fix: DockerSecretsResolver - don't normalize absolute paths like /var/www/html/...

2025-11-24 21:28:25 +01:00
parent 4eb7134853
commit 77abc65cd7
1327 changed files with 91915 additions and 9909 deletions
--- a/deployment/infrastructure/README.md
+++ b/deployment/infrastructure/README.md
@@ -0,0 +1,122 @@
+# Infrastructure Layer
+
+Dieses Verzeichnis enthält die Infrastruktur-Stacks, die dauerhaft laufen und unabhängig von Application-Deployments sind.
+
+## Übersicht
+
+Die Infrastruktur besteht aus drei Core-Komponenten:
+
+1. **Traefik** - Reverse Proxy mit SSL-Zertifikaten
+2. **Gitea** - Git Server mit eigener PostgreSQL-Instanz
+3. **PostgreSQL** - Shared Database für Application-Stacks
+
+## Verzeichnisstruktur
+
+```
+infrastructure/
+├── traefik/              # Reverse Proxy & SSL
+│   ├── docker-compose.yml
+│   ├── secrets/
+│   └── README.md
+├── gitea/                # Git Server
+│   ├── docker-compose.yml
+│   ├── secrets/
+│   └── README.md
+├── postgresql/           # Shared Database
+│   ├── docker-compose.yml
+│   ├── secrets/
+│   └── README.md
+└── README.md (dieses Dokument)
+```
+
+## Deployment-Reihenfolge
+
+**Wichtig:** Die Stacks müssen in dieser Reihenfolge deployt werden:
+
+1. **Traefik** (muss zuerst laufen)
+2. **PostgreSQL** (wird von Application benötigt)
+3. **Gitea** (nutzt Traefik für SSL)
+
+## Quick Start
+
+### Initial Setup
+
+```bash
+# 1. Traefik deployen
+cd traefik
+docker compose up -d
+
+# 2. PostgreSQL deployen
+cd ../postgresql
+docker compose up -d
+
+# 3. Gitea deployen
+cd ../gitea
+docker compose up -d
+```
+
+### Updates
+
+```bash
+# Einzelnen Stack updaten
+cd <stack-name>
+docker compose pull
+docker compose up -d
+
+# Alle Stacks updaten
+./deploy.sh all
+```
+
+## Networks
+
+Die Infrastruktur verwendet folgende Networks:
+
+- **traefik-public** - Wird von Traefik erstellt, für externe Zugriffe
+- **infrastructure** - Für interne Infrastruktur-Kommunikation (Gitea ↔ PostgreSQL)
+- **app-internal** - Wird von PostgreSQL erstellt, für Application-Zugriff
+
+## Secrets
+
+Secrets werden in `secrets/` Verzeichnissen pro Stack gespeichert:
+
+- `traefik/secrets/acme_email.txt` - Let's Encrypt E-Mail
+- `gitea/secrets/postgres_password.txt` - Gitea PostgreSQL Passwort
+- `postgresql/secrets/postgres_password.txt` - Application PostgreSQL Passwort
+
+**Wichtig:** Secrets-Dateien sind gitignored und müssen manuell erstellt werden.
+
+Siehe `SECRETS.md` für Details zur Secrets-Generierung.
+
+## Troubleshooting
+
+### Traefik nicht erreichbar
+
+```bash
+cd traefik
+docker compose logs -f
+docker compose ps
+```
+
+### PostgreSQL-Verbindungsprobleme
+
+```bash
+cd postgresql
+docker compose logs postgres
+docker network inspect app-internal
+```
+
+### Gitea nicht erreichbar
+
+```bash
+cd gitea
+docker compose logs -f gitea
+docker compose ps
+```
+
+## Weitere Dokumentation
+
+- [Traefik Stack](traefik/README.md)
+- [Gitea Stack](gitea/README.md)
+- [PostgreSQL Stack](postgresql/README.md)
+- [Secrets Management](SECRETS.md)
+
--- a/deployment/infrastructure/SECRETS.md
+++ b/deployment/infrastructure/SECRETS.md
@@ -0,0 +1,122 @@
+# Secrets Management
+
+Anleitung zur Verwaltung von Secrets für die Infrastruktur-Stacks.
+
+## Übersicht
+
+Secrets werden als Dateien in `secrets/` Verzeichnissen pro Stack gespeichert und via Docker Secrets in Container eingebunden.
+
+## Secrets-Struktur
+
+```
+infrastructure/
+├── traefik/secrets/
+│   └── acme_email.txt
+├── gitea/secrets/
+│   ├── postgres_password.txt
+│   └── redis_password.txt
+└── postgresql/secrets/
+    └── postgres_password.txt
+```
+
+## Secrets-Generierung
+
+### Passwort-Generierung
+
+```bash
+# Sichere Passwort-Generierung (32 Bytes, Base64)
+openssl rand -base64 32 > secrets/password.txt
+chmod 600 secrets/password.txt
+```
+
+### E-Mail für Let's Encrypt
+
+```bash
+# Traefik ACME E-Mail
+echo "your-email@example.com" > traefik/secrets/acme_email.txt
+chmod 600 traefik/secrets/acme_email.txt
+```
+
+## Setup pro Stack
+
+### Traefik
+
+```bash
+cd traefik
+echo "your-email@example.com" > secrets/acme_email.txt
+chmod 600 secrets/acme_email.txt
+```
+
+### Gitea
+
+```bash
+cd gitea
+openssl rand -base64 32 > secrets/postgres_password.txt
+openssl rand -base64 32 > secrets/redis_password.txt
+chmod 600 secrets/*.txt
+```
+
+### PostgreSQL
+
+```bash
+cd postgresql
+openssl rand -base64 32 > secrets/postgres_password.txt
+chmod 600 secrets/postgres_password.txt
+```
+
+## Sicherheitsrichtlinien
+
+1. **Nie committen:** Secrets-Dateien sind gitignored
+2. **Sichere Berechtigungen:** Immer `chmod 600` für Secrets-Dateien
+3. **Rotation:** Passwörter regelmäßig rotieren (empfohlen: alle 90 Tage)
+4. **Backup:** Secrets sicher aufbewahren (verschlüsselt)
+
+## Secrets-Rotation
+
+### Passwort ändern
+
+1. Neues Passwort generieren
+2. Passwort in Secrets-Datei aktualisieren
+3. Stack neu starten: `docker compose restart`
+4. Services aktualisieren, die das Passwort nutzen
+
+**Beispiel (PostgreSQL):**
+```bash
+# Neues Passwort generieren
+openssl rand -base64 32 > secrets/postgres_password.txt.new
+
+# Passwort in Datenbank ändern
+docker compose exec postgres psql -U postgres -c "ALTER USER postgres WITH PASSWORD '$(cat secrets/postgres_password.txt.new)';"
+
+# Secrets-Datei aktualisieren
+mv secrets/postgres_password.txt.new secrets/postgres_password.txt
+
+# Stack neu starten
+docker compose restart
+```
+
+## Backup von Secrets
+
+**Wichtig:** Secrets müssen sicher gesichert werden!
+
+```bash
+# Secrets verschlüsselt sichern (z.B. mit GPG)
+tar czf secrets-backup.tar.gz infrastructure/*/secrets/
+gpg -c secrets-backup.tar.gz
+rm secrets-backup.tar.gz
+
+# Oder mit Ansible Vault
+ansible-vault encrypt secrets-backup.tar.gz
+```
+
+## Wiederherstellung
+
+```bash
+# Secrets aus Backup wiederherstellen
+gpg -d secrets-backup.tar.gz.gpg | tar xzf -
+# Oder
+ansible-vault decrypt secrets-backup.tar.gz
+tar xzf secrets-backup.tar.gz
+chmod 600 infrastructure/*/secrets/*
+```
+
--- a/deployment/infrastructure/deploy.sh
+++ b/deployment/infrastructure/deploy.sh
@@ -0,0 +1,136 @@
+#!/bin/bash
+# ==============================================================================
+# Infrastructure Deployment Script
+# ==============================================================================
+# Deploys individual infrastructure stacks (traefik, gitea, postgresql)
+# Usage: ./deploy.sh <stack-name> [all]
+# ==============================================================================
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+cd "$SCRIPT_DIR"
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Function to print colored output
+print_info() {
+    echo -e "${BLUE}ℹ${NC} $1"
+}
+
+print_success() {
+    echo -e "${GREEN}✅${NC} $1"
+}
+
+print_warning() {
+    echo -e "${YELLOW}⚠️${NC} $1"
+}
+
+print_error() {
+    echo -e "${RED}❌${NC} $1"
+}
+
+# Function to deploy a stack
+deploy_stack() {
+    local stack_name=$1
+    local stack_dir="$SCRIPT_DIR/$stack_name"
+    
+    if [ ! -d "$stack_dir" ]; then
+        print_error "Stack '$stack_name' not found in $stack_dir"
+        return 1
+    fi
+    
+    print_info "Deploying stack: $stack_name"
+    cd "$stack_dir"
+    
+    # Check if secrets exist
+    if [ -d "secrets" ]; then
+        local missing_secrets=()
+        for secret_file in secrets/*.txt; do
+            if [ ! -f "$secret_file" ]; then
+                missing_secrets+=("$secret_file")
+            fi
+        done
+        
+        if [ ${#missing_secrets[@]} -gt 0 ]; then
+            print_warning "Some secrets are missing. Please create them first."
