feat(infra): parameterize secrets, add Caddy reverse proxy for domain

All hardcoded passwords/keys replaced with env vars so .env controls
everything in both dev and production:
  - DB_PASSWORD, DB_CONNECTION_STRING, JWT_KEY
  - CORS_ORIGIN_*, ASPNETCORE_ENVIRONMENT
  - All ZarinPal/Kavenegar/Snappfood secrets

New files for tomorrow's domain setup:
  - Caddyfile        → routes all subdomains with auto TLS
  - docker-compose.caddy.yml → adds Caddy service to the stack

.env.example now has clear TODAY (IP) vs TOMORROW (domain) sections.
Fixed hardcoded ZarinPal MerchantId in docker-compose.full.yml.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose.yml

@@ -1,18 +1,20 @@
-# Meezi — full stack (Postgres, Redis, API, Dashboard, Marketing Website)
+# Meezi — main stack (Postgres, Redis, API, Dashboard, Website, Finder)
 #
-# Setup:
-#   copy .env.example .env
-#   powershell -File scripts/docker-up-full.ps1
-#   — or — docker compose up -d --build
+# Local dev:
+#   cp .env.example .env
+#   docker compose up -d --build
 #
-# If image pulls fail (Iran / MCR timeout): VPN on, or see docs/DOCKER.md
+# Production (IP-based, no domain yet):
+#   Set ENV_FILE secret in Gitea — CI writes .env and runs docker compose up -d
 #
-# URLs (defaults):
-#   Dashboard  http://localhost:3101/fa/login
-#   Website    http://localhost:3010/fa
-#   Finder     http://localhost:3103/fa
-#   API        http://localhost:5080/swagger
-#   Health     http://localhost:5080/health
+# Production (with domain, add Caddy):
+#   docker compose -f docker-compose.yml -f docker-compose.admin.yml -f docker-compose.caddy.yml up -d
+#
+# URLs (port-based defaults):
+#   Dashboard  http://SERVER:3101/fa/login
+#   Website    http://SERVER:3010/fa
+#   Finder     http://SERVER:3103/fa
+#   API        http://SERVER:5080/swagger
 
 services:
   postgres:
@@ -22,7 +24,7 @@ services:
     environment:
       POSTGRES_DB: meezi
       POSTGRES_USER: meezi
-      POSTGRES_PASSWORD: meezi_local_pass
+      POSTGRES_PASSWORD: "${DB_PASSWORD:-meezi_local_pass}"
     ports:
       - "${POSTGRES_PORT:-5434}:5432"
     volumes:
@@ -63,20 +65,21 @@ services:
       redis:
         condition: service_healthy
     environment:
-      ASPNETCORE_ENVIRONMENT: Development
+      ASPNETCORE_ENVIRONMENT: "${ASPNETCORE_ENVIRONMENT:-Development}"
       ASPNETCORE_URLS: http://+:8080
-      RUN_MIGRATIONS: "true"
-      ConnectionStrings__DefaultConnection: Host=postgres;Port=5432;Database=meezi;Username=meezi;Password=meezi_local_pass
+      RUN_MIGRATIONS: "${RUN_MIGRATIONS:-true}"
+      ConnectionStrings__DefaultConnection: "${DB_CONNECTION_STRING:-Host=postgres;Port=5432;Database=meezi;Username=meezi;Password=meezi_local_pass}"
       ConnectionStrings__Redis: redis:6379
-      App__PublicBaseUrl: ${NEXT_PUBLIC_API_URL:-http://localhost:5080}
-      App__QrPublicBaseUrl: http://localhost:${WEB_PORT:-3101}
-      Cors__Origins__0: http://localhost:${WEB_PORT:-3101}
-      Cors__Origins__1: http://localhost:${WEBSITE_PORT:-3010}
-      Cors__Origins__2: http://localhost:${FINDER_PORT:-3103}
-      Auth__MaxOtpAttemptsPerHour: "100"
-      Kavenegar__ApiKey: ""
-      Billing__DashboardBaseUrl: http://localhost:${WEB_PORT:-3101}
-      Snappfood__WebhookSecret: meezi-dev-snappfood-secret
+      Jwt__Key: "${JWT_KEY:-dev-jwt-key-CHANGE-THIS-IN-PRODUCTION-min32chars}"
+      App__PublicBaseUrl: "${NEXT_PUBLIC_API_URL:-http://localhost:5080}"
+      App__QrPublicBaseUrl: "${APP_QR_BASE_URL:-http://localhost:3101}"
+      Billing__DashboardBaseUrl: "${BILLING_DASHBOARD_URL:-http://localhost:3101}"
+      Cors__Origins__0: "${CORS_ORIGIN_0:-http://localhost:3101}"
+      Cors__Origins__1: "${CORS_ORIGIN_1:-http://localhost:3010}"
+      Cors__Origins__2: "${CORS_ORIGIN_2:-http://localhost:3103}"
+      Auth__MaxOtpAttemptsPerHour: "${OTP_RATE_LIMIT:-100}"
+      Kavenegar__ApiKey: "${KAVENEGAR_API_KEY:-}"
+      Snappfood__WebhookSecret: "${SNAPPFOOD_WEBHOOK_SECRET:-meezi-dev-snappfood-secret}"
       ZarinPal__MerchantId: "${ZARINPAL_MERCHANT_ID:-}"
       ZarinPal__Sandbox: "${ZARINPAL_SANDBOX:-true}"
     ports:
@@ -84,7 +87,6 @@ services:
     volumes:
       - api_uploads:/app/uploads
     healthcheck:
-      # TCP probe only — no apt-get/curl in image (build works offline / without Ubuntu mirrors)
       test: ["CMD-SHELL", "bash -c 'cat </dev/null >/dev/tcp/127.0.0.1/8080' || exit 1"]
       interval: 10s
       timeout: 5s
@@ -124,7 +126,7 @@ services:
       PORT: "3000"
       HOSTNAME: 0.0.0.0
       MEEZI_API_URL: http://api:8080
-      NEXT_PUBLIC_SITE_URL: ${NEXT_PUBLIC_SITE_URL:-http://localhost:3010}
+      NEXT_PUBLIC_SITE_URL: "${NEXT_PUBLIC_SITE_URL:-http://localhost:3010}"
     ports:
       - "${WEBSITE_PORT:-3010}:3000"
 
@@ -143,8 +145,8 @@ services:
     environment:
       PORT: "3000"
       HOSTNAME: 0.0.0.0
-      NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL:-http://localhost:5080}
-      NEXT_PUBLIC_SITE_URL: ${NEXT_PUBLIC_FINDER_URL:-http://localhost:3103}
+      NEXT_PUBLIC_API_URL: "${NEXT_PUBLIC_API_URL:-http://localhost:5080}"
+      NEXT_PUBLIC_SITE_URL: "${NEXT_PUBLIC_FINDER_URL:-http://localhost:3103}"
     ports:
       - "${FINDER_PORT:-3103}:3000"