Round 4 improvements: automated config, relative paths, simplified deployment

- Automate Traefik email substitution in deploy script
- Auto-generate Authelia admin password (saved to ADMIN_PASSWORD.txt)
- Standardize all volume paths to use relative paths (./service/config)
- Switch Traefik to HTTP challenge by default (DNS challenge optional)
- Update documentation with improved setup instructions
- Enhance troubleshooting guide
- Update AGENT_INSTRUCTIONS with new conventions
- Simplify .env.example with clearer guidance

These changes reduce manual configuration steps and improve deployment reliability.

config-templates/traefik/traefik.yml

@@ -27,12 +27,14 @@ entryPoints:
 certificatesResolvers:
   letsencrypt:
     acme:
-      email: ${ACME_EMAIL}
+      email: ACME_EMAIL_PLACEHOLDER  # Will be replaced by deploy script
       storage: /acme.json
-      # Use HTTP challenge (port 80 must be accessible)
+      # HTTP challenge - Simple setup, port 80 must be accessible
+      # Works for individual domain certificates
       httpChallenge:
         entryPoint: web
-      # Or use DNS challenge (requires API token):
+      # DNS challenge - For wildcard certificates (advanced)
+      # Uncomment and comment out httpChallenge to use:
       # dnsChallenge:
       #   provider: duckdns
       #   resolvers: