From e11092234c20488013a78ccaecffd9c9ae90c551 Mon Sep 17 00:00:00 2001
From: Ilia Denisov
Date: Mon, 1 Jun 2026 05:46:19 +0200
Subject: [PATCH] feat(dev-deploy): expose Grafana + Mailpit UIs via Caddy; seed monitoring config
Deploy wiring for the observability stack (the services and collector config landed in the previous commit):
- Caddyfile.dev: route /grafana/* to galaxy-grafana:3000 (Caddy sub-path mode, Grafana keeps its own login) and /mailpit/* to galaxy-mailpit:8025 behind dev basic-auth, so the captured-mail UI (every message, relayed or not) and Grafana are reachable through the single dev origin.
- dev-deploy.yaml: seed the monitoring config tree to a stable, reboot-surviving host path (GALAXY_DEV_MONITORING_DIR) before bringing the stack up, and inject the Grafana admin password from a Gitea secret (GALAXY_DEV_GRAFANA_ADMIN_PASSWORD; empty falls back to the compose default).
---
 .gitea/workflows/dev-deploy.yaml | 8 ++++++++
 tools/dev-deploy/Caddyfile.dev | 16 ++++++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/.gitea/workflows/dev-deploy.yaml b/.gitea/workflows/dev-deploy.yaml
index 9e74fbd..5d55451 100644
--- a/.gitea/workflows/dev-deploy.yaml
+++ b/.gitea/workflows/dev-deploy.yaml
@@ -261,11 +261,19 @@ jobs:
 # Unset/empty → the compose default (non-routable) keeps the
 # stack capture-only.
 GALAXY_DEV_MAIL_RELAY_MATCH: ${{ vars.GALAXY_DEV_MAIL_RELAY_MATCH }}
+ # Grafana admin password; unset/empty -> compose default 'admin'.
+ GALAXY_DEV_GRAFANA_ADMIN_PASSWORD: ${{ secrets.GALAXY_DEV_GRAFANA_ADMIN_PASSWORD }}
 run: |
 # Resolve in the shell, not in YAML expressions — `env.HOME`
 # is empty at the workflow-evaluation stage.
 export GALAXY_DEV_GAME_STATE_DIR="$HOME/.galaxy-dev/game-state"
 mkdir -p "$GALAXY_DEV_GAME_STATE_DIR"
+ # Seed the monitoring config to a stable, reboot-surviving host
+ # path (compose binds \${GALAXY_DEV_MONITORING_DIR} read-only).
+ export GALAXY_DEV_MONITORING_DIR="$HOME/.galaxy-dev/monitoring"
+ rm -rf "$GALAXY_DEV_MONITORING_DIR"
+ mkdir -p "$GALAXY_DEV_MONITORING_DIR"
+ cp -r monitoring/. "$GALAXY_DEV_MONITORING_DIR/"
 docker compose up -d --wait --remove-orphans
 - name: Probe the stack
diff --git a/tools/dev-deploy/Caddyfile.dev b/tools/dev-deploy/Caddyfile.dev
index af25751..bd485bf 100644
--- a/tools/dev-deploy/Caddyfile.dev
+++ b/tools/dev-deploy/Caddyfile.dev
@@ -37,6 +37,22 @@
 reverse_proxy galaxy-api:8080
 }
+ # Grafana (observability UI) under /grafana/ — Caddy sub-path mode
+ # (Grafana set with GF_SERVER_SERVE_FROM_SUB_PATH); its own login.
+ handle /grafana/* {
+ reverse_proxy galaxy-grafana:3000
+ }
+
+ # Mailpit captured-mail UI under /mailpit/. Shows every message the
+ # backend sent (relayed or not); basic-auth (dev: gm / gm-dev-password)
+ # guards the OTP codes it exposes. Mailpit runs with MP_WEBROOT=/mailpit.
+ handle /mailpit/* {
+ basic_auth {
+ gm "$2a$14$xVh1TLaZxh8fazlKrI9Mx.NQMQlMarYWtr3FRELmZIXuac/DeeTRO"
+ }
+ reverse_proxy galaxy-mailpit:8025
+ }
+
+ # Bare `/game` (no trailing slash) -> `/game/` so the SPA root
 # resolves before the site catch-all can claim it.
 handle /game {
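Review bot: In `.gitea/workflows/dev-deploy.yaml`, the added `GALAXY_DEV_GRAFANA_ADMIN_PASSWORD` entry lets an unset or empty secret fall through to the compose default `admin`, while the Caddyfile hunk of this commit puts Grafana on the dev origin at `/grafana/*` with only its own login in front of it, so a missing secret leaves that route on a default admin credential. The `run` block could refuse to deploy in that case, ahead of `docker compose up`: `: "${GALAXY_DEV_GRAFANA_ADMIN_PASSWORD:?Grafana admin password secret is not set}"`. If compose hands this value to Grafana as its initial admin password (the compose file is not part of this diff), Grafana applies it only when its database is first created, so rotating the secret later would not change an existing admin account; the comment above the variable should say so. The step's `env` and `run` blocks start above the hunk.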
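Review bot: In `tools/dev-deploy/Caddyfile.dev`, the comment above `handle /mailpit/*` records the basic-auth password in clear text (the `dev: gm / …` parenthesis) next to its bcrypt hash, so the gate on the captured OTP codes only holds against someone who cannot read this file. If the dev origin is reachable by anyone outside the group that can read the repository (not visible from this diff), the hash should come from the deploy environment through Caddy's environment substitution, for example `gm {$EXAMPLE_MAILPIT_AUTH_HASH}` (placeholder variable name), and the comment should describe what the route protects without stating the password. The new matchers `/grafana/*` and `/mailpit/*` also do not match the bare `/grafana` and `/mailpit` paths, a case the comment just below handles explicitly for `/game`; a matching redirect for each would keep them away from the site catch-all. The enclosing site block starts and ends outside the hunk.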