Add missing configs: traefik middlewares, gollum config.rb, brain nginx.conf

stacks/brain/nginx.conf

@@ -0,0 +1,16 @@
+server {
+    listen       80;
+    listen  [::]:80;
+    server_name  localhost;
+
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+        try_files $uri $uri/ $uri.html =404;
+    }
+
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+}

stacks/gollum/config.rb

@@ -0,0 +1,12 @@
+module Gollum
+  Gollum::GIT_ADAPTER = "my"
+end
+
+Gollum::Hook.register(:post_commit, :hook_id) do |committer, sha1|
+  committer.wiki.repo.git.pull('origin', committer.wiki.ref)
+  committer.wiki.repo.git.push('origin', committer.wiki.ref)
+end
+
+wiki_options = {}
+
+Precious::App.set(:wiki_options, wiki_options)

stacks/traefik/conf.d/middlewares.yaml

@@ -0,0 +1,61 @@
+# Core middlewares for traefik
+# External service routers should be added as separate files or via docker labels
+
+http:
+  routers:
+    # Redirect HTTP to HTTPS
+    https-redirect:
+      entryPoints:
+        - http
+      rule: "HostRegexp(`{host:.+}`)"
+      service: noop@internal
+      middlewares:
+        - redirect-to-https
+      priority: 1
+
+  middlewares:
+    # HTTPS redirect
+    redirect-to-https:
+      redirectScheme:
+        scheme: https
+
+    # Authentik forward auth - update URL after authentik is deployed
+    auth:
+      forwardAuth:
+        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-authentik-username
+          - X-authentik-groups
+          - X-authentik-email
+          - X-authentik-name
+          - X-authentik-uid
+          - X-authentik-jwt
+          - X-authentik-meta-jwks
+          - X-authentik-meta-outpost
+          - X-authentik-meta-provider
+          - X-authentik-meta-app
+          - X-authentik-meta-version
+
+    # Security headers
+    securityHeaders:
+      headers:
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
+          server: ""
+          X-Forwarded-Proto: "https"
+        sslProxyHeaders:
+          X-Forwarded-Proto: https
+        referrerPolicy: "same-origin"
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        contentTypeNosniff: true
+        browserXssFilter: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsSeconds: 63072000
+        stsPreload: true
+
+    # Gzip compression
+    gzip:
+      compress: {}