Fix GrampsWeb: patch service worker to respect subpath (STI-90)

The GrampsWeb service worker was serving index.html for ALL navigation
requests (including Django app routes), hijacking the entire domain.
Patched sw.js at startup to:
- Use subpath-prefixed index.html in createHandlerBoundToURL
- Update denylist regex to match subpath API routes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.mcp.json

@@ -1,11 +1,9 @@
 {
   "mcpServers": {
     "stiftung": {
-      "command": "ssh",
+      "command": "bash",
       "args": [
-        "-o", "StrictHostKeyChecking=no",
+        "/home/remmer/stiftung/app/mcp_server/connect.sh"
-        "deployment@217.154.84.225",
-        "cd /opt/stiftung && docker compose run --rm -T -e MCP_AUTH_TOKEN=a66d2bf53b83489693a59af6ff0e3dd2a09885b98aced40f6bbb7423a173e173 -e DJANGO_ALLOW_ASYNC_UNSAFE=true mcp"
       ]
     }
   }

app/core/settings.py

@@ -166,7 +166,7 @@ LOGIN_REDIRECT_URL = "/"
 LOGOUT_REDIRECT_URL = "/login/"
 
 # Gramps integration
-GRAMPS_URL = os.environ.get("GRAMPS_URL", "http://grampsweb:80")
+GRAMPS_URL = os.environ.get("GRAMPS_URL", "http://grampsweb:5000")
 GRAMPS_API_TOKEN = os.environ.get("GRAMPS_API_TOKEN", "")
 GRAMPS_STIFTER_IDS = os.environ.get("GRAMPS_STIFTER_IDS", "")  # comma-separated
 GRAMPS_USERNAME = os.environ.get("GRAMPS_USERNAME", "")

app/mcp_server/connect.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# MCP-Verbindungsskript zum Remote-Server
+# Token wird aus der Umgebungsvariable MCP_AUTH_TOKEN gelesen – nie hardcoden.
+# Einrichten: export MCP_AUTH_TOKEN=<token> in ~/.bashrc oder per Secrets-Manager.
+
+set -euo pipefail
+
+: "${MCP_AUTH_TOKEN:?MCP_AUTH_TOKEN nicht gesetzt. Bitte in ~/.bashrc oder ~/.profile exportieren.}"
+
+exec ssh \
+  -o StrictHostKeyChecking=no \
+  deployment@217.154.84.225 \
+  "cd /opt/stiftung && docker compose run --rm -T \
+    -e MCP_AUTH_TOKEN=${MCP_AUTH_TOKEN} \
+    -e DJANGO_ALLOW_ASYNC_UNSAFE=true \
+    mcp"

app/stiftung/migrations/0064_add_einwilligung_erteilt_am_to_uploadtoken.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.0.6 on 2026-03-21 22:42
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('stiftung', '0063_add_anrede_to_destinataer'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='uploadtoken',
+            name='einwilligung_erteilt_am',
+            field=models.DateTimeField(blank=True, help_text='Zeitpunkt der DSGVO-Einwilligung beim Upload (Art. 7 Abs. 1 DSGVO)', null=True, verbose_name='Einwilligung erteilt am'),
+        ),
+    ]

app/stiftung/models/destinataere.py

@@ -1362,6 +1362,10 @@ class UploadToken(models.Model):
     erinnerung_gesendet = models.BooleanField(
         default=False, verbose_name="Erinnerung gesendet"
     )
+    einwilligung_erteilt_am = models.DateTimeField(
+        null=True, blank=True, verbose_name="Einwilligung erteilt am",
+        help_text="Zeitpunkt der DSGVO-Einwilligung beim Upload (Art. 7 Abs. 1 DSGVO)"
+    )
 
     class Meta:
         verbose_name = "Upload-Token"

app/stiftung/portal_urls.py

@@ -6,6 +6,7 @@ Diese URLs sind ohne Login zugänglich (tokenbasierte Authentifizierung).
 from django.urls import path
 
