From 2aec03221ec49d67fff1a521cb51b5fe263a2e43 Mon Sep 17 00:00:00 2001
From: Marc Mintel
Date: Wed, 11 Feb 2026 22:03:52 +0100
Subject: [PATCH] fix(pipeline): restore run directive in deploy.yml
---
 .gitea/workflows/deploy.yml | 24 ++++++++++++++++++++----
 docker-compose.yml | 27 ++++++++++++++++++---------
 2 files changed, 38 insertions(+), 13 deletions(-)
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 2141fc9..011c53f 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -231,13 +231,31 @@ jobs:
 GATEKEEPER_HOST: gatekeeper.${{ needs.prepare.outputs.traefik_host }}
 ENV_FILE: ${{ needs.prepare.outputs.env_file }}
 run: |
+ # Middleware & Auth Logic
+ LOG_LEVEL=$( [[ "$TARGET" == "testing" || "$TARGET" == "development" ]] && echo "debug" || echo "info" )
+ STD_MW="${PROJECT_NAME}-forward,compress"
+
+ if [[ "$TARGET" == "production" ]]; then
+ AUTH_MIDDLEWARE="$STD_MW"
+ COMPOSE_PROFILES=""
+ else
+ # Order: Forward (Proto) -> Auth -> Compression
+ AUTH_MIDDLEWARE="${PROJECT_NAME}-forward,${PROJECT_NAME}-auth,compress"
+ COMPOSE_PROFILES="gatekeeper"
+ fi
+
+ # Gatekeeper Origin
+ GATEKEEPER_ORIGIN="$NEXT_PUBLIC_BASE_URL/gatekeeper"
+
 # Generate Environment File
 cat > .env.deploy << EOF
 # Generated by CI - $TARGET
 IMAGE_TAG=$IMAGE_TAG
 NEXT_PUBLIC_BASE_URL=$NEXT_PUBLIC_BASE_URL
+ GATEKEEPER_ORIGIN=$GATEKEEPER_ORIGIN
 SENTRY_DSN=$SENTRY_DSN
 PROJECT_COLOR=$PROJECT_COLOR
+ LOG_LEVEL=$LOG_LEVEL
 # Directus
 DIRECTUS_URL=$DIRECTUS_URL
@@ -276,12 +294,10 @@ jobs:
 ENV_FILE=$ENV_FILE
 TRAEFIK_RULE='$TRAEFIK_RULE'
 TRAEFIK_HOST='$TRAEFIK_HOST'
- GATEKEEPER_HOST='$GATEKEEPER_HOST'
+ COMPOSE_PROFILES=$COMPOSE_PROFILES
+ AUTH_MIDDLEWARE=$AUTH_MIDDLEWARE
 EOF
- # AUTH_MIDDLEWARE logic
- printf "AUTH_MIDDLEWARE=%s\n" "$( [[ "$TARGET" == "production" ]] && echo "compress" || echo "${PROJECT_NAME}-auth,compress" )" >> .env.deploy
-
 - name: 🚀 SSH Deploy
 shell: bash
 env:
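Review bot: Both chains built in the first deploy.yml hunk name `${PROJECT_NAME}-forward`, but no label in this patch defines a middleware with that name; the docker-compose.yml hunks only show `${PROJECT_NAME}-auth`. Traefik does not serve a router whose chain references an unknown middleware, so if `-forward` is not declared outside the visible hunks, production (which now uses `$STD_MW`) would stop routing. I would add a comment above `STD_MW` such as `# ${PROJECT_NAME}-forward is declared in <file that defines it>; keep both names in sync`. The `run: |` block starts before this hunk and continues past it.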
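Review bot: In the second deploy.yml hunk the chain is written to .env.deploy as `AUTH_MIDDLEWARE`, while the only router label visible in this patch reads `${TRAEFIK_MIDDLEWARES:-${PROJECT_NAME}-auth}`. Unless something outside the hunks maps one name to the other, production would keep the `-auth` default while `COMPOSE_PROFILES=` no longer starts the gatekeeper container that forward-auth calls, which would likely fail every request. Writing the value under the name the compose file reads, e.g. `TRAEFIK_MIDDLEWARES=$AUTH_MIDDLEWARE`, would make the wiring explicit. The heredoc starts before this hunk.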
diff --git a/docker-compose.yml b/docker-compose.yml
index a87d0e6..cc1f9a6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -16,8 +16,8 @@ services:
 - "traefik.http.routers.${PROJECT_NAME}.middlewares=${TRAEFIK_MIDDLEWARES:-${PROJECT_NAME}-auth}"
 - "traefik.docker.network=infra"
- # Gatekeeper Router (Shared Host + dedicated Subdomain)
- - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.rule=${GATEKEEPER_RULE:-(Host(`${TRAEFIK_HOST:-mintel.me.localhost}`) && PathPrefix(`/gatekeeper`)) || Host(`gatekeeper.${TRAEFIK_HOST:-mintel.me.localhost}`)}"
+ # Gatekeeper Router (Path-based)
+ - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.rule=(Host(`${TRAEFIK_HOST}`) && PathPrefix(`/gatekeeper`))"
 - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.entrypoints=websecure"
 - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.tls.certresolver=le"
 - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.tls=true"
@@ -25,11 +25,13 @@ services:
 - "traefik.http.middlewares.${PROJECT_NAME}-auth.forwardauth.address=http://${PROJECT_NAME}-gatekeeper:3000/gatekeeper/api/verify"
 - "traefik.http.middlewares.${PROJECT_NAME}-auth.forwardauth.trustForwardHeader=true"
+ - "traefik.http.middlewares.${PROJECT_NAME}-auth.forwardauth.authRequestHeaders=X-Forwarded-Host,X-Forwarded-Proto,X-Forwarded-For"
 - "traefik.http.middlewares.${PROJECT_NAME}-auth.forwardauth.authResponseHeaders=X-Auth-User"
 - "traefik.docker.network=infra"
 gatekeeper:
- image: registry.infra.mintel.me/mintel/gatekeeper:latest
+ profiles: ["gatekeeper"]
+ image: registry.infra.mintel.me/mintel/gatekeeper:v1.7.10
 container_name: ${PROJECT_NAME:-mintel-me}-gatekeeper
 restart: always
 networks:
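Review bot: The new gatekeeper rule in the first docker-compose.yml hunk interpolates `${TRAEFIK_HOST}` with no fallback, so an unset variable produces a rule with an empty Host matcher and Compose only prints a warning. Now that the `mintel.me.localhost` default is gone, I would make the variable required: `${TRAEFIK_HOST:?TRAEFIK_HOST must be set}`. The same applies to `NEXT_PUBLIC_BASE_URL: ${GATEKEEPER_ORIGIN}` in the `@@ -45,8 +47,7 @@` hunk. The labels list starts before this hunk.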
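Review bot: The added `authRequestHeaders` label in the second docker-compose.yml hunk turns header forwarding into an allow-list: per Traefik's ForwardAuth documentation, once the option is non-empty only the listed request headers are copied to the auth server. `Cookie` is not in the list, so the verify endpoint would presumably never receive the session cookie named by `AUTH_COOKIE_NAME`, and every request would look unauthenticated. If gatekeeper authenticates by cookie, the value should be `authRequestHeaders=Cookie,X-Forwarded-Host,X-Forwarded-Proto,X-Forwarded-For`. With `trustForwardHeader=true` on the line above, it is also worth confirming that the entrypoint accepts `X-Forwarded-*` only from trusted proxies, since gatekeeper will take those values as given.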
@@ -45,8 +47,7 @@ services:
 COOKIE_DOMAIN: ${COOKIE_DOMAIN:-.mintel.me}
 AUTH_COOKIE_NAME: ${AUTH_COOKIE_NAME:-mintel_gatekeeper_session}
 GATEKEEPER_PASSWORD: ${GATEKEEPER_PASSWORD:-mintel}
- # Dedicated Base URL for Gatekeeper subdomain to prevent redirect loops
- NEXT_PUBLIC_BASE_URL: https://${GATEKEEPER_HOST:-gatekeeper.mintel.me}
+ NEXT_PUBLIC_BASE_URL: ${GATEKEEPER_ORIGIN}
 labels:
 - "traefik.enable=true"
 - "traefik.http.services.${PROJECT_NAME}-gatekeeper.loadbalancer.server.port=3000"
@@ -63,9 +64,9 @@ services:
 environment:
 KEY: ${DIRECTUS_KEY}
 SECRET: ${DIRECTUS_SECRET}
- DB_CLIENT: 'pg'
- DB_HOST: 'directus-db'
- DB_PORT: '5432'
+ DB_CLIENT: "pg"
+ DB_HOST: "directus-db"
+ DB_PORT: "5432"
 DB_DATABASE: ${DIRECTUS_DB_NAME:-directus}
 DB_USER: ${DIRECTUS_DB_USER:-directus}
 DB_PASSWORD: ${DIRECTUS_DB_PASSWORD:-directus}
@@ -74,7 +75,15 @@ services:
 - ./directus/uploads:/directus/uploads
 - ./directus/extensions:/directus/extensions
 healthcheck:
- test: [ "CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:8055/server/ping" ]
+ test:
+ [
+ "CMD",
+ "wget",
+ "--no-verbose",
+ "--tries=1",
+ "--spider",
+ "http://127.0.0.1:8055/server/ping",
+ ]
 interval: 30s
 timeout: 5s
 retries: 3
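Review bot: `GATEKEEPER_PASSWORD` keeps its committed fallback `mintel` on the context line just above the changed `NEXT_PUBLIC_BASE_URL` in the `@@ -45,8 +47,7 @@` hunk, while this commit makes gatekeeper the auth step for every non-production target. A deployment whose env file lacks the variable would come up protected by a password that is readable in the repository. I would drop the default and fail fast: `GATEKEEPER_PASSWORD: ${GATEKEEPER_PASSWORD:?GATEKEEPER_PASSWORD must be set}`. The `environment:` map starts before this hunk.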