feat(cloud): harden nginx-proxy + sql foundation; HTTP-01 interim cert plan

Wire up the three foundation stacks (nginx-proxy, sql, portainer) in
cloud/compose.yml and add real configs for the first two.

nginx-proxy
- Base nginx.conf with http + stream contexts, modern TLS profile,
  client_max_body_size baseline for gitea LFS / mlflow artifacts.
- Vhosts under conf.d/: grafana, gitea, keycloak, nodered, mlflow,
  jupyter, portainer (HTTPS upstream), rabbitmq, jenkins. WebSocket
  upgrade headers where needed (grafana live, node-red editor,
  jupyterhub kernels, jenkins agents).
- conf.d/00-default.conf serves /.well-known/acme-challenge/ on :80
  and 301-redirects everything else.
- stream.d/mqtt.conf terminates MQTT-TLS at 8883, proxies to
  rabbitmq:1883 internally.
- All vhosts reference /etc/letsencrypt/live/infra/* — a stable path
  via certbot --cert-name infra, so the wildcard migration changes
  nothing in the vhost files.
- README documents: HTTP-01 SAN interim during Versio period →
  DNS-01 wildcard via certbot-dns-transip after migration; bootstrap
  procedure (self-signed fallback → real cert issuance → reload).

sql
- config/init.d/01-databases.sh provisions gitea/keycloak/mlflow
  databases + roles on first start. Idempotent only via fresh
  data volume — change the script after first run requires
  manual psql or a volume wipe.
- compose env extended with GITEA_DB_PASSWORD, KEYCLOAK_DB_PASSWORD,
  MLFLOW_DB_PASSWORD.

cloud
- include: now wires nginx-proxy + sql + portainer. Other stacks
  stay commented for future rounds.
- .env.example adds KEYCLOAK_DB_PASSWORD and sensible defaults
  (LETSENCRYPT_EMAIL, GRAFANA_ROOT_URL, KEYCLOAK_HOSTNAME,
  GITEA_ROOT_URL, POSTFIX_FROM_DOMAIN all pointing at wbd-rd.nl).
- Operator note inline: bring portainer's standalone instance down
  before deploying via cloud compose; comment its ports: block.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

cloud/.env.example

@@ -4,18 +4,21 @@
 TZ=Europe/Amsterdam
 
 # Domain / TLS
-PRIMARY_DOMAIN=
-LETSENCRYPT_EMAIL=
+PRIMARY_DOMAIN=wbd-rd.nl
+LETSENCRYPT_EMAIL=r.de.ren@brabantsedelta.nl
+# Production CA: https://acme-v02.api.letsencrypt.org/directory
+# Staging CA (testing): https://acme-staging-v02.api.letsencrypt.org/directory
 ACME_CA_URI=https://acme-v02.api.letsencrypt.org/directory
 
 # WireGuard server
 WG_SERVER_PORT=51820
 WG_SERVER_PUBLIC_HOST=
 
-# Keycloak (admin bootstrap)
+# Keycloak (admin bootstrap + DB)
 KEYCLOAK_ADMIN=admin
 KEYCLOAK_ADMIN_PASSWORD=
-KEYCLOAK_HOSTNAME=
+KEYCLOAK_HOSTNAME=keycloak.wbd-rd.nl
+KEYCLOAK_DB_PASSWORD=
 
 # InfluxDB
 INFLUX_ADMIN_USER=admin
@@ -27,7 +30,7 @@ INFLUX_BUCKET=telemetry
 # Grafana
 GRAFANA_ADMIN_USER=admin
 GRAFANA_ADMIN_PASSWORD=
-GRAFANA_ROOT_URL=
+GRAFANA_ROOT_URL=https://grafana.wbd-rd.nl
 
 # SQL (postgres — single point of config)
 SQL_DB=config
@@ -41,10 +44,10 @@ RABBITMQ_VHOST=/
 
 # Postfix
 POSTFIX_RELAYHOST=
-POSTFIX_FROM_DOMAIN=
+POSTFIX_FROM_DOMAIN=wbd-rd.nl
 
 # Gitea (HTTPS-only; uses sql backend)
-GITEA_ROOT_URL=
+GITEA_ROOT_URL=https://gitea.wbd-rd.nl
 GITEA_DB_HOST=sql:5432
 GITEA_DB_NAME=gitea
 GITEA_DB_USER=gitea