docs(config): Update template file paths to use 'template/' subdirectory

Reflects a clearer organization for SWAG configuration templates across all roadmap and setup documentation. This standardizes references to template files by explicitly including the `template/` subdirectory, improving clarity and distinction from generated configuration files.

roadmap/prod-env/02-godaddy-credentials.md

@@ -30,7 +30,7 @@ GODADDY_SECRET=<your-new-api-secret>
 
 ## Step 2 — Repo template file
 
-Same file as test: `swag/dns-conf/godaddy.ini.tpl` (already created in test step 02).
+Same file as test: `template/swag/dns-conf/godaddy.ini.tpl` (already created in test step 02).
 No additional action needed in the repo.
 
 ## Step 3 — (Handled by pipeline) Write credentials file on prod host
@@ -40,7 +40,7 @@ The deploy pipeline (see `08-deploy-pipeline-update.md`) runs on iklim-app-01:
 ```bash
 set -a; . ./.env; set +a
 mkdir -p "$SWAG_CONFIG_DIR/dns-conf"
-envsubst < swag/dns-conf/godaddy.ini.tpl > "$SWAG_CONFIG_DIR/dns-conf/godaddy.ini"
+envsubst < template/swag/dns-conf/godaddy.ini.tpl > "$SWAG_CONFIG_DIR/dns-conf/godaddy.ini"
 chmod 600 "$SWAG_CONFIG_DIR/dns-conf/godaddy.ini"
 ```
 

roadmap/prod-env/04-swag-nginx-configs.md

@@ -1,7 +1,7 @@
 # 04 — SWAG Nginx Proxy Configs (Prod)
 
 ## Context
-Same template files as test (`swag/site-confs/*.conf.tpl`), different env vars.
+Same template files as test (`template/swag/site-confs/*.conf.tpl`), different env vars.
 The pipeline processes templates with prod-specific subdomain values.
 
 ## Required env vars (in `.env` on storagebox `prod/secrets/iklim.co/.env.prod`)
@@ -23,11 +23,11 @@ SWAG_SITE_CONFS_DIR=/mnt/storagebox/swag/site-confs
 
 ## Template files (already created in test step 04)
 
-- `swag/site-confs/default.conf`
-- `swag/site-confs/api.conf.tpl`
-- `swag/site-confs/apigw.conf.tpl`
-- `swag/site-confs/rabbitmq.conf.tpl`
-- `swag/site-confs/grafana.conf.tpl`
+- `template/swag/site-confs/default.conf`
+- `template/swag/site-confs/api.conf.tpl`
+- `template/swag/site-confs/apigw.conf.tpl`
+- `template/swag/site-confs/rabbitmq.conf.tpl`
+- `template/swag/site-confs/grafana.conf.tpl`
 
 No new files to create — the same templates work for both environments.
 
@@ -40,13 +40,13 @@ export RESTRICTED_IPS_BLOCK="$(echo "$RESTRICTED_IPS" | tr ',' '\n' | sed 's|.*|
 mkdir -p "$SWAG_SITE_CONFS_DIR"
 
 SWAG_VARS='${API_SUBDOMAIN}${APIGW_SUBDOMAIN}${GRAFANA_SUBDOMAIN}${RABBITMQ_SUBDOMAIN}${RESTRICTED_IPS_BLOCK}'
-for tpl in swag/site-confs/*.conf.tpl; do
+for tpl in template/swag/site-confs/*.conf.tpl; do
   out="$SWAG_SITE_CONFS_DIR/$(basename "${tpl%.tpl}")"
   envsubst "$SWAG_VARS" < "$tpl" | sudo tee "$out" > /dev/null
   echo "✅ $out"
 done
 
