ci(obs): GitOps obs env split in release — deploy to /opt/familienarchiv/, secrets fresh from Gitea

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 00:19:12 +02:00
parent c5139851b8
commit 1ae4bfe325
1 changed files with 19 additions and 8 deletions
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -76,12 +76,6 @@ jobs:
          APP_MAIL_FROM=noreply@raddatz.cloud
          IMPORT_HOST_DIR=/srv/familienarchiv-production/import
          POSTGRES_USER=archiv
-          PORT_GRAFANA=3003
-          PORT_GLITCHTIP=3002
-          PORT_PROMETHEUS=9090
-          GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }}
-          GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
-          GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud
          SENTRY_DSN=${{ secrets.SENTRY_DSN }}
          EOF

@@ -104,11 +98,28 @@ jobs:
            --env-file .env.production \
            up -d --wait --remove-orphans

+      - name: Deploy observability configs
+        # Mirrors the nightly approach: copies obs compose file and config tree
+        # to /opt/familienarchiv/ (permanent path, survives workspace wipes — ADR-016),
+        # then writes obs-secrets.env fresh from Gitea secrets.
+        # Non-secret config lives in infra/observability/obs.env (tracked in git).
+        run: |
+          mkdir -p /opt/familienarchiv/infra
+          cp -r infra/observability /opt/familienarchiv/infra/
+          cp docker-compose.observability.yml /opt/familienarchiv/
+          cat > /opt/familienarchiv/obs-secrets.env <<EOF
+          GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }}
+          GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
+          POSTGRES_USER=archiv
+          POSTGRES_PASSWORD=${{ secrets.PROD_POSTGRES_PASSWORD }}
+          EOF
+
      - name: Start observability stack
        run: |
          docker compose \
-            -f docker-compose.observability.yml \
-            --env-file .env.production \
+            -f /opt/familienarchiv/docker-compose.observability.yml \
+            --env-file /opt/familienarchiv/infra/observability/obs.env \
+            --env-file /opt/familienarchiv/obs-secrets.env \
            up -d --wait --remove-orphans

      - name: Reload Caddy