Add Gitea CI/CD for hamkadr.ir (Nexus build + self-hosted compose deploy)

- .gitea/workflows/ci-cd.yml: dotnet build via mirror.soroushasadi.com; self-hosted deploy with pg_dump backup, rollback tag, scoped recreate, /healthz wait, prune
- Dockerfile (sdk/aspnet 10 via Nexus) + nuget.docker.config + .dockerignore
- docker-compose.prod.yml: app on 127.0.0.1:APP_PORT, Postgres internal-only + named volume
- deploy/nginx-hamkadr.ir.conf + DEPLOY.md (ports: 22/80/443 only; DB never exposed)
- Prod seeds reference data only (no demo listings); ForwardedHeaders for nginx TLS; /healthz endpoint

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.gitea/workflows/ci-cd.yml

@@ -0,0 +1,126 @@
+name: CI/CD
+
+on:
+  push:         { branches: [main] }
+  pull_request: { branches: [main] }
+
+concurrency:
+  group: hamkadr-cicd-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  # ---------------------------------------------------------------- CI
+  build:
+    name: "CI — dotnet build (Release)"
+    runs-on: ubuntu-latest
+    container:
+      image: mirror.soroushasadi.com/dotnet/sdk:10.0
+      options: --add-host=gitea:host-gateway
+    steps:
+      - name: Checkout
+        env:
+          TOKEN: ${{ github.token }}
+          REF:   ${{ github.ref }}
+        run: |
+          git init
+          git remote add origin "${{ github.server_url }}/${{ github.repository }}.git"
+          git config http.extraheader "Authorization: Bearer ${TOKEN}"
+          git fetch --depth=1 origin "${REF}"
+          git checkout FETCH_HEAD
+
+      - name: Write NuGet config (Nexus)
+        run: |
+          cat > /tmp/nuget.ci.config << 'EOF'
+          <?xml version="1.0" encoding="utf-8"?>
+          <configuration>
+            <packageSources>
+              <clear />
+              <add key="nexus"
+                   value="https://mirror.soroushasadi.com/repository/nuget-group/index.json"
+                   protocolVersion="3" />
+            </packageSources>
+          </configuration>
+          EOF
+
+      - name: Restore
+        run: dotnet restore src/JobsMedical.Web/JobsMedical.Web.csproj --configfile /tmp/nuget.ci.config
+        env: { DOTNET_CLI_TELEMETRY_OPTOUT: 1 }
+
+      - name: Build
+        run: dotnet build src/JobsMedical.Web/JobsMedical.Web.csproj --no-restore -c Release
+
+  # ---------------------------------------------------------------- Deploy
+  deploy:
+    name: "Deploy — hamkadr (compose)"
+    runs-on: self-hosted
+    needs: [build]
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    timeout-minutes: 40
+    env:
+      # act host runner starts with a minimal PATH — extend so docker/snap resolve.
+      PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
+      DOCKER_BUILDKIT: 1
+      COMPOSE_DOCKER_CLI_BUILD: 1
+    steps:
+      - name: Checkout
+        env:
+          TOKEN: ${{ github.token }}
+          REF:   ${{ github.ref }}
+        run: |
+          git init
+          git remote add origin "${{ github.server_url }}/${{ github.repository }}.git"
+          git config http.extraheader "Authorization: Bearer ${TOKEN}"
+          git fetch --depth=1 origin "${REF}"
+          git checkout FETCH_HEAD
+
+      - name: Write .env
+        run: printf '%s' "$ENV_FILE" > .env
+        env: { ENV_FILE: ${{ secrets.ENV_FILE }} }
+
+      - name: Back up database (if running)
+        run: |
+          set -a; . ./.env; set +a
+          if docker ps -a --format '{{.Names}}' | grep -q '^hamkadr-db$'; then
+            mkdir -p /opt/hamkadr-backups
+            TS=$(date +%Y%m%d-%H%M%S)
+            echo "Backing up DB → /opt/hamkadr-backups/hamkadr-$TS.sql"
+            docker exec hamkadr-db pg_dump -U "$POSTGRES_USER" "$POSTGRES_DB" \
+              > "/opt/hamkadr-backups/hamkadr-$TS.sql" || echo "WARN: backup skipped (db not ready yet)"
+          else
+            echo "No existing db container — first deploy, nothing to back up."
+          fi
+
+      - name: Tag current image for rollback
+        run: |
+          if docker image inspect hamkadr-app:latest >/dev/null 2>&1; then
+            docker tag hamkadr-app:latest hamkadr-app:rollback
+            echo "Tagged hamkadr-app:rollback"
+          fi
+
+      - name: Build app image
+        run: docker compose -f docker-compose.prod.yml build app
+
+      - name: Start database
+        run: docker compose -f docker-compose.prod.yml up -d --no-deps db
+
+      - name: Recreate app (stop + rm + up — reliable across docker versions)
+        run: |
+          docker stop hamkadr-app 2>/dev/null || true
+          docker rm   hamkadr-app 2>/dev/null || true
+          docker compose -f docker-compose.prod.yml up -d --no-deps app
+
+      - name: Wait for app healthy
+        run: |
+          set -a; . ./.env; set +a
+          for i in $(seq 1 24); do
+            if curl -fsS "http://127.0.0.1:${APP_PORT}/healthz" >/dev/null 2>&1; then
+              echo "OK — hamkadr-app healthy on 127.0.0.1:${APP_PORT}"; exit 0
+            fi
+            echo "  [$i/24] not ready yet…"
+            sleep 5
+          done
+          echo "TIMEOUT — dumping logs"; docker logs --tail=60 hamkadr-app; exit 1
+
+      - name: Prune dangling images
+        if: success()
+        run: docker image prune -f