-sudo cp swag/site-confs/default.conf "$SWAG_SITE_CONFS_DIR/default.conf"
+sudo cp template/swag/site-confs/default.conf "$SWAG_SITE_CONFS_DIR/default.conf"
 ```
 
 With `API_SUBDOMAIN=api.iklim.co`, the output file `$SWAG_SITE_CONFS_DIR/api.conf`
@@ -74,4 +74,4 @@ Expected: APISIX response with valid `*.iklim.co` cert.
 - `Prometheus` is intentionally NOT exposed via SWAG. Access it via Grafana
   (internal connection: `http://prometheus:9090`) or SSH tunnel.
 - If additional restricted-access subdomains are needed in the future, create a new
-  `swag/site-confs/<name>.conf.tpl` following the same pattern.
+  `template/swag/site-confs/<name>.conf.tpl` following the same pattern.

roadmap/prod-env/08-deploy-pipeline-update.md

@@ -71,7 +71,7 @@ Insert **before** `Bootstrap Vault TLS Placeholder`:
 
           mkdir -p "$SWAG_CONFIG_DIR/dns-conf" "$SWAG_SITE_CONFS_DIR"
 
-          envsubst < swag/dns-conf/godaddy.ini.tpl | docker run --rm -i \
+          envsubst < template/swag/dns-conf/godaddy.ini.tpl | docker run --rm -i \
             -v "${SWAG_CONFIG_DIR}/dns-conf:/output" \
             alpine sh -c "cat > /output/godaddy.ini && chmod 600 /output/godaddy.ini"
           echo "✅ godaddy.ini written"
@@ -79,7 +79,7 @@ Insert **before** `Bootstrap Vault TLS Placeholder`:
           export RESTRICTED_IPS_BLOCK="$(echo "$RESTRICTED_IPS" | tr ',' '\n' | sed 's|.*|        allow &;|')"
 
           SWAG_VARS='${API_SUBDOMAIN}${APIGW_SUBDOMAIN}${GRAFANA_SUBDOMAIN}${RABBITMQ_SUBDOMAIN}${RESTRICTED_IPS_BLOCK}'
-          for tpl in swag/site-confs/*.conf.tpl; do
+          for tpl in template/swag/site-confs/*.conf.tpl; do
             fname=$(basename "${tpl%.tpl}")
             envsubst "$SWAG_VARS" < "$tpl" | docker run --rm -i \
               -v "${SWAG_SITE_CONFS_DIR}:/output" \
@@ -87,7 +87,7 @@ Insert **before** `Bootstrap Vault TLS Placeholder`:
             echo "✅ ${fname}"
           done
 
-          cat swag/site-confs/default.conf | docker run --rm -i \
+          cat template/swag/site-confs/default.conf | docker run --rm -i \
             -v "${SWAG_SITE_CONFS_DIR}:/output" \
             alpine sh -c "cat > /output/default.conf"
 

roadmap/test-env/02-godaddy-credentials.md

@@ -33,7 +33,7 @@ These are fetched by the deploy pipeline's `Fetch Service Secret Files` step and
 
 ## Step 2 — Template file in the repo
 
-`swag/dns-conf/godaddy.ini.tpl` already exists in the repository root:
+`template/swag/dns-conf/godaddy.ini.tpl` already exists in the repository root:
 
 ```ini
 dns_godaddy_key = ${GODADDY_KEY}
@@ -48,7 +48,7 @@ The deploy pipeline (see `07-deploy-pipeline-update.md`) runs:
 
 ```bash
 mkdir -p /opt/iklimco/swag/dns-conf
-envsubst < swag/dns-conf/godaddy.ini.tpl > /opt/iklimco/swag/dns-conf/godaddy.ini
+envsubst < template/swag/dns-conf/godaddy.ini.tpl > /opt/iklimco/swag/dns-conf/godaddy.ini
 chmod 600 /opt/iklimco/swag/dns-conf/godaddy.ini
 ```
 

roadmap/test-env/04-swag-nginx-configs.md

@@ -1,7 +1,7 @@
 # 04 — SWAG Nginx Proxy Configs (Test)
 
 ## Context
-SWAG nginx auto-includes only `site-confs/*.conf`. All proxy config templates live in `swag/site-confs/` in the repo and are rendered to `/opt/iklimco/swag/site-confs/` on the host at deploy time.
+SWAG nginx auto-includes only `site-confs/*.conf`. All proxy config templates live in `template/swag/site-confs/` in the repo and are rendered to `/opt/iklimco/swag/site-confs/` on the host at deploy time.
 
 Templates use `${VAR}` placeholders processed with `envsubst` at deploy time.
 
@@ -18,7 +18,7 @@ RESTRICTED_IPS="78.187.87.109/32,95.70.151.248/32"
 
 ## Files to create
 
-### `swag/site-confs/default.conf`
+### `template/swag/site-confs/default.conf`
 Default catch-all: HTTP→HTTPS redirect + 444 for unknown HTTPS hosts.
 
 ```nginx
@@ -38,7 +38,7 @@ server {
 }
 ```
 
-### `swag/site-confs/api.conf.tpl`
+### `template/swag/site-confs/api.conf.tpl`
 Public API gateway — no IP restriction.
 
 ```nginx
@@ -63,7 +63,7 @@ server {
 }
 ```
 
-### `swag/site-confs/apigw.conf.tpl`
+### `template/swag/site-confs/apigw.conf.tpl`
 APISIX Dashboard — IP restricted.
 
 ```nginx
@@ -94,7 +94,7 @@ ${RESTRICTED_IPS_BLOCK}
 > `${RESTRICTED_IPS_BLOCK}` is generated at deploy time from `RESTRICTED_IPS` (comma-separated CIDRs)
 > as multi-line `allow` directives with `/32` suffix. See `07-deploy-pipeline-update.md` for the pipeline step.
 
-### `swag/site-confs/rabbitmq.conf.tpl`
+### `template/swag/site-confs/rabbitmq.conf.tpl`
 RabbitMQ Management UI — IP restricted.
 
