Hi.
Let's go out of order.
The first is the database
Why is it placed on a separate server? This is done, as a rule, when the original server does not pull due to a large number of requests to the database. Are you in this situation now? Yes - move to a separate server. No - leave the servers alone.
VPN - also leave alone. If you need to move the database to a separate server, then sometimes it makes sense to close the external server and leave only the VPN.
Docker - docker on sale? Do you have such a serious resource that you need to raise several VDS per day and you need a docker? When you can still understand the docker on the local - convenience and without garbage. But on sale? Or do you have extra money/resources?
It seems that docker should also be left only on the local and alone.
Secret keys - this should never be stored in a repository at all. Sometimes you can use a compromise - encrypted files. But here you can not be at rest and you should check everything several times.
a minute of entertaining theory:
How does deployment work? (example from life in very general terms for understanding the concept)
The developer sends a push to the git. After that, git throws a notification to the CI&CD service.
The CI&CD service starts its process according to the protocol described in the started thread (service config).
Usually, the order of actions in the CI&CD service is as follows:
- the container with the OS is raised
- the repo is deployed in the container
- all dependencies are pulled up, the environment is configured, the base with seeds is raised.
– migrations are rolled in
– tests are run
Next, the deployment script is launched:
– the repo is uploaded to the server, for example, using rsync or another tool (in this place we use encrypted private keys to access the destination server)
– the update routine is started on the server (for example, roll migrations, update configs, restart services)
At the end, a notification about the status comes. For example, in slack.
Everyone is happy, the developer celebrates the success (or eliminates the results of unsuccessful tests).
PS If you're having these questions, then it looks like you're not a DevOps'or before.
And this is not a subject for resentment or insult, but, on the contrary, a subject for reflection on the complexity of decisions. Now it seems that you want to shoot yourself in the knee, and with a shotgun.

1. > What network should be in prod?
Working on support in one bank (TOP10), each environment (test / preprod / PROD) was in different subnets isolated from each other. The environment implied a connected circuit - front-bus-backend-DB in the same subnet.
Other banks did not bother with subnets. Also, in a large company where I now work, there is also no isolation between systems.
2.1 Why do you need a VPN and all this crap?
2.2 DB in docker... In my opinion, so-so solution. Though looking at that for a DB and what on it loading. We have a product database in general as a separate infrastructure and RAM overdocher servers there.
3. For "deploy", consider the option with artifacts in gitlab. At least that's what I did on my project. I build on one server, and deploy on another. Thus it is not necessary to be engaged in an onanism with copying between servers.

Deployment option from PHP author: https://codeascraft.com/2013/07/01/atomic-deploys-...