chore: overhaul infrastructure and integrate @mintel packages

- Restructure to pnpm monorepo (site moved to apps/web)
- Integrate @mintel/tsconfig, @mintel/eslint-config, @mintel/husky-config
- Implement Docker service architecture (Varnish, Directus, Gatekeeper)
- Setup environment-aware Gitea Actions deployment

docker-compose.yml

@@ -1,80 +1,117 @@
-version: '3.8'
-
 services:
-  # Main website - Next.js standalone
-  website:
-    image: registry.infra.mintel.me/mintel/mintel.me:latest
+  app:
     build:
       context: .
-      dockerfile: docker/Dockerfile
       args:
-        - NEXT_PUBLIC_ANALYTICS_PROVIDER=${NEXT_PUBLIC_ANALYTICS_PROVIDER}
-        - NEXT_PUBLIC_UMAMI_WEBSITE_ID=${NEXT_PUBLIC_UMAMI_WEBSITE_ID}
-        - NEXT_PUBLIC_UMAMI_HOST_URL=${NEXT_PUBLIC_UMAMI_HOST_URL}
-        - NEXT_PUBLIC_PLAUSIBLE_DOMAIN=${NEXT_PUBLIC_PLAUSIBLE_DOMAIN}
-        - NEXT_PUBLIC_PLAUSIBLE_SCRIPT_URL=${NEXT_PUBLIC_PLAUSIBLE_SCRIPT_URL}
-        - NEXT_PUBLIC_GLITCHTIP_DSN=${NEXT_PUBLIC_GLITCHTIP_DSN}
-    container_name: mintel-website
-    restart: unless-stopped
-    # Port 3000 is internal to the docker network, Caddy will proxy to it.
-    # We can expose it for debugging if needed, but it's safer to keep it internal.
-    expose:
-      - "3000"
-    environment:
-      - NODE_ENV=production
-      - REDIS_URL=redis://redis:6379
-      - NEXT_PUBLIC_ANALYTICS_PROVIDER=${NEXT_PUBLIC_ANALYTICS_PROVIDER}
-      - NEXT_PUBLIC_UMAMI_WEBSITE_ID=${NEXT_PUBLIC_UMAMI_WEBSITE_ID}
-      - NEXT_PUBLIC_UMAMI_HOST_URL=${NEXT_PUBLIC_UMAMI_HOST_URL}
-      - NEXT_PUBLIC_PLAUSIBLE_DOMAIN=${NEXT_PUBLIC_PLAUSIBLE_DOMAIN}
-      - NEXT_PUBLIC_PLAUSIBLE_SCRIPT_URL=${NEXT_PUBLIC_PLAUSIBLE_SCRIPT_URL}
-      - NEXT_PUBLIC_GLITCHTIP_DSN=${NEXT_PUBLIC_GLITCHTIP_DSN}
-    depends_on:
-      - redis
+        NEXT_PUBLIC_BASE_URL: ${NEXT_PUBLIC_BASE_URL}
+        NEXT_PUBLIC_TARGET: ${TARGET:-development}
+    image: registry.infra.mintel.me/mintel/mintel.me:${IMAGE_TAG:-latest}
+    restart: always
     networks:
-      - app-network
+      - infra
+    env_file:
+      - ${ENV_FILE:-.env}
+    labels:
+      - "traefik.enable=false"
 
-  # Redis cache for performance
-  redis:
-    image: redis:7-alpine
-    container_name: mintel-redis
-    restart: unless-stopped
+  varnish:
+    image: varnish:7
+    restart: always
+    networks:
+      - infra
     volumes:
-      - redis-data:/data
-    command: redis-server --appendonly yes --maxmemory 256mb --maxmemory-policy allkeys-lru
-    networks:
-      - app-network
-    healthcheck:
-      test: ["CMD", "redis-cli", "ping"]
-      interval: 10s
-      timeout: 3s
-      retries: 3
-
-  # Caddy reverse proxy with automatic SSL
-  caddy:
-    image: caddy:2-alpine
-    container_name: mintel-caddy
-    restart: unless-stopped
-    ports:
-      - "80:80"
-      - "443:443"
-    volumes:
-      - ./docker/Caddyfile:/etc/caddy/Caddyfile
-      - caddy-data:/data
-      - caddy-config:/config
+      - ./varnish/default.vcl:/etc/varnish/default.vcl:ro
+    tmpfs:
+      - /var/lib/varnish:exec
     environment:
-      - DOMAIN=${DOMAIN:-localhost}
-      - EMAIL=${ADMIN_EMAIL:-admin@example.com}
-    depends_on:
-      - website
-    networks:
-      - app-network
+      VARNISH_SIZE: ${VARNISH_CACHE_SIZE:-256M}
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}-web.rule=Host(`${TRAEFIK_HOST}`) && !PathPrefix(`/.well-known/acme-challenge/`)"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}-web.entrypoints=web"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}-web.middlewares=redirect-https"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}.rule=Host(`${TRAEFIK_HOST}`)"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}.entrypoints=websecure"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}.tls.certresolver=le"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}.tls=true"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}.service=${PROJECT_NAME:-mintel-me}"
+      - "traefik.http.services.${PROJECT_NAME:-mintel-me}.loadbalancer.server.port=80"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}.middlewares=${PROJECT_NAME:-mintel-me}-ratelimit,${AUTH_MIDDLEWARE:-compress}"
 
