feat(base): add socket-proxied Traefik, Portainer, and Watchtower infrastructure #593

Open
partyplatter08-lab wants to merge 3 commits into illbnm:master from partyplatter08-lab:partyplatter08-lab/bounty-1
@partyplatter08-lab

Summary

  • Implements the base infrastructure stack with Traefik, Portainer CE, Watchtower, and docker-socket-proxy.
  • Routes Traefik Docker discovery through an internal read-only socket proxy instead of mounting the Docker socket into Traefik.
  • Keeps the shared external proxy network for downstream stacks and adds label-scoped Watchtower updates on the 03:00 schedule.
  • Adds Watchtower Shoutrrr notification settings for Gotify/ntfy URLs, info-level notification output, and update-session reports.
  • Adds base .env.example coverage for TRAEFIK_AUTH, ACME HTTP/DNS challenge selection, Docker API compatibility, and Watchtower notification settings.
  • Updates the installer, dependency checks, environment setup, executable script entrypoints, and documentation so the base stack can launch from a clean checkout.
  • Documents working local validation paths for the local dashboard override and production HTTPS routers with a temporary local certificate.

Notes

Traefik is pinned to v3.6.1 instead of the older v3.1.6 listed in the issue so Docker provider discovery works with current Docker Engine API minimums while still avoiding a floating latest tag.

Validation

  • bash -n passed for the installer and stack scripts.
  • git diff --check passed.
  • Fresh ./install.sh run from no .env and no config/traefik/acme.json completed successfully, created prerequisites, validated dependencies, and launched the base stack.
  • Full dependency check completed with FAIL: 0.
  • docker compose config
  • All four base containers reached healthy.
  • curl -I http://127.0.0.1 redirected to HTTPS.
  • Traefik dashboard returned 401 without BasicAuth and 200 with BasicAuth.
  • Portainer /api/status returned 200 through Traefik.
  • A labeled traefik/whoami:v1.11.0 container on the shared proxy network was discovered and routed through Traefik.
  • Docker socket proxy returned 403 for a write API request while allowing the read endpoints Traefik needs.
  • Watchtower logs confirm label-scoped mode and the 03:00 schedule.
  • Watchtower Shoutrrr logger:// notification smoke ran with report mode, info level, and Docker API compatibility enabled.

Closes #1
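
An added example, not part of this pull request or the project's code: one way to check that only the socket proxy touches the Docker socket is to audit the JSON that `docker compose config --format json` prints. The service names, proxy port, paths and the `allowed` list below are assumptions made for a constructed sample.

```python
import json

DOCKER_SOCK = "/var/run/docker.sock"

# Constructed sample shaped like `docker compose config --format json` output.
# Service names, the proxy port and the acme.json path are assumptions.
SAMPLE = json.loads("""
{"services": {
  "socket-proxy": {"volumes": [{"type": "bind", "source": "/var/run/docker.sock",
                                "target": "/var/run/docker.sock", "read_only": true}]},
  "traefik": {"command": ["--providers.docker.endpoint=tcp://socket-proxy:2375"],
              "volumes": [{"type": "bind", "source": "/srv/acme.json", "target": "/acme.json"}]},
  "legacy": {"volumes": ["/var/run/docker.sock:/var/run/docker.sock"]}
}}
""")


def socket_mounts(service):
    """Yield the read-only flag of each bind mount of the Docker socket."""
    for vol in service.get("volumes") or []:
        if isinstance(vol, str):                  # short syntax: src:dst[:mode]
            parts = vol.split(":")
            src, ro = parts[0], len(parts) > 2 and "ro" in parts[2].split(",")
        else:                                     # long syntax (normalized output)
            src, ro = vol.get("source", ""), bool(vol.get("read_only"))
        if src == DOCKER_SOCK:
            yield ro


def audit(config, allowed=("socket-proxy",)):
    """Return findings for services that reach the Docker socket directly."""
    findings = []
    for name, svc in sorted(config.get("services", {}).items()):
        for ro in socket_mounts(svc):
            if name not in allowed:
                findings.append(f"{name}: mounts {DOCKER_SOCK} directly")
            elif not ro:
                findings.append(f"{name}: socket mount is not read-only")
    return findings


def uses_tcp_endpoint(service):
    """True if the command sets Traefik's Docker provider to a tcp:// endpoint."""
    return any(arg.startswith("--providers.docker.endpoint=tcp://")
               for arg in service.get("command") or [])


if __name__ == "__main__":
    print(audit(SAMPLE), uses_tcp_endpoint(SAMPLE["services"]["traefik"]))
```

A read-only bind mount of the socket does not block write API calls, so the 403 check against the proxy listed under Validation is still needed alongside this audit.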

Development

Successfully merging this pull request may close these issues.

[BOUNTY $180] Base Infrastructure — Traefik + Portainer + Watchtower

1 participant