Add missing configs: traefik middlewares, gollum config.rb, brain nginx.conf

stacks/traefik/conf.d/middlewares.yaml

@@ -0,0 +1,61 @@
+# Core middlewares for traefik
+# External service routers should be added as separate files or via docker labels
+
+http:
+  routers:
+    # Redirect HTTP to HTTPS
+    https-redirect:
+      entryPoints:
+        - http
+      rule: "HostRegexp(`{host:.+}`)"
+      service: noop@internal
+      middlewares:
+        - redirect-to-https
+      priority: 1
+
+  middlewares:
+    # HTTPS redirect
+    redirect-to-https:
+      redirectScheme:
+        scheme: https
+
+    # Authentik forward auth - update URL after authentik is deployed
+    auth:
+      forwardAuth:
+        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-authentik-username
+          - X-authentik-groups
+          - X-authentik-email
+          - X-authentik-name
+          - X-authentik-uid
+          - X-authentik-jwt
+          - X-authentik-meta-jwks
+          - X-authentik-meta-outpost
+          - X-authentik-meta-provider
+          - X-authentik-meta-app
+          - X-authentik-meta-version
+
+    # Security headers
+    securityHeaders:
+      headers:
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
+          server: ""
+          X-Forwarded-Proto: "https"
+        sslProxyHeaders:
+          X-Forwarded-Proto: https
+        referrerPolicy: "same-origin"
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        contentTypeNosniff: true
+        browserXssFilter: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsSeconds: 63072000
+        stsPreload: true
+
+    # Gzip compression
+    gzip:
+      compress: {}