
+#   # Node using filesystem + SQLite (override backends)
+#   node3 = {
+#     subdomain        = "node3"
+#     operator_email   = "operator3@example.com"
+#     storage_backend  = "filesystem"
+#     database_backend = "sqlite"
+#   }
+# }
diff --git a/deploy/full-node/deployment-types/multi-instance/variables.tf b/deploy/full-node/deployment-types/multi-instance/variables.tf
index d7a8ae24..1275bce0 100644
--- a/deploy/full-node/deployment-types/multi-instance/variables.tf
+++ b/deploy/full-node/deployment-types/multi-instance/variables.tf
@@ -89,6 +89,70 @@ variable "use_secrets_manager" {
   default     = true
 }
 
+# =============================================================================
+# Storage Backend Configuration (defaults)
+# =============================================================================
+
+variable "default_storage_backend" {
+  description = "Default blob storage backend: 'filesystem' (default) or 'minio'"
+  type        = string
+  default     = "filesystem"
+  validation {
+    condition     = contains(["filesystem", "minio"], var.default_storage_backend)
+    error_message = "default_storage_backend must be 'filesystem' or 'minio'"
+  }
+}
+
+variable "default_database_backend" {
+  description = "Default database backend: 'sqlite' (default) or 'postgres'"
+  type        = string
+  default     = "sqlite"
+  validation {
+    condition     = contains(["sqlite", "postgres"], var.default_database_backend)
+    error_message = "default_database_backend must be 'sqlite' or 'postgres'"
+  }
+}
+
+# MinIO configuration (when storage_backend = "minio")
+variable "minio_root_user" {
+  description = "MinIO root user"
+  type        = string
+  default     = "minioadmin"
+}
+
+variable "minio_root_password" {
+  description = "MinIO root password (required when storage_backend = 'minio')"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "minio_bucket_prefix" {
+  description = "Prefix for MinIO buckets"
+  type        = string
+  default     = "piri-"
+}
+
+# PostgreSQL configuration (when database_backend = "postgres")
+variable "postgres_user" {
+  description = "PostgreSQL user"
+  type        = string
+  default     = "piri"
+}
+
+variable "postgres_password" {
+  description = "PostgreSQL password (required when database_backend = 'postgres')"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "postgres_database" {
+  description = "PostgreSQL database name"
+  type        = string
+  default     = "piri"
+}
+
 # Instance Definitions
 variable "instances" {
   description = "Map of instances to create"
@@ -101,5 +165,10 @@ variable "instances" {
     ebs_volume_size     = optional(number)
     install_method      = optional(string)
     install_source      = optional(string)
+    # Backend overrides (optional)
+    storage_backend     = optional(string)
+    database_backend    = optional(string)
+    minio_root_password = optional(string)
+    postgres_password   = optional(string)
   }))
 }
\ No newline at end of file
diff --git a/deploy/full-node/deployment-types/single-instance/main.tf b/deploy/full-node/deployment-types/single-instance/main.tf
index 3458bd78..6c4881f3 100644
--- a/deploy/full-node/deployment-types/single-instance/main.tf
+++ b/deploy/full-node/deployment-types/single-instance/main.tf
@@ -44,7 +44,7 @@ module "piri_instance" {
   protect_volume            = var.environment == "production" || var.environment == "prod" || var.environment == "forge-prod"
   domain_name               = "${var.environment}.${var.app}.${var.root_domain}"
   route53_zone_id           = data.aws_route53_zone.primary.zone_id
-  
+
   install_method          = var.install_method
   install_source          = var.install_source
   network                 = var.network
@@ -55,6 +55,16 @@ module "piri_instance" {
   operator_email          = var.operator_email
   use_letsencrypt_staging = var.environment != "production" && var.environment != "prod" && var.environment != "forge-prod"
 
