refactor: remove standalone proxies, add Traefik provider with Docker labels

Standalone proxy removal:
- Delete store, API handlers, proxy manager, health monitor, validator, hints
- Delete frontend pages (proxies list, create, edit) and components (ProxyCard, ProxyForm, ProxyFilter, ProxyGroup, ValidationChecklist)
- Remove proxy routes from router, nav items, dashboard references
- Clean up SystemHealthCard to remove proxy section

Traefik provider:
- Add TraefikProvider implementing proxy.Provider via Docker labels
- ContainerLabels() returns traefik.enable, router rule, entrypoints, service port, TLS cert resolver, docker network
- ConfigureRoute() returns router name (labels handle routing at container creation)
- DeleteRoute() is no-op (container removal auto-deregisters)
- Ping() checks Traefik API health (optional)
- Wire ContainerLabels into deployer (executeDeploy + blueGreenDeploy)
- Add Traefik settings: entrypoint, cert_resolver, network, api_url
- Add traefik option to proxy provider selector in settings UI
- Show conditional Traefik config fields
- Add i18n keys (EN + RU)

internal/api/dns.go

@@ -202,12 +202,6 @@ func (s *Server) buildConsumerNameMap() map[string]string {
 		}
 	}
 
-	// Standalone proxy consumers: "standalone:id" -> domain
-	proxies, _ := s.store.ListStandaloneProxies()
-	for _, p := range proxies {
-		names["standalone:"+p.ID] = p.Domain
-	}
-
 	return names
 }
 
@@ -373,13 +367,5 @@ func (s *Server) computeExpectedFQDNs(settings store.Settings) (map[string]strin
 		}
 	}
 
-	// Standalone proxies.
-	proxies, _ := s.store.ListStandaloneProxies()
-	for _, p := range proxies {
-		if p.Domain != "" {
-			expected[p.Domain] = "standalone:" + p.ID
-		}
-	}
-
 	return expected, nil
 }

