docs(deployment): add observability secrets to §3.3 Gitea secrets table

GRAFANA_ADMIN_PASSWORD, GLITCHTIP_SECRET_KEY, and SENTRY_DSN were referenced in the workflow env files but absent from the secrets table, leaving the first-run operator without a complete checklist. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
devops(ci): wire SENTRY_DSN into staging and production env files
2026-05-15 13:46:01 +02:00 · 2026-05-15 13:45:07 +02:00 · 2026-05-15 13:44:16 +02:00 · 2026-05-15 13:43:35 +02:00
4 changed files with 14 additions and 2 deletions
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -30,6 +30,9 @@ name: nightly
 #   STAGING_OCR_TRAINING_TOKEN
 #   STAGING_APP_ADMIN_USERNAME
 #   STAGING_APP_ADMIN_PASSWORD
 #   GRAFANA_ADMIN_PASSWORD
 #   GLITCHTIP_SECRET_KEY
 #   SENTRY_DSN                  (set after GlitchTip first-run; empty = Sentry disabled)
 on:
  schedule:
@@ -81,6 +84,7 @@ jobs:
          GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }}
          GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
          GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud
          SENTRY_DSN=${{ secrets.SENTRY_DSN }}
          EOF
      - name: Verify backend /import:ro mount is wired
@@ -132,7 +136,7 @@ jobs:
          docker compose \
            -f docker-compose.observability.yml \
            --env-file .env.staging \
-            up -d
+            up -d --wait
      - name: Reload Caddy
        # Apply any committed Caddyfile changes before smoke-testing the
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -34,6 +34,9 @@ name: release
 #   MAIL_PORT
 #   MAIL_USERNAME
 #   MAIL_PASSWORD
 #   GRAFANA_ADMIN_PASSWORD
 #   GLITCHTIP_SECRET_KEY
 #   SENTRY_DSN                    (set after GlitchTip first-run; empty = Sentry disabled)
 on:
  push:
@@ -79,6 +82,7 @@ jobs:
          GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }}
          GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
          GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud
          SENTRY_DSN=${{ secrets.SENTRY_DSN }}
          EOF
      - name: Build images
@@ -105,7 +109,7 @@ jobs:
          docker compose \
            -f docker-compose.observability.yml \
            --env-file .env.production \
-            up -d
+            up -d --wait
      - name: Reload Caddy
        # See nightly.yml — same rationale and mechanism: DooD job containers
--- a/docs/DEPLOYMENT.md
+++ b/docs/DEPLOYMENT.md
@@ -223,6 +223,9 @@ git.raddatz.cloud      A   <server IP>
 | `MAIL_PORT` | release.yml | typically `587` |
 | `MAIL_USERNAME` | release.yml | SMTP user |
 | `MAIL_PASSWORD` | release.yml | SMTP password |
 | `GRAFANA_ADMIN_PASSWORD` | both | Grafana `admin` login — generate a strong password |
 | `GLITCHTIP_SECRET_KEY` | both | Django secret key — `openssl rand -hex 32` |
 | `SENTRY_DSN` | both | GlitchTip project DSN — set after first-run (§4); leave empty to keep Sentry disabled |
 ### 3.4 First deploy
--- a/infra/caddy/Caddyfile
+++ b/infra/caddy/Caddyfile
@@ -95,5 +95,6 @@ grafana.archiv.raddatz.cloud {
 }
 glitchtip.archiv.raddatz.cloud {
 	header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 	reverse_proxy 127.0.0.1:3002
 }
Author	SHA1	Message	Date
Marcel	553e2f8898	docs(deployment): add observability secrets to §3.3 Gitea secrets table All checks were successful CI / Unit & Component Tests (pull_request) Successful in 5m35s Details CI / OCR Service Tests (pull_request) Successful in 33s Details CI / Backend Unit Tests (pull_request) Successful in 7m10s Details CI / fail2ban Regex (pull_request) Successful in 1m54s Details CI / Compose Bucket Idempotency (pull_request) Successful in 1m39s Details GRAFANA_ADMIN_PASSWORD, GLITCHTIP_SECRET_KEY, and SENTRY_DSN were referenced in the workflow env files but absent from the secrets table, leaving the first-run operator without a complete checklist. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 13:46:01 +02:00
Marcel	4a7349543a	devops(ci): wire SENTRY_DSN into staging and production env files Adds SENTRY_DSN as an optional secret (empty by default) so it can be set after GlitchTip first-run without requiring another code change. Backend reads it via application.yaml; empty value keeps Sentry disabled. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 13:45:07 +02:00
Marcel	f15e004645	devops(ci): add --wait to observability stack startup Prometheus, Loki, Tempo, and Grafana all define healthchecks in docker-compose.observability.yml. Without --wait, the step exits 0 as soon as containers are created, masking startup failures silently. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 13:44:16 +02:00
Marcel	b137e3e72d	devops(caddy): add HSTS to GlitchTip vhost Caddy does not set Strict-Transport-Security on GlitchTip because the full security_headers snippet is intentionally omitted (Permissions-Policy interferes with the Sentry SDK CORS). Adding HSTS alone guarantees HTTPS enforcement at the Caddy layer without breaking SDK ingestion. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 13:43:35 +02:00