devops(ci): add --remove-orphans to observability stack deploy steps

Both nightly and release workflows were missing --remove-orphans on the observability compose up, while the main app deploy step already had it. Without it, containers removed from docker-compose.observability.yml linger as unnamed orphans until manually pruned. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
devops(caddy): apply full security_headers snippet to GlitchTip vhost
2026-05-15 14:55:28 +02:00 · 2026-05-15 14:54:54 +02:00 · 2026-05-15 13:46:01 +02:00 · 2026-05-15 13:45:07 +02:00 · 2026-05-15 13:44:16 +02:00 · 2026-05-15 13:43:35 +02:00
5 changed files with 50 additions and 0 deletions
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -30,6 +30,9 @@ name: nightly
 #   STAGING_OCR_TRAINING_TOKEN
 #   STAGING_APP_ADMIN_USERNAME
 #   STAGING_APP_ADMIN_PASSWORD
+#   GRAFANA_ADMIN_PASSWORD
+#   GLITCHTIP_SECRET_KEY
+#   SENTRY_DSN                  (set after GlitchTip first-run; empty = Sentry disabled)

 on:
  schedule:
@@ -74,6 +77,14 @@ jobs:
          MAIL_STARTTLS_ENABLE=false
          APP_MAIL_FROM=noreply@staging.raddatz.cloud
          IMPORT_HOST_DIR=/srv/familienarchiv-staging/import
+          POSTGRES_USER=archiv
+          PORT_GRAFANA=3003
+          PORT_GLITCHTIP=3002
+          PORT_PROMETHEUS=9090
+          GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }}
+          GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
+          GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud
+          SENTRY_DSN=${{ secrets.SENTRY_DSN }}
          EOF

      - name: Verify backend /import:ro mount is wired
@@ -120,6 +131,13 @@ jobs:
            --profile staging \
            up -d --wait --remove-orphans

+      - name: Start observability stack
+        run: |
+          docker compose \
+            -f docker-compose.observability.yml \
+            --env-file .env.staging \
+            up -d --wait --remove-orphans
+
      - name: Reload Caddy
        # Apply any committed Caddyfile changes before smoke-testing the
        # public surface. Without this step, a Caddyfile edit lands in the
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -34,6 +34,9 @@ name: release
 #   MAIL_PORT
 #   MAIL_USERNAME
 #   MAIL_PASSWORD
+#   GRAFANA_ADMIN_PASSWORD
+#   GLITCHTIP_SECRET_KEY
+#   SENTRY_DSN                    (set after GlitchTip first-run; empty = Sentry disabled)

 on:
  push:
@@ -72,6 +75,14 @@ jobs:
          MAIL_STARTTLS_ENABLE=true
          APP_MAIL_FROM=noreply@raddatz.cloud
          IMPORT_HOST_DIR=/srv/familienarchiv-production/import
+          POSTGRES_USER=archiv
+          PORT_GRAFANA=3003
+          PORT_GLITCHTIP=3002
+          PORT_PROMETHEUS=9090
+          GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }}
+          GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
+          GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud
+          SENTRY_DSN=${{ secrets.SENTRY_DSN }}
          EOF

      - name: Build images
@@ -93,6 +104,13 @@ jobs:
            --env-file .env.production \
            up -d --wait --remove-orphans

+      - name: Start observability stack
+        run: |
+          docker compose \
+            -f docker-compose.observability.yml \
+            --env-file .env.production \
+            up -d --wait --remove-orphans
+
      - name: Reload Caddy
        # See nightly.yml — same rationale and mechanism: DooD job containers
        # cannot call systemctl directly; nsenter via a privileged sibling
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -39,6 +39,7 @@
 networks:
  archiv-net:
    driver: bridge
+    name: archiv-net

 volumes:
  postgres-data:
--- a/docs/DEPLOYMENT.md
+++ b/docs/DEPLOYMENT.md
@@ -223,6 +223,9 @@ git.raddatz.cloud      A   <server IP>
 | `MAIL_PORT` | release.yml | typically `587` |
 | `MAIL_USERNAME` | release.yml | SMTP user |
 | `MAIL_PASSWORD` | release.yml | SMTP password |
+| `GRAFANA_ADMIN_PASSWORD` | both | Grafana `admin` login — generate a strong password |
+| `GLITCHTIP_SECRET_KEY` | both | Django secret key — `openssl rand -hex 32` |
+| `SENTRY_DSN` | both | GlitchTip project DSN — set after first-run (§4); leave empty to keep Sentry disabled |