+            print_info "See SECRETS.md for instructions."
+            return 1
+        fi
+    fi
+    
+    # Pull latest images
+    print_info "Pulling latest images..."
+    docker compose pull || print_warning "Failed to pull images, continuing..."
+    
+    # Deploy stack
+    print_info "Starting stack..."
+    docker compose up -d
+    
+    # Wait for services to be healthy
+    print_info "Waiting for services to be healthy..."
+    sleep 5
+    
+    # Check service status
+    print_info "Checking service status..."
+    docker compose ps
+    
+    print_success "Stack '$stack_name' deployed successfully"
+}
+
+# Function to create required networks
+create_networks() {
+    print_info "Creating required networks..."
+    
+    # Create infrastructure network if it doesn't exist
+    if ! docker network ls | grep -q "infrastructure"; then
+        print_info "Creating infrastructure network..."
+        docker network create infrastructure
+        print_success "Infrastructure network created"
+    else
+        print_info "Infrastructure network already exists"
+    fi
+    
+    # traefik-public network will be created by Traefik stack
+    # app-internal network will be created by PostgreSQL stack
+}
+
+# Main execution
+main() {
+    local stack_name=$1
+    
+    if [ -z "$stack_name" ]; then
+        print_error "Usage: $0 <stack-name> [all]"
+        print_info "Available stacks: traefik, gitea, postgresql"
+        print_info "Use 'all' to deploy all stacks in correct order"
+        exit 1
+    fi
+    
+    if [ "$stack_name" = "all" ]; then
+        print_info "Deploying all infrastructure stacks..."
+        create_networks
+        
+        # Deploy in correct order
+        deploy_stack "traefik"
+        sleep 5
+        
+        deploy_stack "postgresql"
+        sleep 5
+        
+        deploy_stack "gitea"
+        
+        print_success "All infrastructure stacks deployed successfully"
+    else
+        create_networks
+        deploy_stack "$stack_name"
+    fi
+}
+
+# Run main function
+main "$@"
+
--- a/deployment/infrastructure/gitea/README.md
+++ b/deployment/infrastructure/gitea/README.md
@@ -0,0 +1,105 @@
+# Gitea Stack
+
+Self-hosted Git Server mit PostgreSQL Backend und Redis Cache.
+
+## Features
+
+- Gitea Git Server
+- PostgreSQL 16 als Datenbank-Backend
+- Redis 7 für Cache und Sessions
+- Traefik Integration für SSL
+- Persistent Volumes für Daten
+
+## Voraussetzungen
+
+- Traefik Stack muss laufen (für SSL)
+- Infrastructure Network muss existieren
+- DNS-Eintrag für `git.michaelschiemer.de`
+
+## Setup
+
+### 1. Infrastructure Network erstellen
+
+```bash
+docker network create infrastructure
+```
+
+### 2. Secrets erstellen
+
+```bash
+# PostgreSQL Passwort für Gitea
+openssl rand -base64 32 > secrets/postgres_password.txt
+chmod 600 secrets/postgres_password.txt
+
+# Redis Passwort
+openssl rand -base64 32 > secrets/redis_password.txt
+chmod 600 secrets/redis_password.txt
+```
+
+### 3. Stack deployen
+
+```bash
+docker compose up -d
+```
+
+### 4. Initial Setup
+
+Nach dem ersten Start:
+1. Öffne https://git.michaelschiemer.de
+2. Führe das Initial Setup durch
+3. Erstelle Admin-User
+
+## Networks
+
+**traefik-public:**
+- Externes Network (von Traefik erstellt)
+- Für externe Zugriffe via Traefik
+
+**infrastructure:**
+- Externes Network (muss vorher erstellt werden)
+- Für interne Kommunikation zwischen Gitea, PostgreSQL und Redis
+
+## Volumes
+
+- `gitea-data` - Gitea-Daten (Repositories, Konfiguration)
+- `gitea-postgres-data` - PostgreSQL-Daten für Gitea
+- `gitea-redis-data` - Redis-Daten für Gitea
+
+## Konfiguration
+
+Gitea-Konfiguration wird in `/data/gitea/conf/app.ini` gespeichert.
