chore: Update deployment configuration and documentation

- Update Gitea configuration (remove DEFAULT_ACTIONS_URL) - Fix deployment documentation - Update Ansible playbooks - Clean up deprecated files - Add new deployment scripts and templates
2025-10-31 21:11:11 +01:00
parent cf4748f8db
commit 16d586ecdf
92 changed files with 4601 additions and 10524 deletions
--- a/deployment/ansible/playbooks/setup-infrastructure.yml
+++ b/deployment/ansible/playbooks/setup-infrastructure.yml
@@ -5,10 +5,17 @@
  gather_facts: yes

  vars:
-    stacks_base_path: "~/deployment/stacks"
-    wait_timeout: 60
+    # All deployment variables are now defined in group_vars/production.yml
+    # Variables can be overridden via -e flag if needed

  tasks:
+    - name: Debug - Show variables
+      debug:
+        msg:
+          - "stacks_base_path: {{ stacks_base_path | default('NOT SET') }}"
+          - "deploy_user_home: {{ deploy_user_home | default('NOT SET') }}"
+      when: false  # Only enable for debugging
+
    - name: Check if deployment stacks directory exists
      stat:
        path: "{{ stacks_base_path }}"
@@ -83,22 +90,42 @@
    # 3. Deploy Docker Registry (Private Registry)
    - name: Ensure Registry auth directory exists
      file:
-        path: "{{ stacks_base_path }}/registry/auth"
+        path: "{{ registry_auth_path }}"
        state: directory
        mode: '0755'
      become: yes

+    - name: Optionally load registry credentials from vault
+      include_vars:
+        file: "{{ playbook_dir }}/../secrets/production.vault.yml"
+      no_log: yes
+      ignore_errors: yes
+      delegate_to: localhost
+      become: no
+
+    - name: Set registry credentials from vault or defaults
+      set_fact:
+        registry_username: "{{ vault_docker_registry_username | default(docker_registry_username_default) }}"
+        registry_password: "{{ vault_docker_registry_password | default(docker_registry_password_default) }}"
+      no_log: true
+
+    - name: Fail if registry password is not set
+      fail:
+        msg: "Registry password must be set in vault or docker_registry_password_default"
+      when: registry_password is not defined or registry_password == ""
+
    - name: Create Registry htpasswd file if missing
      shell: |
-        if [ ! -f {{ stacks_base_path }}/registry/auth/htpasswd ]; then
-          docker run --rm --entrypoint htpasswd httpd:2 -Bbn admin registry-secure-password-2025 > {{ stacks_base_path }}/registry/auth/htpasswd
-          chmod 644 {{ stacks_base_path }}/registry/auth/htpasswd
+        if [ ! -f {{ registry_auth_path }}/htpasswd ]; then
+          docker run --rm --entrypoint htpasswd httpd:2 -Bbn {{ registry_username }} {{ registry_password }} > {{ registry_auth_path }}/htpasswd
+          chmod 644 {{ registry_auth_path }}/htpasswd
        fi
      args:
        executable: /bin/bash
      become: yes
      changed_when: true
      register: registry_auth_created
+      no_log: true

    - name: Deploy Docker Registry stack
      community.docker.docker_compose_v2:
@@ -126,19 +153,95 @@
    - name: Verify Registry is accessible
      uri:
        url: "http://127.0.0.1:5000/v2/_catalog"
-        user: admin
-        password: registry-secure-password-2025
+        user: "{{ registry_username }}"
+        password: "{{ registry_password }}"
        status_code: 200
        timeout: 5
      register: registry_check
      ignore_errors: yes
      changed_when: false
+      no_log: true

    - name: Display Registry status
      debug:
        msg: "Registry accessibility: {{ 'SUCCESS' if registry_check.status == 200 else 'FAILED - may need manual check' }}"

-    # 4. Deploy Gitea (CRITICAL - Git Server + MySQL + Redis)
+    # 4. Deploy MinIO (Object Storage)
+    - name: Optionally load MinIO secrets from vault
+      include_vars:
+        file: "{{ playbook_dir }}/../secrets/production.vault.yml"
+      no_log: yes
+      ignore_errors: yes
+      delegate_to: localhost
+      become: no
+
+    - name: Set MinIO root password from vault or generate
+      set_fact:
+        minio_password: "{{ vault_minio_root_password | default(lookup('password', '/dev/null length=32 chars=ascii_letters,digits,punctuation')) }}"
+      no_log: yes
+
+    - name: Set MinIO root user from vault or use default
+      set_fact:
+        minio_user: "{{ vault_minio_root_user | default('minioadmin') }}"
+
+    - name: Ensure MinIO stack directory exists
+      file:
+        path: "{{ stacks_base_path }}/minio"
+        state: directory
+        mode: '0755'
+
+    - name: Create MinIO stack .env file
+      template:
+        src: "{{ playbook_dir }}/../templates/minio.env.j2"
+        dest: "{{ stacks_base_path }}/minio/.env"
+        owner: "{{ ansible_user }}"
+        group: "{{ ansible_user }}"
+        mode: '0600'
+      vars:
+        minio_root_user: "{{ minio_user }}"
+        minio_root_password: "{{ minio_password }}"
+        minio_api_domain: "{{ minio_api_domain }}"
+        minio_console_domain: "{{ minio_console_domain }}"
+      no_log: yes
+
+    - name: Deploy MinIO stack
+      community.docker.docker_compose_v2:
+        project_src: "{{ stacks_base_path }}/minio"
+        state: present
+        pull: always
+      register: minio_output
+
+    - name: Wait for MinIO to be ready
+      wait_for:
+        timeout: "{{ wait_timeout }}"
+      when: minio_output.changed
+
+    - name: Check MinIO logs for readiness
+      shell: docker compose logs minio 2>&1 | grep -Ei "(API:|WebUI:|MinIO Object Storage Server)" || true
+      args:
+        chdir: "{{ stacks_base_path }}/minio"
+      register: minio_logs
+      until: minio_logs.stdout != ""
+      retries: 6
+      delay: 10
+      changed_when: false
+      ignore_errors: yes
+
+    - name: Verify MinIO health endpoint
+      uri:
+        url: "http://127.0.0.1:9000/minio/health/live"
+        method: GET
+        status_code: [200, 404, 502, 503]
+        timeout: 5
+      register: minio_health_check
+      ignore_errors: yes
+      changed_when: false
+
+    - name: Display MinIO status
+      debug:
+        msg: "MinIO health check: {{ 'SUCCESS' if minio_health_check.status == 200 else 'FAILED - Status: ' + (minio_health_check.status|string) }}"
+
+    # 5. Deploy Gitea (CRITICAL - Git Server + MySQL + Redis)
    - name: Deploy Gitea stack
      community.docker.docker_compose_v2:
        project_src: "{{ stacks_base_path }}/gitea"
@@ -162,7 +265,7 @@
      changed_when: false
      ignore_errors: yes

-    # 5. Deploy Monitoring (Portainer + Grafana + Prometheus)
+    # 6. Deploy Monitoring (Portainer + Grafana + Prometheus)
    - name: Optionally load monitoring secrets from vault
      include_vars:
        file: "{{ playbook_dir }}/../secrets/production.vault.yml"
@@ -229,7 +332,7 @@

    - name: Verify Gitea accessibility via HTTPS
      uri:
-        url: https://git.michaelschiemer.de
+        url: "https://{{ gitea_domain }}"
        method: GET
        validate_certs: no
        status_code: 200
@@ -241,7 +344,7 @@
      debug:
        msg: "Gitea HTTPS check: {{ 'SUCCESS' if gitea_http_check.status == 200 else 'FAILED - Status: ' + (gitea_http_check.status|string) }}"

-    # 6. Deploy Application Stack
+    # 7. Deploy Application Stack
    - name: Optionally load application secrets from vault
      include_vars:
        file: "{{ playbook_dir }}/../secrets/production.vault.yml"
@@ -320,10 +423,10 @@
        mode: '0600'
      vars:
        db_password: "{{ app_db_password }}"
-        db_user: "{{ db_user | default('postgres') }}"
-        db_name: "{{ db_name | default('michaelschiemer') }}"
+        db_user: "{{ db_user | default(db_user_default) }}"
+        db_name: "{{ db_name | default(db_name_default) }}"
        redis_password: "{{ app_redis_password }}"
-        app_domain: "{{ app_domain | default('michaelschiemer.de') }}"
+        app_domain: "{{ app_domain }}"
      no_log: yes

    - name: Deploy Application stack
@@ -391,7 +494,7 @@

    - name: Verify application accessibility via HTTPS
      uri:
-        url: "https://{{ app_domain | default('michaelschiemer.de') }}/health"
+        url: "{{ health_check_url }}"
        method: GET
        validate_certs: no
        status_code: [200, 404, 502, 503]
@@ -412,13 +515,14 @@
          - "Traefik: {{ 'Deployed' if traefik_output.changed else 'Already running' }}"
          - "PostgreSQL: {{ 'Deployed' if postgres_output.changed else 'Already running' }}"
          - "Docker Registry: {{ 'Deployed' if registry_output.changed else 'Already running' }}"
+          - "MinIO: {{ 'Deployed' if minio_output.changed else 'Already running' }}"
          - "Gitea: {{ 'Deployed' if gitea_output.changed else 'Already running' }}"
          - "Monitoring: {{ 'Deployed' if monitoring_output.changed else 'Already running' }}"
          - "Application: {{ 'Deployed' if application_output.changed else 'Already running' }}"
          - ""
          - "Next Steps:"
-          - "1. Access Gitea at: https://git.michaelschiemer.de"
+          - "1. Access Gitea at: https://{{ gitea_domain }}"
          - "2. Complete Gitea setup wizard if first-time deployment"
          - "3. Navigate to Admin > Actions > Runners to get registration token"
          - "4. Continue with Phase 1 - Gitea Runner Setup"
-          - "5. Access Application at: https://{{ app_domain | default('michaelschiemer.de') }}"
+          - "5. Access Application at: https://{{ app_domain }}"