- Add TCP entrypoint 'gitea-ssh' on port 2222 in static config
- Create TCP router configuration for routing SSH traffic to Gitea
- Use Gitea container IP (172.23.0.2) since Traefik runs in host network mode
- Routes git.michaelschiemer.de:2222 through Traefik instead of direct VPN access
- Add docker-compose-direct-access.yml for VPN-only admin access
- Configure Portainer on port 9002 (avoid MinIO conflict)
- Add grafana.ini to disable external plugin update checks
- Bind services to 10.8.0.1 (WireGuard VPN gateway)
This configuration enables direct access to admin services via WireGuard VPN
while removing Traefik routing overhead. Services are bound exclusively to
the VPN gateway IP to prevent public access.
- Add example secret files for `app_key`, `db_user_password`, and `redis_password`.
- Introduce `local.vault.yml.example` for Ansible Vault encryption of local secrets.
- Create migration and setup scripts for transitioning from `.env.local` to secrets files.
- Update `docker-compose.local.yml` to adopt Docker Secrets and `_FILE` pattern for local configurations.
- Add deployment playbooks and enhanced logging configurations for local development.
- Improve WireGuard client IP calculation logic (find next available IP)
- Add local wireguard-clients directory for storing client configs
- Integrate Redis pool into CacheInitializer
- Improve ContainerBootstrapper with better imports and Redis pool
- Add monitoring role tags for better task organization
- Update WireGuard documentation
- Store generated WireGuard client configs locally
- Fix upstream configuration in staging-nginx container
- Verbessere sed-Befehle zur automatischen Korrektur der PHP-FPM Upstream-Definition
- Behebt 502 Bad Gateway Fehler durch korrekte Verbindung zu staging-app:9000
- Create staging stack with separate containers and volumes
- Configure staging.michaelschiemer.de subdomain routing
- Add deploy-staging.yml workflow for auto-deployment
- Extend build-image.yml to support staging branch
- Separate Redis instance and network for staging
- Staging uses staging branch by default
Features:
- Auto-deploy: Push to staging branch → build → deploy to staging
- Separate from production: Different containers, volumes, networks
- Shared Traefik: Uses same SSL certificates (*.michaelschiemer.de)
- Testing environment before production deployment
- Add app-code volume to both nginx and app containers
- App container clones code once into shared volume
- Nginx container uses shared volume (read-only) and waits for code
- Update entrypoint.sh to handle storage-preserving git clone
- Fix nginx configuration to use app:9000 for PHP-FPM
This eliminates duplicate code cloning and ensures both containers
always use the same code version from the shared volume.
- Erstelle Symlink für inventory/group_vars/production.yml
- Ansible lädt group_vars automatisch, wenn sie neben der Inventory-Datei liegen
- Entferne manuelle include_vars Aufrufe (werden später bereinigt)
- Test: Production Deployment Workflow
- docker-dind erhält Zugriff auf traefik-public Netzwerk
- Job-Container können Registry über Container-Namen 'registry:5000' erreichen
- Workflow testet jetzt auch Container-Namen als Registry-URL
- Created Dockerfile.build with Docker CLI, Buildx, Git, Bash
- Updated build-ci-image.sh to build both php-ci and docker-build images
- Updated workflow to use docker-build image (no installation needed)
- Updated runner .env to use docker-build:latest instead of docker:latest
- Replace git.michaelschiemer.de:5000 (HTTP) with registry.michaelschiemer.de (HTTPS)
- Update all Ansible playbooks and configuration files
- Update CI/CD workflows to use HTTPS registry endpoint
- Update Docker Compose files with new registry URL
- Update documentation and scripts
Benefits:
- Secure HTTPS connection (no insecure registry config needed)
- Consistent use of HTTPS endpoint via Traefik
- Better security practices for production deployment
- Remove condition that skipped restart when image already exists
- Ensures container restart even when using same image tag (latest)
- Critical for applying code fixes without rebuilding image
- Update regex to match both localhost and external registry URLs
- Ensure docker-compose uses localhost:5000 for registry access
- Fixes connection refused errors when docker-compose pulls images
- Registry only binds to 127.0.0.1:5000 (not external interface)
- Deployment runs on server, so localhost access is correct
- External access still available via Traefik (registry.michaelschiemer.de)
- Fix infinite loop in docker_registry_username/docker_registry_password variables
- Use _default suffix variables in production.yml to avoid recursion
- Make docker registry login optional (ignore_errors) for cases where auth isn't needed
- Fix line endings in deploy.sh script
