358 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
Michael Schiemer	bf25f088c0	fix: Correct Jinja2 logic for merging insecure registry config ... - Fix dictionary update logic in set_fact - Use list operations before updating dictionary - Ensures proper JSON structure for Docker daemon.json	2025-11-08 16:06:08 +01:00
Michael Schiemer	dbf7f6e002	fix: Replace shell script with Ansible modules for Docker daemon config ... - Replace Python heredoc in shell script with native Ansible modules - Use slurp to read existing daemon.json - Use set_fact and copy modules to update configuration - Fixes YAML parsing error with heredoc syntax - More idempotent and Ansible-native approach	2025-11-08 16:05:53 +01:00
Michael Schiemer	76ec4cf28d	fix: Configure Docker insecure registry and add GIT_BRANCH ... - Add Docker daemon configuration to use HTTP for git.michaelschiemer.de:5000 registry - Configure insecure-registries in /etc/docker/daemon.json - Add GIT_BRANCH environment variable (staging for staging, main for production) - Set default GIT_REPOSITORY_URL if not provided - Fixes 'http: server gave HTTP response to HTTPS client' error - Fixes missing GIT_BRANCH variable warnings	2025-11-08 16:01:44 +01:00
Michael Schiemer	bfd91fcb61	fix: Add Git variables and improve bool check for image pull ... - Add Git repository variables (GIT_REPOSITORY_URL, GIT_TOKEN, GIT_USERNAME, GIT_PASSWORD) to environment - Load Git variables from vault or defaults - Add Git variables to .env file creation - Improve registry_accessible check with 'is defined' guard - Fixes missing GIT_* environment variable warnings in docker compose	2025-11-08 15:58:09 +01:00
Michael Schiemer	43c36d2687	fix: Fix bool comparison and .env file permissions ... - Change registry_accessible to string comparison ('true'/'false') instead of bool - Fix 'argument of type bool is not iterable' error in when conditions - Set correct owner/group for .env file (ansible_user instead of root) - Fixes 'permission denied' error when docker compose reads .env file	2025-11-08 15:53:50 +01:00
Michael Schiemer	c1331ae7a7	fix: Add .env file check and environment variables for docker compose ... - Fix 'argument of type bool is not iterable' error in image pull task - Check if .env file exists before docker compose up - Create minimal .env file if it doesn't exist with required variables - Load secrets from vault file if available - Set database and MinIO variables from vault or defaults - Pass environment variables to docker compose command - Fixes missing MINIO_ROOT_USER, DB_USERNAME, DB_PASSWORD, SECRETS_DIR errors	2025-11-08 15:49:22 +01:00
Michael Schiemer	333dc04404	fix: Improve registry check and image pull error handling ... - Add registry_accessible flag to safely check registry status - Fix 'argument of type bool is not iterable' error in when conditions - Only pull image if registry is accessible - Add ignore_errors to image pull task to prevent failures - Improves handling of registry connectivity issues	2025-11-08 15:44:50 +01:00
Michael Schiemer	cf8fea322c	fix: Resolve recursive loops and fix registry URL in deploy-image.yml ... - Fix recursive loop in app_name variable - Set app_name and deploy_image using set_fact tasks - Replace application_stack_dest with application_code_dest (consistent with other playbooks) - Change registry URL from HTTP to HTTPS - Add validate_certs: no for registry accessibility check - Fixes 'Recursive loop detected' error in image deployment	2025-11-08 15:41:11 +01:00
Michael Schiemer	48e5179bac	fix: Correct deployment order - deploy image before composer install ... - Move deploy-image.yml before install-composer-dependencies.yml - Containers must be running before composer can install dependencies - Fixes 'container not running' error in composer install step - Applied to both staging and production workflows	2025-11-08 15:35:50 +01:00
Michael Schiemer	38af81e2db	fix: Don't start containers in install-composer-dependencies playbook ... - Remove container start logic - containers should be started by deploy-image.yml - Add clear error message if container is not running - Provides helpful instructions for manual container start if needed	2025-11-08 15:35:22 +01:00
Michael Schiemer	ae592c21c7	fix: Add container status check and better error handling ... - Check if container is running before executing composer - Start container if not running - Display detailed error output for debugging - Fixes composer install failures when container is not running	2025-11-08 15:31:06 +01:00
Michael Schiemer	f0a412a221	fix: Use application code directory for docker-compose files ... - Change from stacks path to application code directory (/home/deploy/michaelschiemer/current) - docker-compose files are in the application root, not in deployment/stacks - Fixes 'no such file or directory' error for docker-compose.base.yml	2025-11-08 15:26:42 +01:00
