feat: add Traefik dynamic configs to GitOps management

nodes/heimdall/core/traefik/dynamic/middleware.yml

@@ -0,0 +1,53 @@
+---
+# Traefik dynamic middleware configuration
+# Managed by homelab-registry-mcp write path
+# Source of truth: nodes/heimdall/core/traefik/dynamic/
+# Do not edit /mnt/appdata/traefik/dynamic/ directly
+
+http:
+  middlewares:
+
+    security-headers:
+      headers:
+        stsSeconds: 63072000
+        stsIncludeSubdomains: true
+        stsPreload: true
+        frameDeny: true
+        contentTypeNosniff: true
+        browserXssFilter: true
+        referrerPolicy: "same-origin"
+
+    ratelimit-basic:
+      rateLimit:
+        average: 50
+        burst: 100
+
+    dashboard-auth:
+      basicAuth:
+        users:
+          - "chester:$2y$05$li5tJ0g9IN.QCfX1Q/QJu.ygbpuVQQmnEe1.jFdfFg9R8OvZiMNEi"
+
+    https-redirect:
+      redirectScheme:
+        scheme: https
+        permanent: true
+
+    dashboard-slash:
+      redirectregex:
+        regex: ^/dashboard$
+        replacement: /dashboard/
+        permanent: true
+
+    authentik-auth:
+      forwardAuth:
+        # If your Authentik container is on the same network as Traefik, 
+        # use the container name. Otherwise, use the internal IP.
+        address: "http://10.0.0.151:9000/outpost.goauthentik.io/auth/traefik"
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-authentik-username
+          - X-authentik-groups
+          - X-authentik-email
+          - X-authentik-name
+          - X-authentik-uid
+          - X-authentik-jwt

nodes/heimdall/core/traefik/dynamic/static-backends.yml

@@ -0,0 +1,82 @@
+---
+# Traefik static backend routes for non-containerised lab services
+# Managed by homelab-registry-mcp write path
+# Source of truth: nodes/heimdall/core/traefik/dynamic/
+# Do not edit /mnt/appdata/traefik/dynamic/ directly
+
+http:
+
+  serversTransports:
+    insecure-transport:
+      insecureSkipVerify: true
+
+  routers:
+    tnas-router:
+      rule: "Host(`tnas.castaldifamily.com`)"
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: cloudflare
+      service: tnas-service
+      middlewares:
+        - security-headers@file
+    dsm-router:
+      rule: "Host(`dsm.castaldifamily.com`)"
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: cloudflare
+      service: dsm-service
+      middlewares:
+        - security-headers@file
+    watchtower-router:
+      rule: "Host(`watchtower.castaldifamily.com`)"
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: cloudflare
+      service: watchtower-service
+      middlewares:
+        - security-headers@file
+    gitvana-router:
+      rule: "Host(`gitvana.castaldifamily.com`)"
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: cloudflare
+      service: gitvana-service
+      middlewares:
+        - security-headers@file
+    immich-router:
+      rule: "Host(`photos.castaldifamily.com`)"
+      entryPoints:
+        - websecure
+      tls:
+        certResolver: cloudflare
+      service: immich-service
+
+  services:
+    tnas-service:
+      loadBalancer:
+        servers:
+          - url: "https://10.0.0.250:5443/tos/#/"
+        serversTransport: insecure-transport
+    dsm-service:
+      loadBalancer:
+        servers:
+          - url: "https://10.0.0.249:5001"
+        serversTransport: insecure-transport
+    watchtower-service:
+      loadBalancer:
+        servers:
+          - url: "https://10.0.0.200:9090"
+        serversTransport: insecure-transport
+    gitvana-service:
+      loadBalancer:
+        servers:
+          - url: "http://10.0.0.201:3000"
+    immich-service:
+      loadBalancer:
+        servers:
+          - url: "http://10.0.0.251:2283"
+