feat: SSL/TLS certificate management with Let's Encrypt (#512)#644

Open
Julianemeka wants to merge 1 commit into
Vera3289:mainfrom
Julianemeka:feat/ssl-tls-cert-management-512

Conversation

@Julianemeka


Closes #512

Changes

infra/ssl/nginx.conf

  • TLS 1.2/1.3 only, OCSP stapling
  • Security headers: HSTS (preload, 2yr), X-Frame-Options DENY, X-Content-Type-Options nosniff, X-XSS-Protection, Referrer-Policy, CSP
  • HTTP→HTTPS redirect + ACME webroot challenge path

infra/ssl/docker-compose.ssl.yml

Docker Compose overlay — stacks on top of any compose file:

docker compose -f docker-compose.dev.yml -f infra/ssl/docker-compose.ssl.yml up
  • nginx service: terminates TLS, reverse proxies to api:3000
  • certbot service: auto-renews every 12h (skips if >30 days remain)

scripts/ssl-setup.sh

Initial certificate generation. Supports staging flag and multi-domain SAN:

STAGING=1 ./scripts/ssl-setup.sh api.example.com admin@example.com www.example.com

scripts/ssl-renew.sh

Zero-downtime renewal via webroot challenge + nginx -s reload deploy-hook. Use with cron.

scripts/ssl-monitor.sh

Expiry monitoring — exits 1 when cert expires within WARN_DAYS (default 14). Wire into PagerDuty/Slack.

docs/ssl-setup.md

Full setup guide: quick start, multi-domain, auto-renewal, monitoring, environment variables.

Acceptance Criteria

  • ✅ Automatic certificate generation (certbot webroot)
  • ✅ Renewal before expiration (auto every 12h; certbot skips if > 30 days remain)
  • ✅ Multiple domain support (SAN via extra args to ssl-setup.sh)
  • ✅ Certificate rotation (zero-downtime via nginx reload)
  • ✅ No downtime renewal (webroot challenge, nginx never stopped)
  • ✅ Monitoring for expiration (ssl-monitor.sh, configurable threshold)
  • ✅ Security headers (HSTS preload, CSP, X-Frame-Options, nosniff)

- infra/ssl/nginx.conf: TLS 1.2/1.3, OCSP stapling, security headers
  (HSTS preload, X-Frame-Options DENY, CSP, X-Content-Type-Options)
- infra/ssl/docker-compose.ssl.yml: nginx+certbot overlay for any compose stack
- scripts/ssl-setup.sh: initial cert generation, multi-domain SAN support,
  staging flag for testing
- scripts/ssl-renew.sh: zero-downtime renewal via webroot challenge +
  nginx reload deploy-hook
- scripts/ssl-monitor.sh: expiry check, configurable WARN_DAYS threshold,
  exits 1 for alerting integration
- docs/ssl-setup.md: setup guide, multi-domain usage, cron renewal, monitoring

Closes Vera3289#512
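
The expiry check that the description gives for scripts/ssl-monitor.sh (exit 1 once the certificate is within WARN_DAYS of expiry, default 14), written out as an added example; this is not the PR's own script. It assumes openssl and GNU date on PATH, keeps the PR's WARN_DAYS variable name, and the certificate path in the usage comment is a placeholder for the certbot live directory, not a path taken from the PR:

```shell
#!/bin/sh
# Added example, not the PR's scripts/ssl-monitor.sh: certificate expiry check
# that exits non-zero when the cert expires within WARN_DAYS (default 14).
# Assumptions: openssl and GNU date are on PATH; the certificate path in the
# usage comment below is a placeholder.

WARN_DAYS="${WARN_DAYS:-14}"

# Whole days from now_epoch until not_after_epoch (negative once expired).
days_left() {
  not_after_epoch=$1
  now_epoch=$2
  echo $(( (not_after_epoch - now_epoch) / 86400 ))
}

# Classify a certificate by remaining lifetime.
# Args: not_after_epoch now_epoch warn_days
# Prints OK / WARN / EXPIRED with the day count and returns 0, 1 or 2, so a
# cron job or alerting hook (PagerDuty/Slack) can act on the exit status.
expiry_status() {
  not_after=$1
  now=$2
  warn=$3
  # Compare epochs directly so a cert expired by a few hours is not reported
  # as "0 days left" (integer division would truncate that to 0).
  if [ "$not_after" -le "$now" ]; then
    echo "EXPIRED"
    return 2
  fi
  d=$(days_left "$not_after" "$now")
  if [ "$d" -lt "$warn" ]; then
    echo "WARN ($d days left, threshold $warn)"
    return 1
  fi
  echo "OK ($d days left)"
  return 0
}

# notAfter of a PEM certificate as epoch seconds. openssl prints
# "notAfter=Jun 26 12:00:00 2026 GMT"; GNU date parses that form.
cert_not_after_epoch() {
  na=$(openssl x509 -noout -enddate -in "$1") || return 3
  date -d "${na#notAfter=}" +%s
}

# Check one certificate file; the exit status follows expiry_status
# (3 means the file could not be read, which should also page someone).
check_cert_file() {
  exp=$(cert_not_after_epoch "$1") || {
    echo "cannot read certificate: $1" >&2
    return 3
  }
  expiry_status "$exp" "$(date +%s)" "$WARN_DAYS"
}

# Standalone usage (placeholder path):
#   WARN_DAYS=30 ./ssl-monitor-example.sh /etc/letsencrypt/live/<domain>/fullchain.pem
# Nothing runs when no argument is given, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
  check_cert_file "$1"
fi
```

Checking fullchain.pem on disk tells you what certbot wrote, not what nginx is serving; after a renewal the reload in the deploy-hook is what makes the two agree, so a monitor that also pulls the live chain with `openssl s_client` would catch a missed reload. The exit-code contract (0 ok, 1 warn, 2 expired, 3 unreadable) is what lets a cron wrapper distinguish "renew soon" from "already broken".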
@drips-wave

drips-wave Bot commented Jun 26, 2026


@Julianemeka Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀


Development

Successfully merging this pull request may close these issues.

Set Up SSL/TLS Certificate Management
