docs(docker-compose): add deployment cookbook (6 recipes)

[IrosTheBeggar]

Summary

Adds a Docker Compose cookbook under docs/docker-compose/ — six drop-in recipes plus an index README, and a "Docker Compose recipes" section in the project README linking to each.

Recipe	Description
default/	streaming-only, single linuxserver/mstream container
with-mpd/	server-side audio playback via sidecar MPD over a shared Unix socket. Music dirs mounted at the same path in both containers (the mpd adapter sends absolute file:// URIs with no rewriting). autoBootServerAudio=false deliberately prefers MPD, so no config override is needed
with-transmission/	mStream + Transmission daemon. Completed downloads become library-visible via a shared volume + mStream's RPC-driven path auto-detection. mStream supports three torrent clients (Transmission, qBittorrent, Deluge); the README explains why Transmission is recommended
ssl-nginx/	nginx reverse proxy + acme.sh wildcard cert via Cloudflare DNS-01. Domain parameterized via .env; adapted from a working personal-infra setup
dev/	source bind-mount with node --watch for hot reload. npm ci (not npm install) so the bind-mounted lockfile isn't rewritten
dev-everything/	dev/ + DLNA + Subsonic + rust-server-audio + ALSA /dev/snd passthrough preconfigured. Linux host only

Audit findings (this revision)

Audited every recipe against the codebase config schema and the linuxserver image env contracts. Notable:

• with-transmission RPC whitelist (critical fix). A fresh Transmission only whitelists 127.0.0.1 and guards against DNS rebinding, so it would 403 every RPC call from mStream — which connects across the Docker network (private-range IP, Host header transmission). The recipe now sets WHITELIST=127.0.0.1,10.*.*.*,172.*.*.*,192.168.*.* and HOST_WHITELIST=transmission (env contract confirmed from linuxserver's docs). USER/PASS auth remains the real security boundary.
• with-mpd socket + readiness (documented). New README covers cross-container Unix-socket permission alignment (the most likely runtime failure) and the MPD-readiness startup race. Verified that autoBootServerAudio=false prefers MPD, so the recipe works with no config override.
• Image pinning (noted). Recipes track :latest by linuxserver convention; cookbook README notes pinning a digest/tag for reproducible production.
• Verified OK, no change: musl rust-parser auto-selects on the Alpine linuxserver image; dev-everything correctly pairs a glibc base with the glibc rust-server-audio binary; ssl-nginx parking + renewal logic is sound.

Test plan

Static validation (Docker engine was unavailable for live runs this revision): docker compose config passes for all six recipes; the transmission whitelist values render intact through interpolation.

Verified live in an earlier revision on Docker Desktop:

• default/ → HTTP 200; rust-parser picks the musl variant inside the Alpine image
• dev/ → boots after npm ci + migrations; HTTP 200
• ssl-nginx/ image builds; entrypoint env-guard + sed templating correct
• dev-everything/ image builds (libasound2 + alsa-utils + mpv)

Needs a Linux host with a real audio device / Cloudflare zone — not testable from Docker Desktop on Windows:

• with-mpd/ and dev-everything/ end-to-end (need /dev/snd)
• with-transmission/ end-to-end RPC (validate the whitelist fix against a live daemon)
• ssl-nginx/ real Let's Encrypt issuance against a Cloudflare-managed zone

🤖 Generated with Claude Code