From 1ae4bfe3256b5c2dd99b4d1c33a6e1b9d0c5fed0 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Sat, 16 May 2026 00:19:12 +0200
Subject: [PATCH] =?UTF-8?q?ci(obs):=20GitOps=20obs=20env=20split=20in=20re?=
 =?UTF-8?q?lease=20=E2=80=94=20deploy=20to=20/opt/familienarchiv/,=20secre?=
 =?UTF-8?q?ts=20fresh=20from=20Gitea?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .gitea/workflows/release.yml | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 2645dc15..bd22cb63 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -76,12 +76,6 @@ jobs:
           APP_MAIL_FROM=noreply@raddatz.cloud
           IMPORT_HOST_DIR=/srv/familienarchiv-production/import
           POSTGRES_USER=archiv
-          PORT_GRAFANA=3003
-          PORT_GLITCHTIP=3002
-          PORT_PROMETHEUS=9090
-          GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }}
-          GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
-          GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud
           SENTRY_DSN=${{ secrets.SENTRY_DSN }}
           EOF
 
@@ -104,11 +98,28 @@ jobs:
             --env-file .env.production \
             up -d --wait --remove-orphans
 
+      - name: Deploy observability configs
+        # Mirrors the nightly approach: copies obs compose file and config tree
+        # to /opt/familienarchiv/ (permanent path, survives workspace wipes — ADR-016),
+        # then writes obs-secrets.env fresh from Gitea secrets.
+        # Non-secret config lives in infra/observability/obs.env (tracked in git).
+        run: |
+          mkdir -p /opt/familienarchiv/infra
+          cp -r infra/observability /opt/familienarchiv/infra/
+          cp docker-compose.observability.yml /opt/familienarchiv/
+          cat > /opt/familienarchiv/obs-secrets.env <<EOF
+          GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }}
+          GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
+          POSTGRES_USER=archiv
+          POSTGRES_PASSWORD=${{ secrets.PROD_POSTGRES_PASSWORD }}
+          EOF
+
       - name: Start observability stack
         run: |
           docker compose \
-            -f docker-compose.observability.yml \
-            --env-file .env.production \
+            -f /opt/familienarchiv/docker-compose.observability.yml \
+            --env-file /opt/familienarchiv/infra/observability/obs.env \
+            --env-file /opt/familienarchiv/obs-secrets.env \
             up -d --wait --remove-orphans
 
       - name: Reload Caddy