ci: Auto deploy via server-side pounce-deploy

.gitea/workflows/deploy.yml

@@ -35,10 +35,8 @@ jobs:
             ./ \
             "${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}:${{ secrets.DEPLOY_PATH }}/"
 
-      - name: Deploy (build + restart + health check)
+      - name: Generate backend env file (from secrets)
         env:
-          DEPLOY_SUDO_PASSWORD: ${{ secrets.DEPLOY_SUDO_PASSWORD }}
-          # App secrets (used to generate backend env file on server)
           DATABASE_URL: ${{ secrets.DATABASE_URL }}
           SECRET_KEY: ${{ secrets.SECRET_KEY }}
           SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
@@ -49,20 +47,7 @@ jobs:
           CZDS_USERNAME: ${{ secrets.CZDS_USERNAME }}
           CZDS_PASSWORD: ${{ secrets.CZDS_PASSWORD }}
         run: |
-          ssh -i ~/.ssh/deploy_key "${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}" << 'DEPLOY_EOF'
-          set -euo pipefail
-
-          # Use sudo non-interactively (password supplied via env)
-          sudo_cmd() {
-            printf '%s\n' "$DEPLOY_SUDO_PASSWORD" | sudo -S "$@"
-          }
-
-          # Ensure dirs
-          sudo_cmd mkdir -p /data/pounce/env /data/pounce/zones
-          sudo_cmd chmod -R 755 /data/pounce || true
-
-          # Generate backend env file from pipeline-provided secrets (never echo values)
-          sudo_cmd python3 - <<'PY'
+          python3 - <<'PY'
 import os
 from pathlib import Path
 
@@ -125,62 +110,25 @@ for k, v in env.items():
         continue
     lines.append(f"{k}={v}")
 
-path = Path("/data/pounce/env/backend.env")
-path.write_text("\n".join(lines) + "\n")
+Path("backend.env").write_text("\n".join(lines) + "\n")
 PY
 
-          # Build images from synced repo
-          cd "${{ secrets.DEPLOY_PATH }}"
-          sudo_cmd docker build -t pounce-backend:latest backend
-          sudo_cmd docker build \
-            --build-arg NEXT_PUBLIC_API_URL=https://api.pounce.ch \
-            --build-arg BACKEND_URL=http://pounce-backend:8000 \
-            -t pounce-frontend:latest \
-            frontend
+      - name: Upload backend env to server
+        run: |
+          rsync -az \
+            -e "ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=yes" \
+            ./backend.env \
+            "${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}:/tmp/pounce-backend.env"
 
-          # Deploy backend
-          sudo_cmd docker stop pounce-backend 2>/dev/null || true
-          sudo_cmd docker rm pounce-backend 2>/dev/null || true
-          sudo_cmd docker run -d \
-            --name pounce-backend \
-            --network coolify \
-            --restart unless-stopped \
-            --shm-size=8g \
-            --env-file /data/pounce/env/backend.env \
-            -v /data/pounce/zones:/data \
-            -l "traefik.enable=true" \
-            -l "traefik.http.routers.pounce-api.rule=Host(\`api.pounce.ch\`)" \
-            -l "traefik.http.routers.pounce-api.entryPoints=https" \
-            -l "traefik.http.routers.pounce-api.tls=true" \
-            -l "traefik.http.routers.pounce-api.tls.certresolver=letsencrypt" \
-            -l "traefik.http.services.pounce-api.loadbalancer.server.port=8000" \
-            pounce-backend:latest
-          sudo_cmd docker network connect n0488s44osgoow4wgo04ogg0 pounce-backend 2>/dev/null || true
-
-          # Deploy frontend
-          sudo_cmd docker stop pounce-frontend 2>/dev/null || true
-          sudo_cmd docker rm pounce-frontend 2>/dev/null || true
-          sudo_cmd docker run -d \
-            --name pounce-frontend \
-            --network coolify \
-            --restart unless-stopped \
-            -l "traefik.enable=true" \
-            -l "traefik.http.routers.pounce-web.rule=Host(\`pounce.ch\`) || Host(\`www.pounce.ch\`)" \
-            -l "traefik.http.routers.pounce-web.entryPoints=https" \
-            -l "traefik.http.routers.pounce-web.tls=true" \
-            -l "traefik.http.routers.pounce-web.tls.certresolver=letsencrypt" \
-            -l "traefik.http.services.pounce-web.loadbalancer.server.port=3000" \
-            pounce-frontend:latest
-          sudo_cmd docker network connect n0488s44osgoow4wgo04ogg0 pounce-frontend 2>/dev/null || true
-
-          # Health check
-          sleep 15
-          curl -sf https://api.pounce.ch/api/v1/health >/dev/null
-          curl -sf https://pounce.ch >/dev/null
-
-          # Cleanup
-          sudo_cmd docker image prune -f >/dev/null 2>&1 || true
-          echo "✅ Deploy finished"
+      - name: Deploy on server (pounce-deploy)
+        run: |
+          ssh -i ~/.ssh/deploy_key "${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}" << 'DEPLOY_EOF'
+          set -euo pipefail
+          mkdir -p /data/pounce/env
+          # Move env file into place (requires no password due to sudoers rule)
+          sudo mv /tmp/pounce-backend.env /data/pounce/env/backend.env
+          sudo chmod 600 /data/pounce/env/backend.env
+          sudo /usr/local/bin/pounce-deploy
           DEPLOY_EOF
 
       - name: Summary