fix: Gitea Traefik routing and connection pool optimization

- Remove middleware reference from Gitea Traefik labels (caused routing issues)
- Optimize Gitea connection pool settings (MAX_IDLE_CONNS=30, authentication_timeout=180s)
- Add explicit service reference in Traefik labels
- Fix intermittent 504 timeouts by improving PostgreSQL connection handling

Fixes Gitea unreachability via git.michaelschiemer.de

scripts/ci/delete-all-workflow-runs.sh

@@ -0,0 +1,169 @@
+#!/bin/bash
+# Script to delete all workflow runs from Gitea repository
+# Usage: ./scripts/delete-all-workflow-runs.sh [GITEA_TOKEN]
+
+set -euo pipefail
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+GITEA_URL="${GITEA_URL:-https://git.michaelschiemer.de}"
+REPO_OWNER="${REPO_OWNER:-michael}"
+REPO_NAME="${REPO_NAME:-michaelschiemer}"
+
+# Try to get token from parameter, env var, CI_TOKEN, or Ansible vault
+if [ -n "${1:-}" ]; then
+    GITEA_TOKEN="$1"
+elif [ -n "${GITEA_TOKEN:-}" ]; then
+    # Token already set
+    :
+elif [ -n "${CI_TOKEN:-}" ]; then
+    GITEA_TOKEN="$CI_TOKEN"
+else
+    # Try to extract from Ansible vault
+    SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+    PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+    VAULT_FILE="$PROJECT_ROOT/deployment/ansible/secrets/production.vault.yml"
+    VAULT_PASS="$PROJECT_ROOT/deployment/ansible/.vault_pass"
+    
+    if [ -f "$VAULT_FILE" ] && command -v ansible-playbook >/dev/null 2>&1; then
+        echo -e "${BLUE}Trying to extract CI_TOKEN from Ansible vault...${NC}"
+        if [ -f "$VAULT_PASS" ]; then
+            TOKEN=$(cd "$PROJECT_ROOT" && ansible localhost -m debug -a "var=vault_git_token" -e "@deployment/ansible/secrets/production.vault.yml" --vault-password-file "$VAULT_PASS" 2>/dev/null | grep -oP "vault_git_token.*\"\K[^\"]+" | head -1 || echo "")
+        else
+            TOKEN=$(cd "$PROJECT_ROOT" && ansible localhost -m debug -a "var=vault_git_token" -e "@deployment/ansible/secrets/production.vault.yml" --ask-vault-pass <<< "" 2>/dev/null | grep -oP "vault_git_token.*\"\K[^\"]+" | head -1 || echo "")
+        fi
+        
+        if [ -n "$TOKEN" ] && [ "$TOKEN" != "null" ] && [ "$TOKEN" != "undefined" ]; then
+            GITEA_TOKEN="$TOKEN"
+            echo -e "${GREEN}? Token extracted from Ansible vault${NC}"
+        fi
+    fi
+fi
+
+echo -e "${BLUE}=== Gitea Workflow Runs Deletion ===${NC}"
+echo ""
+
+# Check if token is provided
+if [ -z "$GITEA_TOKEN" ]; then
+    echo -e "${YELLOW}??  GITEA_TOKEN nicht gesetzt${NC}"
+    echo ""
+    echo "Bitte generiere einen Gitea Access Token:"
+    echo "1. Gehe zu: ${GITEA_URL}/user/settings/applications"
+    echo "2. Klicke 'Generate New Token'"
+    echo "3. Name: z.B. 'delete-workflow-runs'"
+    echo "4. Scopes: 'write:repository' (mindestens)"
+    echo "5. Kopiere den Token"
+    echo ""
+    echo "Dann f?hre aus:"
+    echo "  export GITEA_TOKEN='dein-token'"
+    echo "  ./scripts/delete-all-workflow-runs.sh"
+    echo ""
+    exit 1
+fi
+
+# Function to get all workflow runs
+get_workflow_runs() {
+    local page="${1:-1}"
+    local per_page="${2:-100}"
+    
+    curl -s \
+        -H "Authorization: token ${GITEA_TOKEN}" \
+        -H "Accept: application/json" \
+        "${GITEA_URL}/api/v1/repos/${REPO_OWNER}/${REPO_NAME}/actions/runs?page=${page}&limit=${per_page}"
+}
+
+# Function to delete a workflow run
+delete_workflow_run() {
+    local run_id=$1
+    
+    local response=$(curl -s -w "\n%{http_code}" \
+        -X DELETE \
+        -H "Authorization: token ${GITEA_TOKEN}" \
+        "${GITEA_URL}/api/v1/repos/${REPO_OWNER}/${REPO_NAME}/actions/runs/${run_id}")
+    
+    local http_code=$(echo "$response" | tail -n1)
+    local body=$(echo "$response" | sed '$d')
+    
+    if [ "$http_code" = "204" ] || [ "$http_code" = "200" ]; then
+        return 0
+    else
+        echo -e "${RED}? FAILED (HTTP $http_code)${NC}"
+        echo "Response: $body"
+        return 1
+    fi
+}
+
+echo "Repository: ${REPO_OWNER}/${REPO_NAME}"
+echo "Gitea URL: ${GITEA_URL}"
+echo ""
+
+# Fetch all workflow runs
+echo -e "${BLUE}Fetching workflow runs...${NC}"
+all_runs=""
+page=1
+total_deleted=0
+
+while true; do
+    echo -n "Loading page ${page}... "
+    runs_data=$(get_workflow_runs "$page" 100)
+    
+    # Check if we got any runs
+    if ! echo "$runs_data" | grep -q "\"workflow_runs\""; then
+        echo "no more runs"
+        break
+    fi
+    
+    # Extract run IDs using jq if available, otherwise use grep/sed
+    if command -v jq >/dev/null 2>&1; then
+        run_ids=$(echo "$runs_data" | jq -r '.workflow_runs[]?.id // empty' 2>/dev/null || echo "")
+        total_count=$(echo "$runs_data" | jq -r '.total_count // 0' 2>/dev/null || echo "0")
+    else
+        # Fallback: extract IDs with grep/sed
+        run_ids=$(echo "$runs_data" | grep -o '"id":[0-9]*' | grep -o '[0-9]*' || echo "")
+        total_count=$(echo "$runs_data" | grep -o '"total_count":[0-9]*' | grep -o '[0-9]*' | head -1 || echo "0")
+    fi
+    
+    if [ -z "$run_ids" ]; then
+        echo "no runs found"
+        break
+    fi
+    
+    run_count=$(echo "$run_ids" | wc -l)
+    echo "${run_count} runs found"
+    
+    # Delete each run
+    for run_id in $run_ids; do
+        if [ -n "$run_id" ] && [ "$run_id" != "null" ]; then
+            echo -n "  Deleting run ${run_id}... "
+            if delete_workflow_run "$run_id"; then
+                echo -e "${GREEN}?${NC}"
+                total_deleted=$((total_deleted + 1))
+            else
+                echo -e "${RED}?${NC}"
+            fi
+        fi
+    done
+    
+    # Check if there are more pages
+    if command -v jq >/dev/null 2>&1; then
+        has_more=$(echo "$runs_data" | jq -r 'if .workflow_runs | length > 0 then true else false end' 2>/dev/null || echo "false")
+    else
+        has_more=$(echo "$runs_data" | grep -q '"workflow_runs"' && echo "true" || echo "false")
+    fi
+    
+    if [ "$has_more" != "true" ] || [ "$run_count" -eq 0 ]; then
+        break
+    fi
+    
+    page=$((page + 1))
+done
+
+echo ""
+echo -e "${GREEN}=== Deletion Complete ===${NC}"
+echo -e "Total runs deleted: ${total_deleted}"
+echo ""

