fix: Gitea Traefik routing and connection pool optimization

- Remove middleware reference from Gitea Traefik labels (caused routing issues)
- Optimize Gitea connection pool settings (MAX_IDLE_CONNS=30, authentication_timeout=180s)
- Add explicit service reference in Traefik labels
- Fix intermittent 504 timeouts by improving PostgreSQL connection handling

Fixes Gitea unreachability via git.michaelschiemer.de

deployment/ansible/playbooks/setup-infrastructure.yml

@@ -7,6 +7,40 @@
   vars:
     # All deployment variables are now defined in group_vars/production.yml
     # Variables can be overridden via -e flag if needed
+    vault_file: "{{ playbook_dir }}/../secrets/production.vault.yml"
+
+  pre_tasks:
+    - name: Verify vault file exists
+      ansible.builtin.stat:
+        path: "{{ vault_file }}"
+      register: vault_stat
+      delegate_to: localhost
+      become: no
+
+    - name: Load encrypted secrets from vault
+      ansible.builtin.include_vars:
+        file: "{{ vault_file }}"
+      when: vault_stat.stat.exists
+      no_log: yes
+      ignore_errors: yes
+      delegate_to: localhost
+      become: no
+
+    - name: Verify vault secrets were loaded
+      ansible.builtin.debug:
+        msg: |
+          Vault secrets loaded:
+          - vault_db_password: {{ 'SET (length: ' + (vault_db_password | default('') | string | length | string) + ')' if (vault_db_password | default('') | string | trim) != '' else 'NOT SET or EMPTY' }}
+          - vault_redis_password: {{ 'SET' if (vault_redis_password | default('') | string | trim) != '' else 'NOT SET' }}
+          - vault_app_key: {{ 'SET' if (vault_app_key | default('') | string | trim) != '' else 'NOT SET' }}
+          - vault_docker_registry_password: {{ 'SET (length: ' + (vault_docker_registry_password | default('') | string | length | string) + ')' if (vault_docker_registry_password | default('') | string | trim) != '' else 'NOT SET or EMPTY' }}
+      when: vault_stat.stat.exists
+      no_log: yes
+
+    - name: Warn if vault file is missing
+      ansible.builtin.debug:
+        msg: "WARNING: Vault file not found at {{ vault_file }}. Some roles may fail if they require vault secrets."
+      when: not vault_stat.stat.exists
 
   tasks:
     - name: Debug - Show variables
@@ -14,18 +48,58 @@
         msg:
           - "stacks_base_path: {{ stacks_base_path | default('NOT SET') }}"
           - "deploy_user_home: {{ deploy_user_home | default('NOT SET') }}"
-      when: false  # Only enable for debugging
+      when: true  # Debugging enabled
 
     - name: Check if deployment stacks directory exists
       stat:
         path: "{{ stacks_base_path }}"
       register: stacks_dir
 
-    - name: Fail if stacks directory doesn't exist
-      fail:
-        msg: "Deployment stacks directory not found at {{ stacks_base_path }}"
+    - name: Create deployment stacks directory if it doesn't exist
+      file:
+        path: "{{ stacks_base_path }}"
+        state: directory
+        mode: '0755'
+        owner: "{{ ansible_user }}"
+        group: "{{ ansible_user }}"
       when: not stacks_dir.stat.exists
 
+    - name: Ensure rsync is installed (required for synchronize)
+      ansible.builtin.apt:
+        name: rsync
+        state: present
+        update_cache: no
+      become: yes
+
+    - name: Sync infrastructure stacks to server
+      synchronize:
+        src: "{{ playbook_dir }}/../../stacks/"
+        dest: "{{ stacks_base_path }}/"
+        delete: no
+        recursive: yes
+        rsync_opts:
+          - "--chmod=D755,F644"
+          - "--exclude=.git"
+          - "--exclude=*.log"
+          - "--exclude=data/"
+          - "--exclude=volumes/"
+          - "--exclude=acme.json"
+          - "--exclude=*.key"
+          - "--exclude=*.pem"
+
+    - name: Ensure executable permissions on PostgreSQL backup scripts
+      file:
+        path: "{{ item }}"
+        mode: '0755'
+      loop:
+        - "{{ stacks_base_path }}/postgresql-production/scripts/backup-entrypoint.sh"
+        - "{{ stacks_base_path }}/postgresql-production/scripts/backup.sh"
+        - "{{ stacks_base_path }}/postgresql-production/scripts/restore.sh"
+        - "{{ stacks_base_path }}/postgresql-staging/scripts/backup-entrypoint.sh"
+        - "{{ stacks_base_path }}/postgresql-staging/scripts/backup.sh"
+        - "{{ stacks_base_path }}/postgresql-staging/scripts/restore.sh"
+      ignore_errors: yes
+
     - name: Ensure system packages are up to date
       include_role:
         name: system
@@ -49,27 +123,27 @@
       import_role:
         name: traefik
 