+  # Backend configuration
+  storage_backend     = var.storage_backend
+  database_backend    = var.database_backend
+  minio_root_user     = var.minio_root_user
+  minio_root_password = var.minio_root_password
+  minio_bucket_prefix = var.minio_bucket_prefix
+  postgres_user       = var.postgres_user
+  postgres_password   = var.postgres_password
+  postgres_database   = var.postgres_database
+
   tags = {
     Owner = var.owner
     Team  = var.team
diff --git a/deploy/full-node/deployment-types/single-instance/tofu.tfvars.template b/deploy/full-node/deployment-types/single-instance/tofu.tfvars.template
index 858cded0..33ac1162 100644
--- a/deploy/full-node/deployment-types/single-instance/tofu.tfvars.template
+++ b/deploy/full-node/deployment-types/single-instance/tofu.tfvars.template
@@ -193,6 +193,47 @@ EOF
 # [REQUIRED if use_secrets_manager = false] Wallet private key in hex format
 wallet_hex_content = "YOUR_WALLET_PRIVATE_KEY_HEX_HERE"
 
+# ===========================================================================
+# STORAGE BACKEND CONFIGURATION
+# ===========================================================================
+# By default, Piri uses filesystem storage and SQLite database.
+# For native deployments, you can configure MinIO and/or PostgreSQL
+# backends running on the same EC2 instance via Docker Compose.
+
+# Blob storage backend: "filesystem" (default) or "minio"
+# Default: "filesystem" - uncomment to use MinIO
+# storage_backend = "minio"
+
+# Database backend: "sqlite" (default) or "postgres"
+# Default: "sqlite" - uncomment to use PostgreSQL
+# database_backend = "postgres"
+
+# MinIO configuration (required when storage_backend = "minio")
+# -------------------------------------------
+# MinIO root user
+# Default: "minioadmin" - uncomment to override
+# minio_root_user = "minioadmin"
+
+# MinIO root password (required when using MinIO)
+# minio_root_password = "your-secure-minio-password"
+
+# Prefix for MinIO buckets
+# Default: "piri-" - uncomment to override
+# minio_bucket_prefix = "piri-"
+
+# PostgreSQL configuration (required when database_backend = "postgres")
+# -------------------------------------------
+# PostgreSQL user
+# Default: "piri" - uncomment to override
+# postgres_user = "piri"
+
+# PostgreSQL password (required when using PostgreSQL)
+# postgres_password = "your-secure-postgres-password"
+
+# PostgreSQL database name
+# Default: "piri" - uncomment to override
+# postgres_database = "piri"
+
 # ===========================================================================
 # EXAMPLE CONFIGURATIONS
 # ===========================================================================
@@ -240,6 +281,24 @@ wallet_hex_content = "YOUR_WALLET_PRIVATE_KEY_HEX_HERE"
 # operator_email      = "dev@example.com"
 # use_secrets_manager = true
 
