Migrate sigvild-gallery to production environment

- Add multi-environment architecture (homelab + production)
- Create production environment (mini-vps) for client projects
- Create homelab playbook for arch-vps services
- Create production playbook for mini-vps services
- Move sigvild-gallery from homelab to production
- Restructure variables: group_vars/production + host_vars/arch-vps
- Add backup-sigvild.yml playbook with auto-restore functionality
- Fix restore logic to check for data before creating directories
- Add manual variable loading workaround for Ansible 2.20
- Update all documentation for multi-environment setup
- Add ADR-007 documenting multi-environment architecture decision

docs/deployment-guide.md

@@ -43,21 +43,45 @@ The rick-infra deployment system provides:
 └─────────────────────────────────────────────────────────────┘
 ```
 
+## Infrastructure Overview
+
+Rick-infra now manages **two separate environments**:
+
+### Homelab (arch-vps)
+Personal services and experimentation platform at **jnss.me**:
+- PostgreSQL, Valkey, Podman infrastructure
+- Caddy reverse proxy with auto-HTTPS
+- Nextcloud (cloud.jnss.me)
+- Authentik SSO (auth.jnss.me)
+- Gitea (git.jnss.me)
+
+### Production (mini-vps)
+Client projects requiring high uptime:
+- Caddy reverse proxy with auto-HTTPS
+- Sigvild Gallery (sigvild.no, api.sigvild.no)
+
 ## Available Deployments
 
-### 1. `site.yml` - Complete Infrastructure Stack
-Deploys the full rick-infra stack with role dependencies automatically managed.
+### 1. `site.yml` - Deploy All Environments
+Deploys both homelab and production infrastructure.
 
 ```bash
-ansible-playbook -i inventory/hosts.yml site.yml --ask-vault-pass
+ansible-playbook site.yml --ask-vault-pass
 ```
 
-**What it deploys:**
-- **Security Foundation**: SSH hardening, firewall, fail2ban, system updates
-- **Infrastructure Services**: PostgreSQL, Valkey, Podman container runtime
-- **Reverse Proxy**: Caddy with automatic HTTPS and Cloudflare DNS integration
-- **Authentication**: Authentik SSO server with forward auth integration
-- **Applications**: Gitea, Gallery, and other configured services
+### 2. Environment-Specific Deployments
+
+```bash
+# Deploy only homelab services
+ansible-playbook playbooks/homelab.yml --ask-vault-pass
+
+# Deploy only production services
+ansible-playbook playbooks/production.yml --ask-vault-pass
+
+# Or use site.yml with limits
+ansible-playbook site.yml -l homelab --ask-vault-pass
+ansible-playbook site.yml -l production --ask-vault-pass
+```
 
 ### 2. Service-Specific Deployments
 Deploy individual components using tags:
@@ -193,7 +217,21 @@ For complete authentik architecture details, see [Architecture Decisions](archit
 
 ## Configuration Management
 
-### Host Variables
+### Variable Organization
+
+Rick-infra uses a hybrid approach for variable management:
+
+**Group Variables** (`group_vars/`):
+- `production/main.yml` - Production environment configuration  
+- `production/vault.yml` - Production secrets (encrypted)
+
+**Host Variables** (`host_vars/`):
+- `arch-vps/main.yml` - Homelab configuration
+- `arch-vps/vault.yml` - Homelab secrets (encrypted)
+
+**Note:** Due to variable loading issues in Ansible 2.20, playbooks manually load variables using `include_vars`. This ensures reliable variable resolution during execution.
+
+### Example: Homelab Configuration
 
 Core infrastructure settings in `host_vars/arch-vps/main.yml`: