michaelschiemer/deployment/ansible/playbooks/fix-gitea-ssl-routing.yml
Michael Schiemer f548a0322c
fix: prevent CI jobs from restarting Traefik
- Add traefik_auto_restart check to fix-gitea-timeouts.yml
- Add traefik_auto_restart check to fix-gitea-ssl-routing.yml
- Add traefik_auto_restart check to fix-gitea-complete.yml
- Set traefik_auto_restart=false in all Gitea workflow Ansible calls
- Set gitea_auto_restart=false in all Gitea workflow Ansible calls
- Add redeploy-traefik-gitea.yml playbook for clean redeployment

This prevents CI/CD pipelines from causing Traefik restart loops by
ensuring all remediation playbooks respect the traefik_auto_restart
flag, which is set to false in group_vars/production/vars.yml.
2025-11-08 23:47:44 +01:00

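---
# Fix Gitea SSL and routing issues.
# Checks the SSL certificate, Traefik service discovery and repairs routing
# problems. All diagnostic tasks are read-only; the only mutating steps are the
# two restarts near the end. The Traefik restart additionally requires
# traefik_auto_restart to be explicitly true (it defaults to false), so CI/CD
# runs of this playbook never restart the shared ingress.
- name: Fix Gitea SSL and Routing
  hosts: production
  gather_facts: true
  become: false
  vars:
    # stacks_base_path and gitea_domain are expected from inventory/group_vars
    # and are not defined in this file.
    gitea_stack_path: "{{ stacks_base_path }}/gitea"
    traefik_stack_path: "{{ stacks_base_path }}/traefik"
    gitea_url: "https://{{ gitea_domain }}"
    gitea_url_http: "http://{{ gitea_domain }}"

  tasks:
    # ----- Diagnostics (read-only) -------------------------------------------
    # `args.chdir` replaces an in-script `cd`: a missing stack path now fails
    # the task with a clear error instead of silently running compose in
    # whatever directory the login shell started in.
    - name: Check Gitea container status
      ansible.builtin.shell: docker compose ps gitea
      args:
        chdir: "{{ gitea_stack_path }}"
      register: gitea_status
      changed_when: false

    - name: Check Traefik container status
      ansible.builtin.shell: docker compose ps traefik
      args:
        chdir: "{{ traefik_stack_path }}"
      register: traefik_status
      changed_when: false

    - name: Check if Gitea is in traefik-public network
      # The Go-template braces are escaped so Jinja leaves them for docker.
      # NOTE(review): `grep -q gitea` matches any container name containing
      # "gitea" (a database sidecar would also match), so this is a loose check.
      ansible.builtin.shell: |
        docker network inspect traefik-public --format '{{ '{{' }}range .Containers{{ '}}' }}{{ '{{' }}.Name{{ '}}' }} {{ '{{' }}end{{ '}}' }}' 2>/dev/null | grep -q gitea && echo "YES" || echo "NO"
      register: gitea_in_network
      changed_when: false

    - name: Test direct connection from Traefik to Gitea (by service name)
      # Runs inside the Traefik container so the probe uses Traefik's own
      # network view. Any non-zero exit (including a missing wget in the
      # image, which is not verified here) yields CONNECTION_FAILED and later
      # triggers a Gitea restart.
      ansible.builtin.shell: |
        docker compose exec -T traefik wget -qO- --timeout=5 http://gitea:3000/api/healthz 2>&1 || echo "CONNECTION_FAILED"
      args:
        chdir: "{{ traefik_stack_path }}"
      register: traefik_gitea_direct
      changed_when: false
      failed_when: false

    - name: Check Traefik logs for SSL/ACME errors
      # The "no errors" fallback is only reachable when the match result is
      # tested explicitly: in `logs | grep | tail || echo`, `||` sees only
      # tail's exit status, so an empty match used to print nothing at all.
      # The domain is taken from gitea_domain and regex-escaped for grep -E.
      ansible.builtin.shell: |
        matches=$(docker compose logs traefik --tail=100 2>&1 | grep -iE "acme|certificate|ssl|tls|{{ gitea_domain | regex_escape }}" | tail -20)
        if [ -n "$matches" ]; then
          printf '%s\n' "$matches"
        else
          echo "No SSL/ACME errors found"
        fi
      args:
        chdir: "{{ traefik_stack_path }}"
      register: traefik_ssl_errors
      changed_when: false
      failed_when: false

    - name: Check if SSL certificate exists for {{ gitea_domain }}
      # acme.json holds private key material: only YES/NO is registered, the
      # file contents never leave the container. -F matches the domain
      # literally (a bare "." in the old pattern matched any character).
      ansible.builtin.shell: |
        docker compose exec -T traefik cat /acme.json 2>/dev/null | grep -qF -- "{{ gitea_domain }}" && echo "YES" || echo "NO"
      args:
        chdir: "{{ traefik_stack_path }}"
      register: ssl_cert_exists
      changed_when: false
      failed_when: false

    - name: Test Gitea via HTTP (port 80, should redirect or show error)
      ansible.builtin.uri:
        url: "{{ gitea_url_http }}/api/healthz"
        method: GET
        # Every listed code is informative for the diagnosis; failed_when
        # below additionally keeps the play going on a connection error.
        status_code: [200, 301, 302, 404, 502, 503, 504]
        validate_certs: false
        timeout: 10
      register: gitea_http_test
      changed_when: false
      failed_when: false

    - name: Test Gitea via HTTPS
      ansible.builtin.uri:
        url: "{{ gitea_url }}/api/healthz"
        method: GET
        status_code: [200, 301, 302, 404, 502, 503, 504]
        # Deliberate: the certificate may not have been issued yet and this
        # probe must still reach Traefik. Certificate validity is therefore
        # not verified anywhere in this play.
        validate_certs: false
        timeout: 10
      register: gitea_https_test
      changed_when: false
      failed_when: false

    - name: Display diagnostic information
      # regex_search picks the state word out of the multi-line `compose ps`
      # output; regex_replace with `.*` did not span the header line and left
      # it in the message. `default(..., true)` also covers an empty match.
      ansible.builtin.debug:
        msg: |
          ================================================================================
          GITEA SSL/ROUTING DIAGNOSE:
          ================================================================================
          Container Status:
            - Gitea: {{ gitea_status.stdout | regex_search('Up|Down|Restarting') | default('UNKNOWN', true) }}
            - Traefik: {{ traefik_status.stdout | regex_search('Up|Down|Restarting') | default('UNKNOWN', true) }}
          Network:
            - Gitea in traefik-public: {% if gitea_in_network.stdout == 'YES' %}✅{% else %}❌{% endif %}
            - Traefik → Gitea (direct): {% if 'CONNECTION_FAILED' not in traefik_gitea_direct.stdout %}✅{% else %}❌{% endif %}
          SSL/Certificate:
            - Certificate in acme.json: {% if ssl_cert_exists.stdout == 'YES' %}✅{% else %}❌{% endif %}
          Connectivity:
            - HTTP (port 80): Status {{ gitea_http_test.status | default('TIMEOUT') }}
            - HTTPS (port 443): Status {{ gitea_https_test.status | default('TIMEOUT') }}
          Traefik SSL/ACME Errors:
          {{ traefik_ssl_errors.stdout }}
          ================================================================================

    # ----- Remediation (mutating) --------------------------------------------
    - name: Restart Gitea if not in network or connection failed
      ansible.builtin.shell: docker compose restart gitea
      args:
        chdir: "{{ gitea_stack_path }}"
      register: gitea_restart
      changed_when: gitea_restart.rc == 0
      when: gitea_in_network.stdout != 'YES' or 'CONNECTION_FAILED' in traefik_gitea_direct.stdout

    - name: Wait for Gitea to be ready after restart
      ansible.builtin.pause:
        seconds: 30
      when: gitea_restart.changed | default(false)

    - name: Restart Traefik to refresh service discovery and SSL
      # Gated on traefik_auto_restart, which defaults to false (deny by
      # default): only an explicit opt-in may restart the shared ingress.
      # Without this gate, repeated remediation runs from CI/CD could loop
      # Traefik restarts. The second clause is the original trigger.
      ansible.builtin.shell: docker compose restart traefik
      args:
        chdir: "{{ traefik_stack_path }}"
      register: traefik_restart
      changed_when: traefik_restart.rc == 0
      when: >-
        (traefik_auto_restart | default(false) | bool)
        and (gitea_restart.changed | default(false) or gitea_https_test.status | default(0) != 200)

    - name: Wait for Traefik to be ready after restart
      ansible.builtin.pause:
        seconds: 15
      when: traefik_restart.changed | default(false)

    - name: Wait for Gitea to be reachable via HTTPS (with retries)
      # Only polled after a restart actually happened. failed_when applies to
      # the final result, so exhausted retries do not abort the play; the
      # summary below reports the outcome instead.
      ansible.builtin.uri:
        url: "{{ gitea_url }}/api/healthz"
        method: GET
        status_code: [200]
        validate_certs: false
        timeout: 10
      register: final_gitea_test
      until: final_gitea_test.status == 200
      retries: 20
      delay: 3
      changed_when: false
      failed_when: false
      when: traefik_restart.changed | default(false) or gitea_restart.changed | default(false)

    - name: Final status check
      # Reachability only: validate_certs is false, so a 200 here does not
      # prove that a valid certificate is being served.
      ansible.builtin.uri:
        url: "{{ gitea_url }}/api/healthz"
        method: GET
        status_code: [200]
        validate_certs: false
        timeout: 10
      register: final_status
      changed_when: false
      failed_when: false

    - name: Summary
      ansible.builtin.debug:
        msg: |
          ================================================================================
          ZUSAMMENFASSUNG - Gitea SSL/Routing Fix:
          ================================================================================
          Aktionen:
            - Gitea Restart: {% if gitea_restart.changed | default(false) %}✅ Durchgeführt{% else %} Nicht nötig{% endif %}
            - Traefik Restart: {% if traefik_restart.changed | default(false) %}✅ Durchgeführt{% else %} Nicht nötig{% endif %}
          Final Status:
            - Gitea via HTTPS: {% if final_status.status == 200 %}✅ Erreichbar{% else %}❌ Nicht erreichbar (Status: {{ final_status.status | default('TIMEOUT') }}){% endif %}
          {% if final_status.status == 200 %}
          ✅ Gitea ist jetzt über Traefik erreichbar!
          URL: {{ gitea_url }}
          {% else %}
          ⚠️ Gitea ist noch nicht erreichbar
          Mögliche Ursachen:
            1. SSL-Zertifikat wird noch generiert (ACME Challenge läuft)
            2. Traefik Service Discovery braucht mehr Zeit
            3. Netzwerk-Problem zwischen Traefik und Gitea
          Nächste Schritte:
            1. Warte 2-5 Minuten und teste erneut: curl -k {{ gitea_url }}/api/healthz
            2. Prüfe Traefik-Logs: cd {{ traefik_stack_path }} && docker compose logs traefik --tail=50
            3. Prüfe Gitea-Logs: cd {{ gitea_stack_path }} && docker compose logs gitea --tail=50
            4. Prüfe Netzwerk: docker network inspect traefik-public | grep -A 5 gitea
          {% endif %}
          ================================================================================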