From 41b592fbe0ccadad0f11a380743112cceee53e99 Mon Sep 17 00:00:00 2001
From: Marc Mintel
Date: Mon, 9 Feb 2026 10:59:44 +0100
Subject: [PATCH] chore: align deployment standards with mb-grid-solutions 1:1
---
 .gitea/workflows/deploy.yml | 7 ++++---
 docker-compose.yml | 21 +++++++++++++--------
 2 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 34389ca..1e2411b 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -138,9 +138,9 @@ jobs:
 # Determine middleware
 if [[ "$TARGET" == "production" ]]; then
- echo "auth_middleware=compress" >> "$GITHUB_OUTPUT"
+ echo "traefik_middlewares=compress" >> "$GITHUB_OUTPUT"
 else
- echo "auth_middleware=$PRJ_ID-$TARGET-auth" >> "$GITHUB_OUTPUT"
+ echo "traefik_middlewares=$PRJ_ID-$TARGET-auth" >> "$GITHUB_OUTPUT"
 fi
 qa:
@@ -270,7 +270,8 @@ jobs:
 GATEKEEPER_PASSWORD=${{ secrets.GATEKEEPER_PASSWORD || vars.GATEKEEPER_PASSWORD || 'mintel' }}
 AUTH_COOKIE_NAME=${{ secrets.AUTH_COOKIE_NAME || vars.AUTH_COOKIE_NAME || 'mintel_gatekeeper_session' }}
 COOKIE_DOMAIN=${{ secrets.COOKIE_DOMAIN || vars.COOKIE_DOMAIN || '.mintel.me' }}
- AUTH_MIDDLEWARE=${{ needs.prepare.outputs.auth_middleware }}
+ TRAEFIK_MIDDLEWARES=${{ needs.prepare.outputs.traefik_middlewares }}
+ AUTH_MIDDLEWARE=${{ needs.prepare.outputs.traefik_middlewares }}
 # External Services
 SENTRY_DSN=${{ secrets.SENTRY_DSN || vars.SENTRY_DSN }}
diff --git a/docker-compose.yml b/docker-compose.yml
index 06d82db..f310baf 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
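Review bot: The step output is renamed to `traefik_middlewares` in both `echo` lines of the first deploy.yml hunk, but the diffstat accounts only for these lines and the env block in the second hunk, so the `prepare` job's `outputs:` map (outside the hunk) may still export only `auth_middleware`. If it does, `needs.prepare.outputs.traefik_middlewares` evaluates to an empty string and both `TRAEFIK_MIDDLEWARES` and `AUTH_MIDDLEWARE` are written empty; production would then likely pick up the compose fallback `${PROJECT_NAME}-auth` instead of `compress`. Confirm the job-level map carries an entry such as `traefik_middlewares: ${{ steps.<step-id>.outputs.traefik_middlewares }}`, where `<step-id>` is a placeholder for this step's id.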
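Review bot: `GATEKEEPER_PASSWORD` in the context line above the change in the second deploy.yml hunk still falls back to the literal `'mintel'` when neither the secret nor the variable is set, so the non-production targets that rely on the `-auth` middleware can end up protected by a password that is readable in the repository. Drop the literal so an unset secret yields an empty value, `GATEKEEPER_PASSWORD=${{ secrets.GATEKEEPER_PASSWORD || vars.GATEKEEPER_PASSWORD }}`, and fail the job when the value is empty. The `vars.` fallback is also worth reconsidering, since a variable is not masked in logs the way a secret is. The env block this hunk edits starts and ends outside the hunk.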
@@ -8,16 +8,16 @@ services:
 - ${ENV_FILE:-.env}
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.${PROJECT_NAME}.rule=${TRAEFIK_RULE}"
+ - "traefik.http.routers.${PROJECT_NAME}.rule=${TRAEFIK_RULE:-Host(`${TRAEFIK_HOST:-mintel.me.localhost}`)}"
 - "traefik.http.routers.${PROJECT_NAME}.entrypoints=websecure"
 - "traefik.http.routers.${PROJECT_NAME}.tls.certresolver=le"
 - "traefik.http.routers.${PROJECT_NAME}.tls=true"
 - "traefik.http.services.${PROJECT_NAME}.loadbalancer.server.port=3000"
- - "traefik.http.routers.${PROJECT_NAME}.middlewares=${AUTH_MIDDLEWARE}"
+ - "traefik.http.routers.${PROJECT_NAME}.middlewares=${TRAEFIK_MIDDLEWARES:-${PROJECT_NAME}-auth}"
 - "traefik.docker.network=infra"
- # Gatekeeper Router
- - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.rule=${GATEKEEPER_RULE}"
+ # Gatekeeper Router (Shared Host + dedicated Subdomain)
+ - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.rule=${GATEKEEPER_RULE:-(Host(`${TRAEFIK_HOST:-mintel.me.localhost}`) && PathPrefix(`/gatekeeper`)) || Host(`gatekeeper.${TRAEFIK_HOST:-mintel.me.localhost}`)}"
 - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.entrypoints=websecure"
 - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.tls.certresolver=le"
 - "traefik.http.routers.${PROJECT_NAME}-gatekeeper.tls=true"
@@ -30,6 +30,7 @@ services:
 gatekeeper:
 image: registry.infra.mintel.me/mintel/gatekeeper:latest
+ container_name: ${PROJECT_NAME:-mintel-me}-gatekeeper
 restart: always
 networks:
 infra:
@@ -38,7 +39,7 @@ services:
 env_file:
 - ${ENV_FILE:-.env}
 environment:
- PORT: 3000
+ PORT: ${PORT:-3000}
 PROJECT_NAME: ${PROJECT_NAME:-Mintel.me}
 PROJECT_COLOR: ${PROJECT_COLOR:-#ff00ff}
 COOKIE_DOMAIN: ${COOKIE_DOMAIN:-.mintel.me}
@@ -56,6 +57,7 @@ services:
 restart: always
 networks:
 - infra
+ - backend
 env_file:
 - ${ENV_FILE:-.env}
 environment:
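Review bot: The new fallback `${TRAEFIK_MIDDLEWARES:-${PROJECT_NAME}-auth}` on the app router names a middleware that differs from the `$PRJ_ID-$TARGET-auth` value the workflow writes, and neither middleware's definition is visible in this hunk. Traefik normally refuses to serve a router that references an undefined middleware, so the fallback presumably fails closed, but that intent should be stated next to the label, for example `# Unset TRAEFIK_MIDDLEWARES falls back to the auth middleware so the app is never published unauthenticated by omission`. The label keys still use `${PROJECT_NAME}` with no default while the values now have one, so an unset `PROJECT_NAME` produces keys like `traefik.http.routers..rule`; `${PROJECT_NAME:?PROJECT_NAME is required}` would make that failure explicit.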
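Review bot: The gatekeeper image in the context line above the added `container_name` is pulled by the mutable `latest` tag, so the component that enforces access on non-production hosts can change without any change in this repository. Pin it to a release tag or digest, `image: registry.infra.mintel.me/mintel/gatekeeper:<version>` (placeholder), and bump it deliberately. The new `container_name` default `mintel-me` also differs from the `PROJECT_NAME` default `Mintel.me` in the `environment` block of the next hunk; one spelling would be easier to follow. The service definition continues outside the hunk.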
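Review bot: `PORT: ${PORT:-3000}` in the gatekeeper `environment` block makes the listen port depend on whatever `PORT` is present when `docker compose` interpolates the file, whereas the literal `3000` previously overrode any inherited value. The gatekeeper's `loadbalancer.server.port` label is outside this hunk; if it is hard-coded like the app's `port=3000` label, a different `PORT` would leave Traefik pointing at a port nothing listens on. Either keep the literal or derive the label from the same variable.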
@@ -79,19 +81,20 @@ services:
 start_period: 30s
 labels:
 - "traefik.enable=true"
- - "traefik.http.routers.${PROJECT_NAME}-directus.rule=Host(`${DIRECTUS_HOST}`)"
+ - "traefik.http.routers.${PROJECT_NAME}-directus.rule=Host(`${DIRECTUS_HOST:-cms.mintel.me.localhost}`)"
 - "traefik.http.routers.${PROJECT_NAME}-directus.entrypoints=websecure"
 - "traefik.http.routers.${PROJECT_NAME}-directus.tls.certresolver=le"
 - "traefik.http.routers.${PROJECT_NAME}-directus.tls=true"
- - "traefik.http.routers.${PROJECT_NAME}-directus.middlewares=${AUTH_MIDDLEWARE}"
+ - "traefik.http.routers.${PROJECT_NAME}-directus.middlewares=${PROJECT_NAME}-forward,compress"
 - "traefik.http.services.${PROJECT_NAME}-directus.loadbalancer.server.port=8055"
+ - "traefik.http.middlewares.${PROJECT_NAME}-forward.headers.customrequestheaders.X-Forwarded-Proto=https"
 - "traefik.docker.network=infra"
 directus-db:
 image: postgres:15-alpine
 restart: always
 networks:
- - infra
+ - backend
 env_file:
 - ${ENV_FILE:-.env}
 environment:
@@ -104,6 +107,8 @@ services:
 networks:
 infra:
 external: true
+ backend:
+ internal: true
 volumes:
 directus-db-data:
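Review bot: The Directus router loses its access-control middleware here: `middlewares=${PROJECT_NAME}-forward,compress` replaces `${AUTH_MIDDLEWARE}`, which the workflow set to the `-auth` middleware on every non-production target. After this change the staging and preview CMS is published with only Directus' own login in front of it. If the gatekeeper should still cover it, keep the variable in the chain, e.g. `middlewares=${TRAEFIK_MIDDLEWARES:-${PROJECT_NAME}-auth},${PROJECT_NAME}-forward`; if dropping it is intentional, a comment on the label saying so would prevent it being read as an oversight. Moving `directus-db` from the shared `infra` network to the internal `backend` network in the same hunk is a sound reduction of exposure.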