ci: setup CI/CD pipeline with Gitea Actions and secrets configuration

deployment/ansible/playbooks/setup-production-secrets.yml

@@ -0,0 +1,92 @@
+---
+- name: Setup Production Secrets
+  hosts: production
+  gather_facts: yes
+  become: yes
+
+  vars:
+    vault_file: "{{ playbook_dir }}/../secrets/production.vault.yml"
+
+  pre_tasks:
+    - name: Verify vault file exists
+      stat:
+        path: "{{ vault_file }}"
+      register: vault_stat
+      delegate_to: localhost
+      become: no
+
+    - name: Fail if vault file missing
+      fail:
+        msg: "Vault file not found at {{ vault_file }}"
+      when: not vault_stat.stat.exists
+
+  tasks:
+    - name: Detect Docker Swarm mode
+      shell: docker info -f '{{ "{{" }}.Swarm.LocalNodeState{{ "}}" }}'
+      register: swarm_state
+      changed_when: false
+
+    - name: Set fact if swarm is active
+      set_fact:
+        swarm_active: "{{ swarm_state.stdout | lower == 'active' }}"
+
+    - name: Load encrypted secrets
+      include_vars:
+        file: "{{ vault_file }}"
+      no_log: yes
+
+    - name: Ensure secrets directory exists
+      file:
+        path: "{{ secrets_path }}"
+        state: directory
+        owner: "{{ ansible_user }}"
+        group: "{{ ansible_user }}"
+        mode: '0700'
+
+    - name: Create .env.production file
+      template:
+        src: "{{ playbook_dir }}/../templates/.env.production.j2"
+        dest: "{{ secrets_path }}/.env.production"
+        owner: "{{ ansible_user }}"
+        group: "{{ ansible_user }}"
+        mode: '0600'
+      no_log: yes
+
+    - name: Create Docker secrets from vault (disabled for compose-only deployment)
+      docker_secret:
+        name: "{{ item.name }}"
+        data: "{{ item.value }}"
+        state: present
+      loop:
+        - name: db_password
+          value: "{{ vault_db_password }}"
+        - name: redis_password
+          value: "{{ vault_redis_password }}"
+        - name: app_key
+          value: "{{ vault_app_key }}"
+        - name: jwt_secret
+          value: "{{ vault_jwt_secret }}"
+        - name: mail_password
+          value: "{{ vault_mail_password }}"
+      no_log: yes
+      when: false
+
+    - name: Set secure permissions on secrets directory
+      file:
+        path: "{{ secrets_path }}"
+        state: directory
+        owner: "{{ ansible_user }}"
+        group: "{{ ansible_user }}"
+        mode: '0700'
+        recurse: yes
+
+    - name: Verify Docker secrets (skipped)
+      command: docker secret ls --format '{{ "{{" }}.Name{{ "}}" }}'
+      register: docker_secrets
+      changed_when: false
+      when: false
+
+    - name: Display deployed Docker secrets (skipped)
+      debug:
+        msg: "Deployed secrets: {{ docker_secrets.stdout_lines | default([]) }}"
+      when: false