feat(infra): parameterize secrets, add Caddy reverse proxy for domain

All hardcoded passwords/keys replaced with env vars so .env controls
everything in both dev and production:
  - DB_PASSWORD, DB_CONNECTION_STRING, JWT_KEY
  - CORS_ORIGIN_*, ASPNETCORE_ENVIRONMENT
  - All ZarinPal/Kavenegar/Snappfood secrets

New files for tomorrow's domain setup:
  - Caddyfile        → routes all subdomains with auto TLS
  - docker-compose.caddy.yml → adds Caddy service to the stack

.env.example now has clear TODAY (IP) vs TOMORROW (domain) sections.
Fixed hardcoded ZarinPal MerchantId in docker-compose.full.yml.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.env.example

@@ -1,52 +1,85 @@
-# Copy to .env and adjust if ports conflict on your machine:
-#   copy .env.example .env
+# ─────────────────────────────────────────────────────────────────────────────
+# Meezi — environment template
+# Copy to .env and fill in values.  NEVER commit .env to git.
+#
+# For production: put the full contents in Gitea → Settings → Secrets → ENV_FILE
+# ─────────────────────────────────────────────────────────────────────────────
 
-# Host ports (what you open in the browser)
-WEB_PORT=3101          # Dashboard    http://localhost:3101/fa/login
-WEBSITE_PORT=3010      # Website      http://localhost:3010/fa
-ADMIN_WEB_PORT=3102    # Admin panel  http://localhost:3102/fa/admin/login
-API_PORT=5080          # Main API     http://localhost:5080/swagger
-ADMIN_API_PORT=5081    # Admin API    http://localhost:5081/swagger
+# ── Environment ───────────────────────────────────────────────────────────────
+ASPNETCORE_ENVIRONMENT=Production
 
-# Optional: expose DB/Redis on host (for local tools). Change if already in use.
+# ── Database ──────────────────────────────────────────────────────────────────
+DB_PASSWORD=change-me-strong-password
+DB_CONNECTION_STRING=Host=postgres;Port=5432;Database=meezi;Username=meezi;Password=change-me-strong-password
+
+# ── JWT ───────────────────────────────────────────────────────────────────────
+# openssl rand -hex 32
+JWT_KEY=change-me-64-char-random-string-use-openssl-rand-hex-32-output
+
+# ── TODAY: IP-based access (no domain yet) ───────────────────────────────────
+# Replace 171.22.25.73 with your actual server IP.
+# Note: NEXT_PUBLIC_* are baked into Next.js images at build time.
+# When you switch to a domain tomorrow, update these AND re-run CI (to rebuild).
+
+NEXT_PUBLIC_API_URL=http://171.22.25.73:5080
+NEXT_PUBLIC_ADMIN_API_URL=http://171.22.25.73:5081
+NEXT_PUBLIC_SITE_URL=http://171.22.25.73:3010
+NEXT_PUBLIC_FINDER_URL=http://171.22.25.73:3103
+
+APP_QR_BASE_URL=http://171.22.25.73:3101
+BILLING_DASHBOARD_URL=http://171.22.25.73:3101
+
+CORS_ORIGIN_0=http://171.22.25.73:3101
+CORS_ORIGIN_1=http://171.22.25.73:3010
+CORS_ORIGIN_2=http://171.22.25.73:3103
+CORS_ADMIN_ORIGIN_0=http://171.22.25.73:3102
+
+# Host ports (what gets exposed on the server)
+API_PORT=5080
+ADMIN_API_PORT=5081
+WEB_PORT=3101
+ADMIN_WEB_PORT=3102
+WEBSITE_PORT=3010
+FINDER_PORT=3103
 POSTGRES_PORT=5434
 REDIS_PORT=6381
 
-# Browser must reach the API on the host (not Docker service names)
-NEXT_PUBLIC_API_URL=http://localhost:5080
-NEXT_PUBLIC_ADMIN_API_URL=http://localhost:5081
+# ── TOMORROW: domain + Caddy (comment out IP section above, use this) ─────────
+# DOMAIN=meezi.ir
+# ACME_EMAIL=you@example.com
+#
+# NEXT_PUBLIC_API_URL=https://api.meezi.ir
+# NEXT_PUBLIC_ADMIN_API_URL=https://admin-api.meezi.ir
+# NEXT_PUBLIC_SITE_URL=https://meezi.ir
+# NEXT_PUBLIC_FINDER_URL=https://finder.meezi.ir
+#
+# APP_QR_BASE_URL=https://app.meezi.ir
+# BILLING_DASHBOARD_URL=https://app.meezi.ir
+#
+# CORS_ORIGIN_0=https://app.meezi.ir
+# CORS_ORIGIN_1=https://meezi.ir
+# CORS_ORIGIN_2=https://finder.meezi.ir
+# CORS_ADMIN_ORIGIN_0=https://admin.meezi.ir
+#
+# Then run CI once to rebuild images with the new URLs baked in.
+# DNS required: meezi.ir, app.meezi.ir, api.meezi.ir,
+#               finder.meezi.ir, admin.meezi.ir, admin-api.meezi.ir → server IP
 
-# Marketing website — public URL (used for sitemap, JSON-LD, canonical)
-NEXT_PUBLIC_SITE_URL=http://localhost:3010
+# ── Migrations ────────────────────────────────────────────────────────────────
+RUN_MIGRATIONS=true
 
-# API Docker base images (if build fails — see docs/DOCKER.md)
-# DOTNET_SDK_IMAGE=mcr.microsoft.com/dotnet/sdk:10.0
-# DOTNET_ASPNET_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0
-
-# --- API (docker-compose / Arvan) ---
-# ConnectionStrings__DefaultConnection=Host=postgres;Port=5432;Database=meezi;Username=meezi;Password=...
-# ConnectionStrings__Redis=redis:6379
-# Jwt__Key=<32+ char secret>
-# App__PublicBaseUrl=http://localhost:5080
-# App__QrPublicBaseUrl=http://localhost:3101
-# Billing__DashboardBaseUrl=http://localhost:3101
-# RUN_MIGRATIONS=true
-
-# ZarinPal (empty = mock payment in dev)
+# ── Payment: ZarinPal ─────────────────────────────────────────────────────────
 # Get your merchant ID from: https://panel.zarinpal.com → API → MerchantID
 ZARINPAL_MERCHANT_ID=
-ZARINPAL_SANDBOX=true
+ZARINPAL_SANDBOX=false
 
-# Snappfood webhook HMAC secret (dev default in appsettings)
-# Snappfood__WebhookSecret=meezi-dev-snappfood-secret
+# ── SMS: Kavenegar ────────────────────────────────────────────────────────────
+# Empty = OTP is logged to API console (fine for dev, not for production)
+KAVENEGAR_API_KEY=
 
-# Taraz / سامانه مودیان (optional; stub without cert)
-# Taraz__Username=
-# Taraz__Password=
-# Taraz__CertificatePath=
+# ── Snappfood webhook ─────────────────────────────────────────────────────────
+SNAPPFOOD_WEBHOOK_SECRET=change-me-snappfood-secret
 
-# Kavenegar SMS (empty = OTP logged to API console in dev)
-# Kavenegar__ApiKey=
-
-# CORS (comma-separated origins for production)
-# Cors__Origins__0=https://app.meezi.ir
+# ── Docker image overrides (if direct MCR pull fails) ────────────────────────
+# DOTNET_SDK_IMAGE=171.22.25.73:5002/dotnet/sdk:10.0
+# DOTNET_ASPNET_IMAGE=171.22.25.73:5002/dotnet/aspnet:10.0