+
+Für Änderungen:
+```bash
+docker compose exec gitea vi /data/gitea/conf/app.ini
+docker compose restart gitea
+```
+
+## Troubleshooting
+
+### Gitea startet nicht
+
+```bash
+# Logs prüfen
+docker compose logs -f gitea
+
+# PostgreSQL-Verbindung prüfen
+docker compose exec postgres pg_isready -U gitea
+```
+
+### SSL-Zertifikat wird nicht erstellt
+
+1. Prüfe Traefik-Logs
+2. Prüfe DNS-Eintrag für `git.michaelschiemer.de`
+3. Prüfe Traefik Labels
+
+### Redis-Verbindungsprobleme
+
+```bash
+# Redis-Logs prüfen
+docker compose logs redis
+
+# Redis-Verbindung testen
+docker compose exec redis redis-cli -a $(cat secrets/redis_password.txt) ping
+```
+
--- a/deployment/infrastructure/gitea/docker-compose.yml
+++ b/deployment/infrastructure/gitea/docker-compose.yml
@@ -0,0 +1,120 @@
+services:
+  gitea:
+    image: gitea/gitea:latest
+    container_name: gitea
+    restart: unless-stopped
+    depends_on:
+      postgres:
+        condition: service_healthy
+      redis:
+        condition: service_started
+    networks:
+      - traefik-public
+      - infrastructure
+    environment:
+      - TZ=Europe/Berlin
+      - USER_UID=1000
+      - USER_GID=1000
+      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
+    volumes:
+      - gitea-data:/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    secrets:
+      - postgres_password
+    labels:
+      - "traefik.enable=true"
+      
+      # HTTP Router configuration
+      - "traefik.http.routers.gitea.rule=Host(`git.michaelschiemer.de`)"
+      - "traefik.http.routers.gitea.entrypoints=websecure"
+      - "traefik.http.routers.gitea.tls=true"
+      - "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.gitea.priority=100"
+      
+      # Service configuration
+      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
+      
+      # X-Forwarded-Proto header
+      - "traefik.http.middlewares.gitea-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
+      - "traefik.http.routers.gitea.middlewares=gitea-headers@docker"
+      - "traefik.http.routers.gitea.service=gitea"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3000/api/healthz"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+
+  postgres:
+    image: postgres:16-alpine
+    container_name: gitea-postgres
+    restart: unless-stopped
+    networks:
+      - infrastructure
+    environment:
+      - TZ=Europe/Berlin
+      - POSTGRES_DB=gitea
+      - POSTGRES_USER=gitea
+      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
+    command: >
+      postgres
+      -c max_connections=300
+      -c authentication_timeout=180
+      -c statement_timeout=30000
+      -c idle_in_transaction_session_timeout=30000
+    volumes:
+      - gitea-postgres-data:/var/lib/postgresql/data
+    secrets:
+      - postgres_password
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U gitea -d gitea"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+
+  redis:
+    image: redis:7-alpine
+    container_name: gitea-redis
+    restart: unless-stopped
+    networks:
+      - infrastructure
+    environment:
+      - TZ=Europe/Berlin
+    command: >
+      redis-server
+      --appendonly yes
+      --maxmemory 512mb
+      --maxmemory-policy allkeys-lru
+    volumes:
+      - gitea-redis-data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+
+networks:
+  traefik-public:
+    external: true
+    name: traefik-public
+  infrastructure:
+    external: true
+    name: infrastructure
+
+volumes:
+  gitea-data:
+    name: gitea-data
+  gitea-postgres-data:
+    name: gitea-postgres-data
+  gitea-redis-data:
+    name: gitea-redis-data
+
+secrets:
+  postgres_password:
+    file: ./secrets/postgres_password.txt
+  redis_password:
+    file: ./secrets/redis_password.txt
+
--- a/deployment/infrastructure/postgresql/README.md
+++ b/deployment/infrastructure/postgresql/README.md
@@ -0,0 +1,114 @@
+# PostgreSQL Stack
+
+Shared PostgreSQL-Datenbank für Application-Stacks (Staging und Production).
