chore: remove test trigger file

deployment/SETUP-GUIDE.md

@@ -22,7 +22,8 @@ This guide walks through the complete setup of production deployment from scratc
 **Development Machine:**
 - ✅ Docker & Docker Compose installed
 - ✅ Ansible installed (`pip install ansible`)
-- ✅ SSH key for production server
+- ✅ SSH key for production server (`~/.ssh/production`)
+- ✅ Git SSH key configured (see Phase 0)
 - ✅ Access to Gitea admin panel
 
 **Production Server (94.16.110.151):**
@@ -33,6 +34,83 @@ This guide walks through the complete setup of production deployment from scratc
 
 ---
 
+## Phase 0: Git Repository SSH Access Setup (Development Machine)
+
+### Step 0.1: Generate Git SSH Key
+
+Create a separate SSH key specifically for Git operations (different from the production server SSH key):
+
+```bash
+# Generate SSH key for Git
+ssh-keygen -t ed25519 -f ~/.ssh/git_michaelschiemer -C "git@michaelschiemer.de" -N ""
+
+# Set correct permissions
+chmod 600 ~/.ssh/git_michaelschiemer
+chmod 644 ~/.ssh/git_michaelschiemer.pub
+```
+
+### Step 0.2: Configure SSH Config
+
+Add Git SSH configuration to `~/.ssh/config`:
+
+```bash
+# Edit SSH config
+nano ~/.ssh/config
+```
+
+Add the following configuration:
+
+```
+Host git.michaelschiemer.de
+    HostName git.michaelschiemer.de
+    Port 2222
+    User git
+    IdentityFile ~/.ssh/git_michaelschiemer
+    StrictHostKeyChecking no
+    UserKnownHostsFile /dev/null
+```
+
+### Step 0.3: Add Public Key to Gitea
+
+1. Display your public key:
+   ```bash
+   cat ~/.ssh/git_michaelschiemer.pub
+   ```
+
+2. Copy the output (starts with `ssh-ed25519 ...`)
+
+3. In Gitea:
+   - Go to **Settings** → **SSH / GPG Keys**
+   - Click **Add Key**
+   - Paste the public key
+   - Click **Add Key**
+
+4. Verify the connection:
+   ```bash
+   ssh -T git@git.michaelschiemer.de
+   ```
+
+   Expected output: `Hi there! You've successfully authenticated...`
+
+### Step 0.4: Update Git Remote (if needed)
+
+If your `origin` remote uses HTTPS, switch it to SSH:
+
+```bash
+# Check current remote URL
+git remote -v
+
+# Update to SSH
+git remote set-url origin git@git.michaelschiemer.de:michael/michaelschiemer.git
+
+# Test push (should work without password prompt)
+git push origin main
+```
+
+**Note**: This SSH key is separate from the production server SSH key (`~/.ssh/production`). The production key is used for Ansible/server access, while the Git key is only for repository operations.
+
+---
+
 ## Phase 1: Gitea Runner Setup (Development Machine)
 
 ### Step 1.1: Get Gitea Registration Token
@@ -233,99 +311,107 @@ ansible-vault view production.vault.yml \
 
 ## Phase 3: Production Server Initial Setup
 
-### Step 3.1: Deploy Infrastructure Stacks
+### Prerequisites
 
-**On Production Server (SSH as deploy user):**
+Before running Phase 3, ensure:
+- ✅ SSH access to production server configured (`~/.ssh/production`)
+- ✅ Repository cloned on production server at `~/deployment/stacks` (or adjust `stacks_base_path` in playbook)
+- ✅ Ansible installed on your development machine: `pip install ansible`
+- ✅ Ansible collections installed: `ansible-galaxy collection install community.docker`
+
+### Step 3.1: Clone Repository on Production Server (if not already done)
+
+**On Production Server:**
 
 ```bash
 # SSH to production server
 ssh deploy@94.16.110.151
 
-# Navigate to stacks directory
-cd ~/deployment/stacks
-
-# Deploy stacks in order
-
-# 1. Traefik (Reverse Proxy & SSL)
-cd traefik
-docker compose up -d
-docker compose logs -f
-# Wait for "Configuration loaded" message
-# Ctrl+C to exit logs
-
-# 2. PostgreSQL (Database)
-cd ../postgresql
-docker compose up -d
-docker compose logs -f
-# Wait for "database system is ready to accept connections"
-# Ctrl+C to exit logs
-
-# 3. Docker Registry (Private Registry)
-cd ../registry
-docker compose up -d
-docker compose logs -f
-# Wait for "listening on [::]:5000"
-# Ctrl+C to exit logs
-
-# 4. Gitea (Git Server + MySQL + Redis)
-cd ../gitea
-docker compose up -d
-docker compose logs -f
-# Wait for "Listen: http://0.0.0.0:3000"
-# Ctrl+C to exit logs
-
-# 5. Monitoring (Portainer + Grafana + Prometheus)
-cd ../monitoring
-docker compose up -d
-docker compose logs -f
-# Wait for all services to start
-# Ctrl+C to exit logs
-
-# Verify all stacks are running
-docker ps
+# Clone repository (if not already present)
+mkdir -p ~/deployment
+cd ~/deployment
+git clone git@git.michaelschiemer.de:michael/michaelschiemer.git . || git clone https://git.michaelschiemer.de/michael/michaelschiemer.git .
 ```
 
-### Step 3.2: Configure Gitea
-
-1. Access Gitea: https://git.michaelschiemer.de
-2. Complete initial setup wizard:
-   - Database: Use MySQL from stack
-   - Admin account: Create admin user
-   - Repository root: `/data/git/repositories`
-   - Enable Actions in admin settings
-
-### Step 3.3: Create Docker Registry User
-
-```bash
-# SSH to production server
-ssh deploy@94.16.110.151
-
-# Create registry htpasswd entry
-cd ~/deployment/stacks/registry
-docker compose exec registry htpasswd -Bbn admin your-registry-password >> auth/htpasswd
-
-# Test login
-docker login git.michaelschiemer.de:5000
-# Username: admin
-# Password: your-registry-password
-```
-
-### Step 3.4: Setup SSH Keys for Ansible
+### Step 3.2: Deploy Infrastructure Stacks with Ansible
 
 **On Development Machine:**
 
 ```bash
-# Generate SSH key if not exists
-ssh-keygen -t ed25519 -f ~/.ssh/production -C "ansible-deploy"
+# Navigate to Ansible directory
+cd deployment/ansible
 
-# Copy public key to production server
-ssh-copy-id -i ~/.ssh/production.pub deploy@94.16.110.151
+# Run infrastructure deployment playbook
+ansible-playbook playbooks/setup-infrastructure.yml \
+  -i inventory/production.yml
 
-# Test SSH connection
-ssh -i ~/.ssh/production deploy@94.16.110.151 "echo 'SSH works!'"
+# The playbook will:
+# 1. Create required Docker networks (traefik-public, app-internal)
+# 2. Deploy Traefik (Reverse Proxy & SSL)
+# 3. Deploy PostgreSQL (Database)
+# 4. Deploy Docker Registry (Private Registry)
+# 5. Deploy Gitea (Git Server + PostgreSQL)
+# 6. Deploy Monitoring (Portainer + Grafana + Prometheus)
+# 7. Wait for all services to be healthy
+# 8. Verify accessibility
 ```
 
-**✅ Checkpoint**: All infrastructure stacks running, SSH access configured
+**Expected output:**
+- ✅ All stacks deployed successfully
+- ✅ All services healthy
+- ✅ Gitea accessible at https://git.michaelschiemer.de
+
+**Note:** If monitoring passwords need to be stored in Vault (recommended for production), add them to `secrets/production.vault.yml`:
+- `vault_grafana_admin_password`
+- `vault_prometheus_password`
+
+Then run the playbook with vault:
+```bash
+ansible-playbook playbooks/setup-infrastructure.yml \
+  -i inventory/production.yml \
+  --vault-password-file secrets/.vault_pass
+```
+
+### Step 3.3: Configure Gitea (Manual Step)
+
+1. Access Gitea: https://git.michaelschiemer.de
+2. Complete initial setup wizard (first-time only):
+   - **Database Type**: PostgreSQL
+   - **Database Host**: `postgres:5432`
+   - **Database User**: `gitea`
+   - **Database Password**: `gitea_password` (or check `deployment/stacks/gitea/docker-compose.yml`)
+   - **Database Name**: `gitea`
+   - **Admin Account**: Create your admin user
+   - **Repository Root**: `/data/git/repositories` (default)
+3. **Enable Actions** (required for Phase 1):
+   - Go to **Site Administration** → **Actions**
+   - Enable **Enable Actions** checkbox
+   - Save settings
+
+### Step 3.4: Verify Docker Registry
+
+The Ansible playbook automatically creates registry authentication. To retrieve credentials:
+
+```bash
+# SSH to production server
+ssh deploy@94.16.110.151
+
+# View registry htpasswd (contains username:password hash)
+cat ~/deployment/stacks/registry/auth/htpasswd
+
+# The default username is 'admin'
+# Password hash can be used to login, or create new user:
+cd ~/deployment/stacks/registry
+docker compose exec registry htpasswd -Bbn <username> <password> >> auth/htpasswd
+docker compose restart registry
+
+# Test login
+docker login registry.michaelschiemer.de
+# Or if using port:
+docker login git.michaelschiemer.de:5000
+```
+
+**✅ Checkpoint**: All infrastructure stacks running, Gitea accessible, Actions enabled
 
 ---