Add traefik routing configs to GitOps

Sync all conf.d routing configs from core:
- authentik.yml - routes to ubuntu-prod:9000
- gitea.yml - routes to ubuntu-prod:3001
- middlewares.yaml - forward-auth, redirects, security headers
- dynamic.yml, library.yaml, meshmon.yaml, minecraft.yaml
- radio.yml, spider.yml, tlc.yml, wille.yaml

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

stacks/traefik/conf.d/authentik.yml

@@ -0,0 +1,23 @@
+http:
+  routers:
+    authentik:
+      entrypoints:
+        - https
+      rule: "Host(`authentik.ghost.tel`)"
+      service: authentik
+      tls:
+        certResolver: http
+    
+    authentik-outpost:
+      entrypoints:
+        - https
+      rule: "HostRegexp(`{subdomain:[a-z0-9]+}.ghost.tel`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      service: authentik
+      tls:
+        certResolver: http
+
+  services:
+    authentik:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.5.123:9000"

stacks/traefik/conf.d/dynamic.yml

@@ -0,0 +1,14 @@
+tcp:
+  routers:
+    ssh-router:
+      entryPoints:
+        - ssh
+      rule: "HostSNI(`*`)"
+      service: ssh-service
+
+  services:
+    ssh-service:
+      loadBalancer:
+        servers:
+          - address: "web:22"  # Reference the service name defined in docker-compose
+

stacks/traefik/conf.d/gitea.yml

@@ -0,0 +1,15 @@
+http:
+  routers:
+    gitea:
+      entrypoints:
+        - https
+      rule: "Host(`gitea.ghost.tel`)"
+      service: gitea
+      tls:
+        certResolver: http
+  
+  services:
+    gitea:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.5.123:3001"

stacks/traefik/conf.d/library.yaml

@@ -0,0 +1,19 @@
+http:
+  routers:
+    library:
+      entrypoints:
+        - https
+        - http
+      rule: Host(`library.ghost.tel`)
+      service: library
+      tls:
+        certResolver: http
+      middlewares:
+        - securityHeaders
+
+  services:
+    library:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://docker-dev:8033/"

stacks/traefik/conf.d/meshmon.yaml

@@ -0,0 +1,19 @@
+http:
+  routers:
+    meshmon:
+      entrypoints:
+        - https
+        - http
+      rule: Host(`meshmon.ghost.tel`)
+      service: meshmon
+      tls:
+        certResolver: http
+      middlewares:
+        - securityHeaders
+
+  services:
+    meshmon:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://docker-dev:8383/"

stacks/traefik/conf.d/middlewares.yaml

@@ -1,28 +1,211 @@
-# Core middlewares for traefik
-# External service routers should be added as separate files or via docker labels
+core:
+  defaultRuleSyntax: v2
 
