fix: Gitea Traefik routing and connection pool optimization

- Remove middleware reference from Gitea Traefik labels (caused routing issues)
- Optimize Gitea connection pool settings (MAX_IDLE_CONNS=30, authentication_timeout=180s)
- Add explicit service reference in Traefik labels
- Fix intermittent 504 timeouts by improving PostgreSQL connection handling

Fixes Gitea unreachability via git.michaelschiemer.de

deployment/stacks/traefik/README.md

@@ -11,10 +11,9 @@ Traefik acts as the central reverse proxy for all services, handling:
 
 ## Services
 
-- **traefik.michaelschiemer.de** - Traefik Dashboard (VPN-only + BasicAuth protected)
-  - ?? **Nur ?ber WireGuard VPN erreichbar** (10.8.0.0/24)
-  - Zus?tzlich durch BasicAuth gesch?tzt
-  - ?ffentlicher Zugriff ist blockiert
+- **traefik.michaelschiemer.de** - Traefik Dashboard (BasicAuth protected)
+  - Protected by BasicAuth authentication
+  - Accessible via HTTPS with Let's Encrypt certificate
 
 ## Local Development
 
@@ -33,7 +32,8 @@ docker compose -f docker-compose.local.yml up -d
 # Check logs
 docker compose -f docker-compose.local.yml logs -f
 
