v0.41.1: wire the controller dashboard into traefik (felhom.<domain> routing)

EnsureBaseStack now writes a traefik file-provider route
(Host(felhom.<domain>) -> http://felhom-controller:8080) and joins the
controller to traefik-public. Done post-pull (domain known) and idempotently
(write-if-changed + skip-if-connected), so felhom.<domain> reaches the
controller. Completes the v0.41.0 base-infra bring-up.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

controller/internal/infra/infra.go

@@ -161,6 +161,31 @@ networks:
 `, domain, FileBrowserImage, storageSection, domain)
 }
 
+// RenderControllerRoute returns a traefik file-provider dynamic config routing the controller's own
+// dashboard — Host(felhom.<domain>) → http://felhom-controller:8080 on websecure. This can only be
+// produced POST config-pull (the v2 bootstrap.json carries no domain), which is why the controller
+// wires its OWN route at bring-up instead of via a static Docker label at bootstrap time. `tls: {}`
+// inherits the websecure entrypoint's default certResolver (letsencrypt) when ACME is configured, and
+// otherwise falls back to traefik's default self-signed cert.
+func RenderControllerRoute(domain string) string {
+	return fmt.Sprintf(`# Traefik dynamic route for the felhom-controller dashboard — managed by felhom-controller.
+# WARNING: auto-generated at base-infra bring-up. Manual edits are overwritten.
+http:
+  routers:
+    felhom-controller:
+      rule: "Host(`+"`"+`felhom.%s`+"`"+`)"
+      entryPoints:
+        - websecure
+      service: felhom-controller
+      tls: {}
+  services:
+    felhom-controller:
+      loadBalancer:
+        servers:
+          - url: "http://felhom-controller:8080"
+`, domain)
+}
+
 // RenderFileBrowserConfig returns a FileBrowser Quantum config.yaml with one source per registered
 // storage path (each a named sidebar entry). Empty paths → a single default /srv source. Ported
 // verbatim from internal/web/handlers.go.