feat: migrate all stacks to Coolify (proxy network, clean labels, pull_policy)

- Remove traefik.enable, traefik.docker.network, traefik.http.routers.* from all services
- Keep traefik.http.services.<name>.loadbalancer.server.port labels
- Keep all middleware definitions (forwardauth, headers, redirects)
- Add pull_policy: always to main/frontend services
- Add proxy network + label to gitea and karakeep (previously missing)
- Add COOLIFY-TEMPLATE.md reference guide

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

authentik/docker-compose.yml

@@ -25,6 +25,7 @@ services:
   ths-authentik-server:
     image: ${AUTHENTIK_IMAGE}
     container_name: ths-authentik-server
+    pull_policy: always
     restart: unless-stopped
     command: ["server"]
     environment:
@@ -54,33 +55,14 @@ services:
       - proxy
 
     labels:
-      traefik.enable: "true"
-      traefik.docker.network: "${TRAEFIK_DOCKER_NETWORK}"
-
       # Service Authentik (panel + endpoints)
       traefik.http.services.ths-authentik.loadbalancer.server.port: "${AUTHENTIK_HTTP_PORT}"
 
-      # Panel Authentik (auth.thehomelesssherlock.com)
-      traefik.http.routers.ths-authentik.rule: "Host(`${AUTHENTIK_DOMAIN}`)"
-      traefik.http.routers.ths-authentik.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
-      traefik.http.routers.ths-authentik.tls: "true"
-      traefik.http.routers.ths-authentik.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
-      traefik.http.routers.ths-authentik.service: "ths-authentik"
-
-      # Middleware forwardAuth (para proteger otros servicios) -> usar ths-ths-authentik@docker en tus stacks THS
+      # Middleware forwardAuth (para proteger otros servicios) -> usar ths-authentik@docker en tus stacks THS
       traefik.http.middlewares.ths-authentik.forwardauth.address: "http://ths-authentik-server:${AUTHENTIK_HTTP_PORT}/outpost.goauthentik.io/auth/traefik"
       traefik.http.middlewares.ths-authentik.forwardauth.trustForwardHeader: "true"
       traefik.http.middlewares.ths-authentik.forwardauth.authResponseHeaders: "X-Authentik-Username,X-Authentik-Groups,X-Authentik-Email,X-Authentik-Uid,X-Authentik-Jwt"
 
-      # OUTPOST genérico para TODO el dominio THS (subdominios + apex + www)
-      # ✅ Sin comas dentro de Host()
-      traefik.http.routers.ths-authentik-outpost.rule: "(HostRegexp(`{subdomain:[a-z0-9-]+}.thehomelesssherlock.com`) || Host(`thehomelesssherlock.com`) || Host(`www.thehomelesssherlock.com`)) && PathPrefix(`/outpost.goauthentik.io/`)"
-      traefik.http.routers.ths-authentik-outpost.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
-      traefik.http.routers.ths-authentik-outpost.tls: "true"
-      traefik.http.routers.ths-authentik-outpost.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
-      traefik.http.routers.ths-authentik-outpost.service: "ths-authentik"
-      traefik.http.routers.ths-authentik-outpost.priority: "1000"
-
   ths-authentik-worker:
     image: ${AUTHENTIK_IMAGE}
     container_name: ths-authentik-worker
@@ -109,4 +91,3 @@ networks:
     external: true
   ths_authentik_internal:
     driver: bridge
-