feat: update deployment configuration and encrypted env loader

- Update Ansible playbooks and roles for application deployment
- Add new Gitea/Traefik troubleshooting playbooks
- Update Docker Compose configurations (base, local, staging, production)
- Enhance EncryptedEnvLoader with improved error handling
- Add deployment scripts (autossh setup, migration, secret testing)
- Update CI/CD workflows and documentation
- Add Semaphore stack configuration
2025-11-02 20:38:06 +01:00
parent 7b7f0b41d2
commit 24cbbccf4c
44 changed files with 5280 additions and 276 deletions


@@ -11,7 +11,9 @@ APP_DOMAIN={{ app_domain }}
APP_ENV={{ app_env | default('production') }}
APP_DEBUG={{ app_debug | default('false') }}
APP_NAME={{ app_display_name | default(app_name | default('Framework') | replace('-', ' ') | title) }}
APP_KEY={{ app_key }}
# Use Docker Secrets via *_FILE pattern (Framework supports this automatically)
# APP_KEY is loaded from /run/secrets/app_key via APP_KEY_FILE
APP_KEY_FILE=/run/secrets/app_key
APP_TIMEZONE={{ app_timezone | default(timezone | default('Europe/Berlin')) }}
APP_LOCALE={{ app_locale | default('de') }}
APP_URL=https://{{ app_domain }}
@@ -25,18 +27,22 @@ DB_HOST={{ db_host | default('postgres') }}
DB_PORT={{ db_port | default('5432') }}
DB_DATABASE={{ db_name | default(db_name_default) }}
DB_USERNAME={{ db_user | default(db_user_default) }}
DB_PASSWORD={{ db_password }}
# Use Docker Secrets via *_FILE pattern (Framework supports this automatically)
# DB_PASSWORD is loaded from /run/secrets/db_user_password via DB_PASSWORD_FILE
DB_PASSWORD_FILE=/run/secrets/db_user_password
DB_CHARSET={{ db_charset | default('utf8') }}
# Legacy variables (kept for backward compatibility)
DB_NAME={{ db_name | default(db_name_default) }}
DB_USER={{ db_user | default(db_user_default) }}
DB_PASS={{ db_password }}
# DB_PASS is loaded from Docker Secret via DB_PASSWORD_FILE
# Redis Configuration
# Redis runs in this stack
REDIS_HOST={{ redis_host | default('redis') }}
REDIS_PORT={{ redis_port | default('6379') }}
REDIS_PASSWORD={{ redis_password }}
# Use Docker Secrets via *_FILE pattern (Framework supports this automatically)
# REDIS_PASSWORD is loaded from /run/secrets/redis_password via REDIS_PASSWORD_FILE
REDIS_PASSWORD_FILE=/run/secrets/redis_password
# Security Configuration
SECURITY_ALLOWED_HOSTS={{ security_allowed_hosts | default('localhost,' ~ app_domain ~ ',www.' ~ app_domain) }}
@@ -59,11 +65,17 @@ QUEUE_WORKER_TRIES={{ queue_worker_tries | default('3') }}
QUEUE_WORKER_TIMEOUT={{ queue_worker_timeout | default('60') }}
# Vault / Encryption
VAULT_ENCRYPTION_KEY={{ encryption_key }}
# Use Docker Secrets via *_FILE pattern (Framework supports this automatically)
# VAULT_ENCRYPTION_KEY is loaded from /run/secrets/vault_encryption_key via VAULT_ENCRYPTION_KEY_FILE
VAULT_ENCRYPTION_KEY_FILE=/run/secrets/vault_encryption_key
# APP_KEY is loaded from /run/secrets/app_key via APP_KEY_FILE
APP_KEY_FILE=/run/secrets/app_key
# Git Repository Configuration (optional - if set, container will clone/pull code on start)
GIT_REPOSITORY_URL={{ git_repository_url | default('') }}
GIT_BRANCH={{ git_branch | default('main') }}
GIT_TOKEN={{ git_token | default('') }}
# Use Docker Secrets via *_FILE pattern (Framework supports this automatically)
# GIT_TOKEN is loaded from /run/secrets/git_token via GIT_TOKEN_FILE
GIT_TOKEN_FILE=/run/secrets/git_token
GIT_USERNAME={{ git_username | default('') }}
GIT_PASSWORD={{ git_password | default('') }}
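Review bot: `APP_KEY_FILE=/run/secrets/app_key` is assigned twice on the new side of this file, once directly after `APP_KEY` in the first hunk and again in the Vault block at the end of the third hunk, each with the same explanatory comment; dropping the later pair `# APP_KEY is loaded from /run/secrets/app_key via APP_KEY_FILE` / `APP_KEY_FILE=/run/secrets/app_key` keeps the setting next to the value it replaces and avoids a duplicate that dotenv-style loaders resolve by last-wins. The plain-text assignments `DB_PASSWORD={{ db_password }}`, `REDIS_PASSWORD={{ redis_password }}`, `VAULT_ENCRYPTION_KEY={{ encryption_key }}` and `GIT_TOKEN={{ git_token | default('') }}` are printed right beside the new `*_FILE` lines, and the rendered page has lost the +/- markers, so if any of them survives on the new side the secret is still rendered into the .env file in the clear and the `_FILE` indirection changes nothing; please confirm those are the removed lines. The legacy line `DB_PASS={{ db_password }}` is followed by `# DB_PASS is loaded from Docker Secret via DB_PASSWORD_FILE`, yet there is no `DB_PASS_FILE` and the value is still templated directly, so unless the framework maps `DB_PASS` onto `DB_PASSWORD_FILE` that comment overstates what happens and the line should be handled like the others. `GIT_PASSWORD={{ git_password | default('') }}` likewise has no `_FILE` counterpart and remains a plain-text credential in the same file.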


@@ -8,8 +8,10 @@ PrivateKey = {{ client_private_key.stdout }}
# Client IP address in VPN network
Address = {{ client_ip }}/24
# DNS server (VPN internal resolver)
{% if wireguard_dns_servers | length > 0 %}
# DNS servers provided via Ansible (optional)
DNS = {{ wireguard_dns_servers | join(', ') }}
{% endif %}
[Peer]
# Server public key