Michael Schiemer	dd072ded3c	fix: Use correct path for docker-compose files ... - Change stacks_base_path_default from /home/deploy to /home/deploy/deployment/stacks - Matches actual server directory structure where stacks are located	2025-11-08 15:25:57 +01:00
Michael Schiemer	f7bac92b64	fix: Resolve recursive loop in stacks_base_path variable ... - Use stacks_base_path_default instead of self-reference - Fixes 'Recursive loop detected' error in install-composer-dependencies playbook	2025-11-08 15:19:37 +01:00
Michael Schiemer	eeaf025fed	fix: Define stacks_base_path variable with default value ... - Add stacks_base_path variable with default '/home/deploy' - Fixes 'stacks_base_path is undefined' error in install-composer-dependencies playbook	2025-11-08 15:16:24 +01:00
Michael Schiemer	2e14557b21	fix: Handle case where destination exists but is not a git repo ... - Check if destination directory exists separately from git repo check - Remove directory if it exists but is not a git repository - Prevents 'destination path already exists' error during clone	2025-11-08 15:12:06 +01:00
Michael Schiemer	03f4d90ed0	fix: Remove unsupported owner/group parameters from git module ... - ansible.builtin.git no longer supports owner and group parameters - Set ownership in separate file task after git operations - Fixes 'Unsupported parameters' error	2025-11-08 15:08:52 +01:00
Michael Schiemer	2f98c52300	refactor: Simplify git_repo_url logic ... - Use single set_fact task with ternary operator - Cleaner and more efficient than multiple conditional tasks	2025-11-08 15:04:20 +01:00
Michael Schiemer	163460c22e	fix: Use separate variable git_repo_url to avoid recursive loop ... - Use git_repo_url instead of git_repository_url in tasks - Set git_repo_url based on whether git_repository_url is provided - This completely avoids the recursive loop issue	2025-11-08 15:04:04 +01:00
Michael Schiemer	0ab3b6a799	fix: Set git_repository_url using set_fact to avoid recursive loop ... - Use set_fact task to set git_repository_url instead of vars section - This prevents recursive loop when variable is referenced in tasks	2025-11-08 15:03:09 +01:00
Michael Schiemer	acecc23cec	fix: Resolve recursive loop in git_repository_url variable ... - Change git_repository_url to use git_repository_url_default instead of self-reference - Fixes 'Recursive loop detected in template' error in Ansible playbook	2025-11-08 14:59:16 +01:00
Michael Schiemer	95b53c0ab8	test: Verify workflow with ANSIBLE_VAULT_PASSWORD secret ... - Test commit to verify that workflow can now: - Use php-ci image with Ansible - Use ANSIBLE_VAULT_PASSWORD secret for vault decryption - Successfully deploy to staging	2025-11-08 14:56:35 +01:00
Michael Schiemer	13d627d351	fix: Use php-ci runner for deploy jobs ... - Change deploy-staging and deploy-production to use php-ci runner - php-ci image has Ansible pre-installed, fixing 'ansible-playbook: command not found' error	2025-11-08 14:50:25 +01:00
Michael Schiemer	deddb87dcf	test: Trigger workflow by changing deployment path ... This commit changes a file in deployment/ to trigger the build workflow	2025-11-08 14:46:22 +01:00
Michael Schiemer	f498a13ee1	test: Verify workflow with registry secrets ... - Test commit to verify that workflow can now: - Use php-ci image from docker-dind - Login to registry with configured secrets - Build and push images successfully	2025-11-08 14:44:15 +01:00
Michael Schiemer	efa97f8b5d	fix: Build CI images on production server ... - Add build-ci-image-production.sh script for building CI images on production - Add BUILD_ON_PRODUCTION.md documentation - Fix Dockerfile to handle optional PECL extensions for PHP 8.5 RC This fixes the issue where Gitea workflows fail with: 'Error response from daemon: pull access denied for php-ci'	2025-11-08 14:33:59 +01:00
Michael Schiemer	07e92a8709	fix: Install Ansible in docker-build image instead of runtime	2025-11-08 13:54:01 +01:00
Michael Schiemer	e9e87c9c5e	fix: Replace apt-get with apk for Alpine-based docker-build container	2025-11-08 13:45:18 +01:00
Michael Schiemer	1b9cda6dd3	docs: Add CI image setup documentation	2025-11-08 13:38:46 +01:00
Michael Schiemer	50e58c6ba9	docs: Update deployment status - Gitea repository created, Traefik issues fixed	2025-11-08 13:13:42 +01:00
Michael Schiemer	63799a7655	test: CI/CD pipeline production test	2025-11-08 12:15:36 +01:00
Michael Schiemer	7093693cfb	test: CI/CD pipeline staging test	2025-11-08 11:16:01 +01:00
Michael Schiemer	9e77ac3b42	feat(traefik): Add Gitea service definition for Traefik ... - Add gitea-service.yml with proper timeout configuration - Service definition required for Traefik to route to Gitea - Replaces old gitea.yml file that was removed	2025-11-07 23:24:20 +01:00
