From 0e972983bc8a993bf97caae8b4204d0a371e918c Mon Sep 17 00:00:00 2001
From: Marc Mintel <marc@mintel.me>
Date: Tue, 17 Feb 2026 02:06:34 +0100
Subject: [PATCH] fix(infra): add TLS entrypoint/certresolver to deploy env
 generation

All Traefik routers were defaulting to entrypoints=web with tls=false,
making the app unreachable over HTTPS. Production worked because it had
these values set from a previous deploy, but testing never received them.
---
 .gitea/workflows/deploy.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index de16b8a6..abc1eea4 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -325,6 +325,9 @@ jobs:
             echo "PROJECT_NAME=$PROJECT_NAME"
             printf 'TRAEFIK_HOST_RULE=%s\n' "$TRAEFIK_RULE"
             echo "TRAEFIK_HOST=$TRAEFIK_HOST"
+            echo "TRAEFIK_ENTRYPOINT=websecure"
+            echo "TRAEFIK_TLS=true"
+            echo "TRAEFIK_CERT_RESOLVER=le"
             echo "ENV_FILE=$ENV_FILE"
             echo "COMPOSE_PROFILES=$COMPOSE_PROFILES"
             echo "AUTH_MIDDLEWARE=$AUTH_MIDDLEWARE"