fix(auth): inject admin token via nginx envsubst; use template conf

Nginx injects Authorization header on all /api and /events proxied requests.
Token supplied via KUA_ADMIN_TOKEN env var at container runtime — never in git.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Dockerfile

@@ -7,5 +7,6 @@ RUN npm run build
 
 FROM nginx:alpine
 COPY --from=build /app/dist /usr/share/nginx/html
-COPY nginx.conf /etc/nginx/conf.d/default.conf
+# nginx official image runs envsubst on /etc/nginx/templates/*.template → /etc/nginx/conf.d/
+COPY nginx.conf.template /etc/nginx/templates/default.conf.template
 EXPOSE 80

docker-compose.yml

@@ -3,6 +3,8 @@ services:
     build: .
     container_name: kuamail
     restart: unless-stopped
+    environment:
+      - KUA_MAIL_ADMIN_TOKEN=${KUA_ADMIN_TOKEN}
     networks:
       - production_proxy
       - kua-services

nginx.conf.template

@@ -9,6 +9,7 @@ server {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Authorization "Bearer ${KUA_MAIL_ADMIN_TOKEN}";
         proxy_buffering off;
         proxy_read_timeout 600s;
         proxy_http_version 1.1;
@@ -21,6 +22,7 @@ server {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Authorization "Bearer ${KUA_MAIL_ADMIN_TOKEN}";
         proxy_buffering off;
         proxy_read_timeout 600s;
         proxy_http_version 1.1;