Michael Schiemer	e8a26d7807	test: CI/CD pipeline staging test - Redis aktiviert, Bad Gateway dokumentiert	2025-11-07 20:54:44 +01:00
Michael Schiemer	c088d08639	test: CI/CD pipeline staging test - Repository Setup automatisiert	2025-11-07 20:17:35 +01:00
Michael Schiemer	07c054b5ff	test: CI/CD pipeline staging test	2025-11-07 19:52:48 +01:00
Michael Schiemer	1963b10749	feat: Integrate Ansible playbooks into CI/CD workflows ... - Add deploy-application-code.yml for Git-based code deployment - Add install-composer-dependencies.yml for dependency installation - Add deploy-image.yml for Docker image deployment - Update build-image.yml to use Ansible playbooks - Update manual-deploy.yml to use Ansible playbooks - Add ANSIBLE_VAULT_PASSWORD secret handling	2025-11-07 18:14:11 +01:00
Michael Schiemer	cf903f2582	fix(traefik): update local dev ports and gitea SSH IP ... - Change Traefik local HTTP port from 8080 to 8081 (conflict with cadvisor) - Change Traefik dashboard port to 8093 (conflicts with cadvisor, Hyperion) - Update Gitea SSH service IP from 172.23.0.2 to 172.23.0.3 - Note: Gitea SSH works directly via Docker port mapping in local dev - Traefik TCP routing only needed for production (host network mode)	2025-11-05 14:51:37 +01:00
Michael Schiemer	95147ff23e	refactor(deployment): Remove WireGuard VPN dependency and restore public service access ... Remove WireGuard integration from production deployment to simplify infrastructure: - Remove docker-compose-direct-access.yml (VPN-bound services) - Remove VPN-only middlewares from Grafana, Prometheus, Portainer - Remove WireGuard middleware definitions from Traefik - Remove WireGuard IPs (10.8.0.0/24) from Traefik forwarded headers All monitoring services now publicly accessible via subdomains: - grafana.michaelschiemer.de (with Grafana native auth) - prometheus.michaelschiemer.de (with Basic Auth) - portainer.michaelschiemer.de (with Portainer native auth) All services use Let's Encrypt SSL certificates via Traefik.	2025-11-05 12:48:25 +01:00
Michael Schiemer	7c52065aae	feat(traefik): add TCP routing for Gitea SSH port 2222 ... - Add TCP entrypoint 'gitea-ssh' on port 2222 in static config - Create TCP router configuration for routing SSH traffic to Gitea - Use Gitea container IP (172.23.0.2) since Traefik runs in host network mode - Routes git.michaelschiemer.de:2222 through Traefik instead of direct VPN access	2025-11-05 12:12:42 +01:00
Michael Schiemer	aeeed293af	feat(monitoring): Add direct VPN access configuration ... - Add docker-compose-direct-access.yml for VPN-only admin access - Configure Portainer on port 9002 (avoid MinIO conflict) - Add grafana.ini to disable external plugin update checks - Bind services to 10.8.0.1 (WireGuard VPN gateway) This configuration enables direct access to admin services via WireGuard VPN while removing Traefik routing overhead. Services are bound exclusively to the VPN gateway IP to prevent public access.	2025-11-05 04:42:17 +01:00
Michael Schiemer	e23c5ce12f	fix(Infrastructure): correct PHP 8.0+ parameter order and interface signatures ... - MinIoClient: Move required parameters before optional ones - Fixes PHP 8.0+ deprecation warning - Required deps (RandomGenerator, HmacService, HttpClient) now before optional ($region, $usePathStyle) - ErrorAggregatorInterface: Align signature with implementation - Changed from ErrorHandlerContext to Throwable + ExceptionContextProvider pattern - Matches existing ErrorAggregator implementation - Maintains flexibility with isDebug flag	2025-11-05 03:51:20 +01:00
Michael Schiemer	f9b8cf9f33	feat: add API Gateway, RapidMail and Shopify integrations, update WireGuard configs, add Redis override and architecture docs	2025-11-04 23:08:17 +01:00
Michael Schiemer	5d6edea3bb	feat(deployment): migrate to external Redis stack ... Architecture Changes: - Remove embedded Redis service from production configuration - Remove port 80/443 direct bindings (Traefik handles routing) - Update queue-worker and scheduler dependencies (Redis now external) - Completes Redis stack migration following PostgreSQL pattern - Resolves port conflict with Traefik reverse proxy Related Files: - deployment/stacks/redis/docker-compose.yml (Redis stack - already deployed) - docker-compose.redis-override.yml (application integration - already created) Migration Benefits: - Architectural consistency with PostgreSQL stack pattern - Better separation of concerns (infrastructure vs application) - Independent Redis lifecycle management - Shared Redis instance via app-internal network - Eliminated port 80 binding conflict Deployment Command: docker compose -f docker-compose.base.yml -f docker-compose.production.yml \ -f docker-compose.postgres-override.yml -f docker-compose.redis-override.yml up -d	2025-11-04 22:31:37 +01:00
