docs: [#272] Add HTTPS user documentation

- Create docs/user-guide/services/https.md with complete HTTPS setup guide
- Document domain + use_tls_proxy configuration pattern for each service
- Add Let's Encrypt production vs staging documentation
- Add configuration examples for various HTTPS patterns
- Add troubleshooting section for common certificate issues
- Update services README to include HTTPS as an available service
- Update main user guide README with HTTPS service reference
- Update grafana.md with TLS proxy configuration fields
- Regenerate JSON schema to reflect current implementation

Author: josecelano

docs/issues/272-add-https-support-with-caddy.md

@@ -23,8 +23,8 @@ Production deployment at `/opt/torrust/` on Hetzner server (46.224.206.37) serve
 - [x] Support HTTPS for all HTTP services (Tracker API, HTTP Tracker, Grafana)
 - [x] Enable automatic Let's Encrypt certificate management
 - [x] Add HTTPS configuration to environment schema
-- [ ] Implement security scanning for Caddy in CI/CD
-- [ ] Document HTTPS setup in user guide
+- [x] Implement security scanning for Caddy in CI/CD
+- [x] Document HTTPS setup in user guide
 - [ ] Add E2E tests for HTTPS functionality
 
 ## 🏗️ Architecture Requirements
@@ -684,27 +684,24 @@ Add link to HTTPS setup guide.
 
 ### Phase 5: Documentation (4-5 hours)
 
-- [ ] Create `docs/user-guide/https-setup.md` with complete setup guide:
-  - [ ] Prerequisites (domain names, DNS configuration)
-  - [ ] **Configuration patterns**: All services, single service, multiple trackers
-  - [ ] **Selective HTTPS**: How to enable HTTPS for some services but not others
-  - [ ] **Multiple HTTP trackers**: Configuration examples with mixed HTTPS/HTTP
-  - [ ] Environment configuration examples for each pattern
-  - [ ] Let's Encrypt certificate process
-  - [ ] **Let's Encrypt staging environment**: Document `use_staging: true` for testing (avoids rate limits)
-  - [ ] **Rate limits**: Document Let's Encrypt limits (50 certs/week, 5 duplicates/week)
-  - [ ] **Staging certificates warning**: Browser warnings expected (not trusted), only for testing
-  - [ ] Troubleshooting common issues
-  - [ ] Certificate renewal (automatic)
-  - [ ] Domain verification requirements
-- [ ] Update `docs/user-guide/README.md` with HTTPS guide link
-- [ ] Update `docs/user-guide/configuration.md` with HTTPS config examples:
-  - [ ] Example: HTTPS only for API (sensitive token)
-  - [ ] Example: Multiple trackers, selective HTTPS
-  - [ ] Example: VPN deployment without HTTPS
-- [ ] Create example environment files in `envs/` demonstrating patterns
-- [ ] Add troubleshooting section for common certificate issues
-- [ ] Document Let's Encrypt rate limits and best practices
+- [x] Create `docs/user-guide/services/https.md` with complete HTTPS setup guide:
+  - [x] Overview of HTTPS architecture with Caddy
+  - [x] Prerequisites (domain names, DNS configuration, firewall)
+  - [x] **Global HTTPS configuration**: `admin_email` and `use_staging` options
+  - [x] **Per-service TLS configuration**: `domain` and `use_tls_proxy` pattern
+  - [x] Services supporting HTTPS (Tracker HTTP API, HTTP Trackers, Health Check API, Grafana)
+  - [x] Let's Encrypt certificate process (automatic acquisition and renewal)
+  - [x] **Let's Encrypt staging environment**: Document `use_staging: true` for testing (avoids rate limits)
+  - [x] **Rate limits**: Document Let's Encrypt limits (50 certs/week, 5 duplicates/week)
+  - [x] **Staging certificates warning**: Browser warnings expected (not trusted), only for testing
+  - [x] Complete configuration example with all services HTTPS-enabled
+  - [x] Verification commands for checking HTTPS functionality
+  - [x] Troubleshooting section (DNS, firewall, certificates, Caddy logs)
+  - [x] Architecture explanation (Caddy as TLS termination proxy)
+- [x] Update `docs/user-guide/services/README.md` with HTTPS service entry
+- [x] Update `docs/user-guide/README.md` with HTTPS reference in services section
+- [x] Update `docs/user-guide/services/grafana.md` with TLS proxy fields documentation
+- [x] Regenerate JSON schema (`schemas/environment-config.json`)
 
 ### Phase 6: E2E Testing (5-6 hours)
 
@@ -1483,20 +1480,20 @@ The implementation is split into incremental steps, one service type at a time,
 - [x] Remove `domain::tls` module completely (unused after migration)
 - [x] Run full E2E test suite
 - [x] Run all linters
-- [ ] Manual verification with `envs/manual-https-test.json`
+- [x] Manual verification with `envs/manual-https-test.json`
 
