stage-28: wire LETSENCRYPT_HOST + LETSENCRYPT_EMAIL on the cockpit service

Adds the two env vars nginxproxy/acme-companion looks for to issue +
auto-renew the TLS cert for psyc.neuronetz.ai. LETSENCRYPT_EMAIL is
interpolated from the prod .env (LETSENCRYPT_EMAIL=...) with a sensible
fallback so dev / local deploys don't fail on the variable being unset.
.env.example documents the var.

Requires the proxy stack to (a) have acme-companion alongside
nginx-proxy with shared certs/vhost.d/html volumes and (b) publish :443.
psyc-side change only — no app code touched.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
m17hr1l
2026-05-25 16:42:46 +02:00
parent 9c3447723a
commit 92f754e012
2 changed files with 12 additions and 0 deletions


@@ -14,6 +14,12 @@ OTX_API_KEY=
# (raises throttling from ~5 to ~50 requests / 30s)
NVD_API_KEY=
# --- Production-only: Let's Encrypt email for the acme-companion sidecar ---
# Used as the contact address for the TLS cert acme-companion issues for
# psyc.neuronetz.ai. Safe to leave the default in dev (cert isn't issued
# without a reachable acme-companion + public DNS + :443).
# LETSENCRYPT_EMAIL=admin@neuronetz.ai
# --- Internal service URLs — overridden in docker compose; defaults for venv CLI ---
# PSYC_MOCK_CERT_URL=http://127.0.0.1:8770
# PSYC_INFERENCE_URL=http://127.0.0.1:8771
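
Review bot: the `# LETSENCRYPT_EMAIL=admin@neuronetz.ai` line is commented out, so the "default" this comment calls safe for dev is not set by this file at all; the value in effect comes from the fallback in the compose file, and the same address now has to be maintained in two places. State in the comment that production must uncomment and set the line, and that an unset variable falls back to the compose default, so the two copies cannot drift unnoticed.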


@@ -20,6 +20,12 @@ services:
environment:
VIRTUAL_HOST: psyc.neuronetz.ai
VIRTUAL_PORT: "8767"
# Triggers nginxproxy/acme-companion (which must be running alongside
# nginx-proxy on the host) to issue + auto-renew a Let's Encrypt cert
# for psyc.neuronetz.ai. LETSENCRYPT_EMAIL comes from .env so per-env
# configurable — falls back to the default if unset.
LETSENCRYPT_HOST: psyc.neuronetz.ai
LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL:-admin@neuronetz.ai}
PSYC_MOCK_CERT_URL: http://mock-cert:8770
PSYC_SOAR_URL: http://mock-cert:8770
PSYC_INFERENCE_URL: http://inference:8771
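
Review bot: `LETSENCRYPT_HOST: psyc.neuronetz.ai` is a literal, so every environment that starts this service behind a proxy with acme-companion will request a certificate for the production name, while only the email is configurable per environment. Consider interpolating the host the same way as the email, or setting both variables only in a production override file, and keep it tied to VIRTUAL_HOST, which repeats the same literal at the top of this environment block. Separately, the `:-` fallback lets a production deploy with a missing .env proceed silently with admin@neuronetz.ai; if that is not the intended production contact, the `:?` form of interpolation in the production config would make the deploy fail loudly instead.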