+# -------------------------------------------
+# Example 4: Native deployment with MinIO + PostgreSQL
+# -------------------------------------------
+# allowed_account_ids = ["123456789012"]
+# environment         = "staging"
+# instance_type       = "m6a.xlarge"
+# ebs_volume_size     = 200
+# install_method      = "version"
+# install_source      = "v0.0.12"
+# pdp_lotus_endpoint  = "wss://api.calibration.node.glif.io/rpc/v1"
+# network             = "warm-staging"
+# operator_email      = "ops@example.com"
+# use_secrets_manager = true
+# storage_backend     = "minio"
+# database_backend    = "postgres"
+# minio_root_password = "secure-minio-password"
+# postgres_password   = "secure-postgres-password"
+
 # ===========================================================================
 # DEPLOYMENT COMMANDS
 # ===========================================================================
diff --git a/deploy/full-node/deployment-types/single-instance/variables.tf b/deploy/full-node/deployment-types/single-instance/variables.tf
index 3ef735f6..3ee26b9b 100644
--- a/deploy/full-node/deployment-types/single-instance/variables.tf
+++ b/deploy/full-node/deployment-types/single-instance/variables.tf
@@ -114,4 +114,68 @@ variable "wallet_hex_content" {
 variable "operator_email" {
   description = "Email address of the piri operator"
   type        = string
+}
+
+# =============================================================================
+# Storage Backend Configuration
+# =============================================================================
+
+variable "storage_backend" {
+  description = "Blob storage backend: 'filesystem' (default) or 'minio'"
+  type        = string
+  default     = "filesystem"
+  validation {
+    condition     = contains(["filesystem", "minio"], var.storage_backend)
+    error_message = "storage_backend must be 'filesystem' or 'minio'"
+  }
+}
+
+variable "database_backend" {
+  description = "Database backend: 'sqlite' (default) or 'postgres'"
+  type        = string
+  default     = "sqlite"
+  validation {
+    condition     = contains(["sqlite", "postgres"], var.database_backend)
+    error_message = "database_backend must be 'sqlite' or 'postgres'"
+  }
+}
+
+# MinIO configuration (when storage_backend = "minio")
+variable "minio_root_user" {
+  description = "MinIO root user"
+  type        = string
+  default     = "minioadmin"
+}
+
+variable "minio_root_password" {
+  description = "MinIO root password (required when storage_backend = 'minio')"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "minio_bucket_prefix" {
+  description = "Prefix for MinIO buckets"
+  type        = string
+  default     = "piri-"
+}
+
+# PostgreSQL configuration (when database_backend = "postgres")
+variable "postgres_user" {
+  description = "PostgreSQL user"
+  type        = string
+  default     = "piri"
+}
+
+variable "postgres_password" {
+  description = "PostgreSQL password (required when database_backend = 'postgres')"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "postgres_database" {
+  description = "PostgreSQL database name"
+  type        = string
+  default     = "piri"
 }
\ No newline at end of file
diff --git a/deploy/full-node/modules/piri-instance/files/docker-compose.yml.tpl b/deploy/full-node/modules/piri-instance/files/docker-compose.yml.tpl
new file mode 100644
index 00000000..c77b280b
--- /dev/null
+++ b/deploy/full-node/modules/piri-instance/files/docker-compose.yml.tpl
@@ -0,0 +1,42 @@
+# Docker Compose for Piri native backends
+# Auto-generated by Terraform
+
+services:
+%{ if enable_postgres ~}
+  piri-postgres:
+    image: postgres:16-alpine
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: ${postgres_user}
+      POSTGRES_PASSWORD: ${postgres_password}
+      POSTGRES_DB: ${postgres_database}
+    volumes:
+      - /data/postgres:/var/lib/postgresql/data
+    ports:
+      - "127.0.0.1:5432:5432"
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${postgres_user} -d ${postgres_database}"]
+      interval: 5s
+      timeout: 3s
+      retries: 10
+%{ endif ~}
+
+%{ if enable_minio ~}
+  piri-minio:
+    image: minio/minio:latest
+    restart: unless-stopped
+    command: server /data --console-address ":9001"
+    environment:
+      MINIO_ROOT_USER: ${minio_root_user}
+      MINIO_ROOT_PASSWORD: ${minio_root_password}
+    volumes:
+      - /data/minio:/data
+    ports:
+      - "127.0.0.1:9000:9000"
+      - "127.0.0.1:9001:9001"
+    healthcheck:
+      test: ["CMD", "mc", "ready", "local"]
+      interval: 5s
+      timeout: 3s
+      retries: 10
+%{ endif ~}
diff --git a/deploy/full-node/modules/piri-instance/files/piri.service.tpl b/deploy/full-node/modules/piri-instance/files/piri.service.tpl
index 946487fd..67fc0beb 100644
--- a/deploy/full-node/modules/piri-instance/files/piri.service.tpl
+++ b/deploy/full-node/modules/piri-instance/files/piri.service.tpl
@@ -1,6 +1,9 @@
 [Unit]
 Description=Piri Full Server
-After=network.target
+After=network.target%{ if needs_docker } docker.service%{ endif }
+%{ if needs_docker ~}
+Requires=docker.service
+%{ endif ~}
 
 [Service]
 Type=simple
@@ -21,6 +24,20 @@ ExecStartPre=/bin/bash -c '/usr/local/bin/piri init \
   --lotus-endpoint="${lotus_endpoint}" \
   --operator-email="${operator_email}" \
   --public-url="${public_url}" \
+%{ if database_backend == "postgres" ~}
+  --db-type=postgres \
+  --db-postgres-url="${postgres_url}" \
+  --db-postgres-max-open-conns=${postgres_max_open_conns} \
+  --db-postgres-max-idle-conns=${postgres_max_idle_conns} \
+  --db-postgres-conn-max-lifetime=${postgres_conn_max_lifetime} \
+%{ endif ~}
+%{ if storage_backend == "minio" ~}
+  --s3-endpoint="${s3_endpoint}" \
+  --s3-bucket-prefix="${s3_bucket_prefix}" \
+  --s3-access-key-id="${s3_access_key_id}" \
+  --s3-secret-access-key="${s3_secret_access_key}" \
+  --s3-insecure \
+%{ endif ~}
   > /etc/piri/config.toml'
 
 ExecStart=/usr/local/bin/piri serve --config=/etc/piri/config.toml
@@ -29,4 +46,4 @@ Restart=on-failure
 RestartSec=10
 
 [Install]
-WantedBy=multi-user.target
\ No newline at end of file
+WantedBy=multi-user.target
diff --git a/deploy/full-node/modules/piri-instance/main.tf b/deploy/full-node/modules/piri-instance/main.tf
index 1472754e..883ff878 100644
--- a/deploy/full-node/modules/piri-instance/main.tf
+++ b/deploy/full-node/modules/piri-instance/main.tf
@@ -3,15 +3,45 @@ locals {
     server_name = var.domain_name
   })
 
+  # Determine if Docker is needed for native backends
+  needs_docker = var.storage_backend == "minio" || var.database_backend == "postgres"
+
   systemd_service_content = templatefile("${path.module}/files/piri.service.tpl", {
-    network        = var.network
-    lotus_endpoint = var.pdp_lotus_endpoint
-    operator_email = var.operator_email
-    public_url     = "https://${var.domain_name}"
+    network          = var.network
+    lotus_endpoint   = var.pdp_lotus_endpoint
+    operator_email   = var.operator_email
+    public_url       = "https://${var.domain_name}"
+    needs_docker     = local.needs_docker
+    storage_backend  = var.storage_backend
+    database_backend = var.database_backend
+    # PostgreSQL CLI flags
+    postgres_url               = "postgres://${var.postgres_user}:${var.postgres_password}@localhost:5432/${var.postgres_database}?sslmode=disable"
+    postgres_max_open_conns    = 10
+    postgres_max_idle_conns    = 5
+    postgres_conn_max_lifetime = "30m"
+    # S3/MinIO CLI flags
+    s3_endpoint          = "localhost:9000"
+    s3_bucket_prefix     = var.minio_bucket_prefix
+    s3_access_key_id     = var.minio_root_user
+    s3_secret_access_key = var.minio_root_password
   })
-  
+
   install_from_release_script = file("${path.module}/scripts/install-from-release.sh")
   install_from_branch_script  = file("${path.module}/scripts/install-from-branch.sh")
+
+  # Docker Compose content
+  docker_compose = local.needs_docker ? templatefile(
+    "${path.module}/files/docker-compose.yml.tpl",
+    {
+      enable_postgres     = var.database_backend == "postgres"
+      enable_minio        = var.storage_backend == "minio"
+      postgres_user       = var.postgres_user
+      postgres_password   = var.postgres_password
+      postgres_database   = var.postgres_database
+      minio_root_user     = var.minio_root_user
+      minio_root_password = var.minio_root_password
+    }
+  ) : ""
 }
 
 data "aws_ami" "ubuntu" {
@@ -55,6 +85,11 @@ resource "aws_instance" "piri" {
     install_from_release_script = local.install_from_release_script
     install_from_branch_script  = local.install_from_branch_script
     use_letsencrypt_staging     = var.use_letsencrypt_staging
+    # Backend configuration
+    storage_backend  = var.storage_backend
+    database_backend = var.database_backend
+    needs_docker     = local.needs_docker
+    docker_compose   = local.docker_compose
   })
 
   tags = merge(
@@ -70,7 +105,7 @@ resource "aws_instance" "piri" {
     # Force replacement when user_data changes (includes install_source changes)
     create_before_destroy = true
   }
-  
+
   # Force replacement when user_data changes
   user_data_replace_on_change = true
 
@@ -95,7 +130,7 @@ resource "aws_ebs_volume" "piri_data" {
   )
 
   lifecycle {
-    ignore_changes = [size]  # Allow manual resizing outside of Terraform
+    ignore_changes = [size] # Allow manual resizing outside of Terraform
   }
 }
 
@@ -118,7 +153,7 @@ resource "aws_ebs_volume" "piri_data_protected" {
 
   lifecycle {
     prevent_destroy = true
-    ignore_changes  = [size]  # Allow manual resizing outside of Terraform
+    ignore_changes  = [size] # Allow manual resizing outside of Terraform
   }
 }
 
diff --git a/deploy/full-node/modules/piri-instance/scripts/user-data.sh.tpl b/deploy/full-node/modules/piri-instance/scripts/user-data.sh.tpl
index 6c94b98f..12245d71 100644
--- a/deploy/full-node/modules/piri-instance/scripts/user-data.sh.tpl
+++ b/deploy/full-node/modules/piri-instance/scripts/user-data.sh.tpl
@@ -15,6 +15,22 @@ echo "=== Updating system packages ==="
 apt-get update
 apt-get upgrade -y
 
