chore: sync staging workspace

deployment/ansible/README.md

@@ -6,21 +6,35 @@ This directory contains Ansible playbooks and configuration for deploying the Cu
 
 ```
 deployment/ansible/
-├── ansible.cfg                 # Ansible configuration
+├── ansible.cfg                   # Ansible configuration
 ├── inventory/
-│   └── production.yml         # Production server inventory
+│   ├── production.yml         # Production server inventory
+│   └── local.yml              # Local testing inventory
 ├── playbooks/
-│   ├── setup-production-secrets.yml  # Deploy secrets
 │   ├── deploy-update.yml            # Deploy application updates
 │   ├── rollback.yml                 # Rollback deployments
+│   ├── setup-infrastructure.yml     # Provision core stacks
+│   ├── setup-production-secrets.yml # Deploy secrets
 │   ├── setup-wireguard.yml          # Setup WireGuard VPN server
 │   ├── add-wireguard-client.yml     # Add WireGuard client
+│   ├── sync-code.yml                # Git-based code sync
 │   └── README-WIREGUARD.md          # WireGuard documentation
+├── scripts/                     # Helper scripts for secrets & credentials
+├── roles/                       # Reusable roles (e.g. application stack)
 ├── secrets/
 │   ├── .gitignore                   # Prevent committing secrets
 │   └── production.vault.yml.example # Example vault file
 └── templates/
-    └── .env.production.j2           # Environment file template
+    ├── application.env.j2          # Application stack environment
+    ├── gitea-app.ini.j2            # Gitea configuration
+    ├── minio.env.j2                # MinIO environment
+    ├── monitoring.env.j2           # Monitoring stack environment
+    ├── wireguard-client.conf.j2    # WireGuard client config
+    └── wireguard-server.conf.j2    # WireGuard server config
+
+## Roles
+
+Stack-spezifische Aufgaben liegen in `roles/` (z. B. `application`, `traefik`, `registry`). Playbooks wie `setup-infrastructure.yml` importieren diese Rollen direkt. Die Application-Rolle kann mit Variablen wie `application_sync_files=false` oder `application_compose_recreate="always"` konfiguriert werden (siehe `playbooks/deploy-update.yml` als Beispiel).
 
 ## Prerequisites
 
@@ -37,6 +51,7 @@ deployment/ansible/
    - Create `.vault_pass` file in `secrets/` directory
    - Add vault password to this file (one line)
    - File is gitignored for security
+   - 📖 **Detaillierte Dokumentation:** [docs/guides/vault-password.md](../docs/guides/vault-password.md)
 
 ## Setup Instructions
 
@@ -66,6 +81,8 @@ echo "your-vault-password-here" > secrets/.vault_pass
 chmod 600 secrets/.vault_pass
 ```
 
+**📖 Für detaillierte Informationen:** Siehe [docs/guides/vault-password.md](../docs/guides/vault-password.md)
+
 ### 3. Configure SSH Key
 
 ```bash
@@ -265,11 +282,12 @@ docker login registry.michaelschiemer.de
 # SSH to production server
 ssh -i ~/.ssh/production deploy@94.16.110.151
 
-# Check Docker service logs
-docker service logs app_app
+# Check Docker Compose service logs
+docker compose -f {{ app_stack_path }}/docker-compose.yml logs app
+docker compose -f {{ app_stack_path }}/docker-compose.yml logs nginx
 
 # Check stack status
-docker stack ps app
+docker compose -f {{ app_stack_path }}/docker-compose.yml ps
 ```
 
 ## CI/CD Integration
@@ -283,19 +301,19 @@ Vault password is stored as Gitea Actions secret: `ANSIBLE_VAULT_PASSWORD`
 
 ## Inventory Variables
 
-All deployment variables are defined in `inventory/production.yml`:
+All zentralen Variablen werden in `group_vars/production.yml` gepflegt und können bei Bedarf im Inventory überschrieben werden. Häufig verwendete Werte:
 
-| Variable | Description | Default |
-|----------|-------------|---------|
-| `docker_registry` | Docker registry URL | registry.michaelschiemer.de |
-| `app_name` | Application name | framework |
-| `app_domain` | Production domain | michaelschiemer.de |
-| `stack_name` | Docker stack name | app |
-| `compose_file` | Docker Compose file path | /home/deploy/docker-compose.prod.yml |
-| `secrets_path` | Secrets directory | /home/deploy/secrets |
-| `backups_path` | Backups directory | /home/deploy/backups |
-| `max_rollback_versions` | Backup retention | 5 |
-| `health_check_url` | Health check endpoint | https://michaelschiemer.de/health |
+| Variable | Beschreibung | Standardwert |
+|----------|--------------|--------------|
+| `deploy_user_home` | Home-Verzeichnis des Deploy-Users | `/home/deploy` |
+| `stacks_base_path` | Basispfad für Docker Compose Stacks | `/home/deploy/deployment/stacks` |
+| `app_stack_path` | Pfad zum Application Stack | `/home/deploy/deployment/stacks/application` |
+| `backups_path` | Ablageort für Deployment-Backups | `/home/deploy/deployment/backups` |
+| `docker_registry` | Interner Registry-Endpunkt (lokal) | `localhost:5000` |
+| `docker_registry_external` | Externer Registry-Endpunkt | `registry.michaelschiemer.de` |
+| `app_domain` | Produktions-Domain | `michaelschiemer.de` |
+| `health_check_url` | Health-Check Endpoint | `https://michaelschiemer.de/health` |
+| `max_rollback_versions` | Anzahl vorgehaltener Backups | `5` |
 
 ## Backup Management