feat: Initial commit - Train tracking system

Complete real-time train tracking system for Spanish railways (Renfe/Cercanías):

- Backend API (Node.js/Express) with GTFS-RT polling workers
- Frontend dashboard (React/Vite) with Leaflet maps
- Real-time updates via Socket.io WebSocket
- PostgreSQL/PostGIS database with Flyway migrations
- Redis caching layer
- Docker Compose configuration for development and production
- Gitea CI/CD workflows (lint, auto-tag, release)
- Production deployment with nginx + Let's Encrypt SSL

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

nginx/prod.conf

@@ -0,0 +1,148 @@
+# Configuración nginx para producción con SSL
+#
+# IMPORTANTE: Reemplazar YOUR_DOMAIN.com con tu dominio real
+#
+# Lecciones aprendidas del despliegue:
+# 1. Usar resolver 127.0.0.11 para DNS de Docker (evita errores al iniciar)
+# 2. Usar variables con set $backend para que nginx arranque aunque los upstreams no estén listos
+# 3. http2 debe ir como directiva separada, no en listen (nginx moderno)
+# 4. Socket.io añade /socket.io/ automáticamente, la URL base debe ser https://dominio sin path
+
+# DNS resolver de Docker - CRÍTICO para arranque correcto
+resolver 127.0.0.11 valid=30s;
+
+# Redirección HTTP a HTTPS + endpoint ACME para Let's Encrypt
+server {
+    listen 80;
+    server_name YOUR_DOMAIN.com;
+
+    # Endpoint para verificación de Let's Encrypt
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # Health check (también útil para load balancers)
+    location /health {
+        access_log off;
+        return 200 "healthy\n";
+        add_header Content-Type text/plain;
+    }
+
+    # Redirección a HTTPS para todo lo demás
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# Servidor HTTPS principal
+server {
+    listen 443 ssl;
+    http2 on;  # NOTA: En nginx moderno, http2 va como directiva separada
+    server_name YOUR_DOMAIN.com;
+
+    # Certificados SSL de Let's Encrypt
+    ssl_certificate /etc/letsencrypt/live/YOUR_DOMAIN.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN.com/privkey.pem;
+
+    # Configuración SSL moderna y segura
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 1d;
+
+    # Logs
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+
+    # Health check
+    location /health {
+        access_log off;
+        return 200 "healthy\n";
+        add_header Content-Type text/plain;
+    }
+
+    # Socket.io endpoint - CRÍTICO para WebSocket en tiempo real
+    # NOTA: Socket.io añade /socket.io/ automáticamente a la URL base
+    # Por eso VITE_WS_URL debe ser https://dominio sin /ws o /socket.io
+    location /socket.io/ {
+        set $backend_socketio api:3000;
+        proxy_pass http://$backend_socketio;
+        proxy_http_version 1.1;
+
+        # Headers para WebSocket upgrade
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Headers estándar
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # Timeouts largos para conexiones WebSocket persistentes
+        proxy_connect_timeout 7d;
+        proxy_send_timeout 7d;
+        proxy_read_timeout 7d;
+
+        # Deshabilitar buffering para WebSocket
+        proxy_buffering off;
+    }
+
+    # API REST endpoints
+    # NOTA: Cuando se usa variable en proxy_pass, nginx NO hace reemplazo automático de URI
+    # Por eso necesitamos el rewrite explícito
+    location /api/ {
+        set $backend_api api:3000;
+
+        # Reescribir la URL quitando el prefijo /api
+        rewrite ^/api/(.*)$ /$1 break;
+
+        proxy_pass http://$backend_api;
+        proxy_http_version 1.1;
+
+        # Headers
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Connection "";
+
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+
+        # Buffering
+        proxy_buffering on;
+        proxy_buffer_size 4k;
+        proxy_buffers 8 4k;
+    }
+
+    # Frontend - SPA React
+    location / {
+        set $backend_frontend frontend:80;
+        proxy_pass http://$backend_frontend;
+        proxy_http_version 1.1;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # Cache de activos estáticos
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+        set $backend_frontend frontend:80;
+        proxy_pass http://$backend_frontend;
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+
+    # Denegar acceso a archivos ocultos
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+}