feat: update deployment configuration and encrypted env loader

- Update Ansible playbooks and roles for application deployment
- Add new Gitea/Traefik troubleshooting playbooks
- Update Docker Compose configurations (base, local, staging, production)
- Enhance EncryptedEnvLoader with improved error handling
- Add deployment scripts (autossh setup, migration, secret testing)
- Update CI/CD workflows and documentation
- Add Semaphore stack configuration

deployment/ansible/playbooks/setup-production-secrets.yml

@@ -35,45 +35,37 @@
         file: "{{ vault_file }}"
       no_log: yes
 
-    - name: Ensure secrets directory exists
+    - name: Ensure secrets directory exists for Docker Compose secrets
       file:
-        path: "{{ secrets_path }}"
+        path: "{{ app_stack_path }}/secrets"
         state: directory
         owner: "{{ ansible_user }}"
         group: "{{ ansible_user }}"
         mode: '0700'
 
-    - name: Create .env.production file
-      template:
-        src: "{{ playbook_dir }}/../templates/.env.production.j2"
-        dest: "{{ secrets_path }}/.env.production"
+    - name: Create Docker Compose secret files from vault
+      copy:
+        content: "{{ item.value }}"
+        dest: "{{ app_stack_path }}/secrets/{{ item.name }}.txt"
         owner: "{{ ansible_user }}"
         group: "{{ ansible_user }}"
         mode: '0600'
-      no_log: yes
-
-    - name: Create Docker secrets from vault (disabled for compose-only deployment)
-      docker_secret:
-        name: "{{ item.name }}"
-        data: "{{ item.value }}"
-        state: present
       loop:
-        - name: db_password
+        - name: db_user_password
           value: "{{ vault_db_password }}"
         - name: redis_password
           value: "{{ vault_redis_password }}"
         - name: app_key
           value: "{{ vault_app_key }}"
-        - name: jwt_secret
-          value: "{{ vault_jwt_secret }}"
-        - name: mail_password
-          value: "{{ vault_mail_password }}"
+        - name: vault_encryption_key
+          value: "{{ vault_encryption_key | default(vault_app_key) }}"
+        - name: git_token
+          value: "{{ vault_git_token | default('') }}"
       no_log: yes
-      when: false
 
     - name: Set secure permissions on secrets directory
       file:
-        path: "{{ secrets_path }}"
+        path: "{{ app_stack_path }}/secrets"
         state: directory
         owner: "{{ ansible_user }}"
         group: "{{ ansible_user }}"