ci: enable deploy stage with SSH-based blue/green deployment

Writes .env to web/, runs deploy.sh from web/. Pushes env vars
from GitLab CI/CD variables to the server on every master push.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitlab/.gitlab-ci.yml

@@ -3,7 +3,7 @@ image: python:3.13
 stages:
 #  - lint
   - test
-#  - deploy
+  - deploy
 
 variables:
   UV_CACHE_DIR: "$CI_PROJECT_DIR/.uv-cache"
@@ -71,41 +71,44 @@ test:web:
     - changes:
         - web/**/*
 
-#deploy:web:
-#  stage: deploy
-#  image: alpine:latest
-#  needs: [test:web]
-#  rules:
-#    - if: $CI_COMMIT_BRANCH == "master"
-#      changes:
-#        - web/**/*
-#  before_script:
-#    - apk add --no-cache openssh-client
-#    - eval $(ssh-agent -s)
-#    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
-#    - mkdir -p ~/.ssh
-#    - chmod 700 ~/.ssh
-#    - echo "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
-#  script:
-#    - |
-#      ssh "$DEPLOY_USER@$DEPLOY_HOST" "cat > /opt/beanflows/beanflows/.env" << ENVEOF
-#      APP_NAME=$APP_NAME
-#      SECRET_KEY=$SECRET_KEY
-#      BASE_URL=$BASE_URL
-#      DEBUG=false
-#      ADMIN_PASSWORD=$ADMIN_PASSWORD
-#      DATABASE_PATH=data/app.db
-#      MAGIC_LINK_EXPIRY_MINUTES=${MAGIC_LINK_EXPIRY_MINUTES:-15}
-#      SESSION_LIFETIME_DAYS=${SESSION_LIFETIME_DAYS:-30}
-#      RESEND_API_KEY=$RESEND_API_KEY
-#      EMAIL_FROM=${EMAIL_FROM:-hello@example.com}
-#      ADMIN_EMAILS=${ADMIN_EMAILS:-}
-#      RATE_LIMIT_REQUESTS=${RATE_LIMIT_REQUESTS:-100}
-#      RATE_LIMIT_WINDOW=${RATE_LIMIT_WINDOW:-60}
-#      PADDLE_API_KEY=$PADDLE_API_KEY
-#      PADDLE_WEBHOOK_SECRET=$PADDLE_WEBHOOK_SECRET
-#      PADDLE_PRICE_STARTER=$PADDLE_PRICE_STARTER
-#      PADDLE_PRICE_PRO=$PADDLE_PRICE_PRO
-#      ENVEOF
-#    - ssh "$DEPLOY_USER@$DEPLOY_HOST" "chmod 600 /opt/beanflows/beanflows/.env"
-#    - ssh "$DEPLOY_USER@$DEPLOY_HOST" "cd /opt/beanflows && git pull origin master && ./deploy.sh"
+deploy:web:
+  stage: deploy
+  image: alpine:latest
+  needs: [test:web]
+  rules:
+    - if: $CI_COMMIT_BRANCH == "master"
+  before_script:
+    - apk add --no-cache openssh-client
+    - eval $(ssh-agent -s)
+    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
+    - mkdir -p ~/.ssh
+    - chmod 700 ~/.ssh
+    - echo "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
+  script:
+    - |
+      ssh "$DEPLOY_USER@$DEPLOY_HOST" "cat > /opt/beanflows/web/.env" << ENVEOF
+      APP_NAME=$APP_NAME
+      SECRET_KEY=$SECRET_KEY
+      BASE_URL=$BASE_URL
+      DEBUG=false
+      DATABASE_PATH=data/app.db
+      MAGIC_LINK_EXPIRY_MINUTES=$MAGIC_LINK_EXPIRY_MINUTES
+      SESSION_LIFETIME_DAYS=$SESSION_LIFETIME_DAYS
+      RESEND_API_KEY=$RESEND_API_KEY
+      EMAIL_FROM=$EMAIL_FROM
+      RESEND_AUDIENCE_WAITLIST=$RESEND_AUDIENCE_WAITLIST
+      ADMIN_EMAILS=$ADMIN_EMAILS
+      WAITLIST_MODE=$WAITLIST_MODE
+      RATE_LIMIT_REQUESTS=$RATE_LIMIT_REQUESTS
+      RATE_LIMIT_WINDOW=$RATE_LIMIT_WINDOW
+      PADDLE_API_KEY=$PADDLE_API_KEY
+      PADDLE_WEBHOOK_SECRET=$PADDLE_WEBHOOK_SECRET
+      PADDLE_ENVIRONMENT=$PADDLE_ENVIRONMENT
+      PADDLE_PRICE_STARTER=$PADDLE_PRICE_STARTER
+      PADDLE_PRICE_PRO=$PADDLE_PRICE_PRO
+      UMAMI_SCRIPT_URL=$UMAMI_SCRIPT_URL
+      UMAMI_WEBSITE_ID=$UMAMI_WEBSITE_ID
+      SERVING_DUCKDB_PATH=$SERVING_DUCKDB_PATH
+      ENVEOF
+    - ssh "$DEPLOY_USER@$DEPLOY_HOST" "chmod 600 /opt/beanflows/web/.env"
+    - ssh "$DEPLOY_USER@$DEPLOY_HOST" "cd /opt/beanflows && git pull origin master && cd web && bash deploy.sh"