Add Caddy reverse proxy with automatic HTTPS

- Add Caddyfile: proxies to explorer:3001, domain set via $DOMAIN env var
- docker-compose: new caddy service (ports 80/443/443-udp), persistent
  caddy_data/caddy_config volumes; remove direct explorer port binding
- .env.example: replace EXPLORER_PORT with DOMAIN

Set DOMAIN=localhost for local dev (HTTP), DOMAIN=your.domain.com for
production (Caddy fetches Let's Encrypt cert automatically)

.env.example

@@ -20,8 +20,9 @@ WALLET_RPC_USER=
 WALLET_RPC_PASS=
 
 # ─── Explorer web ────────────────────────────────────────────────────────────
-# Host port the explorer is published on
-EXPLORER_PORT=3001
+# Public domain served by Caddy (gets a free Let's Encrypt cert automatically).
+# Use 'localhost' for local testing (HTTP only, no cert).
+DOMAIN=explorer.example.com
 # Bootswatch theme: Cerulean, Cosmo, Cyborg, Darkly, Flatly, Slate, Solar, ...
 EXPLORER_THEME=Purple
 

Caddyfile

@@ -0,0 +1,3 @@
+{$DOMAIN} {
+    reverse_proxy explorer:3001
+}

docker-compose.yml

@@ -4,6 +4,10 @@ networks:
   explorer-internal: # isolates MongoDB from the outside world
     name: purple-explorer-internal
 
+volumes:
+  caddy_data:   # TLS certificates — survives container restarts
+  caddy_config:
+
 services:
   mongodb:
     image: mongo:7
@@ -35,6 +39,30 @@ services:
         max-size: "10m"
         max-file: "3"
 
+  caddy:
+    image: caddy:2-alpine
+    container_name: purple-explorer-caddy
+    restart: unless-stopped
+    depends_on:
+      - explorer
+    networks:
+      - explorer-internal
+    ports:
+      - "0.0.0.0:80:80"
+      - "0.0.0.0:443:443"
+      - "0.0.0.0:443:443/udp"   # HTTP/3
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
+      - caddy_data:/data
+      - caddy_config:/config
+    environment:
+      DOMAIN: ${DOMAIN}
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
+
   explorer:
     build: .
     image: purple-explorer:local
@@ -45,8 +73,7 @@ services:
     networks:
       - purple           # reach bitcoinpurpled:13495 for RPC
       - explorer-internal
-    ports:
-      - "0.0.0.0:${EXPLORER_PORT:-3001}:3001"
+    # Port 3001 is intentionally not published — Caddy proxies traffic
     env_file: .env
     command: web
     logging: