refactor(dns): rename frost.wbd-rd.nl → sta.wbd-rd.nl; drop redundant portainer.wbd-rd.nl

Match the short-functional naming convention used by the other vhosts
(git, auth, dash, flow, ml, hub, ops, mq, ci, mqtt). FROST implements
OGC SensorThings API, so `sta` is the natural fit.

portainer.wbd-rd.nl is dropped from deploy.sh HOSTS — there is no
nginx vhost for it; portainer is already served via ops.wbd-rd.nl.

DNS prereq for first deploy is now: create one new A record for
sta.wbd-rd.nl → cloud public IP. All other short subdomains already
point correctly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

stacks/nginx-proxy/README.md

@@ -22,15 +22,16 @@ config/
 ├── nginx.conf                    # base — http + stream contexts
 ├── conf.d/
 │   ├── 00-default.conf           # port 80: ACME challenge + HTTPS redirect
-│   ├── grafana.conf              # grafana.wbd-rd.nl
-│   ├── gitea.conf                # gitea.wbd-rd.nl
-│   ├── keycloak.conf             # keycloak.wbd-rd.nl
-│   ├── nodered.conf              # nodered.wbd-rd.nl
-│   ├── mlflow.conf               # mlflow.wbd-rd.nl
-│   ├── jupyter.conf              # jupyter.wbd-rd.nl
-│   ├── portainer.conf            # portainer.wbd-rd.nl (HTTPS upstream)
-│   ├── rabbitmq.conf             # rabbitmq.wbd-rd.nl (mgmt UI)
-│   └── jenkins.conf              # jenkins.wbd-rd.nl
+│   ├── grafana.conf              # dash.wbd-rd.nl
+│   ├── gitea.conf                # git.wbd-rd.nl
+│   ├── keycloak.conf             # auth.wbd-rd.nl
+│   ├── nodered.conf              # flow.wbd-rd.nl
+│   ├── mlflow.conf               # ml.wbd-rd.nl
+│   ├── jupyter.conf              # hub.wbd-rd.nl
+│   ├── portainer.conf            # ops.wbd-rd.nl
+│   ├── rabbitmq.conf             # mq.wbd-rd.nl (mgmt UI)
+│   ├── jenkins.conf              # ci.wbd-rd.nl
+│   └── frost.conf                # sta.wbd-rd.nl (FROST / SensorThings)
 └── stream.d/
     └── mqtt.conf                 # mqtt.wbd-rd.nl:8883 → rabbitmq:1883
 ```
@@ -67,7 +68,9 @@ docker compose run --rm certbot certonly \
   -d git.wbd-rd.nl   -d auth.wbd-rd.nl  -d dash.wbd-rd.nl \
   -d flow.wbd-rd.nl  -d ml.wbd-rd.nl    -d hub.wbd-rd.nl \
   -d ops.wbd-rd.nl   -d mq.wbd-rd.nl    -d ci.wbd-rd.nl \
-  -d mqtt.wbd-rd.nl
+  -d mqtt.wbd-rd.nl  -d sta.wbd-rd.nl
+
+# Easier: from the cloud directory just run ./deploy.sh — it handles steps 1-4.
 
 # 4. Reload nginx to pick up the real cert
 docker compose exec nginx nginx -s reload
@@ -77,7 +80,7 @@ The certbot sidecar then renews every 12h automatically.
 
 ## DNS prereqs (HTTP-01)
 
-Before bootstrap, ensure A records exist in Versio for the 10 new short subdomains (the canonical tool-named ones — `gitea.wbd-rd.nl`, `grafana.wbd-rd.nl`, etc. — stay pointed at the existing Versio stack during the transition):
+Before bootstrap, ensure A records exist in Versio for the 11 short functional subdomains (the canonical tool-named ones — `gitea.wbd-rd.nl`, `grafana.wbd-rd.nl`, etc. — stay pointed at the existing Versio stack during the transition):
 
 ```
 git.wbd-rd.nl    A  <cloud-public-ip>      # gitea (new)
@@ -90,6 +93,7 @@ ops.wbd-rd.nl    A  <cloud-public-ip>      # portainer
 mq.wbd-rd.nl     A  <cloud-public-ip>      # rabbitmq mgmt UI
 ci.wbd-rd.nl     A  <cloud-public-ip>      # jenkins
 mqtt.wbd-rd.nl   A  <cloud-public-ip>      # MQTT-TLS broker
+sta.wbd-rd.nl    A  <cloud-public-ip>      # FROST / SensorThings API
 ```
 
 ## TODO