From 2677ca34a2f8b07360cb37a33fa7d12b262bb5d7 Mon Sep 17 00:00:00 2001
From: Marc Mintel
Date: Tue, 10 Feb 2026 19:23:10 +0100
Subject: [PATCH] fix: remove varnish
---
.gitea/workflows/deploy.yml | 20 +++----
docker-compose.yml | 31 +++--------
varnish/default.vcl | 102 ------------------------------------
3 files changed, 14 insertions(+), 139 deletions(-)
delete mode 100644 varnish/default.vcl
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 08526329..e7bd39f4 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -356,22 +356,17 @@ jobs: # 1. Cleanup and Create Directories on server BEFORE SCP ssh -o StrictHostKeyChecking=accept-new root@alpha.mintel.me bash << 'EOF' set -e - mkdir -p /home/deploy/sites/klz-cables.com/varnish mkdir -p /home/deploy/sites/klz-cables.com/directus/uploads \ /home/deploy/sites/klz-cables.com/directus/extensions \ /home/deploy/sites/klz-cables.com/directus/schema - if [ -d "/home/deploy/sites/klz-cables.com/varnish/default.vcl" ]; then - echo "๐Ÿงน Removing directory 'varnish/default.vcl' created by Docker..." - rm -rf /home/deploy/sites/klz-cables.com/varnish/default.vcl - fi - chown -R deploy:deploy /home/deploy/sites/klz-cables.com/directus /home/deploy/sites/klz-cables.com/varnish + chown -R deploy:deploy /home/deploy/sites/klz-cables.com/directus + EOF # 2. Transfer files scp -o StrictHostKeyChecking=accept-new /tmp/klz-cables.env root@alpha.mintel.me:/home/deploy/sites/klz-cables.com/$ENV_FILE scp -o StrictHostKeyChecking=accept-new docker-compose.yml root@alpha.mintel.me:/home/deploy/sites/klz-cables.com/docker-compose.yml scp -r -o StrictHostKeyChecking=accept-new directus/schema root@alpha.mintel.me:/home/deploy/sites/klz-cables.com/directus/ - scp -r -o StrictHostKeyChecking=accept-new varnish root@alpha.mintel.me:/home/deploy/sites/klz-cables.com/ ssh -o StrictHostKeyChecking=accept-new root@alpha.mintel.me IMAGE_TAG="$IMAGE_TAG" ENV_FILE="$ENV_FILE" PROJECT_NAME="$PROJECT_NAME" bash << 'EOF' set -e 
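Review bot: Every `ssh` and `scp` call in this step connects as `root` with `StrictHostKeyChecking=accept-new`, and one of them copies the env file to the server. If the runner starts each job with an empty `known_hosts` (not visible here), accept-new trusts whatever key answers on that run, so nothing authenticates the host before the secrets are sent. Pinning the key closes that gap: provision a known_hosts file from a stored secret and switch the calls to `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<PINNED_KNOWN_HOSTS_PATH>`. The hunk also only stops creating `/home/deploy/sites/klz-cables.com/varnish`, so the existing directory and its old VCL stay on the server. The step's body continues outside the hunk.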
@@ -401,14 +396,11 @@ jobs: echo "โ„น๏ธ No snapshot.yaml found, skipping schema apply." fi - echo "โ†’ Verifying Varnish Backend Health..." - docker compose -p "$PROJECT_NAME" --env-file "$ENV_FILE" exec -T varnish varnishadm backend.list - if ! docker compose -p "$PROJECT_NAME" --env-file "$ENV_FILE" exec -T varnish varnishadm backend.list | grep -q "healthy"; then - echo "โŒ Fehler: Varnish Backend ist SICK!" - docker compose -p "$PROJECT_NAME" --env-file "$ENV_FILE" logs varnish - exit 1 + else + echo "โ„น๏ธ No snapshot.yaml found, skipping schema apply." fi - echo "โœ… Varnish Backend ist Healthy." + + echo "โœ… Deployment successful." # โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ # JOB 5: PageSpeed Test diff --git a/docker-compose.yml b/docker-compose.yml index b079a1f6..f0bf1962 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,24 +4,9 @@ services: restart: always networks: - default + - infra env_file: - ${ENV_FILE:-.env} - labels: - - "traefik.enable=false" - - varnish: - image: varnish:7 - restart: always - networks: - - default - - infra - volumes: - - ./varnish/default.vcl:/etc/varnish/default.vcl:ro - tmpfs: - - /var/lib/varnish:exec,mode=1777 - environment: - VARNISH_SIZE: ${VARNISH_CACHE_SIZE:-256M} - APP_VERSION: ${IMAGE_TAG:-latest} labels: - "traefik.enable=true" # HTTP โ‡’ HTTPS redirect 
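Review bot: The added `else` and the repeated "No snapshot.yaml found" `echo` come after the `fi` that already closes the snapshot check, so the new side reads `fi`, `else`, `echo …`, `fi`. Unless an enclosing `if` opens above the hunk (the block starts outside it), the remote bash stops with a syntax error at `else`, after the earlier commands in the heredoc have already run, and the job fails on every deploy. Dropping the two added lines leaves the existing `fi` followed directly by the success `echo`. The removed Varnish probe was also the only post-deploy health gate visible here; a check of the app's `/health` endpoint before printing success would keep a failed rollout from being reported as a successful one.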
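Review bot: Removing the `varnish` service from the compose file does not stop the container already running on the server, which still carries `traefik.enable=true`, the router labels and its `infra` attachment, while the app service now declares the same labels. Unless the `docker compose … up` call in deploy.yml (not shown in this patch) passes `--remove-orphans`, Traefik may see two containers claiming the same router names or keep serving cached responses through the stale Varnish. The labels inherited from the Varnish service continue outside the hunk; if they include a `loadbalancer.server.port` for Varnish's listener, it has to become `3000`, the port the deleted VCL used for the `klz-app` backend. The app is now attached to `infra` and reachable by Traefik directly, so any request filtering that relied on Varnish sitting in front needs to exist in Traefik middleware instead.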
@@ -51,13 +36,6 @@ services: # Middleware Definitions - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-compress.compress=true" - # Gatekeeper Router (to show the login page) - - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.rule=Host(`gatekeeper.${TRAEFIK_HOST:-klz-cables.com}`)" - - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.entrypoints=websecure" - - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.tls.certresolver=le" - - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.tls=true" - - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.service=${PROJECT_NAME:-klz-cables}-gatekeeper" - # Forwarded Headers - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-forward.headers.customrequestheaders.X-Forwarded-Proto=https" - "traefik.http.middlewares.${PROJECT_NAME:-klz-cables}-forward.headers.customrequestheaders.X-Forwarded-Ssl=on" @@ -89,6 +67,13 @@ services: DIRECTUS_ADMIN_PASSWORD: ${DIRECTUS_ADMIN_PASSWORD} labels: - "traefik.enable=true" + # Gatekeeper Router (Moved from Varnish) + - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.rule=Host(`gatekeeper.${TRAEFIK_HOST:-klz-cables.com}`)" + - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.entrypoints=websecure" + - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.tls.certresolver=le" + - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.tls=true" + - "traefik.http.routers.${PROJECT_NAME:-klz-cables}-gatekeeper.service=${PROJECT_NAME:-klz-cables}-gatekeeper" + - "traefik.http.services.${PROJECT_NAME:-klz-cables}-gatekeeper.loadbalancer.server.port=3000" - "traefik.docker.network=infra" diff --git a/varnish/default.vcl b/varnish/default.vcl deleted file mode 100644 index 02afda8a..00000000 --- a/varnish/default.vcl +++ /dev/null 
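Review bot: The comment `# Gatekeeper Router (Moved from Varnish)` records where the labels came from rather than what the router is for; the wording it replaces said the router shows the login page, and `# Gatekeeper Router (serves the login page)` stays accurate once this commit is forgotten. The added router labels set no `middlewares` entry, so unless one is attached on lines outside this hunk, the login host is published on `websecure` without the rate-limit or header middleware a credential form normally sits behind; worth confirming. The `labels:` list starts and ends outside the hunk.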
@@ -1,102 +0,0 @@
-vcl 4.1;
-
-import std;
-
-probe default_probe {
- .url = "/health";
- .timeout = 2s;
- .interval = 5s;
- .window = 5;
- .threshold = 3;
-}
-
-backend default {
- .host = "klz-app";
- .port = "3000";
- .connect_timeout = 10s;
- .first_byte_timeout = 300s;
- .between_bytes_timeout = 10s;
- .probe = default_probe;
-}
-
-acl purge {
- "localhost";
- "127.0.0.1";
-}
-
-sub vcl_recv {
- # Only allow PURGE from the ACL
- if (req.method == "PURGE") {
- if (!client.ip ~ purge) {
- return (synth(405, "Not allowed."));
- }
- return (purge);
- }
-
- # Only cache GET and HEAD requests
- if (req.method != "GET" && req.method != "HEAD") {
- return (pass);
- }
-
- # Bypass cache for Directus and CMS proxy
- if (req.url ~ "^/directus" || req.url ~ "^/admin" || req.url ~ "^/cms") {
- return (pass);
- }
-
- # Bypass cache for Next.js preview mode / health checks
- if (req.url ~ "^/api/preview" || req.url ~ "^/health") {
- return (pass);
- }
-
- # Remove all cookies for static files to improve cache hits
- if (req.url ~ "\.(png|gif|jpg|jpeg|svg|ico|webp|js|css|woff|woff2|otf|ttf)$") {
- unset req.http.Cookie;
- }
-
- # Normalize Cookies: Remove tracking cookies that don't affect page content
- # This keeps cookies like NEXT_LOCALE or AUTH cookies if needed, but strips others
- if (req.http.Cookie) {
- # Strip Google Analytics cookies
- set req.http.Cookie = regsuball(req.http.Cookie, "(^|;\s*)(__utm.|_ga.|_gid.|_gat)(=[^;]*)?", "");
- # Strip empty cookies
- set req.http.Cookie = regsub(req.http.Cookie, "^;\s*", "");
- if (req.http.Cookie ~ "^\s*$") {
- unset req.http.Cookie;
- }
- }
-
- return (hash);
-}
-
-sub vcl_backend_response {
- # Cache static assets for a long time
- if (bereq.url ~ "\.(png|gif|jpg|jpeg|svg|ico|webp|js|css|woff|woff2|otf|ttf)$") {
- set beresp.ttl = 1w;
- }
-
- # Respect Cache-Control from Next.js
- # If the response should not be cached, Next.js will usually send Cache-Control: no-cache, no-store, etc.
- if (beresp.http.Cache-Control ~ "private" ||
- beresp.http.Cache-Control ~ "no-cache" ||
- beresp.http.Cache-Control ~ "no-store") {
- set beresp.uncacheable = true;
- return (deliver);
- }
-
- # Set a default TTL if none is provided by the backend
- if (beresp.ttl <= 0s) {
- set beresp.ttl = 120s;
- }
-
- return (deliver);
-}
-
-sub vcl_deliver {
- # Add a debug header to show if it was a hit or miss
- if (obj.hits > 0) {
- set resp.http.X-Cache = "HIT";
- set resp.http.X-Cache-Hits = obj.hits;
- } else {
- set resp.http.X-Cache = "MISS";
- }
-}