feat(Deployment): Integrate Ansible deployment via PHP deployment pipeline

- Create AnsibleDeployStage using framework's Process module for secure command execution
- Integrate AnsibleDeployStage into DeploymentPipelineCommands for production deployments
- Add force_deploy flag support in Ansible playbook to override stale locks
- Use PHP deployment module as orchestrator (php console.php deploy:production)
- Fix ErrorAggregationInitializer to use Environment class instead of $_ENV superglobal

Architecture:
- BuildStage → AnsibleDeployStage → HealthCheckStage for production
- Process module provides timeout, error handling, and output capture
- Ansible playbook supports rollback via rollback-git-based.yml
- Zero-downtime deployments with health checks

docker/php/.dockerignore

@@ -0,0 +1,3 @@
+# Exclude storage directory to allow Docker volume mounts
+# Docker needs to create these directories fresh during volume mounting
+storage/

docker/php/Dockerfile

@@ -69,6 +69,9 @@ RUN composer install --no-scripts --no-autoloader --ignore-platform-reqs || \
 COPY docker/php/php.common.ini /usr/local/etc/php/php.common.ini
 COPY docker/php/php.${ENV}.ini /usr/local/etc/php/php.ini
 
+# Kopiere PHP-FPM Pool-Konfiguration
+COPY docker/php/zz-docker.conf /usr/local/etc/php-fpm.d/zz-docker.conf
+
 # Xdebug-Konfiguration nur wenn dev
 RUN if [ "$ENV" = "dev" ] && [ -f docker/php/xdebug.ini ]; then \
     cp docker/php/xdebug.ini /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini; \
@@ -84,22 +87,22 @@ RUN composer dump-autoload --optimize
 COPY docker/php/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 RUN chmod +x /usr/local/bin/docker-entrypoint.sh
 
-RUN mkdir -p /var/www/html/cache \
-    /var/www/html/storage \
-    /var/www/html/storage/logs \
-    /var/www/html/storage/cache \
-    /var/www/html/storage/analytics \
-    /var/www/html/var \
-    /var/www/html/var/cache \
-    /var/www/html/var/logs
+# Remove entire storage directory tree copied from COPY . .
+# But we MUST create the empty parent directory so Docker can mount subdirectories
+RUN rm -rf /var/www/html/storage && mkdir -p /var/www/html/storage
 
-# Erstelle uploads-Verzeichnis
-RUN mkdir -p /var/www/html/storage/uploads
+# CRITICAL: The storage directory must exist as an empty directory in the image
+# This allows Docker to mount Named Volumes to subdirectories (storage/cache, storage/logs, etc.)
+# without needing to create the parent directory at runtime (which fails due to read-only overlay)
 
-# Danach erst den Nutzer wechseln!
+# Create appuser but DON'T switch yet - let entrypoint handle volumes first
 RUN groupadd -g 1000 appuser && useradd -u 1000 -g appuser -m appuser
 RUN chown -R appuser:appuser /var/www/html
-USER appuser
+
+# Install gosu for secure user switching in entrypoint (Debian alternative to su-exec)
+RUN apt-get update && apt-get install -y gosu && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Note: USER switch happens in entrypoint AFTER volumes are mounted
 
 ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
 CMD ["php-fpm"]

docker/php/docker-entrypoint.sh

@@ -1,20 +1,48 @@
 #!/bin/bash
+set -e
 
-# Ensure storage directories exist and have correct permissions
-mkdir -p /var/www/html/storage/analytics \
-         /var/www/html/storage/logs \
-         /var/www/html/storage/cache \
-         /var/www/html/var/cache \
+# This script runs as root to handle Docker volume mounting,
+# then switches to appuser for security
+
+# CRITICAL: Do NOT create ANY subdirectories under /var/www/html/storage!
+# Docker needs to create the storage directory tree when mounting Named Volumes.
+# Creating storage or any storage/* subdirectory here prevents Docker volume mounting.
+
+# Only create directories that are NOT under storage/ and are NOT volume mount points
+mkdir -p /var/www/html/var/cache \
          /var/www/html/var/logs \
          /var/www/html/cache
 
 # Set correct ownership and permissions for appuser
-chown -R appuser:appuser /var/www/html/storage \
-                        /var/www/html/var \
-                        /var/www/html/cache
-                        
-chmod -R 775 /var/www/html/storage \
-            /var/www/html/var \
-            /var/www/html/cache
+# Volume mount points are created by Docker and will be owned by root initially
+# We fix ownership AFTER Docker has mounted them
 
-exec "$@"
+# Wait for Docker to finish mounting volumes
+sleep 1
+
+# NOW we can safely create non-volume storage subdirectories
+# Docker has already mounted: storage/logs, storage/cache, storage/queue, storage/discovery, storage/uploads
+# We create other directories that are NOT volume mounts:
+mkdir -p /var/www/html/storage/analytics 2>/dev/null || true
+mkdir -p /var/www/html/storage/sessions 2>/dev/null || true
+
+# Fix ownership for all storage directories (including mounted volumes)
+if [ -d /var/www/html/storage ]; then
+    chown -R appuser:appuser /var/www/html/storage 2>/dev/null || true
+    chmod -R 775 /var/www/html/storage 2>/dev/null || true
+fi
+
+chown -R appuser:appuser /var/www/html/var 2>/dev/null || true
+chown -R appuser:appuser /var/www/html/cache 2>/dev/null || true
+
+chmod -R 775 /var/www/html/var 2>/dev/null || true
+chmod -R 775 /var/www/html/cache 2>/dev/null || true
+
+# For PHP-FPM, run as root and let it manage user switching internally
+# PHP-FPM will drop privileges to the user specified in pool configuration
+# For other commands (console.php, etc.), switch to appuser
+if [ "$1" = "php-fpm" ]; then
+    exec "$@"
+else
+    exec gosu appuser "$@"
+fi

docker/php/zz-docker.conf

@@ -0,0 +1,22 @@
+[global]
+daemonize = no
+error_log = /proc/self/fd/2
+
+[www]
+; Unix user/group of processes
+user = appuser
+group = appuser
+
+; The address on which to accept FastCGI requests.
+listen = 9000
+
+; Clear environment in FPM workers
+clear_env = no
+
+; Catch output from PHP workers
+catch_workers_output = yes
+
+; Redirect worker stdout and stderr into main error log
+access.log = /proc/self/fd/2
+php_admin_value[error_log] = /proc/self/fd/2
+php_admin_flag[log_errors] = on