 http:
   routers:
-    # Redirect HTTP to HTTPS
     https-redirect:
       entryPoints:
         - http
-      rule: "HostRegexp(`{host:.+}`)"
-      service: noop@internal
+      # Activate this Router on any Host requested
+      rule: "hostregexp(`{host:.+}`)"
+      service: dummy
       middlewares:
         - redirect-to-https
-      priority: 1
+
+    # (NEW) Redirect immich.ghost.tel to photos.ghost.tel
+    immich-redirect:
+      entryPoints:
+        - http
+        - https  # Catch both HTTP and HTTPS requests
+      rule: Host(`immich.ghost.tel`)
+      service: dummy  # Dummy service since it's a redirect, not proxying
+      middlewares:
+        - redirect-immich-to-photos
+      tls:
+        certResolver: http
+
+    homeassist:
+      entryPoints:
+        - https
+      rule: Host(`home.ghost.tel`)
+      service: HomeAssistant
+      tls:
+        certResolver: http
+      middlewares:
+        - securityHeaders
+
+    dynmap:
+      entryPoints:
+        - http
+        - https
+      rule: Host(`dynmap.ghost.tel`)
+      service: dynmap
+      tls:
+        certResolver: http
+
+    amp:
+      entryPoints:
+        - http
+      rule: Host(`amped.ghost.tel`)
+      service: amp
+      tls:
+        certResolver: http
+
+    # Uncomment if you need them; included for reference
+    # brake:
+    #   entryPoints:
+    #     - http
+    #   rule: Host(`parker.ramz.cc`) || Host(`whoami.brake.tel`) || Host(`electrate.brake.tel`) || Host(`sarah.brake.tel`) || Host(`brake.tel`)
+    #   service: brake
+
+    # brakehttps:
+    #   entryPoints:
+    #     - https
+    #   rule: Host(`parker.ramz.cc`) || Host(`whoami.brake.tel`) || Host(`electrate.brake.tel`) || Host(`sarah.brake.tel`) || Host(`brake.tel`)
+    #   service: brakehttps
+
+    invid:
+      entryPoints:
+        - http
+        - https
+      rule: Host(`inv.ghost.tel`) && !(Path(`/latest_version`) || PathPrefix(`/api/manifest/dash/id/`) || PathPrefix(`/videoplayback`) || PathPrefix(`/download`))
+      service: invid
+      tls:
+        certResolver: http
+
+    # (NEW) Route /companion path to Invidious Companion
+    invid-companion:
+      entryPoints:
+        - http
+        - https
+      rule: Host(`inv.ghost.tel`) && (Path(`/latest_version`) || PathPrefix(`/api/manifest/dash/id/`) || PathPrefix(`/youtubei/v1/player`) || PathPrefix(`/videoplayback`) || PathPrefix(`/download`))
+      service: invid-companion
+      tls:
+        certResolver: http
+      middlewares:
+        - invid-companion-prefix
+
+#    tempai:
+#      entryPoints:
+#        - http
+#        - https
+#      rule: Host(`shell.ghost.tel`)
+#      service: tempai
+#      tls:
+#        certResolver: http
+#      middlewares:
+#        - dashboard-auth
+
+
+    picam:
+      entryPoints:
+        - http
+        - https
+      rule: Host(`printview.ghost.tel`)
+      service: picam
+      tls:
+        certResolver: http
+
+    # Example internal API / dashboard config (for reference)
+    # my-api:
+    #   entryPoints:
+    #     - dashboard
+    #   rule: "PathPrefix(`/dashboard`) || PathPrefix(`/api`)"
+    #   service: api@internal
+    #   middlewares:
+    #     - dashboard-auth
+
+    my-secure-api:
+      entryPoints:
+        - https
+      rule: "Host(`traefik.ghost.tel`)"
+      service: api@internal
+      middlewares:
+        - auth
+      tls:
+        certResolver: http
+
+  services:
+    HomeAssistant:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://homeassistant.localdomain:8123"
+
+    dummy:
+      loadBalancer:
+        servers:
+          - url: "localhost"
+
+    dynmap:
+      loadBalancer:
+        servers:
+          - url: "http://ramiel:8123/"
+
+    amp:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://192.168.1.205:8080"
+
+    # brake:
+    #   loadBalancer:
+    #     passHostHeader: true
+    #     servers:
+    #       - url: "http://192.168.1.231:3333"
+
+    # brakehttps:
+    #   loadBalancer:
+    #     passHostHeader: true
+    #     servers:
+    #       - url: "http://192.168.1.231:3333"
+
+    invid:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://192.168.5.123:3000"
+
+    # (NEW) Invidious Companion service at port 8282
+    invid-companion:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://192.168.5.123:8282"
+
+    picam:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://192.168.1.80:8080"
+
+ #   tempai:
+ #     loadBalancer:
+ #       passHostHeader: true
+ #       servers:
+ #         - url: "http://192.168.5.10:3001"
+
 
   middlewares:
-    # HTTPS redirect
+    # (NEW) Middleware to redirect immich.ghost.tel to photos.ghost.tel
+    redirect-immich-to-photos:
+      redirectRegex:
+        regex: "^https?://immich\\.ghost\\.tel(/.*)?$"
+        replacement: "https://photos.ghost.tel$1"
+        permanent: true
+
+    dashboard-auth:
+      basicAuth:
+        usersFile: "/basicAuth"
+
     redirect-to-https:
       redirectScheme:
         scheme: https
+        # permanent: true
 