 ### Phase 8: Schema Generation (30 minutes)
 
-- [ ] Regenerate JSON schema from Rust DTOs:
+- [x] Regenerate JSON schema from Rust DTOs:
 
   ```bash
   cargo run --bin torrust-tracker-deployer -- create schema > schemas/environment-config.json
   ```
 
-- [ ] Verify schema includes HTTPS configuration section
-- [ ] Verify schema validation rules match Rust DTO constraints
-- [ ] Test schema with example HTTPS-enabled environment file
-- [ ] Commit updated schema file
+- [x] Verify schema includes HTTPS configuration section
+- [x] Verify schema validation rules match Rust DTO constraints
+- [x] Test schema with example HTTPS-enabled environment file
+- [x] Commit updated schema file
 
 ### Phase 9: Create ADR (1 hour)
 

docs/user-guide/README.md

@@ -308,8 +308,13 @@ The Torrust Tracker Deployer supports optional services that can be enabled in y
 
 ### Available Services
 
-- **[Prometheus Monitoring](services/prometheus.md)** - Metrics collection and monitoring (enabled by default)
+- **[HTTPS Support](services/https.md)** - Automatic TLS/SSL with Let's Encrypt (disabled by default)
+  - Automatic certificate management via Caddy reverse proxy
+  - Per-service TLS configuration (API, HTTP trackers, Health Check API, Grafana)
+  - HTTP/2 and HTTP/3 support
+  - Enabled by adding `domain` and `use_tls_proxy: true` to individual services
 
+- **[Prometheus Monitoring](services/prometheus.md)** - Metrics collection and monitoring (enabled by default)
   - Automatic metrics scraping from tracker API
   - Web UI on port 9090
   - Configurable scrape intervals

docs/user-guide/services/README.md

@@ -14,8 +14,14 @@ The services documentation provides comprehensive guides for each optional servi
 
 ## Available Services
 
-- **[Prometheus Monitoring](prometheus.md)** - Metrics collection and monitoring service
+- **[HTTPS Support](https.md)** - Automatic TLS/SSL with Let's Encrypt
+  - Automatic certificate management via Caddy reverse proxy
+  - Per-service TLS configuration (API, HTTP trackers, Health Check API, Grafana)
+  - HTTP/2 and HTTP/3 support
+  - Automatic HTTP to HTTPS redirect
+  - Disabled by default, enabled by adding `domain` and `use_tls_proxy: true` to services
 
+- **[Prometheus Monitoring](prometheus.md)** - Metrics collection and monitoring service
   - Automatic metrics scraping from tracker API endpoints
   - Web UI for querying and visualizing metrics
   - Configurable scrape intervals
@@ -92,8 +98,6 @@ To exclude a service from your deployment, simply remove its configuration secti
 
 As the deployer evolves, additional optional services may be added to this directory:
 
-- Database services (MySQL, PostgreSQL)
-- Reverse proxy services (Nginx, Traefik)
 - Logging aggregation (Loki, Elasticsearch)
 - Alerting services (Alertmanager)
 

docs/user-guide/services/grafana.md

@@ -49,26 +49,43 @@ Add the `grafana` section to your environment configuration file:
 - Default: `admin`
 - **⚠️ SECURITY WARNING**: Always change the default password before deploying to production environments
 
+**grafana.domain** (optional):
+
+- Domain name for HTTPS access via Caddy reverse proxy
+- When present with `use_tls_proxy: true`, Grafana is accessible via HTTPS at this domain
+- Caddy automatically obtains and renews TLS certificates
+
+**grafana.use_tls_proxy** (optional):
+
+- Boolean to enable HTTPS via Caddy reverse proxy
+- Default: `false` (HTTP only)
+- Requires `domain` to be set
+- When enabled, port 3100 is not exposed; access is via HTTPS (port 443)
+
 **Examples**:
 
 ```json
-// Development environment (simple credentials)
+// Development environment (HTTP only)
 {
   "grafana": {
     "admin_user": "admin",
     "admin_password": "devpass123"
   }
 }
 
-// Production environment (strong credentials)
+// Production environment with HTTPS
 {
   "grafana": {
     "admin_user": "grafana-admin",
-    "admin_password": "Str0ng!P@ssw0rd#2024"
+    "admin_password": "Str0ng!P@ssw0rd#2024",
+    "domain": "grafana.example.com",
+    "use_tls_proxy": true
   }
 }
 ```
 
+> **Note**: When using HTTPS, you must also configure the global `https` section with `admin_email`. See the [HTTPS Guide](https.md) for complete documentation.
+
 **Real Example**: See [`envs/manual-test-grafana.json`](../../../envs/manual-test-grafana.json) for a working configuration.
 