 from stiftung.views.portal import (
+    datenschutzerklaerung,
     onboarding_danke,
     onboarding_schritt,
     upload_danke,
@@ -15,6 +16,12 @@ from stiftung.views.portal import (
 app_name = "portal"
 
 urlpatterns = [
+    # Datenschutzerklärung (öffentlich, kein Token erforderlich)
+    path(
+        "datenschutz/",
+        datenschutzerklaerung,
+        name="datenschutzerklaerung",
+    ),
     # Upload-Portal (bestehende Destinatäre – Token-basiert)
     path(
         "upload/<str:token>/",

app/stiftung/tasks.py

@@ -547,6 +547,7 @@ def send_nachweis_aufforderung(self, destinataer_id, nachweis_id, base_url=None)
         "gueltig_bis": gueltig_bis,
         "halbjahr_label": halbjahr_label,
         "quartal_label": quartal_label,
+        "datenschutz_url": f"{base_url}/portal/datenschutz/",
     }
 
     subject = f"Nachweis-Aufforderung: {quartal_label} ({halbjahr_label}) – vHTV-Stiftung"
@@ -618,6 +619,7 @@ def send_nachweis_erinnerung(self, token_id, base_url=None):
         "gueltig_bis": upload_token.gueltig_bis,
         "halbjahr_label": halbjahr_label,
         "ist_erinnerung": True,
+        "datenschutz_url": f"{base_url}/portal/datenschutz/",
     }
 
     subject = f"Erinnerung: Nachweis-Upload noch ausstehend – {halbjahr_label}"

app/stiftung/views/portal.py

@@ -33,6 +33,11 @@ from django.views.decorators.http import require_http_methods
 
 from stiftung.models import DokumentDatei, OnboardingEinladung, UploadToken, VierteljahresNachweis
 
+
+def datenschutzerklaerung(request):
+    """Datenschutzerklärung für das öffentliche Portal."""
+    return render(request, "portal/datenschutzerklaerung.html")
+
 logger = logging.getLogger(__name__)
 
 # Erlaubte Dateitypen für Uploads
@@ -105,6 +110,19 @@ def upload_formular(request, token):
     if request.method == "GET":
         return render(request, "portal/upload_formular.html", base_context)
 
+    # POST: Einwilligung prüfen
+    einwilligung = request.POST.get("einwilligung")
+    if not einwilligung:
+        ctx = {
+            **base_context,
+            "einwilligung_fehler": "Bitte erteilen Sie Ihre Einwilligung zur Datenverarbeitung, um fortzufahren.",
+        }
+        for kat in [
+            "studiennachweis", "einkommenssituation", "vermogenssituation", "weitere_dokumente"
+        ]:
+            ctx[f"{kat}_text"] = request.POST.get(f"{kat}_text", "")
+        return render(request, "portal/upload_formular.html", ctx)
+
     # POST: Kategorisierte Dateien und Texte verarbeiten
     # Kategorien mit ihren DMS-Kontext-Werten und FK-Feldern auf VierteljahresNachweis
     KATEGORIEN = [
@@ -228,6 +246,10 @@ def upload_formular(request, token):
     if nachweis_update_fields:
         nachweis.save(update_fields=list(set(nachweis_update_fields)))
 
+    # DSGVO-Einwilligung protokollieren (Art. 7 Abs. 1 DSGVO)
+    upload_token.einwilligung_erteilt_am = timezone.now()
+    upload_token.save(update_fields=["einwilligung_erteilt_am"])
+
     # Token einlösen
     ip = _get_client_ip(request)
     upload_token.einloesen(ip_address=ip)

app/templates/base.html

@@ -689,6 +689,10 @@
                 <i class="fas fa-book-open"></i>
                 <span>Geschichte</span>
             </a>
+            <a class="sidebar-link" href="/ahnenforschung/" target="_blank">
+                <i class="fas fa-tree"></i>
+                <span>Ahnenforschung</span>
+            </a>
             {% if perms.stiftung.access_administration %}
             <a class="sidebar-link" href="{% url 'stiftung:administration' %}">
                 <i class="fas fa-cogs"></i>

