From 8a4a494610ab7d429621492bb90a8242a554470a Mon Sep 17 00:00:00 2001
From: Stiftung Development
Date: Mon, 15 Sep 2025 23:41:54 +0200
Subject: [PATCH] Fix production deployment: preserve .env file + add missing volume + simplified pipeline
---
 .github/workflows/ci-cd.yml | 20 +++++++--
 deploy-production/docker-compose.prod.yml | 1 +
 env-production.template | 52 +++++++++++++++++++++++
 3 files changed, 69 insertions(+), 4 deletions(-)
 create mode 100644 env-production.template
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index b01d1d2..fed9472 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -195,14 +195,26 @@ jobs:
 script: |
 cd /opt/stiftung
- # Stash any local changes to avoid conflicts
- git stash push -m "Auto-stash before deployment $(date)"
+ # Check if production .env exists in root directory
+ if [ ! -f .env ]; then
+ echo "ERROR: No production .env file found at /opt/stiftung/.env"
+ echo "Please create it manually using the env-production.template as reference"
+ echo "Steps:"
+ echo "1. cp env-production.template .env"
+ echo "2. nano .env # Edit with real production values"
+ echo "3. chmod 600 .env # Secure permissions"
+ exit 1
+ fi
- # Pull latest changes using Personal Access Token
+ echo "Production .env file found - proceeding with deployment"
+
+ # Pull latest code changes (.env is in .gitignore so won't be touched)
 git pull https://$DEPLOY_TOKEN@github.com/remmerinio/stiftung-management-system.git main
 # Backup current compose.yml
- cp compose.yml compose.yml.backup
+ if [ -f compose.yml ]; then
+ cp compose.yml compose.yml.backup
+ fi
 # Copy production docker compose file to the active compose.yml
 cp deploy-production/docker-compose.prod.yml compose.yml
diff --git a/deploy-production/docker-compose.prod.yml b/deploy-production/docker-compose.prod.yml
index 1be8311..ca7f8f5 100644
--- a/deploy-production/docker-compose.prod.yml
+++ b/deploy-production/docker-compose.prod.yml
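Review bot: The new guard in the ci-cd.yml deploy script only tests that `.env` exists, so a group- or world-readable secrets file passes even though the error text asks for `chmod 600`. A mode check beside it would enforce that: `[ "$(stat -c '%a' .env)" = "600" ] || { echo "ERROR: .env must be mode 600"; exit 1; }`. With the `git stash` line removed, local edits on the server can now make `git pull` fail; whether the step stops on the first failing command is not visible here (the script continues past this hunk), so `git pull ... || exit 1` would keep the later `cp` from activating a compose file from stale code. The comment that `.env` is in `.gitignore` cannot be checked from this diff, and ignoring a path does not protect a file that was ever tracked.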
@@ -137,3 +137,4 @@ volumes:
 paperless_media:
 paperless_export:
 paperless_consume:
+ media_files:
diff --git a/env-production.template b/env-production.template
new file mode 100644
index 0000000..32b99c2
--- /dev/null
+++ b/env-production.template
@@ -0,0 +1,52 @@
+# =============================================================================
+# PRODUCTION ENVIRONMENT VARIABLES
+# =============================================================================
+# This template shows the required environment variables for production.
+#
+# SETUP INSTRUCTIONS:
+# 1. SSH into production server: ssh user@your-server-ip
+# 2. Navigate to stiftung directory: cd /opt/stiftung
+# 3. Copy this template: cp env-production.template .env
+# 4. Edit with real values: nano .env
+# 5. Set secure permissions: chmod 600 .env
+#
+# IMPORTANT: Once created, this file will NEVER be overwritten by git deployments!
+# The .env file is in .gitignore and will be preserved across all future deployments.
+# =============================================================================
+
+# DATABASE CONFIGURATION
+POSTGRES_DB=stiftung
+POSTGRES_USER=stiftung
+POSTGRES_PASSWORD=your_secure_database_password_here
+DB_HOST=db
+DB_PORT=5432
+
+# DJANGO CONFIGURATION
+DJANGO_SECRET_KEY=your_50_character_secret_key_here
+DJANGO_DEBUG=False
+DJANGO_ALLOWED_HOSTS=www.vhtv-stiftung.de,vhtv-stiftung.de
+LANGUAGE_CODE=de-de
+TIME_ZONE=Europe/Berlin
+
+# REDIS CONFIGURATION
+REDIS_URL=redis://redis:6379/0
+
+# PAPERLESS CONFIGURATION
+PAPERLESS_API_URL=http://paperless:8000/api
+PAPERLESS_API_TOKEN=your_paperless_api_token_here
+PAPERLESS_SECRET_KEY=your_paperless_secret_key_here
+PAPERLESS_ADMIN_USER=admin
+PAPERLESS_ADMIN_PASSWORD=your_paperless_admin_password_here
+PAPERLESS_ADMIN_MAIL=admin@vhtv-stiftung.de
+
+# GRAMPS WEB CONFIGURATION
+GRAMPSWEB_SECRET_KEY=your_grampsweb_secret_key_here
+GRAMPSWEB_ADMIN_EMAIL=admin@vhtv-stiftung.de
+GRAMPSWEB_ADMIN_PASSWORD=your_grampsweb_admin_password_here
+
+# =============================================================================
+# GENERATE SECRET KEYS:
+# =============================================================================
+# Django Secret Key: python -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())"
+# Paperless Secret: openssl rand -base64 32
+# GrampsWeb Secret: openssl rand -base64 32
\ No newline at end of file
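Review bot: The setup steps in the template header put `chmod 600 .env` after the edit, so the file holds real secrets while it still has whatever mode `cp` gave it; creating it restricted from the start, e.g. `# 3. Copy this template: install -m 600 env-production.template .env`, closes that window. The placeholder values such as `your_secure_database_password_here` are non-empty, so a copied but unedited file passes the existence check in the deploy step and would presumably bring the stack up with publicly known credentials; leaving the secret fields empty would more likely make the services fail at start instead. The key-generation footer covers the three secret keys but not `POSTGRES_PASSWORD` or the two admin passwords, and a line such as `# Passwords: openssl rand -base64 24` would cover them.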