 ### Prometheus Dependency
@@ -117,23 +134,32 @@ To deploy without Grafana visualization, remove the entire `grafana` section fro
 
 After deployment, the Grafana web UI is available at:
 
+**HTTP (default)**:
+
 ```text
 http://<vm-ip>:3100
 ```
 
-Where `<vm-ip>` is the IP address of your deployed VM instance.
+**HTTPS (when TLS enabled)**:
+
+```text
+https://<your-domain>
+```
+
+Where `<vm-ip>` is the IP address of your deployed VM instance and `<your-domain>` is the configured domain (e.g., `grafana.example.com`).
 
 ### Finding Your VM IP
 
-```bash
-# Extract IP from environment state
-cat data/<env-name>/environment.json | grep ip_address
+Use the `show` command to display environment information including the VM IP:
 
-# Or use jq for cleaner output
-INSTANCE_IP=$(cat data/<env-name>/environment.json | jq -r '.Running.context.runtime_outputs.instance_ip')
-echo "Grafana UI: http://$INSTANCE_IP:3100"
+```bash
+torrust-tracker-deployer show <env-name>
 ```
 
+Look for the "Instance IP" field in the output.
+
+> **Note**: JSON output format is planned for future releases to enable scripting.
+
 ### First Login
 
 1. Open `http://<vm-ip>:3100` in your web browser
@@ -151,17 +177,14 @@ echo "Grafana UI: http://$INSTANCE_IP:3100"
 After first login, you need to add Prometheus as a datasource:
 
 1. **Navigate to Configuration**:
-
    - Click the gear icon (⚙️) in the left sidebar
    - Select **Data Sources**
 
 2. **Add New Datasource**:
-
    - Click **Add data source**
    - Select **Prometheus** from the list
 
 3. **Configure Datasource**:
-
    - **Name**: `Prometheus` (or any name you prefer)
    - **URL**: `http://prometheus:9090`
    - **Access**: `Server (default)`
@@ -184,7 +207,6 @@ The Torrust project provides two sample dashboards for visualizing tracker metri
 #### Available Dashboards
 
 1. **stats.json** - Statistics Dashboard
-
    - Displays data from the `/api/v1/stats` tracker endpoint
    - Shows high-level tracker statistics
    - Good for general monitoring
@@ -199,17 +221,14 @@ The Torrust project provides two sample dashboards for visualizing tracker metri
 #### Import Process
 
 1. **Navigate to Dashboards**:
-
    - Click the **+** icon in the left sidebar
    - Select **Import**
 
 2. **Upload Dashboard**:
-
    - Click **Upload JSON file** and select the dashboard file
    - Or paste the JSON content directly into the text area
 
 3. **Configure Import**:
-
    - **Name**: Keep the default or customize
    - **Folder**: Select a folder or leave as default
    - **Prometheus**: Select the datasource you created earlier
@@ -254,16 +273,13 @@ After importing, you can:
 ### Creating Custom Dashboards
 
 1. **New Dashboard**:
-
    - Click **+** icon → **Dashboard**
    - Click **Add visualization**
 
 2. **Select Data Source**:
-
    - Choose your Prometheus datasource
 
 3. **Write Query**:
-
    - Use Prometheus query language (PromQL)
    - Examples:
 
@@ -279,7 +295,6 @@ After importing, you can:
      ```
 
 4. **Customize Visualization**:
-
    - Choose panel type (Graph, Stat, Gauge, Table, etc.)
    - Set thresholds and colors
    - Add units and labels
@@ -501,13 +516,11 @@ services:
 A separate issue is planned to add:
 
 1. **Auto-Provision Prometheus Datasource**:
-
    - Automatically create datasource during deployment
    - Zero-config experience for users
    - No manual setup steps required
 
 2. **Auto-Import Tracker Dashboards**:
-
    - Automatically import `stats.json` and `metrics.json`
    - Dashboards available immediately after deployment
    - Provisioning via `provisioning/dashboards/` directory
@@ -525,6 +538,7 @@ A separate issue is planned to add:
 
 ## Related Documentation
 
+- **[HTTPS Guide](https.md)** - Enable HTTPS with automatic TLS certificates
 - **[Prometheus Service Guide](prometheus.md)** - Metrics collection service
 - **[Manual Verification Guide](../../e2e-testing/manual/grafana-verification.md)** - Detailed verification steps
 - **[Grafana Integration ADR](../../decisions/grafana-integration-pattern.md)** - Design decisions and rationale