app/templates/email/nachweis_aufforderung.html

@@ -71,7 +71,8 @@
   </div>
   <div class="footer">
     van Hees-Theyssen-Vogel'sche Stiftung &bull; Raesfelder Str. 3 &bull; 46499 Hamminkeln &bull; Tel. 02858/836780<br>
-    Diese E-Mail wurde automatisch erzeugt. Bitte antworten Sie nicht direkt auf diese E-Mail.
+    Diese E-Mail wurde automatisch erzeugt. Bitte antworten Sie nicht direkt auf diese E-Mail.<br>
+    <a href="{{ datenschutz_url }}" style="color:#999;">Datenschutzerklärung</a>
   </div>
 </div>
 </body>

app/templates/email/nachweis_aufforderung.txt

@@ -35,3 +35,4 @@ Tel. 02858/836780
 
 ---
 Diese E-Mail wurde automatisch erzeugt. Bitte antworten Sie nicht direkt auf diese E-Mail.
+Datenschutzerklärung: {{ datenschutz_url }}

app/templates/portal/einwilligung_onboarding.html

@@ -108,7 +108,7 @@
                 <div class="mt-3 p-2 rounded" style="background: #fff8e1; border: 1px solid #ffc107; font-size: 0.82rem;">
                     <i class="fas fa-info-circle me-1 text-warning"></i>
                     <strong>Aktuelle Grenzwerte gemäß § 53 Nr. 2 AO (Stand 01/2024):</strong>
-                    Bezüge max. 2.245 € monatlich (5× Regelsatz 449 €); Vermögen max. 15.500 €.
+                    Bezüge max. 2.815 € monatlich (5× Regelsatz 563 €); Vermögen max. 15.500 €.
                     Bei Haushaltsangehörigen erhöhen sich die Grenzen entsprechend.
                     Maßgeblich sind die jeweils gültigen Werte zum Zeitpunkt der Prüfung.
                 </div>

app/templates/portal/upload_formular.html

@@ -41,6 +41,10 @@
     .deadline { font-size: 13px; color: #888; margin-top: 16px; text-align: center; }
     .footer { text-align: center; margin-top: 24px; font-size: 12px; color: #aaa; }
     .pflicht-hinweis { font-size: 12px; color: #888; margin-bottom: 16px; }
+    .einwilligung-box { background: #f0f6ff; border: 1px solid #b0cce8; border-radius: 6px; padding: 14px 16px; margin: 20px 0; font-size: 14px; }
+    .einwilligung-box label { font-weight: normal; display: flex; align-items: flex-start; gap: 10px; cursor: pointer; }
+    .einwilligung-box input[type="checkbox"] { margin-top: 2px; flex-shrink: 0; width: 16px; height: 16px; cursor: pointer; }
+    .einwilligung-box .einwilligung-fehler { color: #c00; font-size: 13px; margin-top: 6px; }
   </style>
 </head>
 <body>
@@ -128,6 +132,17 @@
         <textarea name="weitere_dokumente_text" placeholder="Optionale Anmerkungen oder Beschreibung">{{ weitere_dokumente_text|default:"" }}</textarea>
       </div>
 