Michael Schiemer	7246e89448	fix(deployment): add CHOWN and DAC_OVERRIDE capabilities to Redis for AOF persistence ... The Redis container was failing with 'Permission denied' when trying to create the appendonlydir for AOF (Append-Only File) persistence. The error occurred because: 1. Redis runs as root to read Docker Secrets from /run/secrets/redis_password 2. The /data volume is owned by UID 999 (default redis user) 3. cap_drop: ALL removed the CHOWN capability needed to create subdirectories 4. AOF persistence requires creating appendonlydir in /data with proper ownership Solution: - Added CHOWN capability: Allows Redis to create directories with correct ownership - Added DAC_OVERRIDE capability: Allows writing to volume owned by different user - Maintains all other security restrictions (no-new-privileges, minimal capabilities) This fixes the continuous restart loop that persisted through commits: - 5f7ebd9: Fixed healthcheck variable syntax - 700fe81: Fixed entrypoint script variables - bfe6a96: Changed healthcheck to read secret directly The real issue was not the healthcheck but the permission error that prevented Redis from starting in the first place. Refs: Redis container logs showed: 'Can't open or create append-only dir appendonlydir: Permission denied'	2025-11-04 21:29:32 +01:00
Michael Schiemer	bfe6a966b5	fix(deployment): Redis health check reads password directly from Docker Secret ... The health check now reads the password directly from /run/secrets/redis_password instead of relying on an environment variable, which is not available in the health check context. This resolves the 'container application-redis-1 is unhealthy' error.	2025-11-04 21:16:25 +01:00
Michael Schiemer	3ed2685e74	feat: add comprehensive framework features and deployment improvements ... Major additions: - Storage abstraction layer with filesystem and in-memory implementations - Gitea API integration with MCP tools for repository management - Console dialog mode with interactive command execution - WireGuard VPN DNS fix implementation and documentation - HTTP client streaming response support - Router generic result type - Parameter type validator for framework core Framework enhancements: - Console command registry improvements - Console dialog components - Method signature analyzer updates - Route mapper refinements - MCP server and tool mapper updates - Queue job chain and dependency commands - Discovery tokenizer improvements Infrastructure: - Deployment architecture documentation - Ansible playbook updates for WireGuard client regeneration - Production environment configuration updates - Docker Compose local configuration updates - Remove obsolete docker-compose.yml (replaced by environment-specific configs) Documentation: - PERMISSIONS.md for access control guidelines - WireGuard DNS fix implementation details - Console dialog mode usage guide - Deployment architecture overview Testing: - Multi-purpose attribute tests - Gitea Actions integration tests (typed and untyped)	2025-11-04 20:39:48 +01:00
Michael Schiemer	700fe8118b	fix(deployment): complete Redis health check fix - update entrypoint script variable syntax ... Previous fix (5f7ebd9) only updated health check line but missed entrypoint script. The entrypoint script was still using $$REDIS_PASSWORD (Docker Compose escaping) instead of $REDIS_PASSWORD (shell variable syntax). Changes: - Line 180: export REDIS_PASSWORD=$(cat ...) - now uses single $ - Line 182: if [ -n "$REDIS_PASSWORD" ] - now uses single $ - Line 190: --requirepass "$REDIS_PASSWORD" - now uses single $ Technical explanation: The command: block is a multi-line shell script passed to /bin/sh -c. Within this shell script context, we use normal shell variable syntax with single $ for variable references. The export statement makes REDIS_PASSWORD available to both the Redis process and the health check command. This completes the fix for: "container application-redis-1 is unhealthy" Related: 5f7ebd9 (health check fix), b1e3a00 (fallback strategy)	2025-11-04 19:24:06 +01:00
Michael Schiemer	5f7ebd9133	fix(deployment): correct Redis health check variable syntax for environment variable access ... - Changed health check from $$REDIS_PASSWORD to $REDIS_PASSWORD - Double dollar sign is Docker Compose variable escaping (wrong context) - Single dollar sign correctly references environment variable exported by entrypoint - Health check runs in container shell where REDIS_PASSWORD is available - Fixes 'container application-redis-1 is unhealthy' deployment failure	2025-11-04 18:33:03 +01:00
Michael Schiemer	b8cfabeed0	Trigger workflow to build missing Docker image for deployment ... Added comment to force Gitea workflow execution and build Docker image for deployment fix #12.	2025-11-04 18:16:58 +01:00