- Add TLS_MODE env to control TCP TLS behavior:
  - terminating (default): Traefik terminates TLS (tls=true + tls.certresolver)
  - passthrough: end-to-end TLS passthrough (tls.passthrough=true)
  - plaintext: plain TCP for internal/Tailscale (HostSNI(`*`) + priority=1)
- Introduce TRAEFIK_CERT_RESOLVER with default "alidns" for ACME issuance.
  (HTTP branch keeps optional tls.certresolver line commented for easy enablement.)
- Fix tag concatenation: use a real newline for NL so that to_json_array()
  parses tags line-by-line into a proper JSON array (prevents single-line tag blob).
- Improve TCP router/service tags and comments to make behavior explicit
  per mode, and keep HTTP branch consistent (middlewares + priority).

BREAKING CHANGE:
- TCP default changes from implicit plaintext to TLS-terminating via Traefik.
  If you relied on plaintext TCP previously, set `TLS_MODE=plaintext` (or
  use `TLS_MODE=passthrough` if your backend terminates TLS itself).
  Ensure Traefik has a working ACME resolver named in $TRAEFIK_CERT_RESOLVER
  (default "alidns") or override accordingly.
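
The mode-to-tag mapping and the newline fix described in this commit message, sketched as an added example that is not the project's own script. The function bodies, the router name and the hostname passed in are assumptions; the tag keys, `TLS_MODE`, `TRAEFIK_CERT_RESOLVER`, `NL` and `to_json_array` are the names the message uses. The sketch also rejects an unrecognised `TLS_MODE` instead of falling back to a weaker mode.

```shell
#!/bin/sh
# Added illustration, not the project's script. Function bodies, the router
# name and the hostname passed in are assumptions; tag keys follow the commit.
NL='
'   # a real newline; a literal "\n" would leave all tags on one line

# Print newline-separated Traefik TCP router tags for the selected TLS_MODE.
build_tcp_tags() {
  name=$1; host=$2
  mode=${TLS_MODE:-terminating}
  resolver=${TRAEFIK_CERT_RESOLVER:-alidns}
  r="traefik.tcp.routers.${name}"
  case "$mode" in
    terminating)  # Traefik terminates TLS with an ACME-issued certificate
      tags="${r}.rule=HostSNI(\`${host}\`)${NL}${r}.tls=true"
      tags="${tags}${NL}${r}.tls.certresolver=${resolver}" ;;
    passthrough)  # backend terminates TLS; Traefik routes on SNI only
      tags="${r}.rule=HostSNI(\`${host}\`)${NL}${r}.tls.passthrough=true" ;;
    plaintext)    # no TLS, so no SNI to match: catch-all rule, low priority
      tags="${r}.rule=HostSNI(\`*\`)${NL}${r}.priority=1" ;;
    *)            # fail closed: a typo must not silently become plaintext
      echo "unknown TLS_MODE: ${mode}" >&2
      return 1 ;;
  esac
  printf '%s\n' "$tags"
}

# Read tags on stdin, one per line, and print them as a JSON array.
to_json_array() {
  out=""; sep=""
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    esc=$(printf '%s' "$line" | sed 's/\\/\\\\/g; s/"/\\"/g')
    out="${out}${sep}\"${esc}\""
    sep=","
  done
  printf '[%s]\n' "$out"
}
```

Piping `build_tcp_tags` into `to_json_array` yields one array element per tag; tags joined with a literal `\n` arrive as a single element, which is the blob the fix prevents.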