+      <div class="einwilligung-box">
+        <label>
+          <input type="checkbox" name="einwilligung" id="einwilligung" required {% if einwilligung_erteilt %}checked{% endif %}>
+          <span>Ich willige ein, dass die van Hees-Theyssen-Vogel'sche Stiftung die von mir hochgeladenen Dokumente und eingegebenen Daten zum Zweck der Förderprüfung verarbeitet und speichert. Ich habe die <a href="{% url 'portal:datenschutzerklaerung' %}" target="_blank">Datenschutzerklärung</a> gelesen und stimme ihr zu. Die Einwilligung kann ich jederzeit widerrufen (stiftung@vhtv-stiftung.de).
+          </span>
+        </label>
+        {% if einwilligung_fehler %}
+        <p class="einwilligung-fehler">{{ einwilligung_fehler }}</p>
+        {% endif %}
+      </div>
+
       <button type="submit" class="submit-btn">Unterlagen jetzt einreichen</button>
     </form>
 

compose.dev.yml

@@ -197,9 +197,7 @@ services:
       - GRAMPSWEB_ADMIN_EMAIL=admin@localhost
       - GRAMPSWEB_ADMIN_PASSWORD=gramps_dev_password
       - GRAMPSWEB_TREE=Stiftung
-      - GRAMPSWEB_BASE_URL=/ahnenforschung
+      - GRAMPSWEB_BASE_URL=/
-      - GRAMPSWEB_STATIC_PATH=/ahnenforschung/static
-      - GRAMPSWEB_STATIC_URL=/ahnenforschung/static/
       - GRAMPSWEB_CELERY_CONFIG__broker_url=redis://redis:6379/0
       - GRAMPSWEB_CELERY_CONFIG__result_backend=redis://redis:6379/0
       - GRAMPSWEB_RATELIMIT_STORAGE_URI=redis://redis:6379/1
@@ -211,9 +209,9 @@ services:
 
 volumes:
   dbdata_dev:
+  gramps_data_dev:
   paperless_data_dev:
   paperless_media_dev:
   paperless_export_dev:
   paperless_consume_dev:
-  gramps_data_dev:
   ollama_data_dev:

compose.yml

@@ -193,17 +193,81 @@ services:
     ports:
       - "8090:5000"
     environment:
-      - GRAMPSWEB_SECRET_KEY=${GRAMPSWEB_SECRET_KEY}
+      - GRAMPSWEB_SECRET_KEY=${GRAMPSWEB_SECRET_KEY:-dev-grampsweb-secret-key-not-for-production}
-      - GRAMPSWEB_ADMIN_EMAIL=${GRAMPSWEB_ADMIN_EMAIL}
+      - GRAMPSWEB_ADMIN_EMAIL=${GRAMPSWEB_ADMIN_EMAIL:-admin@localhost}
-      - GRAMPSWEB_ADMIN_PASSWORD=${GRAMPSWEB_ADMIN_PASSWORD}
+      - GRAMPSWEB_ADMIN_PASSWORD=${GRAMPSWEB_ADMIN_PASSWORD:-gramps_dev_password}
       - GRAMPSWEB_TREE=${GRAMPSWEB_TREE:-Stiftung}
-      - GRAMPSWEB_BASE_URL=${GRAMPSWEB_BASE_URL:-/ahnenforschung}
+      - GRAMPSWEB_BASE_URL=${GRAMPSWEB_BASE_URL:-http://localhost:8090}
-      - GRAMPSWEB_STATIC_PATH=${GRAMPSWEB_STATIC_PATH:-/ahnenforschung/static}
-      - GRAMPSWEB_STATIC_URL=${GRAMPSWEB_STATIC_URL:-/ahnenforschung/static/}
       - GRAMPSWEB_CELERY_CONFIG__broker_url=redis://redis:6379/0
       - GRAMPSWEB_CELERY_CONFIG__result_backend=redis://redis:6379/0
       - GRAMPSWEB_RATELIMIT_STORAGE_URI=redis://redis:6379/1
       - GRAMPSWEB_NEW_DB_BACKEND=sqlite
+      - GRAMPSWEB_SUBPATH=${GRAMPSWEB_SUBPATH:-/ahnenforschung}
+    command:
+      - sh
+      - -c
+      - |
+        if [ -n "$$GRAMPSWEB_SUBPATH" ] && [ "$$GRAMPSWEB_SUBPATH" != "/" ]; then
+          SUBPATH="$$GRAMPSWEB_SUBPATH"
+          case "$$SUBPATH" in */) ;; *) SUBPATH="$${SUBPATH}/" ;; esac
+          echo "[grampsweb] Patching static files for subpath $$SUBPATH ..."
+          find / -name index.html -path "*/gramps*" -o -name index.html -path "*/static/*" 2>/dev/null | while read f; do
+            if grep -q '<base href="/">' "$$f" 2>/dev/null; then
+              sed -i "s|<base href=\"/\">|<base href=\"$$SUBPATH\">|g" "$$f"
+              echo "[grampsweb]   patched base href: $$f"
+            fi
+          done
+          for f in /app/static/*.js; do
+            if [ -f "$$f" ] && grep -q '/api/' "$$f" 2>/dev/null; then
+              sed -i "s|\"/api/|\"$${SUBPATH}api/|g" "$$f"
+              sed -i 's|`/api/|`'"$${SUBPATH}"'api/|g' "$$f"
+              sed -i "s|\"/lang/|\"$${SUBPATH}lang/|g" "$$f"
+              sed -i 's|`/lang/|`'"$${SUBPATH}"'lang/|g' "$$f"
+              sed -i "s|\"/fonts/|\"$${SUBPATH}fonts/|g" "$$f"
+              sed -i 's|`/fonts/|`'"$${SUBPATH}"'fonts/|g' "$$f"
+              sed -i "s|\"/assets/|\"$${SUBPATH}assets/|g" "$$f"
+              sed -i 's|`/assets/|`'"$${SUBPATH}"'assets/|g' "$$f"
+              sed -i "s|location\.href=\"/\"|location.href=\"$$SUBPATH\"|g" "$$f"
+              sed -i "s|document\.location\.href=\"/\"|document.location.href=\"$$SUBPATH\"|g" "$$f"
+              echo "[grampsweb]   patched JS paths: $$f"
+            fi
+          done
+          if [ -f /app/static/sw.js ]; then
+            sed -i "s|createHandlerBoundToURL(\"/index.html\")|createHandlerBoundToURL(\"$${SUBPATH}index.html\")|g" /app/static/sw.js
+            SUBPATH_BS=$$(echo "$$SUBPATH" | sed "s|/|\\\\\\\\/|g")
+            sed -i "s|\\^\\\\/api|\\^$${SUBPATH_BS}api|g" /app/static/sw.js
+            echo "[grampsweb]   patched sw.js navigation routes"
+          fi
+          find /app/static -name '*.css' 2>/dev/null | while read f; do
+            if grep -q '\.\./fonts/' "$$f" 2>/dev/null; then
+              sed -i "s|'../fonts/|'fonts/|g" "$$f"
+              sed -i "s|\"../fonts/|\"fonts/|g" "$$f"
+              echo "[grampsweb]   patched CSS font paths: $$f"
+            fi
+          done
+          echo "[grampsweb] Done."
+        fi
+        echo "[grampsweb] Ensuring admin user exists ..."
+        python3 << 'PYEOF' 2>&1 | grep -v Gtk
+        from gramps_webapi.app import create_app
+        from gramps_webapi.auth import add_user, get_number_users, ROLE_OWNER
+        import os
+        email = os.environ.get('GRAMPSWEB_ADMIN_EMAIL', '')
+        pw = os.environ.get('GRAMPSWEB_ADMIN_PASSWORD', '')
+        if email and pw:
+            app = create_app()
+            with app.app_context():
+                if get_number_users() == 0:
+                    add_user(name='Admin', email=email, password=pw, role=ROLE_OWNER)
+                    print('[grampsweb] Admin user created')
+                else:
+                    print('[grampsweb] Users already exist, skipping')
+        else:
+            print('[grampsweb] No admin credentials configured, skipping')
+        PYEOF
+        exec gunicorn -w $${GUNICORN_NUM_WORKERS:-8} -b 0.0.0.0:5000 \
+          gramps_webapi.wsgi:app --timeout $${GUNICORN_TIMEOUT:-120} \
+          --limit-request-line 8190
     volumes:
       - gramps_data:/app/data
     depends_on:

