ci: Gitea CI/CD pipeline + server deploy (Nexus mirror, Caddy HTTPS)

- .gitea/workflows/ci-cd.yml: frontend tsc check → self-hosted deploy job that
  builds the full compose stack and brings it up behind Caddy. Locks
  COMPOSE_PROJECT_NAME=flatrender (stable volumes), backs up the DB before each
  deploy, health-waits gateway+frontend, no `down -v`.
- Route all package installs through mirror.soroushasadi.com:
  frontend Dockerfile npm registry → NPM_REGISTRY build arg (Nexus default);
  3× NuGet.Config (content/identity/studio) → HTTPS nuget-group (were a bare IP).
- Harden host ports: ${HOST_BIND:-0.0.0.0} prefix on postgres/minio/render/gateway/
  frontend so prod (HOST_BIND=127.0.0.1) keeps them off the public internet — only
  Caddy 80/443 is public. Dev (unset → 0.0.0.0) unchanged.
- render-svc MINIO_USE_SSL now env-driven (MINIO_HOST_USE_SSL) for HTTPS storage domain.
- deploy/ENV_FILE.production.example (the Gitea secret template) + deploy/README.md
  (one-time setup + go-live checklist).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

services/content/NuGet.Config

@@ -2,6 +2,6 @@
 <configuration>
   <packageSources>
     
-    <add key="nuget.org" value="http://171.22.25.73:8081/repository/nuget-group/index.json" protocolVersion="3" allowInsecureConnections="true" />
+    <add key="nexus" value="https://mirror.soroushasadi.com/repository/nuget-group/index.json" protocolVersion="3" />
   </packageSources>
 </configuration>