 ```nginx
@@ -122,7 +122,7 @@ ${RESTRICTED_IPS_BLOCK}
 }
 ```
 
-### `swag/site-confs/grafana.conf.tpl`
+### `template/swag/site-confs/grafana.conf.tpl`
 Grafana — IP restricted.
 
 ```nginx
@@ -158,7 +158,7 @@ set -a; . ./.env; . ./.env.secrets.swag; set +a
 docker run --rm -v /opt/iklimco/swag:/output alpine \
   mkdir -p /output/dns-conf /output/site-confs
 
-envsubst < swag/dns-conf/godaddy.ini.tpl | docker run --rm -i \
+envsubst < template/swag/dns-conf/godaddy.ini.tpl | docker run --rm -i \
   -v /opt/iklimco/swag/dns-conf:/output \
   alpine sh -c "cat > /output/godaddy.ini && chmod 600 /output/godaddy.ini"
 
@@ -167,7 +167,7 @@ export RESTRICTED_IPS_BLOCK="$(echo "$RESTRICTED_IPS" | tr ',' '\n' | sed 's|.*|
 
 # Explicit var list prevents nginx $upstream_* from being substituted by envsubst
 SWAG_VARS='${API_SUBDOMAIN}${APIGW_SUBDOMAIN}${GRAFANA_SUBDOMAIN}${RABBITMQ_SUBDOMAIN}${RESTRICTED_IPS_BLOCK}'
-for tpl in swag/site-confs/*.conf.tpl; do
+for tpl in template/swag/site-confs/*.conf.tpl; do
   fname=$(basename "${tpl%.tpl}")
   envsubst "$SWAG_VARS" < "$tpl" | docker run --rm -i \
     -v /opt/iklimco/swag/site-confs:/output \
@@ -175,7 +175,7 @@ for tpl in swag/site-confs/*.conf.tpl; do
   echo "✅ ${fname}"
 done
 
-cat swag/site-confs/default.conf | docker run --rm -i \
+cat template/swag/site-confs/default.conf | docker run --rm -i \
   -v /opt/iklimco/swag/site-confs:/output \
   alpine sh -c "cat > /output/default.conf"
 ```

roadmap/test-env/07-deploy-pipeline-update.md

@@ -39,7 +39,7 @@ Insert this step **before** `Deploy Swarm Stack`:
           docker run --rm -v /opt/iklimco/swag:/output alpine \
             mkdir -p /output/dns-conf /output/site-confs
 
-          envsubst < swag/dns-conf/godaddy.ini.tpl | docker run --rm -i \
+          envsubst < template/swag/dns-conf/godaddy.ini.tpl | docker run --rm -i \
             -v /opt/iklimco/swag/dns-conf:/output \
             alpine sh -c "cat > /output/godaddy.ini && chmod 600 /output/godaddy.ini"
           echo "✅ godaddy.ini written"
@@ -49,7 +49,7 @@ Insert this step **before** `Deploy Swarm Stack`:
 
           # Explicit var list prevents nginx $upstream_* from being substituted by envsubst
           SWAG_VARS='${API_SUBDOMAIN}${APIGW_SUBDOMAIN}${GRAFANA_SUBDOMAIN}${RABBITMQ_SUBDOMAIN}${RESTRICTED_IPS_BLOCK}'
-          for tpl in swag/site-confs/*.conf.tpl; do
+          for tpl in template/swag/site-confs/*.conf.tpl; do
             fname=$(basename "${tpl%.tpl}")
             envsubst "$SWAG_VARS" < "$tpl" | docker run --rm -i \
               -v /opt/iklimco/swag/site-confs:/output \
@@ -57,7 +57,7 @@ Insert this step **before** `Deploy Swarm Stack`:
             echo "✅ ${fname}"
           done
 
-          cat swag/site-confs/default.conf | docker run --rm -i \
+          cat template/swag/site-confs/default.conf | docker run --rm -i \
             -v /opt/iklimco/swag/site-confs:/output \
             alpine sh -c "cat > /output/default.conf"
 

setup-vs-roadmap-map.md

@@ -21,7 +21,7 @@ Terraform/Ansible setup aşamalarından hangisinde ele alındığını gösterir
 | `act_runner` systemd kurulumu | **Ansible `05-test-runner-ve-deploy-onkosullari.md`** — `act_runner` role (`test-app-post-stack.yml`) |
 | GoDaddy credentials storagebox'a yükleme | **Manuel kalır** — secret yönetimi, Terraform/Ansible dışı |
 | `docker-stack-infra.yml` port kaldırma + SWAG/cert-reloader ekleme | **Pipeline `deploy-test.yml`** + **repo değişikliği** — `roadmap/test-env/03` |
-| SWAG nginx proxy conf'ları (`swag/site-confs/*.conf.tpl`) | **Repo içinde teslim edildi** — `roadmap/test-env/04` |
+| SWAG nginx proxy conf'ları (`template/swag/site-confs/*.conf.tpl`) | **Repo içinde teslim edildi** — `roadmap/test-env/04` |
 | APISIX SSL cert yükleme bloğu kaldırma (`init/apisix-core/init.sh`) | **Repo değişikliği** — `roadmap/test-env/05` |
 | cert-reloader sidecar servisi | **`docker-stack-infra.yml`'e eklendi** — `roadmap/test-env/06` |
 | Pipeline güncelleme: Prepare SWAG Dirs + Bootstrap SWAG Cert + Run DB Init | **`deploy-test.yml`** — `roadmap/test-env/07` |
@@ -49,7 +49,7 @@ Terraform/Ansible setup aşamalarından hangisinde ele alındığını gösterir
 | 3× `act_runner` systemd (HA runner) | **Ansible `09-prod-runner-ha-ve-swarm.md`** — `act_runner` role |
 | GoDaddy credentials storagebox'a yükleme | **Manuel kalır** — secret yönetimi, Terraform/Ansible dışı |
 | `docker-stack-infra.yml` port kaldırma + SWAG/cert-reloader ekleme | **Repo değişikliği** — `roadmap/prod-env/03` |
-| SWAG nginx proxy conf'ları (`swag/site-confs/*.conf.tpl`) | **Repo içinde teslim edildi** — `roadmap/prod-env/04` |
+| SWAG nginx proxy conf'ları (`template/swag/site-confs/*.conf.tpl`) | **Repo içinde teslim edildi** — `roadmap/prod-env/04` |
 | APISIX SSL cert yükleme bloğu kaldırma (`init/apisix-core/init.sh`) | **Repo değişikliği** — `roadmap/prod-env/05` |
 | cert-reloader sidecar servisi | **`docker-stack-infra.yml`'e eklendi** — `roadmap/prod-env/06` |
 | Vault Raft Cluster geçiş planı | **Manuel / İleri Faz** — `roadmap/prod-env/07` |

setup/09-prod-runner-ha-ve-swarm.md

@@ -112,11 +112,11 @@ docker secret ls
 
 Before the deploy pipeline runs, the following template files must exist in the repo:
 
-- `swag/site-confs/default.conf`
-- `swag/site-confs/api.conf.tpl`
-- `swag/site-confs/apigw.conf.tpl`
-- `swag/site-confs/rabbitmq.conf.tpl`
-- `swag/site-confs/grafana.conf.tpl`
+- `template/swag/site-confs/default.conf`
+- `template/swag/site-confs/api.conf.tpl`
+- `template/swag/site-confs/apigw.conf.tpl`
+- `template/swag/site-confs/rabbitmq.conf.tpl`
+- `template/swag/site-confs/grafana.conf.tpl`
 
 These files are created in the test environment (`test-env/04-swag-nginx-configs.md`); they are not created separately for prod. Template files are shared by both environments; prod-specific values are injected with environment variables during deploy.
 
@@ -645,7 +645,7 @@ Expected: valid JSON weather response.
 - `PROD_FLOATING_IP` project variable is defined in Gitea.
 - `rabbitmq_erlang_cookie` appears in `docker secret ls`.
 - The `ssl`, `swag/config`, `swag/site-confs`, `grafana/data`, and `precipitation/images` directories exist on StorageBox; see `07-prod-ansible-bootstrap.md` — StorageBox Directory Structure.
-- The `swag/site-confs/default.conf`, `api.conf.tpl`, `apigw.conf.tpl`, `rabbitmq.conf.tpl`, and `grafana.conf.tpl` template files exist in the repo.
+- The `template/swag/site-confs/default.conf`, `api.conf.tpl`, `apigw.conf.tpl`, `rabbitmq.conf.tpl`, and `grafana.conf.tpl` template files exist in the repo.
 - StorageBox `prod/secrets/iklim.co/.env.prod` has correct values for `API_SUBDOMAIN`, `APIGW_SUBDOMAIN`, `RABBITMQ_SUBDOMAIN`, `GRAFANA_SUBDOMAIN`, `RESTRICTED_IPS`, `SWAG_CERT_DIR`, `SWAG_CONFIG_DIR`, and `SWAG_SITE_CONFS_DIR`.
 - After the first deploy, `docker exec $(docker ps -q -f name=iklimco_swag) nginx -t` succeeds and returns `syntax is ok`.
 - The output of `cat /mnt/storagebox/swag/site-confs/api.conf | grep server_name` contains `server_name api.iklim.co;`.