+
+## Features
+
+- PostgreSQL 16 für Application-Datenbank
+- Automatische Backups (täglich um 2 Uhr)
+- Backup-Retention (7 Tage)
+- Health Checks
+- Optimierte Performance-Konfiguration
+
+## Voraussetzungen
+
+- Infrastructure Network muss existieren
+- App-Internal Network wird von diesem Stack erstellt
+
+## Setup
+
+### 1. Infrastructure Network erstellen
+
+```bash
+docker network create infrastructure
+```
+
+### 2. Secrets erstellen
+
+```bash
+# PostgreSQL Passwort
+openssl rand -base64 32 > secrets/postgres_password.txt
+chmod 600 secrets/postgres_password.txt
+```
+
+### 3. Stack deployen
+
+```bash
+docker compose up -d
+```
+
+### 4. Datenbanken erstellen
+
+```bash
+# Staging-Datenbank erstellen
+docker compose exec postgres psql -U postgres -c "CREATE DATABASE michaelschiemer_staging;"
+
+# Production-Datenbank existiert bereits (michaelschiemer)
+```
+
+## Networks
+
+**infrastructure:**
+- Externes Network (muss vorher erstellt werden)
+- Für interne Infrastruktur-Kommunikation
+
+**app-internal:**
+- Wird von diesem Stack erstellt
+- Wird von Application-Stacks genutzt
+- Für Application ↔ PostgreSQL Kommunikation
+
+## Volumes
+
+- `postgres-data` - PostgreSQL-Daten (persistent)
+- `postgres-backups` - Automatische Backups
+
+## Datenbanken
+
+- `michaelschiemer` - Production-Datenbank
+- `michaelschiemer_staging` - Staging-Datenbank (muss manuell erstellt werden)
+
+## Backups
+
+Backups werden automatisch täglich um 2 Uhr erstellt und in `/backups` gespeichert.
+
+**Manuelles Backup:**
+```bash
+docker compose exec postgres-backup sh -c "PGPASSWORD=\$(cat /run/secrets/postgres_password) pg_dump -h postgres -U postgres -d michaelschiemer -F c -f /backups/manual_backup_$(date +%Y%m%d_%H%M%S).dump"
+```
+
+**Backup wiederherstellen:**
+```bash
+docker compose exec -T postgres psql -U postgres -d michaelschiemer < backup_file.sql
+```
+
+## Troubleshooting
+
+### PostgreSQL startet nicht
+
+```bash
+# Logs prüfen
+docker compose logs -f postgres
+
+# Volume-Berechtigungen prüfen
+docker compose exec postgres ls -la /var/lib/postgresql/data
+```
+
+### Verbindungsprobleme von Application
+
+1. Prüfe, ob Application im `app-internal` Network ist
+2. Prüfe PostgreSQL-Logs
+3. Prüfe Network-Verbindung:
+   ```bash
+   docker network inspect app-internal
+   ```
+
+### Backup-Probleme
+
+```bash
+# Backup-Logs prüfen
+docker compose logs -f postgres-backup
+
+# Backup-Verzeichnis prüfen
+docker compose exec postgres-backup ls -la /backups
+```
+
--- a/deployment/infrastructure/postgresql/docker-compose.yml
+++ b/deployment/infrastructure/postgresql/docker-compose.yml
@@ -0,0 +1,105 @@
+services:
+  postgres:
+    image: postgres:16-alpine
+    container_name: postgres
+    restart: unless-stopped
+    networks:
+      - infrastructure
+      - app-internal
+    environment:
+      - TZ=Europe/Berlin
+      - POSTGRES_DB=michaelschiemer
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
+      - PGDATA=/var/lib/postgresql/data/pgdata
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    secrets:
+      - postgres_password
+    command: >
+      postgres
+      -c max_connections=200
+      -c shared_buffers=256MB
+      -c effective_cache_size=1GB
+      -c maintenance_work_mem=64MB
+      -c checkpoint_completion_target=0.9
+      -c wal_buffers=16MB
+      -c default_statistics_target=100
+      -c random_page_cost=1.1
+      -c effective_io_concurrency=200
+      -c work_mem=4MB
+      -c min_wal_size=1GB
+      -c max_wal_size=4GB
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres -d michaelschiemer"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    shm_size: 256mb
+    deploy:
+      resources:
+        limits:
+          memory: 2G
+        reservations:
+          memory: 512M
+
+  # Automated Backup Service
+  postgres-backup:
+    image: postgres:16-alpine
+    container_name: postgres-backup
+    restart: unless-stopped
+    networks:
+      - app-internal
+    environment:
+      - TZ=Europe/Berlin
+      - POSTGRES_HOST=postgres
+      - POSTGRES_DB=michaelschiemer
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
+      - BACKUP_RETENTION_DAYS=7
+      - BACKUP_SCHEDULE=0 2 * * *
+    volumes:
+      - postgres-backups:/backups
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    entrypoint: >
+      sh -c "
+      echo 'Starting PostgreSQL backup service...'
+      while true; do
+        echo \"\$(date): Running backup...\"
+        PGPASSWORD=\$$(cat /run/secrets/postgres_password) pg_dump -h \$$POSTGRES_HOST -U \$$POSTGRES_USER -d \$$POSTGRES_DB -F c -f /backups/backup_\$$(date +%Y%m%d_%H%M%S).dump
+        echo \"\$(date): Backup completed\"
+        # Cleanup old backups
+        find /backups -name 'backup_*.dump' -mtime +\$$BACKUP_RETENTION_DAYS -delete
+        echo \"\$(date): Cleanup completed\"
+        # Wait until next scheduled time
+        sleep 86400
+      done
+      "
+    secrets:
+      - postgres_password
+    depends_on:
+      postgres:
+        condition: service_healthy
+
+networks:
+  infrastructure:
+    external: true
+    name: infrastructure
+  app-internal:
+    external: true
+    name: app-internal
+
+volumes:
+  postgres-data:
+    name: postgres-data
+  postgres-backups:
+    name: postgres-backups
+
+secrets:
+  postgres_password:
+    file: ./secrets/postgres_password.txt
+
--- a/deployment/infrastructure/traefik/README.md
+++ b/deployment/infrastructure/traefik/README.md
@@ -0,0 +1,79 @@
+# Traefik Stack
+
+Reverse Proxy mit automatischer SSL-Zertifikat-Verwaltung via Let's Encrypt.
+
+## Features
+
+- Traefik v3.0 als Reverse Proxy
+- Automatische SSL-Zertifikate via Let's Encrypt
+- Docker Provider für automatische Service-Erkennung
+- Dashboard mit BasicAuth-Schutz
+- HTTP zu HTTPS Redirect
+- Erhöhte Timeouts für langsame Backends
+
+## Voraussetzungen
+
+- Docker und Docker Compose installiert
+- Ports 80, 443 und 2222 verfügbar
+- DNS-Einträge für Domains konfiguriert
+
+## Setup
+
+### 1. Secrets erstellen
+
+```bash
+# ACME E-Mail für Let's Encrypt
+echo "your-email@example.com" > secrets/acme_email.txt
+chmod 600 secrets/acme_email.txt
+```
+
+### 2. Stack deployen
+
+```bash
+docker compose up -d
+```
+
+### 3. Verifikation
+
+```bash
+# Container-Status prüfen
+docker compose ps
+
+# Logs anzeigen
+docker compose logs -f
+
+# Dashboard erreichbar unter: https://traefik.michaelschiemer.de
+```
+
+## Networks
+
+**traefik-public:**
+- Wird von diesem Stack erstellt
+- Wird von anderen Stacks (Gitea, Application) genutzt
+- Für externe Zugriffe
+
+## Volumes
+
+- `traefik-certs` - SSL-Zertifikate (persistent)
+- `traefik-logs` - Traefik-Logs
+
+## Troubleshooting
+
+### SSL-Zertifikate werden nicht erstellt
+
+1. Prüfe, ob Port 80 erreichbar ist (für ACME Challenge)
+2. Prüfe DNS-Einträge
+3. Prüfe Logs: `docker compose logs traefik`
+
+### Service wird nicht erkannt
+
+1. Prüfe, ob Service im `traefik-public` Network ist
+2. Prüfe Traefik Labels im Service
+3. Prüfe Logs: `docker compose logs traefik`
+
+### Dashboard nicht erreichbar
+
+1. Prüfe DNS-Eintrag für `traefik.michaelschiemer.de`
+2. Prüfe BasicAuth-Konfiguration