-    # 2. Deploy PostgreSQL (Database)
-    - name: Deploy PostgreSQL stack
+    # 2. Deploy PostgreSQL Production (Database)
+    - name: Deploy PostgreSQL Production stack
       import_role:
-        name: postgresql
+        name: postgresql-production
 
-    # 3. Deploy Docker Registry (Private Registry)
+    # 3. Deploy Redis (Cache & Session Store)
+    - name: Deploy Redis stack
+      import_role:
+        name: redis
+
+    # 4. Deploy Docker Registry (Private Registry)
     - name: Deploy Docker Registry stack
       import_role:
         name: registry
 
-    # 4. Deploy DNS (CoreDNS for WireGuard clients)
-    - name: Deploy DNS stack
-      import_role:
-        name: dns
-
     # 5. Deploy MinIO (Object Storage)
     - name: Deploy MinIO stack
       import_role:
         name: minio
 
-    # 6. Deploy Gitea (CRITICAL - Git Server + MySQL + Redis)
+    # 6. Deploy Gitea (CRITICAL - Git Server + MySQL)
     - name: Deploy Gitea stack
       import_role:
         name: gitea
@@ -79,6 +153,24 @@
       import_role:
         name: monitoring
 
+    # 8. Deploy Production Stack
+    - name: Deploy Production Stack
+      import_role:
+        name: application
+      vars:
+        application_stack_src: "{{ playbook_dir | default(role_path + '/..') }}/../../stacks/production"
+        application_stack_dest: "{{ app_stack_path | default(stacks_base_path + '/production') }}"
+        application_compose_suffix: "production.yml"
+        application_service_name: "php"
+        application_env_template: "{{ role_path }}/../../templates/application.env.j2"
+        app_env: "production"
+        # Explicitly pass vault variables to the role
+        vault_docker_registry_password: "{{ vault_docker_registry_password | default('') }}"
+        app_domain: "michaelschiemer.de"
+        app_debug: "false"
+        db_name: "{{ db_name_default }}"
+        db_host: "{{ db_host_default }}"
+
     # Verification
     - name: List all running containers
       command: >
@@ -103,8 +195,8 @@
       debug:
         msg: "Gitea HTTPS check: {{ 'SUCCESS' if gitea_http_check.status == 200 else 'FAILED - Status: ' + (gitea_http_check.status|string) }}"
 
-    # 8. Deploy Application Stack
-    - name: Deploy Application Stack
+    # 8. Deploy Production Stack
+    - name: Deploy Production Stack
       import_role:
         name: application
 
@@ -133,14 +225,14 @@
       debug:
         msg:
           - "=== Infrastructure Deployment Complete ==="
-          - "Traefik: {{ 'Deployed' if traefik_stack_changed else 'Already running' }}"
-          - "PostgreSQL: {{ 'Deployed' if postgresql_stack_changed else 'Already running' }}"
-          - "Docker Registry: {{ 'Deployed' if registry_stack_changed else 'Already running' }}"
-          - "DNS: {{ 'Deployed' if dns_stack_changed else 'Already running' }}"
-          - "MinIO: {{ 'Deployed' if minio_stack_changed else 'Already running' }}"
-          - "Gitea: {{ 'Deployed' if gitea_stack_changed else 'Already running' }}"
-          - "Monitoring: {{ 'Deployed' if monitoring_stack_changed else 'Already running' }}"
-          - "Application: {{ 'Deployed' if application_stack_changed else 'Already running' }}"
+          - "Traefik: {{ 'Deployed' if traefik_stack_changed is defined and traefik_stack_changed else 'Already running' }}"
+          - "PostgreSQL: {{ 'Deployed' if postgresql_stack_changed is defined and postgresql_stack_changed else 'Already running' }}"
+          - "Redis: {{ 'Deployed' if redis_stack_changed is defined and redis_stack_changed else 'Already running' }}"
+          - "Docker Registry: {{ 'Deployed' if registry_stack_changed is defined and registry_stack_changed else 'Already running' }}"
+          - "MinIO: {{ 'Deployed' if minio_stack_changed is defined and minio_stack_changed else 'Already running' }}"
+          - "Gitea: {{ 'Deployed' if gitea_stack_changed is defined and gitea_stack_changed else 'Already running' }}"
+          - "Monitoring: {{ 'Deployed' if monitoring_stack_changed is defined and monitoring_stack_changed else 'Already running' }}"
+          - "Application: {{ 'Deployed' if application_stack_changed is defined and application_stack_changed else 'Already running' }}"
           - ""
           - "Next Steps:"
           - "1. Access Gitea at: https://{{ gitea_domain }}"