+%{ if needs_docker ~}
+# =============================================================================
+# Install Docker for native backends
+# =============================================================================
+echo "=== Installing Docker ==="
+apt-get install -y ca-certificates curl gnupg
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
+chmod a+r /etc/apt/keyrings/docker.gpg
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
+apt-get update
+apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
+systemctl enable docker
+systemctl start docker
+%{ endif ~}
+
 # Create piri user
 echo "=== Creating piri user ==="
 useradd -m -s /bin/bash piri
@@ -66,6 +82,42 @@ chown -R piri:piri /etc/piri
 chown -R piri:piri /data/piri
 chown -R piri:piri /tmp/piri
 
+%{ if needs_docker ~}
+# =============================================================================
+# Setup Docker Compose for backend services
+# =============================================================================
+echo "=== Setting up backend services ==="
+
+# Create directories for container data
+mkdir -p /data/postgres /data/minio
+
+# Deploy docker-compose.yml
+cat > /etc/piri/docker-compose.yml <<'DOCKEREOF'
+${docker_compose}
+DOCKEREOF
+
+# Start containers
+cd /etc/piri
+docker compose up -d
+
+# Wait for services to be healthy
+echo "=== Waiting for backend services ==="
+%{ if database_backend == "postgres" ~}
+echo "Waiting for PostgreSQL..."
+until docker compose exec -T piri-postgres pg_isready -U piri -d piri 2>/dev/null; do
+  sleep 2
+done
+echo "PostgreSQL is ready"
+%{ endif ~}
+%{ if storage_backend == "minio" ~}
+echo "Waiting for MinIO..."
+until curl -sf http://localhost:9000/minio/health/live >/dev/null 2>&1; do
+  sleep 2
+done
+echo "MinIO is ready"
+%{ endif ~}
+%{ endif ~}
+
 # Install nginx
 echo "=== Installing nginx ==="
 apt-get install -y nginx
diff --git a/deploy/full-node/modules/piri-instance/variables.tf b/deploy/full-node/modules/piri-instance/variables.tf
index 55881774..c05f35b7 100644
--- a/deploy/full-node/modules/piri-instance/variables.tf
+++ b/deploy/full-node/modules/piri-instance/variables.tf
@@ -128,4 +128,68 @@ variable "tags" {
   description = "Additional tags to apply to all resources"
   type        = map(string)
   default     = {}
+}
+
+# =============================================================================
+# Storage Backend Configuration
+# =============================================================================
+
+variable "storage_backend" {
+  description = "Blob storage backend: 'filesystem' (default) or 'minio'"
+  type        = string
+  default     = "filesystem"
+  validation {
+    condition     = contains(["filesystem", "minio"], var.storage_backend)
+    error_message = "storage_backend must be 'filesystem' or 'minio'"
+  }
+}
+
+variable "database_backend" {
+  description = "Database backend: 'sqlite' (default) or 'postgres'"
+  type        = string
+  default     = "sqlite"
+  validation {
+    condition     = contains(["sqlite", "postgres"], var.database_backend)
+    error_message = "database_backend must be 'sqlite' or 'postgres'"
+  }
+}
+
+# MinIO configuration (when storage_backend = "minio")
+variable "minio_root_user" {
+  description = "MinIO root user"
+  type        = string
+  default     = "minioadmin"
+}
+
+variable "minio_root_password" {
+  description = "MinIO root password (required when storage_backend = 'minio')"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "minio_bucket_prefix" {
+  description = "Prefix for MinIO buckets"
+  type        = string
+  default     = "piri-"
+}
+
+# PostgreSQL configuration (when database_backend = "postgres")
+variable "postgres_user" {
+  description = "PostgreSQL user"
+  type        = string
+  default     = "piri"
+}
+
+variable "postgres_password" {
+  description = "PostgreSQL password (required when database_backend = 'postgres')"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "postgres_database" {
+  description = "PostgreSQL database name"
+  type        = string
+  default     = "piri"
 }
\ No newline at end of file