Add automated .env file creation for monitoring stack via Ansible

- Add Jinja2 template for monitoring stack .env file
- Add Ansible tasks to generate passwords and create .env automatically
- Update vault example with monitoring credentials
- Remove manual deploy.sh script (using Ansible instead)
- Add app-internal network creation task

deployment/ansible/playbooks/setup-infrastructure.yml

@@ -19,13 +19,19 @@
         msg: "Deployment stacks directory not found at {{ stacks_base_path }}"
       when: not stacks_dir.stat.exists
 
-    # Create external network required by all stacks
+    # Create external networks required by all stacks
     - name: Create traefik-public network
       community.docker.docker_network:
         name: traefik-public
         driver: bridge
         state: present
 
+    - name: Create app-internal network
+      community.docker.docker_network:
+        name: app-internal
+        driver: bridge
+        state: present
+
     # 1. Deploy Traefik (Reverse Proxy & SSL)
     - name: Deploy Traefik stack
       community.docker.docker_compose_v2:
@@ -157,6 +163,48 @@
       ignore_errors: yes
 
     # 5. Deploy Monitoring (Portainer + Grafana + Prometheus)
+    - name: Optionally load monitoring secrets from vault
+      include_vars:
+        file: "{{ playbook_dir }}/../secrets/production.vault.yml"
+      no_log: yes
+      ignore_errors: yes
+      delegate_to: localhost
+      become: no
+
+    - name: Set Grafana admin password from vault or generate
+      set_fact:
+        grafana_admin_password: "{{ vault_grafana_admin_password | default(lookup('password', '/dev/null length=25 chars=ascii_letters,digits')) }}"
+
+    - name: Set Prometheus password from vault or generate
+      set_fact:
+        prometheus_password: "{{ vault_prometheus_password | default(lookup('password', '/dev/null length=25 chars=ascii_letters,digits')) }}"
+
+    - name: Generate Prometheus BasicAuth hash
+      shell: |
+        docker run --rm httpd:alpine htpasswd -nbB admin "{{ prometheus_password }}" 2>/dev/null | cut -d ":" -f 2
+      register: prometheus_auth_hash
+      changed_when: false
+      no_log: yes
+
+    - name: Set Prometheus BasicAuth string
+      set_fact:
+        prometheus_auth: "admin:{{ prometheus_auth_hash.stdout }}"
+
+    - name: Ensure monitoring stack directory exists
+      file:
+        path: "{{ stacks_base_path }}/monitoring"
+        state: directory
+        mode: '0755'
+
+    - name: Create monitoring stack .env file
+      template:
+        src: "{{ playbook_dir }}/../templates/monitoring.env.j2"
+        dest: "{{ stacks_base_path }}/monitoring/.env"
+        owner: "{{ ansible_user }}"
+        group: "{{ ansible_user }}"
+        mode: '0600'
+      no_log: yes
+
     - name: Deploy Monitoring stack
       community.docker.docker_compose_v2:
         project_src: "{{ stacks_base_path }}/monitoring"

deployment/ansible/secrets/production.vault.yml.example

@@ -24,3 +24,7 @@ vault_docker_registry_password: "change-me-registry-password"
 # Optional: Additional Secrets
 vault_encryption_key: "change-me-encryption-key"
 vault_session_secret: "change-me-session-secret"
+
+# Monitoring Stack Credentials
+vault_grafana_admin_password: "change-me-secure-grafana-password"
+vault_prometheus_password: "change-me-secure-prometheus-password"

deployment/ansible/templates/monitoring.env.j2

@@ -0,0 +1,20 @@
+# Monitoring Stack Environment Configuration
+# Generated by Ansible - DO NOT EDIT MANUALLY
+
+# Domain Configuration
+DOMAIN={{ app_domain | default('michaelschiemer.de') }}
+
+# Grafana Configuration
+GRAFANA_ADMIN_USER={{ grafana_admin_user | default('admin') }}
+GRAFANA_ADMIN_PASSWORD={{ grafana_admin_password }}
+
+# Grafana Plugins (comma-separated)
+# Common useful plugins:
+# - grafana-clock-panel
+# - grafana-piechart-panel
+# - grafana-worldmap-panel
+GRAFANA_PLUGINS={{ grafana_plugins | default('') }}
+
+# Prometheus BasicAuth
+# Format: username:hashed_password
+PROMETHEUS_AUTH={{ prometheus_auth }}