snikket-im / snikket-web-proxy

Apache License 2.0

don't merge: heinous web proxy forking for Co-op Cloud #6

Closed decentral1se closed 2 years ago

decentral1se commented 2 years ago

See https://github.com/snikket-im/snikket-web-proxy/issues/5.

3-w-c commented 2 years ago

Further tweaks: https://github.com/3-w-c/snikket-web-proxy/commit/bcec18a66f5a61aace1d2a646afda5bbf2de9b79

3-w-c commented 2 years ago

And the related changes to snikket-server to make certificate paths configurable: https://github.com/3-w-c/snikket-server

3-w-c commented 2 years ago

Background (as requested in xmpp:general@channels.snikket.org):

  1. we use docker swarm - for several reasons, but all summarised by "swarm recommended over docker-compose for production deployments even on a single host" https://github.com/BretFisher/ama/issues/8#issuecomment-367575011
  2. docker swarm doesn't support network_mode: host in compose files, so we need to specify host-mode per port https://docs.docker.com/compose/compose-file/compose-file-v3/#network_mode
  3. we can't specify host-mode port 80 or 443 because our existing reverse proxy server (traefik) uses them
  4. our existing reverse proxy server does letsencrypt ssl automatically already, including supporting DNS validation instead of just HTTP
  5. turning off Traefik's SSL generation, and forwarding .well-known to the Snikket proxy container with Traefik, is a somewhat gigantic pain in the ass, and debugging traefik SSL generation (which we 100% need for basically all our other apps) is hard enough already without potential conflicts with something else on the same box also tryna do it. making auto-certificate-generation optional also seems to be the direction of travel for similar projects.

decentral1se commented 2 years ago

Will close off for now. Example of what we're doing has been shown.