feat(ci): deploy the docs site to home-main-2 (docs.punktfunk.unom.io)

docker.yml gains a deploy-docs job after the image pushes: scp
compose.production.yml to ~/punktfunk-docs on home-main-2, then
docker compose pull + up over SSH — the unom/website / unom/cms
deploy pattern, same DEPLOY_* secret set (unom-ci-deploy key). Docs
bind host port 3220; the docs.punktfunk.unom.io vhost lives in
unom/reverse-proxy (306d9c0).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

.gitea/workflows/docker.yml

@@ -59,3 +59,42 @@ jobs:
         run: |
           docker push "$REGISTRY/$OWNER/${{ matrix.image }}:sha-${GITHUB_SHA::8}"
           docker push "$REGISTRY/$OWNER/${{ matrix.image }}:latest"
+
+  # Deploy the docs site to home-main-2 (docs.punktfunk.unom.io via Caddy on
+  # home-reverse-proxy-1 -> :3220). Same secret set as unom/website's deploy:
+  # DEPLOY_HOST/DEPLOY_USER/DEPLOY_PORT/DEPLOY_SSH_KEY (the unom-ci-deploy key).
+  deploy-docs:
+    runs-on: ubuntu-24.04
+    needs: build-push
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Sync compose file
+        uses: appleboy/scp-action@v0.1.7
+        with:
+          host: ${{ secrets.DEPLOY_HOST }}
+          username: ${{ secrets.DEPLOY_USER }}
+          port: ${{ secrets.DEPLOY_PORT }}
+          key: ${{ secrets.DEPLOY_SSH_KEY }}
+          source: "compose.production.yml"
+          target: "~/punktfunk-docs"
+          overwrite: true
+
+      - name: Pull and start docs
+        uses: appleboy/ssh-action@v1.2.5
+        env:
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+        with:
+          host: ${{ secrets.DEPLOY_HOST }}
+          username: ${{ secrets.DEPLOY_USER }}
+          port: ${{ secrets.DEPLOY_PORT }}
+          key: ${{ secrets.DEPLOY_SSH_KEY }}
+          # Token enters via env, never the script text (keeps it out of run logs).
+          envs: REGISTRY_TOKEN
+          script: |
+            set -euo pipefail
+            printf '%s' "$REGISTRY_TOKEN" | docker login git.unom.io -u enricobuehler --password-stdin
+            cd ~/punktfunk-docs
+            docker compose -f compose.production.yml pull docs
+            docker compose -f compose.production.yml up -d --no-build docs

compose.production.yml

@@ -0,0 +1,11 @@
+# Production compose for the deployed punktfunk pieces — runs on home-main-2 under
+# ~/punktfunk-docs (synced there by .gitea/workflows/docker.yml's deploy job; pattern
+# follows unom/website + unom/cms). Caddy on home-reverse-proxy-1 serves
+# docs.punktfunk.unom.io -> home-main-2:3220 (vhost in unom/reverse-proxy).
+name: punktfunk-docs-prod
+services:
+  docs:
+    image: git.unom.io/unom/punktfunk-docs:latest
+    restart: unless-stopped
+    ports:
+      - "3220:3000"

docs-site/content/docs/ci.md

@@ -55,6 +55,17 @@ ssh enricobuehler@192.168.1.135 GITEA_RUNNER_TOKEN=<token> bash -s \
     < scripts/ci/setup-macos-runner.sh
 ```
 
+## Deployment
+
+`docker.yml`'s `deploy-docs` job ships this docs site after every image push: it syncs
+`compose.production.yml` to `~/punktfunk-docs` on **home-main-2** and runs
+`docker compose pull && up -d` there over SSH (same pattern and secret set as
+`unom/website`: `DEPLOY_HOST` / `DEPLOY_USER` / `DEPLOY_PORT` / `DEPLOY_SSH_KEY`, the
+`unom-ci-deploy` key). The container binds host port **3220**; Caddy on
+`home-reverse-proxy-1` serves it as <https://docs.punktfunk.unom.io> (vhost tracked in
+`unom/reverse-proxy`). The host and the web console are NOT deployed — the console
+fronts a punktfunk host's management API on whatever box runs the host.
+
 ## Troubleshooting
 
 - **Mac runner offline** — `ssh <mac> tail -50 '~/ci/act-runner/runner.log'`; restart with