fix: prevent Traefik restart loops and improve Docker registry login

Registry Login Fixes:
- Filter out service names (minio, redis) from registry URL extraction
- Only recognize actual registry URLs (with TLD or port)
- Preserve port numbers in registry URLs (e.g. git.michaelschiemer.de:5000)
- Better error messages for failed logins

Traefik Restart Loop Prevention:
- Set traefik_auto_restart default to false in traefik role
- Add traefik_auto_restart, traefik_ssl_restart, gitea_auto_restart to staging vars
- Add guard to fix-gitea-traefik-connection.yml restart task
- Add guard and deprecation warning to update-gitea-traefik-service.yml

This ensures that:
- CI/CD pipelines won't cause Traefik restart loops
- Staging environment uses same safe defaults as production
- Deprecated playbooks fail by default unless explicitly enabled
- Only actual Docker registries are used for login, not service names

deployment/ansible/playbooks/fix-gitea-traefik-connection.yml

@@ -0,0 +1,89 @@
+---
+# Ansible Playbook: Fix Gitea-Traefik Connection Issues
+# Purpose: Ensure Traefik can reliably reach Gitea by restarting both services
+# Usage:
+#   ansible-playbook -i inventory/production.yml playbooks/fix-gitea-traefik-connection.yml \
+#     --vault-password-file secrets/.vault_pass
+
+- name: Fix Gitea-Traefik Connection
+  hosts: production
+  vars:
+    gitea_stack_path: "{{ stacks_base_path }}/gitea"
+    traefik_stack_path: "{{ stacks_base_path }}/traefik"
+    gitea_url: "https://{{ gitea_domain }}"
+
+  tasks:
+    - name: Get current Gitea container IP
+      shell: |
+        docker inspect gitea | grep -A 10 'traefik-public' | grep IPAddress | head -1 | awk '{print $2}' | tr -d '",'
+      register: gitea_ip
+      changed_when: false
+      failed_when: false
+
+    - name: Display Gitea IP
+      debug:
+        msg: "Gitea container IP in traefik-public network: {{ gitea_ip.stdout }}"
+
+    - name: Test direct connection to Gitea from Traefik container
+      shell: |
+        docker compose -f {{ traefik_stack_path }}/docker-compose.yml exec -T traefik wget -qO- http://{{ gitea_ip.stdout }}:3000/api/healthz 2>&1 | head -3
+      register: traefik_gitea_test
+      changed_when: false
+      failed_when: false
+
+    - name: Display Traefik-Gitea connection test result
+      debug:
+        msg: "{{ traefik_gitea_test.stdout }}"
+
+    - name: Restart Gitea container to refresh IP
+      shell: |
+        docker compose -f {{ gitea_stack_path }}/docker-compose.yml restart gitea
+      when: traefik_gitea_test.rc != 0
+
+    - name: Wait for Gitea to be ready
+      uri:
+        url: "{{ gitea_url }}/api/healthz"
+        method: GET
+        status_code: [200]
+        validate_certs: false
+        timeout: 10
+      register: gitea_health
+      until: gitea_health.status == 200
+      retries: 30
+      delay: 2
+      changed_when: false
+      when: traefik_gitea_test.rc != 0
+
+    - name: Restart Traefik to refresh service discovery
+      shell: |
+        docker compose -f {{ traefik_stack_path }}/docker-compose.yml restart traefik
+      when: >
+        traefik_gitea_test.rc != 0
+        and (traefik_auto_restart | default(false) | bool)
+
+    - name: Wait for Traefik to be ready
+      pause:
+        seconds: 10
+      when: traefik_gitea_test.rc != 0
+
+    - name: Test Gitea via Traefik
+      uri:
+        url: "{{ gitea_url }}/api/healthz"
+        method: GET
+        status_code: [200]
+        validate_certs: false
+        timeout: 10
+      register: final_test
+      changed_when: false
+
+    - name: Display result
+      debug:
+        msg: |
+          Gitea-Traefik connection test:
+          - Direct connection: {{ 'OK' if traefik_gitea_test.rc == 0 else 'FAILED' }}
+          - Via Traefik: {{ 'OK' if final_test.status == 200 else 'FAILED' }}
+          
+          {% if traefik_gitea_test.rc != 0 %}
+          Both services have been restarted to refresh connections.
+          {% endif %}
+