feat(nginx): bake default white-label routing config, closes #1 (#2)

## Summary

- Add `nginx.conf.template` with full routing: admin/CMS surfaces → `cms:5555`, uploads → `cms:5555` (cached), `/api` → `shop:9999` (no cache), `/` → `shop:9999` (cached)
- Update `docker-entrypoint.sh` to render template via `envsubst` at startup; skip if adapter has already mounted its own config
- Update `Dockerfile` to `COPY nginx.conf.template` into image
- Bump CHANGELOG to v0.1.1

## Test plan

- [ ] Build image locally: `docker build -t libreshop/nginx:test libreshop/nginx/`
- [ ] Smoke test white-label default: no env overrides → confirm rendered `/etc/nginx/nginx.conf` contains `cms:5555` and `shop:9999`
- [ ] Smoke test env override: `NGINX_UPSTREAM_SHOP=shop:8080` → confirm substitution
- [ ] Smoke test adapter override: mount custom `nginx.conf` via compose `configs:` → confirm "adapter-provided nginx.conf detected" log line
- [ ] Deploy libreshop/demo with `nginx:v0.1.1` → confirm `/admin` returns 200

Closes #1

Co-authored-by: Michael Czechowski <michael.c@re-cinq.com>
Reviewed-on: #2

nginx.conf.template

@@ -0,0 +1,99 @@
+# nginx.conf.template — libreshop white-label default.
+#
+# The image's docker-entrypoint.sh runs envsubst over this template and
+# writes the result to /etc/nginx/nginx.conf at startup. Adapters that
+# need a wholly different topology can still mount their own config via
+# compose `configs:` (see mp's compose.yml for an example) — the
+# template is then ignored entirely.
+#
+# Substituted at startup:
+#   ${NGINX_UPSTREAM_SHOP}    default shop:9999
+#   ${NGINX_UPSTREAM_CMS}     default cms:5555
+#   ${NGINX_CACHE_LIFETIME}   default 1h
+#
+# All other `$variable` tokens are nginx variables, left literal.
+
+worker_processes 1;
+events { worker_connections 1024; }
+
+http {
+    log_format info '$time_iso8601 info: $request ($msec) $status $remote_addr - $remote_user $body_bytes_sent "$http_referer" "$http_user_agent"';
+    access_log /dev/stdout info;
+    error_log  /dev/stdout error;
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+
+    # Cache zones live under /cache (the image creates these dirs at
+    # startup). 2g caps each — adapters with heavier traffic can mount
+    # their own config to enlarge.
+    proxy_cache_path /cache/shop    levels=1:2 keys_zone=shop_cache:5m    max_size=2g inactive=30m;
+    proxy_cache_path /cache/uploads levels=1:2 keys_zone=uploads_cache:5m max_size=2g inactive=30m;
+
+    server {
+        listen 80 default_server;
+        server_name _;
+
+        # Trust forwarded headers when fronted by another proxy
+        # (e.g. caddy in the netcup edge network).
+        real_ip_header X-Forwarded-For;
+        set_real_ip_from 0.0.0.0/0;
+
+        location /health { return 200 '{"status":"ok"}'; }
+
+        # CMS admin + management surfaces.
+        location ~ ^/(upload|content-manager|content-type-builder|admin|i18n|email|user-permissions|users-permissions|documentation|plugins) {
+            proxy_pass http://${NGINX_UPSTREAM_CMS};
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_cache off;
+            proxy_buffering off;
+        }
+
+        # CMS uploads (images, files).
+        location /uploads {
+            proxy_pass http://${NGINX_UPSTREAM_CMS};
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+            proxy_cache uploads_cache;
+            proxy_cache_valid 200 ${NGINX_CACHE_LIFETIME};
+            proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+            add_header X-Cache-Status $upstream_cache_status;
+        }
+
+        # Shop API (Nuxt server routes).
+        location /api {
+            proxy_pass http://${NGINX_UPSTREAM_SHOP};
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+            proxy_cache off;
+            proxy_buffering off;
+        }
+
+        # Shop frontend (catch-all).
+        location / {
+            proxy_pass http://${NGINX_UPSTREAM_SHOP};
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+            proxy_cache shop_cache;
+            proxy_cache_valid 200 10m;
+            proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+            add_header X-Cache-Status $upstream_cache_status;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "Upgrade";
+        }
+    }
+}