-# Access dashboard at http://localhost:8080/dashboard/
+# Access dashboard at http://localhost:8093/dashboard/
+# Note: Dashboard is served on the API port (8093) when api.insecure=true
 ```
 
 ### Local Development Configuration
@@ -41,11 +41,12 @@ docker compose -f docker-compose.local.yml logs -f
 The local configuration (`docker-compose.local.yml` and `traefik.local.yml`) differs from production:
 
 - **Bridge network** instead of `host` mode (avoids port conflicts)
-- **Port mappings**: `8080:80` only (HTTP-only for local development)
+- **Port mappings**: `8081:80` (HTTP) and `8093:8080` (API/Dashboard)
    - Note: HTTPS not needed locally - avoids port conflicts with web container (8443:443)
 - **HTTP-only** (no ACME/Let's Encrypt) for local development
-- **Dashboard**: Accessible at `http://localhost:8080/dashboard/` (HTTP, no authentication)
-   - Also available: `http://localhost:8080/api/rawdata` and `http://localhost:8080/api/http/routers`
+- **Dashboard**: Accessible at `http://localhost:8093/dashboard/` (HTTP, no authentication)
+   - Also available: `http://localhost:8093/api/rawdata` and `http://localhost:8093/api/http/routers`
+   - Note: Dashboard is served on the API port (8093) when `api.insecure=true` in `traefik.local.yml`
 - **No `acme.json`** required
 - **Console logging** (human-readable) instead of JSON file logs
 
@@ -53,18 +54,18 @@ The local configuration (`docker-compose.local.yml` and `traefik.local.yml`) dif
 
 | Feature | Local (`docker-compose.local.yml`) | Production (`docker-compose.yml`) |
 |---------|-----------------------------------|----------------------------------|
-| Network Mode | Bridge | Host |
-| Ports | 8080:80 (HTTP only) | Direct binding (80, 443) |
+| Network Mode | Bridge | Bridge |
+| Ports | 8081:80, 8093:8080 (HTTP only) | 80:80, 443:443, 2222:2222 |
 | SSL/TLS | HTTP-only | HTTPS with Let's Encrypt |
-| Dashboard | `http://localhost:8080/dashboard/` | `https://traefik.michaelschiemer.de` |
-| Authentication | None (local dev) | VPN + BasicAuth |
+| Dashboard | `http://localhost:8093/dashboard/` | `https://traefik.michaelschiemer.de` |
+| Authentication | None (local dev) | BasicAuth |
 | Logging | Console (human-readable) | JSON files |
 | ACME | Disabled | Enabled |
 
 ### Troubleshooting Local Development
 
 **Container restarts in loop:**
-- Check if port 8080 is already in use: `netstat -tlnp | grep ':8080' || ss -tlnp | grep ':8080'`
+- Check if ports 8081 or 8093 are already in use: `netstat -tlnp | grep -E ':(8081|8093)' || ss -tlnp | grep -E ':(8081|8093)'`
 - Verify Docker network exists: `docker network ls | grep traefik-public`
 - Check logs: `docker compose -f docker-compose.local.yml logs -f traefik`
 

deployment/stacks/traefik/docker-compose.local.yml

@@ -3,7 +3,7 @@
 #
 # This configuration is optimized for local development:
 # - Bridge network instead of host mode
-# - Port mapping: 8080:80 (HTTP only - HTTPS not needed for local dev)
+# - Port mappings: 8081:80 (HTTP) and 8093:8080 (API/Dashboard)
 #   Note: 8443:443 is used by the web container, and we don't need HTTPS for Traefik locally
 # - No ACME/Let's Encrypt (HTTP-only)
 # - Simplified healthcheck
@@ -24,6 +24,9 @@ services:
       - "8093:8080" # Traefik API entrypoint (for api.insecure=true dashboard)
     environment:
       - TZ=Europe/Berlin
+    command:
+      # Load static configuration file
+      - "--configFile=/traefik.yml"
     volumes:
       # Docker socket for service discovery
       - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -42,10 +45,8 @@ services:
       # For now, we'll try without labels and see if api.insecure=true works directly.
       - "traefik.enable=true"
     healthcheck:
-      # Use wget or curl to check Traefik ping endpoint
-      # The ping endpoint is configured in traefik.local.yml on the 'web' entrypoint
-      # Try ping endpoint first, if that fails, try API endpoint
-      test: ["CMD-SHELL", "wget --quiet --spider http://localhost:80/ping || wget --quiet --spider http://localhost:80/api/rawdata || exit 1"]
+      # Use Traefik's built-in healthcheck command (works in minimal image)
+      test: ["CMD", "traefik", "healthcheck", "--ping"]
       interval: 30s
       timeout: 10s
       retries: 3

deployment/stacks/traefik/dynamic/gitea-router.yml

@@ -0,0 +1,17 @@
+# Gitea Router Configuration
+# Router definition for Gitea using File Provider
+
+http:
+  routers:
+    gitea:
+      rule: Host(`git.michaelschiemer.de`)
+      entryPoints:
+        - websecure
+      service: gitea
+      tls:
+        certResolver: letsencrypt
+      middlewares:
+        - security-headers-global
+        - gzip-compression
+      priority: 100
+

deployment/stacks/traefik/dynamic/gitea-ssh.yml

@@ -1,5 +1,7 @@
 # TCP Router Configuration for Gitea SSH
 # Routes SSH traffic on port 2222 to Gitea container
+# Note: Gitea SSH is handled via port mapping in docker-compose.yml
+# This file is kept for reference but may not be needed
 
 tcp:
   routers:
@@ -13,8 +15,5 @@ tcp:
     gitea-ssh-service:
       loadBalancer:
         servers:
-          # Gitea container SSH service
-          # Note: Using container IP from gitea_gitea-internal network
-          # Traefik runs in host network mode, so we need the actual container IP
-          # IP address: 172.23.0.3 (gitea_gitea-internal network)
-          - address: "172.23.0.3:22"
+          # Use container name in bridge network mode
+          - address: "gitea:22"

deployment/stacks/traefik/dynamic/gitea.yml

@@ -1,20 +0,0 @@
-# Gitea configuration is now handled via Docker labels in docker-compose.yml
-# This file is kept for reference but is not used
-# Traefik will automatically discover Gitea via Docker labels and use the container IP
-# when running in host network mode
-#
-# http:
-#   routers:
-#     gitea:
-#       rule: Host(`git.michaelschiemer.de`)
-#       entrypoints:
-#         - websecure
-#       service: gitea
-#       tls:
-#         certResolver: letsencrypt
-#       priority: 100
-#   services:
-#     gitea:
-#       loadBalancer:
-#         servers:
-#           - url: http://gitea:3000

deployment/stacks/traefik/dynamic/middlewares.yml

@@ -43,14 +43,6 @@ http:
         average: 200
         burst: 100
         period: 1s
-
-    # IP whitelist for admin services (example)
-    # Uncomment and adjust for production
-    # admin-whitelist:
-    #   ipWhiteList:
-    #     sourceRange:
-    #       - "127.0.0.1/32"
-    #       - "10.0.0.0/8"
     
     # Chain multiple middlewares
     default-chain:
@@ -65,4 +57,3 @@ http:
           - security-headers-global
           - gzip-compression
           - rate-limit-strict
-          # - admin-whitelist  # Uncomment for IP whitelisting