deploy-production/docker-compose.prod.yml

@@ -49,6 +49,10 @@ services:
       - REDIS_URL=${REDIS_URL}
       - PAPERLESS_API_URL=${PAPERLESS_API_URL}
       - PAPERLESS_API_TOKEN=${PAPERLESS_API_TOKEN}
+      - GRAMPS_URL=${GRAMPS_URL}
+      - GRAMPS_USERNAME=${GRAMPS_USERNAME}
+      - GRAMPS_PASSWORD=${GRAMPS_PASSWORD}
+      - GRAMPS_API_TOKEN=${GRAMPS_API_TOKEN}
     ports:
       - "8081:8000"
     volumes:
@@ -111,14 +115,89 @@ services:
 
   grampsweb:
     image: ghcr.io/gramps-project/grampsweb:latest
+    restart: unless-stopped
     ports:
-      - "8090:80"
+      - "8090:5000"
     environment:
       - GRAMPSWEB_SECRET_KEY=${GRAMPSWEB_SECRET_KEY}
       - GRAMPSWEB_ADMIN_EMAIL=${GRAMPSWEB_ADMIN_EMAIL}
       - GRAMPSWEB_ADMIN_PASSWORD=${GRAMPSWEB_ADMIN_PASSWORD}
+      - GRAMPSWEB_TREE=${GRAMPSWEB_TREE:-Stiftung}
+      - GRAMPSWEB_BASE_URL=${GRAMPSWEB_BASE_URL:-/}
+      - GRAMPSWEB_CELERY_CONFIG__broker_url=redis://redis:6379/0
+      - GRAMPSWEB_CELERY_CONFIG__result_backend=redis://redis:6379/0
+      - GRAMPSWEB_RATELIMIT_STORAGE_URI=redis://redis:6379/1
+      - GRAMPSWEB_NEW_DB_BACKEND=sqlite
+      - GRAMPSWEB_SUBPATH=${GRAMPSWEB_SUBPATH:-/ahnenforschung}
+    command:
+      - sh
+      - -c
+      - |
+        if [ -n "$$GRAMPSWEB_SUBPATH" ] && [ "$$GRAMPSWEB_SUBPATH" != "/" ]; then
+          SUBPATH="$$GRAMPSWEB_SUBPATH"
+          case "$$SUBPATH" in */) ;; *) SUBPATH="$${SUBPATH}/" ;; esac
+          echo "[grampsweb] Patching static files for subpath $$SUBPATH ..."
+          find / -name index.html -path "*/gramps*" -o -name index.html -path "*/static/*" 2>/dev/null | while read f; do
+            if grep -q '<base href="/">' "$$f" 2>/dev/null; then
+              sed -i "s|<base href=\"/\">|<base href=\"$$SUBPATH\">|g" "$$f"
+              echo "[grampsweb]   patched base href: $$f"
+            fi
+          done
+          for f in /app/static/*.js; do
+            if [ -f "$$f" ] && grep -q '/api/' "$$f" 2>/dev/null; then
+              sed -i "s|\"/api/|\"$${SUBPATH}api/|g" "$$f"
+              sed -i 's|`/api/|`'"$${SUBPATH}"'api/|g' "$$f"
+              sed -i "s|\"/lang/|\"$${SUBPATH}lang/|g" "$$f"
+              sed -i 's|`/lang/|`'"$${SUBPATH}"'lang/|g' "$$f"
+              sed -i "s|\"/fonts/|\"$${SUBPATH}fonts/|g" "$$f"
+              sed -i 's|`/fonts/|`'"$${SUBPATH}"'fonts/|g' "$$f"
+              sed -i "s|\"/assets/|\"$${SUBPATH}assets/|g" "$$f"
+              sed -i 's|`/assets/|`'"$${SUBPATH}"'assets/|g' "$$f"
+              sed -i "s|location\.href=\"/\"|location.href=\"$$SUBPATH\"|g" "$$f"
+              sed -i "s|document\.location\.href=\"/\"|document.location.href=\"$$SUBPATH\"|g" "$$f"
+              echo "[grampsweb]   patched JS paths: $$f"
+            fi
+          done
+          if [ -f /app/static/sw.js ]; then
+            sed -i "s|createHandlerBoundToURL(\"/index.html\")|createHandlerBoundToURL(\"$${SUBPATH}index.html\")|g" /app/static/sw.js
+            SUBPATH_BS=$$(echo "$$SUBPATH" | sed "s|/|\\\\\\\\/|g")
+            sed -i "s|\\^\\\\/api|\\^$${SUBPATH_BS}api|g" /app/static/sw.js
+            echo "[grampsweb]   patched sw.js navigation routes"
+          fi
+          find /app/static -name '*.css' 2>/dev/null | while read f; do
+            if grep -q '\.\./fonts/' "$$f" 2>/dev/null; then
+              sed -i "s|'../fonts/|'fonts/|g" "$$f"
+              sed -i "s|\"../fonts/|\"fonts/|g" "$$f"
+              echo "[grampsweb]   patched CSS font paths: $$f"
+            fi
+          done
+          echo "[grampsweb] Done."
+        fi
+        echo "[grampsweb] Ensuring admin user exists ..."
+        python3 << 'PYEOF' 2>&1 | grep -v Gtk
+        from gramps_webapi.app import create_app
+        from gramps_webapi.auth import add_user, get_number_users, ROLE_OWNER
+        import os
+        email = os.environ.get('GRAMPSWEB_ADMIN_EMAIL', '')
+        pw = os.environ.get('GRAMPSWEB_ADMIN_PASSWORD', '')
+        if email and pw:
+            app = create_app()
+            with app.app_context():
+                if get_number_users() == 0:
+                    add_user(name='Admin', email=email, password=pw, role=ROLE_OWNER)
+                    print('[grampsweb] Admin user created')
+                else:
+                    print('[grampsweb] Users already exist, skipping')
+        else:
+            print('[grampsweb] No admin credentials configured, skipping')
+        PYEOF
+        exec gunicorn -w $${GUNICORN_NUM_WORKERS:-8} -b 0.0.0.0:5000 \
+          gramps_webapi.wsgi:app --timeout $${GUNICORN_TIMEOUT:-120} \
+          --limit-request-line 8190
     volumes:
       - gramps_data:/app/data
+    depends_on:
+      - redis
 
