ci(deploy): integrate with mirror-nginx instead of Caddy

The server's central mirror-nginx already owns 80/443 + manages TLS, so FlatRender
can't run its own Caddy there. Adapt the deploy to the host-port + reverse-proxy model:

- compose: Caddy moved behind `profiles: [edge]` (not started by default); frontend/
  gateway/minio host ports are now EDGE_BIND + FRONTEND_PORT/GATEWAY_PORT/MINIO_PORT
  (so they can avoid Gitea's :3000 etc.); postgres/render stay on HOST_BIND loopback.
- deploy/ENV_FILE.production.example: nginx model, pre-filled for flatrender.ir,
  host ports 1600/1605/1610, no Caddy/ACME vars.
- deploy/mirror-nginx-flatrender.conf: ready-to-paste server blocks routing
  flatrender.ir / api / storage → 171.22.25.73:{1600,1605,1610}.
- deploy/README.md: nginx integration + cert step.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

deploy/ENV_FILE.production.example

@@ -1,32 +1,36 @@
 # ─────────────────────────────────────────────────────────────────────────────
-# FlatRender — PRODUCTION ENV_FILE template
+# FlatRender — PRODUCTION ENV_FILE template (server: 171.22.25.73, behind mirror-nginx)
 #
-# This is the content of the Gitea repo secret named  ENV_FILE.
-# Set it at:  https://git.soroushasadi.com/soroushdes/flatrender/settings/secrets
+# This is the content of the Gitea repo secret  ENV_FILE.
+#   https://git.soroushasadi.com/soroushdes/flatrender/settings/secrets
 # The deploy job writes this verbatim to `.env`, which docker compose reads.
 #
+# TLS + domain routing is handled by the existing central mirror-nginx (it owns
+# 80/443). FlatRender does NOT run Caddy here — it publishes host ports and
+# mirror-nginx reverse-proxies the domains to them (see deploy/README.md).
+#
 # Fill every <PLACEHOLDER>. Generate secrets with:  openssl rand -hex 32
-# After editing the secret, push any commit to trigger a redeploy.
-# Changing a NEXT_PUBLIC_* value requires a redeploy (baked into the frontend at build).
+# Changing a NEXT_PUBLIC_* value requires a redeploy (baked into the frontend build).
 # ─────────────────────────────────────────────────────────────────────────────
 
-# ── Host port binding ────────────────────────────────────────────────────────
-# 127.0.0.1 keeps Postgres/MinIO/gateway/frontend OFF the public internet — only
-# Caddy (80/443) is public. (Docker bypasses ufw, so this binding is the real guard.)
+# ── Host-port binding ────────────────────────────────────────────────────────
+# Internal services (postgres, render) stay on loopback. The three nginx-facing
+# services publish on all interfaces so mirror-nginx can reach 171.22.25.73:PORT.
 HOST_BIND=127.0.0.1
+EDGE_BIND=0.0.0.0
 
-# ── Domains (DNS A-records must point at this server) ────────────────────────
-DOMAIN=flatrender.example.com
-API_DOMAIN=api.flatrender.example.com
-STORAGE_DOMAIN=storage.flatrender.example.com
-ACME_EMAIL=you@example.com
+# nginx-facing host ports (must be free on 171.22.25.73 — :3000 is Gitea, avoid it).
+FRONTEND_PORT=1600
+GATEWAY_PORT=1605
+MINIO_PORT=1610
+MINIO_CONSOLE_PORT=1611
 
-# ── Browser-facing URLs (baked into the frontend at build time) ──────────────
-NEXT_PUBLIC_SITE_URL=https://flatrender.example.com
-NEXT_PUBLIC_API_URL=https://api.flatrender.example.com/v1
-NEXT_PUBLIC_MINIO_URL=https://storage.flatrender.example.com
+# ── Browser-facing URLs (served by mirror-nginx over HTTPS; baked into frontend) ─
+NEXT_PUBLIC_SITE_URL=https://flatrender.ir
+NEXT_PUBLIC_API_URL=https://api.flatrender.ir/v1
+NEXT_PUBLIC_MINIO_URL=https://storage.flatrender.ir
 NEXT_PUBLIC_TENANT_SLUG=flatrender
-CORS_ORIGIN=https://flatrender.example.com
+CORS_ORIGIN=https://flatrender.ir
 
 # ── Core secrets ─────────────────────────────────────────────────────────────
 JWT_SECRET=<openssl rand -hex 32>
@@ -44,30 +48,27 @@ MINIO_SECRET_KEY=<openssl rand -hex 24>
 MINIO_BUCKET=flatrender-exports
 MINIO_TEMPLATES_BUCKET=flatrender-templates
 MINIO_UPLOAD_BUCKET=user-uploads
-# render-svc signs presigned URLs for the public storage domain (over HTTPS via Caddy):
-MINIO_HOST_ENDPOINT=storage.flatrender.example.com
+# render-svc signs presigned URLs for the public storage domain (HTTPS via nginx):
+MINIO_HOST_ENDPOINT=storage.flatrender.ir
 MINIO_HOST_USE_SSL=true
 
 # ── Render farm ──────────────────────────────────────────────────────────────
 # No AE node on the server → keep the dev worker OFF (it would mock-complete jobs).
-# Instead disable rendering in Admin → فارم رندر → موتور رندر so users see a notice.
+# Disable rendering in Admin → فارم رندر → موتور رندر so users see an "unavailable" notice.
 RENDER_DEV_WORKER=false
 RENDER_DEV_SNAPSHOTS=false
 
-# Gateway host port (bound to HOST_BIND above; public access is via API_DOMAIN/Caddy).
-GATEWAY_PORT=8080
-
-# ── Payments (fill the providers you actually use; leave others blank) ───────
+# ── Payments (fill the providers you use; leave others blank) ────────────────
 STRIPE_SECRET_KEY=
 STRIPE_WEBHOOK_SECRET=
 STRIPE_PUBLISHABLE_KEY=
 ZARINPAL_MERCHANT_ID=
-ZARINPAL_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/zarinpal
+ZARINPAL_CALLBACK_URL=https://api.flatrender.ir/v1/payments/callback/zarinpal
 ZARINPAL_SANDBOX=false
 SNAPPAY_CLIENT_ID=
 SNAPPAY_CLIENT_SECRET=
 SNAPPAY_BASE_URL=https://api.snappay.ir
-SNAPPAY_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/snappay
+SNAPPAY_CALLBACK_URL=https://api.flatrender.ir/v1/payments/callback/snappay
 TARA_API_KEY=
 TARA_BASE_URL=https://api.tara.ir
-TARA_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/tara
+TARA_CALLBACK_URL=https://api.flatrender.ir/v1/payments/callback/tara