internal/api/proxy.go

@@ -1,199 +0,0 @@
-package api
-
-import (
-	"context"
-	"log/slog"
-	"net/http"
-	"time"
-
-	"github.com/go-chi/chi/v5"
-
-	"github.com/alexei/docker-watcher/internal/proxy"
-)
-
-// validateProxy runs the validation pipeline without creating a proxy.
-// POST /api/proxies/validate
-func (s *Server) validateProxy(w http.ResponseWriter, r *http.Request) {
-	var req struct {
-		Host string `json:"host"`
-		Port int    `json:"port"`
-	}
-	if !decodeJSON(w, r, &req) {
-		return
-	}
-
-	if req.Host == "" {
-		respondError(w, http.StatusBadRequest, "host is required")
-		return
-	}
-	if req.Port < 1 || req.Port > 65535 {
-		respondError(w, http.StatusBadRequest, "port must be between 1 and 65535")
-		return
-	}
-
-	ctx, cancel := context.WithTimeout(r.Context(), 30*time.Second)
-	defer cancel()
-
-	result := proxy.ValidateDestination(ctx, req.Host, req.Port)
-	respondJSON(w, http.StatusOK, result)
-}
-
-// createProxy creates a new standalone proxy.
-// POST /api/proxies
-func (s *Server) createProxy(w http.ResponseWriter, r *http.Request) {
-	if s.proxyManager == nil {
-		respondError(w, http.StatusServiceUnavailable, "proxy manager not configured")
-		return
-	}
-
-	var req proxy.CreateProxyRequest
-	if !decodeJSON(w, r, &req) {
-		return
-	}
-
-	if req.Domain == "" {
-		respondError(w, http.StatusBadRequest, "domain is required")
-		return
-	}
-	if req.DestinationURL == "" {
-		respondError(w, http.StatusBadRequest, "destination_url is required")
-		return
-	}
-	if req.DestinationPort < 1 || req.DestinationPort > 65535 {
-		respondError(w, http.StatusBadRequest, "destination_port must be between 1 and 65535")
-		return
-	}
-
-	p, err := s.proxyManager.CreateProxy(r.Context(), req)
-	if err != nil {
-		slog.Error("failed to create proxy", "domain", req.Domain, "error", err)
-		respondError(w, http.StatusInternalServerError, "failed to create proxy")
-		return
-	}
-
-	respondJSON(w, http.StatusCreated, p)
-}
-
-// listProxies returns all standalone proxies.
-// GET /api/proxies
-func (s *Server) listProxies(w http.ResponseWriter, r *http.Request) {
-	if s.proxyManager == nil {
-		respondError(w, http.StatusServiceUnavailable, "proxy manager not configured")
-		return
-	}
-
-	proxies, err := s.proxyManager.ListProxies()
-	if err != nil {
-		slog.Error("proxy operation failed", "error", err)
-		respondError(w, http.StatusInternalServerError, "proxy operation failed")
-		return
-	}
-
-	respondJSON(w, http.StatusOK, proxies)
-}
-
-// getProxy returns a single standalone proxy.
-// GET /api/proxies/{id}
-func (s *Server) getProxy(w http.ResponseWriter, r *http.Request) {
-	if s.proxyManager == nil {
-		respondError(w, http.StatusServiceUnavailable, "proxy manager not configured")
-		return
-	}
-
-	id := chi.URLParam(r, "id")
-	p, err := s.proxyManager.GetProxy(id)
-	if err != nil {
-		if proxy.IsNotFound(err) {
-			respondNotFound(w, "proxy")
-			return
-		}
-		slog.Error("proxy operation failed", "error", err)
-		respondError(w, http.StatusInternalServerError, "proxy operation failed")
-		return
-	}
-
-	respondJSON(w, http.StatusOK, p)
-}
-
-// updateProxy updates an existing standalone proxy.
-// PUT /api/proxies/{id}
-func (s *Server) updateProxy(w http.ResponseWriter, r *http.Request) {
-	if s.proxyManager == nil {
-		respondError(w, http.StatusServiceUnavailable, "proxy manager not configured")
-		return
-	}
-
-	id := chi.URLParam(r, "id")
-
-	var req proxy.UpdateProxyRequest
-	if !decodeJSON(w, r, &req) {
-		return
-	}
-
-	if req.Domain == "" {
-		respondError(w, http.StatusBadRequest, "domain is required")
-		return
-	}
-	if req.DestinationURL == "" {
-		respondError(w, http.StatusBadRequest, "destination_url is required")
-		return
-	}
-	if req.DestinationPort < 1 || req.DestinationPort > 65535 {
-		respondError(w, http.StatusBadRequest, "destination_port must be between 1 and 65535")
-		return
-	}
-
-	p, err := s.proxyManager.UpdateProxy(r.Context(), id, req)
-	if err != nil {
-		if proxy.IsNotFound(err) {
-			respondNotFound(w, "proxy")
-			return
-		}
-		slog.Error("proxy operation failed", "error", err)
-		respondError(w, http.StatusInternalServerError, "proxy operation failed")
-		return
-	}
-
-	respondJSON(w, http.StatusOK, p)
-}
-
-// deleteProxy removes a standalone proxy.
-// DELETE /api/proxies/{id}
-func (s *Server) deleteProxy(w http.ResponseWriter, r *http.Request) {
-	if s.proxyManager == nil {
-		respondError(w, http.StatusServiceUnavailable, "proxy manager not configured")
-		return
-	}
-
-	id := chi.URLParam(r, "id")
-
-	if err := s.proxyManager.DeleteProxy(r.Context(), id); err != nil {
-		if proxy.IsNotFound(err) {
-			respondNotFound(w, "proxy")
-			return
-		}
-		slog.Error("proxy operation failed", "error", err)
-		respondError(w, http.StatusInternalServerError, "proxy operation failed")
-		return
-	}
-
-	respondJSON(w, http.StatusOK, map[string]string{"deleted": id})
-}
-
-// listAllProxies returns a merged view of standalone and deploy-managed proxies.
-// GET /api/proxies/all
-func (s *Server) listAllProxies(w http.ResponseWriter, r *http.Request) {
-	if s.proxyManager == nil {
-		respondError(w, http.StatusServiceUnavailable, "proxy manager not configured")
-		return
-	}
-
-	views, err := s.proxyManager.ListAllProxies()
-	if err != nil {
-		slog.Error("proxy operation failed", "error", err)
-		respondError(w, http.StatusInternalServerError, "proxy operation failed")
-		return
-	}
-
-	respondJSON(w, http.StatusOK, views)
-}

internal/api/router.go

@@ -21,7 +21,7 @@ import (
 )
 
 // DNSProviderChangedFunc is called when DNS settings change so the caller can
-// update the provider on the deployer and proxy manager.
+// update the provider on the deployer.
 type DNSProviderChangedFunc func(provider dns.Provider)
 
 // Server holds all dependencies for the API layer.
@@ -37,7 +37,6 @@ type Server struct {
 	localAuth    *auth.LocalAuth
 	oidcProvider *auth.OIDCProvider
 	staleScanner *stale.Scanner
-	proxyManager *proxy.Manager
 
 	dnsProviderMu        sync.RWMutex
 	dnsProvider          dns.Provider
@@ -89,12 +88,6 @@ func (s *Server) SetStaleScanner(scanner *stale.Scanner) {
 	s.staleScanner = scanner
 }
 