 ### 3.4 First deploy

--- a/infra/caddy/Caddyfile
+++ b/infra/caddy/Caddyfile
@@ -88,3 +88,13 @@ git.raddatz.cloud {
 	import security_headers
 	reverse_proxy 127.0.0.1:3005
 }
+
+grafana.archiv.raddatz.cloud {
+	import security_headers
+	reverse_proxy 127.0.0.1:3003
+}
+
+glitchtip.archiv.raddatz.cloud {
+	import security_headers
+	reverse_proxy 127.0.0.1:3002
+}
Author	SHA1	Message	Date
Marcel	ada3a3ccaf	devops(ci): add --remove-orphans to observability stack deploy steps All checks were successful CI / Unit & Component Tests (pull_request) Successful in 5m27s Details CI / OCR Service Tests (pull_request) Successful in 34s Details CI / Backend Unit Tests (pull_request) Successful in 7m13s Details CI / fail2ban Regex (pull_request) Successful in 1m51s Details CI / Compose Bucket Idempotency (pull_request) Successful in 1m47s Details CI / Unit & Component Tests (push) Successful in 5m45s Details CI / OCR Service Tests (push) Successful in 36s Details CI / Backend Unit Tests (push) Successful in 7m12s Details CI / fail2ban Regex (push) Successful in 1m54s Details CI / Compose Bucket Idempotency (push) Successful in 1m41s Details Both nightly and release workflows were missing --remove-orphans on the observability compose up, while the main app deploy step already had it. Without it, containers removed from docker-compose.observability.yml linger as unnamed orphans until manually pruned. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 14:55:28 +02:00
Marcel	8cf3a2a726	devops(caddy): apply full security_headers snippet to GlitchTip vhost The GlitchTip vhost only had a manual HSTS header; the rest of the (security_headers) snippet (X-Content-Type-Options, Referrer-Policy, Permissions-Policy, -Server removal) was missing. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 14:54:54 +02:00
Marcel	553e2f8898	docs(deployment): add observability secrets to §3.3 Gitea secrets table All checks were successful CI / Unit & Component Tests (pull_request) Successful in 5m35s Details CI / OCR Service Tests (pull_request) Successful in 33s Details CI / Backend Unit Tests (pull_request) Successful in 7m10s Details CI / fail2ban Regex (pull_request) Successful in 1m54s Details CI / Compose Bucket Idempotency (pull_request) Successful in 1m39s Details GRAFANA_ADMIN_PASSWORD, GLITCHTIP_SECRET_KEY, and SENTRY_DSN were referenced in the workflow env files but absent from the secrets table, leaving the first-run operator without a complete checklist. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 13:46:01 +02:00
Marcel	4a7349543a	devops(ci): wire SENTRY_DSN into staging and production env files Adds SENTRY_DSN as an optional secret (empty by default) so it can be set after GlitchTip first-run without requiring another code change. Backend reads it via application.yaml; empty value keeps Sentry disabled. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 13:45:07 +02:00
Marcel	f15e004645	devops(ci): add --wait to observability stack startup Prometheus, Loki, Tempo, and Grafana all define healthchecks in docker-compose.observability.yml. Without --wait, the step exits 0 as soon as containers are created, masking startup failures silently. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 13:44:16 +02:00
Marcel	b137e3e72d	devops(caddy): add HSTS to GlitchTip vhost Caddy does not set Strict-Transport-Security on GlitchTip because the full security_headers snippet is intentionally omitted (Permissions-Policy interferes with the Sentry SDK CORS). Adding HSTS alone guarantees HTTPS enforcement at the Caddy layer without breaking SDK ingestion. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 13:43:35 +02:00
Marcel	4c8a23ff14	devops(caddy): add Grafana and GlitchTip vhosts All checks were successful CI / Unit & Component Tests (pull_request) Successful in 5m33s Details CI / OCR Service Tests (pull_request) Successful in 33s Details CI / Backend Unit Tests (pull_request) Successful in 7m10s Details CI / fail2ban Regex (pull_request) Successful in 1m55s Details CI / Compose Bucket Idempotency (pull_request) Successful in 1m42s Details grafana.archiv.raddatz.cloud → 127.0.0.1:3003 (with security headers) glitchtip.archiv.raddatz.cloud → 127.0.0.1:3002 (no security headers — GlitchTip manages its own; the Sentry SDK also POSTs here) Requires A records for both subdomains pointing at the server before the next `systemctl reload caddy`. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 11:27:07 +02:00
Marcel	d7d225af77	devops(observability): wire observability stack into nightly and release deploys All checks were successful CI / Unit & Component Tests (pull_request) Successful in 4m32s Details CI / OCR Service Tests (pull_request) Successful in 17s Details CI / Backend Unit Tests (pull_request) Successful in 4m3s Details CI / fail2ban Regex (pull_request) Successful in 1m55s Details CI / Compose Bucket Idempotency (pull_request) Successful in 1m42s Details - docker-compose.prod.yml: add `name: archiv-net` so the network has a stable Docker name regardless of compose project name (-p flag). Both staging and production share the same host-level network, which is correct since the observability stack is a single shared instance. - nightly.yml / release.yml: add observability env vars (POSTGRES_USER, PORT_GRAFANA=3003, PORT_GLITCHTIP=3002, PORT_PROMETHEUS=9090, GRAFANA_ADMIN_PASSWORD, GLITCHTIP_SECRET_KEY, GLITCHTIP_DOMAIN) to the env file, then `docker compose -f docker-compose.observability.yml up -d` after the app deploy step. PORT_GRAFANA=3003 avoids collision with staging frontend on 3001. Requires two new Gitea secrets: GRAFANA_ADMIN_PASSWORD, GLITCHTIP_SECRET_KEY. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 11:22:37 +02:00