Align CI/CD with soroush method (DrSousan single-app pattern)

Audited against working Meezi/DrSousan pipelines. Fixes:
- Single docker-compose.yml is the production stack (api + internal db); folded in docker-compose.prod.yml; dev Postgres → docker-compose.dev.yml
- Dockerfile HEALTHCHECK (bash /dev/tcp) so deploy's docker-inspect Health.Status wait works
- Naming to convention: service api, container hamkadr_api/hamkadr_db, image mirror.soroushasadi.com/hamkadr/api:${API_TAG}
- Workflow rewritten to DrSousan pattern: ci build + deploy (rollback-tag before build, pg_dump backup, stop/rm/up, docker-inspect health-wait with crash detection, scoped image prune)
- environment: block with ${VAR:-default} substitution (no hard-failing env_file); HOST_PORT; .env excluded from image context
- nginx vhost + DEPLOY.md updated to match

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

docker-compose.yml

@@ -1,16 +1,56 @@
+# Production compose for hamkadr.ir — the Gitea deploy job uses THIS file directly
+# (docker compose build api / up -d --no-deps api). Local dev DB → docker-compose.dev.yml.
+# nginx (host) terminates TLS for hamkadr.ir and reverse-proxies to 127.0.0.1:${HOST_PORT}.
+name: hamkadr   # locked so redeploys reuse the same named volume (no orphaned data)
+
 services:
+
+  # ── .NET 10 Razor Pages app ──────────────────────────────────────────────────
+  api:
+    image: mirror.soroushasadi.com/hamkadr/api:${API_TAG:-latest}
+    build:
+      context: .
+      dockerfile: Dockerfile
+    container_name: hamkadr_api
+    restart: unless-stopped
+    depends_on:
+      db:
+        condition: service_healthy
+    ports:
+      - "127.0.0.1:${HOST_PORT:-8090}:8080"   # localhost-only; nginx proxies hamkadr.ir → here
+    environment:
+      ASPNETCORE_ENVIRONMENT: "Production"
+      ASPNETCORE_URLS: "http://+:8080"
+      ConnectionStrings__Default: "Host=db;Port=5432;Database=${POSTGRES_DB:-hamkadr};Username=${POSTGRES_USER:-hamkadr};Password=${POSTGRES_PASSWORD}"
+      Auth__AdminPhone: "${ADMIN_PHONE:-}"
+      # Channel scraping (optional; enable + configure via ENV_FILE)
+      Ingestion__Enabled: "${INGESTION_ENABLED:-false}"
+      Ingestion__IntervalMinutes: "${INGESTION_INTERVAL_MINUTES:-30}"
+      Ingestion__Telegram__Enabled: "${TELEGRAM_ENABLED:-false}"
+      Ingestion__Telegram__BotToken: "${TELEGRAM_BOT_TOKEN:-}"
+      Ingestion__Bale__Enabled: "${BALE_ENABLED:-false}"
+      Ingestion__Bale__BotToken: "${BALE_BOT_TOKEN:-}"
+      Ingestion__Divar__Enabled: "${DIVAR_ENABLED:-false}"
+    # healthcheck is defined in the Dockerfile (bash /dev/tcp probe) so the deploy
+    # job's `docker inspect Health.Status` wait works.
+
+  # ── PostgreSQL (internal only — never published) ─────────────────────────────
   db:
-    image: postgres:17-alpine
-    container_name: jobsmedical-db
+    image: mirror.soroushasadi.com/postgres:16-alpine
+    container_name: hamkadr_db
     restart: unless-stopped
     environment:
-      POSTGRES_DB: jobsmedical
-      POSTGRES_USER: jobsmedical
-      POSTGRES_PASSWORD: jobsmedical_dev
-    ports:
-      - "5433:5432"   # host 5433 to avoid clashing with a local Postgres on 5432
+      POSTGRES_DB: ${POSTGRES_DB:-hamkadr}
+      POSTGRES_USER: ${POSTGRES_USER:-hamkadr}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
     volumes:
-      - jobsmedical-pgdata:/var/lib/postgresql/data
+      - hamkadr_db_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-hamkadr} -d ${POSTGRES_DB:-hamkadr}"]
+      interval: 5s
+      timeout: 5s
+      retries: 20
 
 volumes:
-  jobsmedical-pgdata:
+  hamkadr_db_data:
+    name: hamkadr_db_data