server: drop in-process TLS — HTTP-only behind reverse proxy

Self-hosted deployments already terminate TLS at Caddy/Traefik/nginx;
making the server do TLS too means double cert config, dual ACME
plumbing, and an untested code path. Drop RM_TLS_CERT/RM_TLS_KEY,
remove TLSEnabled() and the ListenAndServeTLS branch.

Replace the cookie's "Secure if TLS-in-process" check with a new
RM_COOKIE_SECURE flag (default true). Local HTTP-only testing sets
RM_COOKIE_SECURE=false; production is always behind a TLS proxy and
the cookie stays Secure.

Default port :8443 → :8080. docker-compose binds 127.0.0.1 only and
populates RM_TRUSTED_PROXY. spec.md §4.1/§10.1 rewritten with a
Caddyfile snippet and a hard "do not expose RM_LISTEN publicly"
warning. enrollResponse keeps cert_pin_sha256 in the shape but the
server can't introspect a cert it doesn't terminate — operator
pastes the proxy's hash into -cert-pin at install time.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

deploy/docker-compose.yml

@@ -1,18 +1,21 @@
 # Reference deployment for the restic-manager control plane.
 # Mirrors spec.md §10.1. Adjust image tag and RM_BASE_URL for your env.
+#
+# The server speaks plain HTTP. Front it with a TLS-terminating
+# reverse proxy (Caddy/Traefik/nginx). RM_TRUSTED_PROXY must contain
+# the proxy's IP/CIDR so X-Forwarded-* headers are honoured.
 services:
   restic-manager:
     image: ghcr.io/dcglab/restic-manager:latest
     restart: unless-stopped
+    # Bind to localhost only — the proxy is what the public reaches.
     ports:
-      - "8443:8443"
+      - "127.0.0.1:8080:8080"
     volumes:
       - ./data:/data
-      - ./certs:/certs:ro
     environment:
       - RM_DATA_DIR=/data
-      - RM_LISTEN=:8443
+      - RM_LISTEN=:8080
       - RM_BASE_URL=https://restic.lab.example
-      - RM_TLS_CERT=/certs/fullchain.pem
-      - RM_TLS_KEY=/certs/privkey.pem
       - RM_SECRET_KEY_FILE=/data/secret.key
+      - RM_TRUSTED_PROXY=172.16.0.0/12