fix: Gitea Traefik routing and connection pool optimization

- Remove middleware reference from Gitea Traefik labels (caused routing issues)
- Optimize Gitea connection pool settings (MAX_IDLE_CONNS=30, authentication_timeout=180s)
- Add explicit service reference in Traefik labels
- Fix intermittent 504 timeouts by improving PostgreSQL connection handling

Fixes Gitea unreachability via git.michaelschiemer.de

deployment/ansible/scripts/add-registry-password-to-vault.sh

@@ -0,0 +1,119 @@
+#!/bin/bash
+# Script to extract registry password from server and add it to vault
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ANSIBLE_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
+VAULT_FILE="$ANSIBLE_DIR/secrets/production.vault.yml"
+VAULT_PASS_FILE="$ANSIBLE_DIR/secrets/.vault_pass"
+
+# Check if vault file exists
+if [ ! -f "$VAULT_FILE" ]; then
+    echo "❌ Vault file not found: $VAULT_FILE"
+    exit 1
+fi
+
+# Check if vault password file exists
+if [ ! -f "$VAULT_PASS_FILE" ]; then
+    echo "❌ Vault password file not found: $VAULT_PASS_FILE"
+    echo "Please create it or use --ask-vault-pass"
+    exit 1
+fi
+
+echo "📋 Extracting registry password from server..."
+echo ""
+
+# Read inventory file to get server connection details
+INVENTORY_FILE="$ANSIBLE_DIR/inventory/production.yml"
+if [ ! -f "$INVENTORY_FILE" ]; then
+    echo "❌ Inventory file not found: $INVENTORY_FILE"
+    exit 1
+fi
+
+# Extract server hostname
+SERVER_HOST=$(grep -E '^[[:space:]]*ansible_host:' "$INVENTORY_FILE" | awk '{print $2}' | head -1)
+DEPLOY_USER=$(grep -E '^[[:space:]]*ansible_user:' "$INVENTORY_FILE" | awk '{print $2}' | head -1 || echo "deploy")
+
+if [ -z "$SERVER_HOST" ]; then
+    echo "❌ Could not determine server hostname from inventory"
+    exit 1
+fi
+
+echo "Server: $SERVER_HOST"
+echo "User: $DEPLOY_USER"
+echo ""
+
+# Try to extract password from registry .env file on server
+REGISTRY_ENV_PATH="/home/$DEPLOY_USER/deployment/stacks/registry/.env"
+
+echo "Attempting to extract password from: $REGISTRY_ENV_PATH"
+echo ""
+
+# Use SSH to read the password (assuming SSH key is configured)
+REGISTRY_PASSWORD=$(ssh "${DEPLOY_USER}@${SERVER_HOST}" "grep '^REGISTRY_AUTH_HTPASSWD_REALM=' $REGISTRY_ENV_PATH 2>/dev/null | cut -d'=' -f2- | head -1" 2>/dev/null || echo "")
+
+if [ -z "$REGISTRY_PASSWORD" ]; then
+    echo "⚠️  Could not extract password from server .env file"
+    echo ""
+    echo "Generating new registry password..."
+    REGISTRY_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-32)
+    echo "Generated password: ${REGISTRY_PASSWORD:0:8}..."
+    echo ""
+    echo "⚠️  Note: This is a NEW password. If the registry is already deployed,"
+    echo "   you may need to update the registry .env file on the server."
+else
+    # Extract username from htpasswd format (username:password)
+    # The format is usually: username:$apr1$salt$hash
+    # We need to extract just the password part
+    echo "✅ Found password in registry .env file"
+    echo "   (Password format: htpasswd hash)"
+    echo ""
+    echo "⚠️  Note: The password in .env is in htpasswd format."
+    echo "   We need the plain password to add to vault."
+    echo ""
+    read -p "Enter the plain registry password (or press Enter to generate new): " REGISTRY_PASSWORD_INPUT
+    
+    if [ -n "$REGISTRY_PASSWORD_INPUT" ]; then
+        REGISTRY_PASSWORD="$REGISTRY_PASSWORD_INPUT"
+    else
+        echo "Generating new registry password..."
+        REGISTRY_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-32)
+        echo "Generated password: ${REGISTRY_PASSWORD:0:8}..."
+    fi
+fi
+
+echo ""
+echo "Adding password to vault file..."
+echo ""
+
+# Check if vault_docker_registry_password already exists
+if ansible-vault view "$VAULT_FILE" --vault-password-file "$VAULT_PASS_FILE" 2>/dev/null | grep -q "vault_docker_registry_password:"; then
+    echo "⚠️  vault_docker_registry_password already exists in vault"
+    read -p "Replace it? (y/N): " REPLACE
+    if [ "$REPLACE" != "y" ] && [ "$REPLACE" != "Y" ]; then
+        echo "Aborted."
+        exit 0
+    fi
+    
+    # Replace existing password
+    ansible-vault view "$VAULT_FILE" --vault-password-file "$VAULT_PASS_FILE" | \
+        sed "s/^vault_docker_registry_password:.*/vault_docker_registry_password: \"$REGISTRY_PASSWORD\"/" | \
+        ansible-vault encrypt --vault-password-file "$VAULT_PASS_FILE" --output "$VAULT_FILE" -
+else
+    # Add new password
+    ansible-vault view "$VAULT_FILE" --vault-password-file "$VAULT_PASS_FILE" | \
+        sed "/^vault_/a vault_docker_registry_password: \"$REGISTRY_PASSWORD\"" | \
+        ansible-vault encrypt --vault-password-file "$VAULT_PASS_FILE" --output "$VAULT_FILE" -
+fi
+
+echo ""
+echo "✅ Password added to vault file!"
+echo ""
+echo "Next steps:"
+echo "1. Verify the password is set:"
+echo "   ansible-vault view $VAULT_FILE --vault-password-file $VAULT_PASS_FILE | grep vault_docker_registry_password"
+echo ""
+echo "2. Re-run the playbook:"
+echo "   ansible-playbook -i inventory/production.yml playbooks/setup-infrastructure.yml --vault-password-file $VAULT_PASS_FILE"
+

deployment/ansible/scripts/init-secrets.sh

@@ -8,6 +8,17 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 ANSIBLE_DIR="$(dirname "$SCRIPT_DIR")"
 SECRETS_DIR="$ANSIBLE_DIR/secrets"
 
+# Helper function to generate random passwords
+generate_password() {
+    local length=${1:-32}
+    openssl rand -base64 "$length" | tr -d "=+/" | cut -c1-"$length"
+}
+
+# Generate base64-encoded 32-byte key for APP_KEY
+generate_app_key() {
+    openssl rand -base64 32
+}
+
 echo "🔐 Ansible Secrets Initialization"
 echo "=================================="
 echo ""
@@ -80,11 +91,56 @@ else
     cp "$SECRETS_DIR/production.vault.yml.example" "$SECRETS_DIR/production.vault.yml"
 
     echo ""
-    echo "⚠️  IMPORTANT: You must edit the vault file and replace all 'change-me' values!"
-    echo ""
-    read -p "Press ENTER to edit the vault file now..."
+    echo "Generating secure passwords for all secrets..."
+    
+    # Generate all passwords
+    DB_PASSWORD=$(generate_password 32)
+    DB_ROOT_PASSWORD=$(generate_password 32)
+    REDIS_PASSWORD=$(generate_password 32)
+    APP_KEY=$(generate_app_key)
+    JWT_SECRET=$(generate_password 32)
+    MAIL_PASSWORD=$(generate_password 24)
+    REGISTRY_PASSWORD=$(generate_password 32)
+    ENCRYPTION_KEY=$(generate_password 32)
+    SESSION_SECRET=$(generate_password 32)
+    GRAFANA_PASSWORD=$(generate_password 24)
+    PROMETHEUS_PASSWORD=$(generate_password 24)
+    MINIO_PASSWORD=$(generate_password 32)
 
-    ${EDITOR:-nano} "$SECRETS_DIR/production.vault.yml"
+    # Replace all placeholders with generated passwords
+    sed -i "s|change-me-secure-db-password|$DB_PASSWORD|g" "$SECRETS_DIR/production.vault.yml"
+    sed -i "s|change-me-secure-root-password|$DB_ROOT_PASSWORD|g" "$SECRETS_DIR/production.vault.yml"
+    sed -i "s|change-me-secure-redis-password|$REDIS_PASSWORD|g" "$SECRETS_DIR/production.vault.yml"
+    sed -i "s|change-me-base64-encoded-32-byte-key|$APP_KEY|g" "$SECRETS_DIR/production.vault.yml"
+    sed -i "s|change-me-jwt-signing-secret|$JWT_SECRET|g" "$SECRETS_DIR/production.vault.yml"
+    sed -i "s|change-me-mail-password|$MAIL_PASSWORD|g" "$SECRETS_DIR/production.vault.yml"
+    sed -i "s|change-me-registry-password|$REGISTRY_PASSWORD|g" "$SECRETS_DIR/production.vault.yml"
+    sed -i "s|change-me-encryption-key|$ENCRYPTION_KEY|g" "$SECRETS_DIR/production.vault.yml"
+    sed -i "s|change-me-session-secret|$SESSION_SECRET|g" "$SECRETS_DIR/production.vault.yml"
+    sed -i "s|change-me-secure-grafana-password|$GRAFANA_PASSWORD|g" "$SECRETS_DIR/production.vault.yml"
+    sed -i "s|change-me-secure-prometheus-password|$PROMETHEUS_PASSWORD|g" "$SECRETS_DIR/production.vault.yml"
+    sed -i "s|change-me-secure-minio-password|$MINIO_PASSWORD|g" "$SECRETS_DIR/production.vault.yml"
+
+    # Replace Git Token placeholder with empty string first (will be set to actual token or stay empty)
+    sed -i "s|change-me-gitea-personal-access-token||g" "$SECRETS_DIR/production.vault.yml"
+    
+    echo "✅ All passwords generated and replaced"
+    echo ""
+
+    # Optional: Ask for Git Token
+    read -p "Do you have a Gitea Personal Access Token? (y/N): " -n 1 -r
+    echo
+    GIT_TOKEN_SET=false
+    if [[ $REPLY =~ ^[Yy]$ ]]; then
+        read -sp "Enter Git Token: " GIT_TOKEN
+        echo
+        # Replace empty value with actual token
+        sed -i "s|vault_git_token: \"\"|vault_git_token: \"$GIT_TOKEN\"|g" "$SECRETS_DIR/production.vault.yml"
+        echo "✅ Git Token set"
+        GIT_TOKEN_SET=true
+    else
+        echo "⚠️  Git Token not set. You can add it later with: ansible-vault edit secrets/production.vault.yml"
+    fi
 
     echo ""
     echo "Encrypting vault file..."
@@ -92,6 +148,34 @@ else
         --vault-password-file "$SECRETS_DIR/.vault_pass"
 
     echo "✅ Production vault file created and encrypted"
+    
+    # Save passwords to file (gitignored) for reference
+    PASSWORDS_FILE="$SECRETS_DIR/.vault-passwords.txt"
+    cat > "$PASSWORDS_FILE" <<EOF
+# Generated passwords for production.vault.yml
+# DO NOT COMMIT THIS FILE!
+# Generated: $(date)
+
+vault_db_password: $DB_PASSWORD
+vault_db_root_password: $DB_ROOT_PASSWORD
+vault_redis_password: $REDIS_PASSWORD
+vault_app_key: $APP_KEY
+vault_jwt_secret: $JWT_SECRET
+vault_mail_password: $MAIL_PASSWORD
+vault_docker_registry_password: $REGISTRY_PASSWORD
+vault_encryption_key: $ENCRYPTION_KEY
+vault_session_secret: $SESSION_SECRET
+vault_grafana_admin_password: $GRAFANA_PASSWORD
+vault_prometheus_password: $PROMETHEUS_PASSWORD
+vault_minio_root_password: $MINIO_PASSWORD
+EOF
+    if [ "$GIT_TOKEN_SET" = true ]; then
+        echo "vault_git_token: $GIT_TOKEN" >> "$PASSWORDS_FILE"
+    else
+        echo "vault_git_token: (not set)" >> "$PASSWORDS_FILE"
+    fi
+    chmod 600 "$PASSWORDS_FILE"
+    echo "✅ Passwords saved to $PASSWORDS_FILE (for reference only - DO NOT COMMIT!)"
 fi
 
 echo ""
@@ -116,7 +200,8 @@ EXAMPLE_VALUES=$(ansible-vault view "$SECRETS_DIR/production.vault.yml" \
 
 if [ "$EXAMPLE_VALUES" -gt 0 ]; then
     echo "⚠️  WARNING: Found $EXAMPLE_VALUES 'change-me' placeholder values!"
-    echo "   You must replace these before deploying to production."
+    echo "   These should have been replaced automatically."
+    echo "   You may need to run the script again or edit manually."
     echo ""
     read -p "Do you want to edit the vault file now? (y/N): " -n 1 -r
     echo
@@ -125,7 +210,7 @@ if [ "$EXAMPLE_VALUES" -gt 0 ]; then
             --vault-password-file "$SECRETS_DIR/.vault_pass"
     fi
 else
-    echo "✅ No placeholder values found"
+    echo "✅ No placeholder values found - all secrets are set"
 fi
 
 echo ""

deployment/ansible/scripts/set-git-credentials.sh

@@ -16,7 +16,7 @@ case $choice in
   1)
     read -p "Enter Gitea Personal Access Token: " token
     ansible production -i inventory/production.yml -m lineinfile \
-      -a "path=~/deployment/stacks/application/.env regexp='^GIT_TOKEN=' line='GIT_TOKEN=$token' state=present" 2>&1
+      -a "path=~/deployment/stacks/production/.env regexp='^GIT_TOKEN=' line='GIT_TOKEN=$token' state=present" 2>&1
     echo "✅ GIT_TOKEN set successfully"
     ;;
   2)
@@ -24,9 +24,9 @@ case $choice in
     read -s -p "Enter Gitea Password: " password
     echo ""
     ansible production -i inventory/production.yml -m lineinfile \
-      -a "path=~/deployment/stacks/application/.env regexp='^GIT_USERNAME=' line='GIT_USERNAME=$username' state=present" 2>&1
+      -a "path=~/deployment/stacks/production/.env regexp='^GIT_USERNAME=' line='GIT_USERNAME=$username' state=present" 2>&1
     ansible production -i inventory/production.yml -m lineinfile \
-      -a "path=~/deployment/stacks/application/.env regexp='^GIT_PASSWORD=' line='GIT_PASSWORD=$password' state=present" 2>&1
+      -a "path=~/deployment/stacks/production/.env regexp='^GIT_PASSWORD=' line='GIT_PASSWORD=$password' state=present" 2>&1
     echo "✅ GIT_USERNAME and GIT_PASSWORD set successfully"
     ;;
   *)