scripts/ci/extract-ci-token.yml

@@ -0,0 +1,11 @@
+---
+- hosts: localhost
+  connection: local
+  gather_facts: no
+  vars_files:
+    - deployment/ansible/secrets/production.vault.yml
+  tasks:
+    - name: Extract CI_TOKEN
+      debug:
+        msg: "{{ vault_git_token }}"
+      no_log: false

scripts/ci/get-ci-token-from-vault.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+# Script to extract CI_TOKEN (vault_git_token) from Ansible Vault
+# Usage: ./scripts/get-ci-token-from-vault.sh
+
+set -e
+
+VAULT_FILE="deployment/ansible/secrets/production.vault.yml"
+VAULT_PASS_FILE="deployment/ansible/.vault_pass"
+
+# Check if vault file exists
+if [ ! -f "$VAULT_FILE" ]; then
+    echo "Error: Vault file not found at $VAULT_FILE"
+    exit 1
+fi
+
+# Try to extract token
+if [ -f "$VAULT_PASS_FILE" ]; then
+    # Use vault password file
+    TOKEN=$(ansible-vault view "$VAULT_FILE" --vault-password-file "$VAULT_PASS_FILE" 2>/dev/null | grep "vault_git_token:" | cut -d'"' -f2 || echo "")
+elif command -v ansible-playbook >/dev/null 2>&1; then
+    # Try with ansible-playbook
+    TOKEN=$(cd deployment/ansible && ansible-playbook -i localhost, -c local /dev/stdin --vault-password-file .vault_pass 2>/dev/null <<EOF || echo ""
+---
+- hosts: localhost
+  gather_facts: no
+  vars_files:
+    - secrets/production.vault.yml
+  tasks:
+    - debug:
+        var: vault_git_token
+EOF
+)
+    TOKEN=$(echo "$TOKEN" | grep -oP "vault_git_token.*:\s*\K[^\s]+" || echo "")
+else
+    echo "Error: Cannot extract token. Please provide vault password manually or set GITEA_TOKEN directly."
+    exit 1
+fi
+
+if [ -n "$TOKEN" ] && [ "$TOKEN" != "null" ] && [ "$TOKEN" != "undefined" ]; then
+    echo "$TOKEN"
+else
+    echo "Error: Could not extract token from vault"
+    exit 1
+fi