brain.gharbeia.net: add Traefik router + update gharbeia-site to external LXC nginx

- Add brain router with Authentik forward-auth pointing to LXC nginx on 8082
- Update gharbeia-site-internal from production-1 Docker nginx to LXC nginx on 8083
- Add brain-internal service (10.10.10.29:8082)

infrastructure.org

@@ -502,7 +502,20 @@
    502|      tls:
    503|        certResolver: letsencrypt
    504|
-   505|    # -- Management ------------------------------------------------
+   505|    # -- Brain Knowledge Base (private, behind Authentik) ------------
+   506|
+   507|    brain:
+   508|      rule: "Host(`brain.gharbeia.net`)"
+   509|      service: brain-internal
+   510|      entryPoints:
+   511|        - secureweb
+   512|      tls:
+   513|        certResolver: letsencrypt
+   514|      middlewares:
+   515|        - authentik-forwardauth@file
+   516|        - security-headers@file
+   517|
+   518|    # -- Management ------------------------------------------------
    506|
    507|    gitea:
    508|      rule: "Host(`git.gharbeia.net`)"
@@ -696,8 +709,12 @@
    696|    gharbeia-site-internal:
    697|      loadBalancer:
    698|        servers:
-   699|          - url: http://gharbeia-site:80
+   699|          - url: http://10.10.10.29:8083
-   700|    gitea-internal:
+   700|    brain-internal:
+   701|      loadBalancer:
+   702|        servers:
+   703|          - url: "http://10.10.10.29:8082"
+   704|    gitea-internal:
    701|      loadBalancer:
    702|        servers:
    703|          - url: http://gitea:3000