+3. Prüfe Logs: `docker compose logs traefik`
+
--- a/deployment/infrastructure/traefik/docker-compose.yml
+++ b/deployment/infrastructure/traefik/docker-compose.yml
@@ -0,0 +1,71 @@
+services:
+  traefik:
+    image: traefik:latest
+    container_name: traefik
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    ports:
+      - "80:80"
+      - "443:443"
+      - "2222:2222"  # Gitea SSH
+    networks:
+      - traefik-public
+    environment:
+      - TZ=Europe/Berlin
+    entrypoint: /entrypoint-custom.sh
+    volumes:
+      # Docker socket for service discovery
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      # SSL certificates
+      - traefik-certs:/letsencrypt
+      # Logs
+      - traefik-logs:/logs
+      # Custom entrypoint script
+      - ./entrypoint.sh:/entrypoint-custom.sh:ro
+    secrets:
+      - acme_email
+    labels:
+      # Enable Traefik for itself
+      - "traefik.enable=true"
+      
+      # Dashboard - BasicAuth protected
+      - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.michaelschiemer.de`)"
+      - "traefik.http.routers.traefik-dashboard.entrypoints=websecure"
+      - "traefik.http.routers.traefik-dashboard.tls=true"
+      - "traefik.http.routers.traefik-dashboard.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.traefik-dashboard.service=api@internal"
+      - "traefik.http.routers.traefik-dashboard.middlewares=traefik-auth"
+      
+      # BasicAuth for dashboard (password: admin)
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$Of2wG3O5$$y8X1vEoIp9vpvx64mIalk/"
+      
+      # Global HTTP to HTTPS redirect (excludes ACME challenge)
+      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`) && !PathPrefix(`/.well-known/acme-challenge`)"
+      - "traefik.http.routers.http-catchall.entrypoints=web"
+      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
+      - "traefik.http.routers.http-catchall.priority=1"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
+    healthcheck:
+      test: ["CMD", "traefik", "healthcheck", "--ping"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+
+networks:
+  traefik-public:
+    external: true
+    name: traefik-public
+
+volumes:
+  traefik-certs:
+    name: traefik-certs
+  traefik-logs:
+    name: traefik-logs
+
+secrets:
+  acme_email:
+    file: ./secrets/acme_email.txt
+
--- a/deployment/infrastructure/traefik/entrypoint.sh
+++ b/deployment/infrastructure/traefik/entrypoint.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+set -e
+
+# Read ACME email from secret file
+if [ -f /run/secrets/acme_email ]; then
+  ACME_EMAIL=$(cat /run/secrets/acme_email | tr -d '\n\r')
+else
+  echo "ERROR: ACME email secret not found at /run/secrets/acme_email" >&2
+  exit 1
+fi
+
+# Execute Traefik with the email from secret
+exec /entrypoint.sh \
+  --providers.docker=true \
+  --providers.docker.exposedbydefault=false \
+  --providers.docker.network=traefik-public \
+  --providers.docker.endpoint=unix:///var/run/docker.sock \
+  --entrypoints.web.address=:80 \
+  --entrypoints.websecure.address=:443 \
+  --certificatesresolvers.letsencrypt.acme.email="${ACME_EMAIL}" \
+  --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json \
+  --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web \
+  --entrypoints.websecure.transport.respondingTimeouts.readTimeout=300s \
+  --entrypoints.websecure.transport.respondingTimeouts.writeTimeout=300s \
+  --entrypoints.websecure.transport.respondingTimeouts.idleTimeout=360s \
+  --api.dashboard=true \
+  --api.insecure=false \
+  --log.level=INFO \
+  --accesslog=true \
+  "$@"
+