nginx template: allow /.well-known/* (the runtime-generated config)

PR #9 fixed default.conf and default-rootless.conf — the static, baked-
into-image versions. But the running container generates its config
from default.conf.template via envsubst at startup, overwriting the
baked default.conf with the templated output. The fix needs to live
on the template path or it never reaches running pods.

Verified live: a fresh id pod showed the correct `location ^~
/.well-known/` in default.conf (baked) but a regenerated
runtime default.conf without the block. /.well-known/openid-configuration
remained 404. Adding the well-known allow to the template, with
${NGINX_TRY_FILES} for the framework's index target, so the
runtime config gets it.

Build-and-push needs another workflow_dispatch since the workflow
doesn't auto-trigger on path changes.

Author: sylvesterdamgaard

php-fpm-nginx/common/default.conf.template

@@ -176,6 +176,21 @@ ${NGINX_SECURITY_HEADERS}
     # SECURITY: Block sensitive files and directories
     # ─────────────────────────────────────────────────────────────────────────
 
+    # RFC 8615 — /.well-known/ is the reserved namespace for site-wide
+    # service metadata: OIDC discovery, OAuth authorization-server
+    # metadata, security.txt, ACME challenges, change-password, etc.
+    # Apps register handlers (e.g. Laravel: `Route::get('.well-known/...')`),
+    # but the catch-all dotfile block below would otherwise 404 every
+    # request before the app sees it.
+    #
+    # `^~` makes this a prefix match that wins over the regex catch-all
+    # below — nginx prefers `^~` matches and skips regex evaluation
+    # when one matches. Place BEFORE the `/\.` block; ordering of
+    # regex blocks matters but `^~` short-circuits regardless.
+    location ^~ /.well-known/ {
+        try_files $uri $uri/ ${NGINX_TRY_FILES};
+    }
+
     # Block hidden files (.env, .git, .htaccess, .svn, etc.)
     location ~ /\.(env|git|svn|htaccess|htpasswd|gitignore|gitattributes|dockerignore) {
         deny all;