Add proper login to Admin UI, replace Caddy basic_auth

- iron-session for encrypted httpOnly session cookies
- POST /api/auth/login: verifies ADMIN_USERNAME/ADMIN_PASSWORD, sets session, returns API key
- POST /api/auth/logout: destroys session
- middleware.ts: protects all routes, redirects to /login if unauthenticated
- Login page: username + password form (no more browser popup)
- Sidebar: logout calls API route and clears session
- docker-compose.prod.yml: admin-ui reads /opt/rustycms/.env.admin
- deploy.yml: generates .env.admin from Gitea secrets
- Caddy: basic_auth removed from /admin* block

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/deploy.yml

@@ -30,7 +30,7 @@ jobs:
           chmod 600 /tmp/deploy_key
           SSH="ssh -o StrictHostKeyChecking=no -i /tmp/deploy_key root@167.86.74.105"
 
-          # .env aus Secrets generieren
+          # API .env aus Secrets generieren
           $SSH "cat > /opt/rustycms/.env" << 'ENVEOF'
           RUSTYCMS_API_KEY=${{ secrets.RUSTYCMS_API_KEY }}
           RUSTYCMS_BASE_URL=${{ secrets.RUSTYCMS_BASE_URL }}
@@ -40,6 +40,14 @@ jobs:
           RUSTYCMS_STORE=${{ secrets.RUSTYCMS_STORE }}
           ENVEOF
 
+          # Admin UI .env aus Secrets generieren
+          $SSH "cat > /opt/rustycms/.env.admin" << 'ENVEOF'
+          RUSTYCMS_API_KEY=${{ secrets.RUSTYCMS_API_KEY }}
+          ADMIN_USERNAME=${{ secrets.ADMIN_USERNAME }}
+          ADMIN_PASSWORD=${{ secrets.ADMIN_PASSWORD }}
+          SESSION_SECRET=${{ secrets.SESSION_SECRET }}
+          ENVEOF
+
           rsync -avz --delete \
             -e "ssh -o StrictHostKeyChecking=no -i /tmp/deploy_key" \
             ./types/ root@167.86.74.105:/opt/rustycms/types/