feat(infra): parameterize secrets, add Caddy reverse proxy for domain

All hardcoded passwords/keys replaced with env vars so .env controls
everything in both dev and production:
  - DB_PASSWORD, DB_CONNECTION_STRING, JWT_KEY
  - CORS_ORIGIN_*, ASPNETCORE_ENVIRONMENT
  - All ZarinPal/Kavenegar/Snappfood secrets

New files for tomorrow's domain setup:
  - Caddyfile        → routes all subdomains with auto TLS
  - docker-compose.caddy.yml → adds Caddy service to the stack

.env.example now has clear TODAY (IP) vs TOMORROW (domain) sections.
Fixed hardcoded ZarinPal MerchantId in docker-compose.full.yml.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose.caddy.yml

@@ -0,0 +1,47 @@
+# Caddy reverse proxy overlay — use when you have a domain + DNS pointing at this server.
+#
+# Usage:
+#   docker compose \
+#     -f docker-compose.yml \
+#     -f docker-compose.admin.yml \
+#     -f docker-compose.caddy.yml \
+#     up -d
+#
+# Required in .env:
+#   DOMAIN=meezi.ir
+#   ACME_EMAIL=you@example.com
+#
+# After adding this, update .env URLs from http://IP:PORT to https://subdomain.DOMAIN
+# and re-run CI (Next.js bakes NEXT_PUBLIC_* at build time → rebuild required).
+#
+# Firewall: open 80 + 443, keep 3101/3102/3103/5080/5081 blocked from internet.
+
+services:
+  caddy:
+    image: caddy:2-alpine
+    container_name: meezi-caddy
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"   # HTTP/3
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
+      - caddy_data:/data
+      - caddy_config:/config
+    environment:
+      DOMAIN: "${DOMAIN}"
+      ACME_EMAIL: "${ACME_EMAIL}"
+    depends_on:
+      - api
+      - web
+      - website
+      - finder
+      - admin-api
+      - admin-web
+
+volumes:
+  caddy_data:
+    name: meezi-caddy-data
+  caddy_config:
+    name: meezi-caddy-config