-// SetProxyManager sets the proxy manager on the server.
-// Called after both the API server and proxy manager are initialized.
-func (s *Server) SetProxyManager(pm *proxy.Manager) {
-	s.proxyManager = pm
-}
-
 // SetBackupEngine sets the backup engine on the server.
 func (s *Server) SetBackupEngine(engine *backup.Engine) {
 	s.backupEngine = engine
@@ -261,19 +254,6 @@ func (s *Server) Router() chi.Router {
 			// Stale container endpoints (read).
 			r.Get("/containers/stale", s.listStaleContainers)
 
-			// Proxy endpoints (read-only for any authenticated user).
-			r.Get("/proxies", s.listProxies)
-			r.Get("/proxies/all", s.listAllProxies)
-			r.Route("/proxies/{id}", func(r chi.Router) {
-				r.Get("/", s.getProxy)
-				// Admin-only proxy mutations.
-				r.Group(func(r chi.Router) {
-					r.Use(auth.AdminOnly)
-					r.Put("/", s.updateProxy)
-					r.Delete("/", s.deleteProxy)
-				})
-			})
-
 			// Admin-only routes: require admin role.
 			r.Group(func(r chi.Router) {
 				r.Use(auth.AdminOnly)
@@ -300,10 +280,6 @@ func (s *Server) Router() chi.Router {
 				// Registry creation.
 				r.Post("/registries", s.createRegistry)
 
-				// Proxy mutation endpoints.
-				r.Post("/proxies/validate", s.validateProxy)
-				r.Post("/proxies", s.createProxy)
-
 				// Stale container cleanup endpoints.
 				// Bulk route must be registered before parameterized route.
 				r.Post("/containers/stale/cleanup", s.bulkCleanupStaleContainers)

internal/api/settings.go

@@ -35,6 +35,10 @@ type settingsRequest struct {
 	CloudflareAPIToken   string  `json:"cloudflare_api_token"`
 	CloudflareZoneID     *string `json:"cloudflare_zone_id,omitempty"`
 	ProxyProvider        *string `json:"proxy_provider,omitempty"`
+	TraefikEntrypoint    *string `json:"traefik_entrypoint,omitempty"`
+	TraefikCertResolver  *string `json:"traefik_cert_resolver,omitempty"`
+	TraefikNetwork       *string `json:"traefik_network,omitempty"`
+	TraefikAPIURL        *string `json:"traefik_api_url,omitempty"`
 	BackupEnabled        *bool   `json:"backup_enabled,omitempty"`
 	BackupIntervalHours  *int    `json:"backup_interval_hours,omitempty"`
 	BackupRetentionCount *int    `json:"backup_retention_count,omitempty"`
@@ -67,6 +71,10 @@ func (s *Server) getSettings(w http.ResponseWriter, r *http.Request) {
 		"has_cloudflare_api_token":  settings.CloudflareAPIToken != "",
 		"cloudflare_zone_id":        settings.CloudflareZoneID,
 		"proxy_provider":            settings.ProxyProvider,
+		"traefik_entrypoint":        settings.TraefikEntrypoint,
+		"traefik_cert_resolver":     settings.TraefikCertResolver,
+		"traefik_network":           settings.TraefikNetwork,
+		"traefik_api_url":           settings.TraefikAPIURL,
 		"backup_enabled":            settings.BackupEnabled,
 		"backup_interval_hours":     settings.BackupIntervalHours,
 		"backup_retention_count":    settings.BackupRetentionCount,
@@ -171,13 +179,27 @@ func (s *Server) updateSettings(w http.ResponseWriter, r *http.Request) {
 	// Proxy provider setting.
 	if req.ProxyProvider != nil {
 		prov := *req.ProxyProvider
-		if prov != "" && prov != "none" && prov != "npm" {
-			respondError(w, http.StatusBadRequest, "proxy_provider must be 'none' or 'npm'")
+		if prov != "" && prov != "none" && prov != "npm" && prov != "traefik" {
+			respondError(w, http.StatusBadRequest, "proxy_provider must be 'none', 'npm', or 'traefik'")
 			return
 		}
 		updated.ProxyProvider = prov
 	}
 
+	// Traefik provider settings.
+	if req.TraefikEntrypoint != nil {
+		updated.TraefikEntrypoint = *req.TraefikEntrypoint
+	}
+	if req.TraefikCertResolver != nil {
+		updated.TraefikCertResolver = *req.TraefikCertResolver
+	}
+	if req.TraefikNetwork != nil {
+		updated.TraefikNetwork = *req.TraefikNetwork
+	}
+	if req.TraefikAPIURL != nil {
+		updated.TraefikAPIURL = *req.TraefikAPIURL
+	}
+
 	// Backup settings.
 	if req.BackupEnabled != nil {
 		updated.BackupEnabled = *req.BackupEnabled