
feat(base): complete base infrastructure with socket proxy#314

Open
Problemsolver0070 wants to merge 1 commit into illbnm:master from Problemsolver0070:feat/base-infrastructure

Conversation

@Problemsolver0070

Summary

Closes #1 [BOUNTY $180] Base Stack — Infrastructure

Complete base infrastructure with all 4 required services:

  • Traefik (v3.1.6) — Reverse proxy with auto HTTPS (Let's Encrypt HTTP + DNS challenge), Dashboard with BasicAuth, 80→443 redirect
  • Portainer CE (2.21.3) — Docker management UI via socket proxy, Authentik OAuth integration
  • Watchtower (1.7.1) — Auto container updates at 3:00 AM daily, label-scoped, ntfy notifications
  • Socket Proxy (tecnativa/docker-socket-proxy:0.2.0) — Secure Docker socket isolation on internal-only network

Key Design Decisions

  • No direct docker.sock mount — All Docker API access goes through socket-proxy on an internal socket network
  • Traefik uses tcp://socket-proxy:2375 endpoint (updated in config/traefik/traefik.yml)
  • Portainer connects via -H tcp://socket-proxy:2375 command flag
  • Watchtower uses DOCKER_HOST=tcp://socket-proxy:2375
  • Dependency ordering: socket-proxy → Traefik/Portainer/Watchtower (all wait for healthy)

Acceptance Criteria

  • docker compose up -d starts all 4 containers (Traefik, Portainer, Watchtower, Socket Proxy)
  • All containers have healthchecks
  • HTTP port 80 auto-redirects to HTTPS (configured in traefik.yml entryPoints)
  • traefik.${DOMAIN} serves Dashboard with BasicAuth protection
  • portainer.${DOMAIN} serves Portainer UI
  • Other stacks join proxy external network for Traefik discovery
  • Docker socket secured via tecnativa/docker-socket-proxy
  • README includes DNS configuration, certificate setup, and verification commands
  • .env.example with all required variables documented

Files Changed

  • stacks/base/docker-compose.yml — Added socket-proxy, updated all services
  • stacks/base/.env.example — New: all configurable parameters
  • stacks/base/README.md — Complete rewrite with DNS, TLS, security docs
  • stacks/base/docker-compose.local.yml — Updated for socket proxy
  • config/traefik/traefik.yml — Docker endpoint → socket-proxy

Test Plan

  • docker compose config validates
  • docker compose up -d starts 4 containers
  • docker compose ps shows all healthy
  • curl -I http://SERVER_IP returns 301/302 to HTTPS
  • curl https://traefik.DOMAIN/api/version returns 200 (with auth)
  • curl https://portainer.DOMAIN/api/status returns 200
  • Another stack with proxy network and traefik.enable=true is discovered

Generated/reviewed with: claude-opus-4-6
Reviewed/verified with: GPT-5.3 Codex

🤖 Generated with Claude Code

- Add tecnativa/docker-socket-proxy:0.2.0 for Docker socket security
- Traefik now connects via tcp://socket-proxy:2375 (no direct socket mount)
- Portainer connects via socket proxy with -H flag
- Watchtower connects via socket proxy with DOCKER_HOST env
- Internal 'socket' network isolates Docker API access
- Update Portainer to 2.21.3 per issue spec
- Change Watchtower schedule to 3:00 AM daily
- Add ntfy notification integration for Watchtower
- Add watchtower.enable labels on all services
- Add .env.example with all configurable parameters
- Rewrite README with DNS config, TLS cert instructions, security docs

All 4 containers: Traefik, Portainer, Watchtower, Socket Proxy.
All services have healthchecks and proper dependency ordering.

Generated/reviewed with: claude-opus-4-6
Reviewed/verified with: GPT-5.3 Codex

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
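The "no direct docker.sock mount" design above, as an added compose example (not the PR's own stacks/base/docker-compose.yml): the socket proxy is the only container that sees the socket, it is placed on an internal-only network, and its allow-list is narrowed to the read endpoints Traefik's Docker provider needs. The tecnativa environment variable names are the image's documented ones; the exact set Traefik requires and the wget-based healthcheck are assumptions to verify against your versions, and the Traefik CLI flag is the equivalent of the providers.docker.endpoint setting the PR puts in traefik.yml.

```yaml
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy:0.2.0
    restart: unless-stopped
    environment:
      # Allow only read-side endpoints; everything not listed is denied by the proxy.
      CONTAINERS: 1
      NETWORKS: 1
      SERVICES: 1
      TASKS: 1
      EVENTS: 1
      PING: 1
      VERSION: 1
      # Explicitly refuse POST so no client behind the proxy can create, start or exec
      # into containers even if it is compromised (assumed to be the image default).
      POST: 0
    volumes:
      # Read-only bind of the host socket; this is the ONLY container that mounts it.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket
    healthcheck:
      # Assumed: the image's Alpine base ships busybox wget; /_ping is allowed by PING=1.
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:2375/_ping"]
      interval: 10s
      timeout: 5s
      retries: 5

  traefik:
    image: traefik:v3.1.6
    restart: unless-stopped
    command:
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      - --providers.docker.exposedByDefault=false
    depends_on:
      socket-proxy:
        condition: service_healthy
    networks:
      - socket   # reach the proxy
      - proxy    # discover other stacks
    # Deliberately no /var/run/docker.sock volume here.
    ports:
      - "80:80"
      - "443:443"

networks:
  socket:
    internal: true   # no route to the outside; only proxy <-> consumers
  proxy:
    external: true
```

A quick check after `docker compose up -d`: `docker compose exec traefik ls /var/run/docker.sock` should fail, while `docker compose exec traefik wget -qO- http://socket-proxy:2375/version` (or the equivalent with whatever HTTP client the image provides) should succeed and a POST to `/containers/create` should be refused.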
@zhuzhushiwojia

🦞 CLAIMING BOUNTY #314 - Base Stack $180 USDT

Hi @illbnm!

Claiming this bounty immediately!

Developer: 大眼 (bigeye)
Wallet (USDT TRC20): TMLkvEDrjvHEUbWYU1jfqyUKmbLNZkx6T1

Ready to start work! 🚀



Development

Successfully merging this pull request may close these issues.

[BOUNTY $180] Base Infrastructure — Traefik + Portainer + Watchtower