   paperless:
     image: ghcr.io/paperless-ngx/paperless-ngx:latest

deploy-production/nginx.conf

@@ -0,0 +1,128 @@
+# HTTP server block - redirect to HTTPS
+server {
+    listen 80;
+    server_name vhtv-stiftung.de www.vhtv-stiftung.de;
+
+    # Redirect all HTTP traffic to HTTPS
+    return 301 https://$server_name$request_uri;
+}
+
+# HTTPS server block
+server {
+    listen 443 ssl http2;
+    server_name vhtv-stiftung.de www.vhtv-stiftung.de;
+
+    # SSL Certificate Configuration
+    ssl_certificate /etc/letsencrypt/live/vhtv-stiftung.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/vhtv-stiftung.de/privkey.pem;
+
+    # SSL Security Settings
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # HSTS (HTTP Strict Transport Security)
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    # Enhanced Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "no-referrer-when-downgrade" always;
+    add_header Content-Security-Policy "default-src 'self' https: data: blob: 'unsafe-inline'" always;
+
+    # Static files
+    location /static/ {
+        alias /opt/stiftung/app/static/;
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+
+    location /media/ {
+        alias /opt/stiftung/app/media/;
+        expires 1y;
+        add_header Cache-Control "public";
+    }
+
+    # Django application
+    location / {
+        proxy_pass http://127.0.0.1:8081;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+
+        # Buffer settings
+        proxy_buffering on;
+        proxy_buffer_size 128k;
+        proxy_buffers 4 256k;
+        proxy_busy_buffers_size 256k;
+    }
+
+    # Paperless-ngx document management
+    location /paperless/ {
+        proxy_pass http://127.0.0.1:8080/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Script-Name /paperless;
+
+        # Large file uploads for documents
+        client_max_body_size 100M;
+        proxy_read_timeout 300s;
+        proxy_connect_timeout 300s;
+        proxy_send_timeout 300s;
+    }
+
+    # GrampsWeb Ahnenforschung
+    # GrampsWeb SPA has <base href="/"> hardcoded — sub_filter rewrites it
+    # so asset URLs resolve under /ahnenforschung/ instead of /
+    location /ahnenforschung/ {
+        proxy_pass http://127.0.0.1:8090/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Script-Name /ahnenforschung;
+
+        # Rewrite <base href="/"> to <base href="/ahnenforschung/">
+        # so the SPA loads JS/CSS from the correct subpath
+        proxy_set_header Accept-Encoding "";
+        sub_filter '<base href="/">' '<base href="/ahnenforschung/">';
+        sub_filter_once on;
+        sub_filter_types text/html;
+
+        # WebSocket support
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        proxy_read_timeout 300s;
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 300s;
+    }
+
+    # Health check endpoint
+    location /health/ {
+        access_log off;
+        return 200 "healthy\n";
+        add_header Content-Type text/plain;
+    }
+
+    # Block access to sensitive files
+    location ~ /\. {
+        deny all;
+    }
+
+    location ~ ^/(\.env|docker-compose|Dockerfile) {
+        deny all;
+    }
+}

deploy.sh

@@ -135,6 +135,23 @@ echo ""
 echo "--- Collecting static files ---"
 docker compose -f "$COMPOSE_FILE" exec -T web python manage.py collectstatic --noinput
 
+echo ""
+echo "--- Updating nginx config ---"
+NGINX_CONF="$PROD_DIR/deploy-production/nginx.conf"
+NGINX_DEST="/etc/nginx/sites-enabled/stiftung"
+if [[ -f "$NGINX_CONF" ]]; then
+    if ! diff -q "$NGINX_CONF" "$NGINX_DEST" &>/dev/null; then
+        echo "Nginx config changed — updating and reloading"
+        sudo cp "$NGINX_CONF" "$NGINX_DEST"
+        sudo nginx -t && sudo systemctl reload nginx
+        echo "Nginx reloaded"
+    else
+        echo "Nginx config unchanged — skipping"
+    fi
+else
+    echo "WARNUNG: $NGINX_CONF nicht gefunden — nginx nicht aktualisiert"
+fi
+
 echo ""
 echo "--- Service status ---"
 docker compose -f "$COMPOSE_FILE" ps

env-template.txt

@@ -53,8 +53,17 @@ IMAP_FOLDER=INBOX
 IMAP_USE_SSL=true
 
 # Integration von Grampsweb zur Ahnenforschung und Prüfung
-GRAMPS_URL=http://192.168.178.167:30179
+# Django-App Verbindung zu GrampsWeb API (internes Docker-Netzwerk)
+GRAMPS_URL=http://grampsweb:5000
 GRAMPS_USERNAME=Stiftung
-GRAMPS_PASSWORD=home4Gty94rj*de
+GRAMPS_PASSWORD=your-gramps-password-here
+GRAMPS_API_TOKEN=
+
+# GrampsWeb Container Konfiguration
+GRAMPSWEB_SECRET_KEY=your-grampsweb-secret-key-here
+GRAMPSWEB_ADMIN_EMAIL=admin@vhtv-stiftung.de
+GRAMPSWEB_ADMIN_PASSWORD=your-grampsweb-admin-password-here
+GRAMPSWEB_TREE=Stiftung
+GRAMPSWEB_BASE_URL=/ahnenforschung