-    # Authentik forward auth - update URL after authentik is deployed
     auth:
       forwardAuth:
-        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
+        address: http://192.168.5.123:9000/outpost.goauthentik.io/auth/traefik
         trustForwardHeader: true
         authResponseHeaders:
           - X-authentik-username
@@ -37,7 +220,6 @@ http:
           - X-authentik-meta-app
           - X-authentik-meta-version
 
-    # Security headers
     securityHeaders:
       headers:
         customResponseHeaders:
@@ -56,6 +238,24 @@ http:
         stsSeconds: 63072000
         stsPreload: true
 
-    # Gzip compression
+    # (NEW) Adds /companion prefix before passing to Companion
+    invid-companion-prefix:
+      addPrefix:
+        prefix: "/companion"
+
     gzip:
       compress: {}
+
+# Example for TCP routing (commented out)
+# tcp:
+#   routers:
+#     router-ssh:
+#       entryPoints:
+#         - web-secure
+#       rule: HostSNI(`*`)
+#       service: service-ssh
+#   services:
+#     service-ssh:
+#       loadBalancer:
+#         servers:
+#           - address: 192.168.1.203:2245

stacks/traefik/conf.d/minecraft.yaml

@@ -0,0 +1,21 @@
+http:
+  routers:
+    skeyta:
+      entrypoints:
+        - https
+        - http
+      rule: Host(`skeyta.ghost.tel`)
+      service: skeyta
+      tls:
+        certResolver: http
+      middlewares:
+        - securityHeaders
+
+  services:
+    skeyta:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://ramiel.localdomain:8"
+
+

stacks/traefik/conf.d/radio.yml

@@ -0,0 +1,23 @@
+core:
+  defaultRuleSyntax: v2
+
+http:
+  routers:
+    radio:
+      entrypoints:
+        - https
+        - http
+      rule: Host(`radio.uplink.tel`)
+      service: radio
+      tls:
+        certResolver: http
+      middlewares:
+        - securityHeaders
+
+  services:
+    radio:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://wunder.localdomain:3000"
+

stacks/traefik/conf.d/spider.yml

@@ -0,0 +1,23 @@
+core:
+  defaultRuleSyntax: v2
+
+http:
+  routers:
+    spider:
+      entrypoints:
+        - https
+        - http
+      rule: Host(`spider.ghost.tel`)
+      service: spider
+      tls:
+        certResolver: http
+      middlewares:
+        - securityHeaders
+
+  services:
+    spider:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://melchior.localdomain:30870"
+

stacks/traefik/conf.d/tlc.yml

@@ -0,0 +1,23 @@
+core:
+  defaultRuleSyntax: v2
+
+http:
+  routers:
+    tlc:
+      entrypoints:
+        - https
+        - http
+      rule: Host(`tlc.ghost.tel`) || Host(`thislittlecorner.net`)
+      service: tlc
+      tls:
+        certResolver: http
+      middlewares:
+        - securityHeaders
+
+  services:
+    tlc:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://docker-dev:8080/"
+

stacks/traefik/conf.d/wille.yaml

@@ -0,0 +1,20 @@
+http:
+  routers:
+    photos:
+      entrypoints:
+        - https
+        - http
+      rule: Host(`photos.ghost.tel`)
+      service: wille
+      tls:
+        certResolver: http
+      middlewares:
+        - securityHeaders
+
+  services:
+    wille:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://wille.localdomain:2283"
+