-volumes:
-  redis-data:
-  caddy-data:
-  caddy-config:
+      # Gatekeeper
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}-gatekeeper.rule=Host(`${TRAEFIK_HOST}`) && PathPrefix(`/gatekeeper`)"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}-gatekeeper.entrypoints=websecure"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}-gatekeeper.tls.certresolver=le"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}-gatekeeper.tls=true"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}-gatekeeper.service=${PROJECT_NAME:-mintel-me}-gatekeeper"
+
+      # Middleware Definitions
+      - "traefik.http.middlewares.${PROJECT_NAME:-mintel-me}-ratelimit.ratelimit.average=100"
+      - "traefik.http.middlewares.${PROJECT_NAME:-mintel-me}-ratelimit.ratelimit.burst=50"
+      - "traefik.http.middlewares.${PROJECT_NAME:-mintel-me}-auth.forwardauth.address=http://${PROJECT_NAME}-gatekeeper:3000/verify"
+      - "traefik.http.middlewares.${PROJECT_NAME:-mintel-me}-auth.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.${PROJECT_NAME:-mintel-me}-auth.forwardauth.authResponseHeaders=X-Auth-User"
+
+  gatekeeper:
+    image: registry.infra.mintel.me/mintel/gatekeeper:latest
+    container_name: ${PROJECT_NAME:-mintel-me}-gatekeeper
+    restart: always
+    networks:
+      - infra
+    env_file:
+      - ${ENV_FILE:-.env}
+    environment:
+      PORT: 3000
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.${PROJECT_NAME:-mintel-me}-gatekeeper.loadbalancer.server.port=3000"
+
+  directus:
+    image: registry.infra.mintel.me/mintel/directus:latest
+    restart: always
+    networks:
+      - infra
+    env_file:
+      - ${ENV_FILE:-.env}
+    environment:
+      KEY: ${DIRECTUS_KEY}
+      SECRET: ${DIRECTUS_SECRET}
+      DB_CLIENT: 'pg'
+      DB_HOST: 'directus-db'
+      DB_PORT: '5432'
+      DB_DATABASE: ${DIRECTUS_DB_NAME:-directus}
+      DB_USER: ${DIRECTUS_DB_USER:-directus}
+      DB_PASSWORD: ${DIRECTUS_DB_PASSWORD:-directus}
+      PUBLIC_URL: ${DIRECTUS_URL:-https://cms.mintel.me}
+    volumes:
+      - ./directus/uploads:/directus/uploads
+      - ./directus/extensions:/directus/extensions
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}-directus.rule=Host(`${DIRECTUS_HOST}`)"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}-directus.entrypoints=websecure"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}-directus.tls.certresolver=le"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}-directus.tls=true"
+      - "traefik.http.routers.${PROJECT_NAME:-mintel-me}-directus.middlewares=${AUTH_MIDDLEWARE:-compress}"
+      - "traefik.http.services.${PROJECT_NAME:-mintel-me}-directus.loadbalancer.server.port=8055"
+
+  directus-db:
+    image: postgres:15-alpine
+    restart: always
+    networks:
+      - infra
+    env_file:
+      - ${ENV_FILE:-.env}
+    environment:
+      POSTGRES_DB: ${DIRECTUS_DB_NAME:-directus}
+      POSTGRES_USER: ${DIRECTUS_DB_USER:-directus}
+      POSTGRES_PASSWORD: ${DIRECTUS_DB_PASSWORD:-directus}
+    volumes:
+      - directus-db-data:/var/lib/postgresql/data
 
 networks:
-  app-network:
-    driver: bridge
+  infra:
+    external: true
+
+volumes:
+  directus-db-data: