dev-stack: front pict-rs with nginx CORS sidecar

pict-rs itself doesn't emit Access-Control-* headers; production papers
over that with an nginx vhost (deploy/server-deploy/modules/services/
pict-rs.nix), which the dev compose was claiming to mirror but didn't.
Cross-origin uploads from the webapp dev server got blocked.

Move pict-rs to internal-only (`expose`) and add a pict-rs-nginx sidecar
publishing :6033, reusing the exact CORS block from the prod nix
module. Closes the dev/prod divergence so browser upload behavior
matches between local and deployed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docker-compose.dev.yml

@@ -77,9 +77,9 @@ services:
       - ./data/fava:/bean
 
   # Image hosting backend. Mirrors the deploy flake's services.pict-rs
-  # (modules/services/pict-rs.nix → port 6033). Webapp + extensions reach
-  # it on http://localhost:6033 from the host; in-network containers can
-  # use http://pict-rs:6033.
+  # (modules/services/pict-rs.nix → port 6033). The container is now
+  # internal-only; host traffic goes through the pict-rs-nginx sidecar
+  # which adds the CORS layer that production's nginx vhost provides.
   pict-rs:
     image: asonix/pictrs:0.5
     hostname: pict-rs
@@ -87,7 +87,25 @@ services:
     user: "0:0"
     environment:
       PICTRS__SERVER__ADDRESS: 0.0.0.0:6033
-    ports:
-      - 6033:6033
+    expose:
+      - "6033"
     volumes:
       - ./data/pict-rs:/mnt
+
+  # Reverse proxy in front of pict-rs. Production runs pict-rs behind
+  # an nginx vhost (deploy/server-deploy/modules/services/pict-rs.nix)
+  # that adds the CORS headers and OPTIONS preflight handling browsers
+  # need for cross-origin uploads from the webapp dev server. Without
+  # this, POST /image from http://localhost:5173 gets blocked even
+  # though pict-rs itself is healthy. Config mirrors the prod nginx
+  # vhost verbatim.
+  pict-rs-nginx:
+    image: nginx:alpine
+    hostname: pict-rs-nginx
+    restart: on-failure
+    depends_on:
+      - pict-rs
+    ports:
+      - 6033:80
+    volumes:
+      - ./pict-rs-nginx.conf:/etc/nginx/nginx.conf:ro

pict-rs-nginx.conf

@@ -0,0 +1,41 @@
+events {}
+
+http {
+  # Mirrors deploy/server-deploy/modules/services/pict-rs.nix so the dev
+  # stack speaks the same CORS contract as production. Webapps (Vite
+  # dev server on a different origin) need preflight handling and the
+  # Access-Control-* headers on responses.
+
+  server {
+    listen 80;
+    server_name _;
+
+    client_max_body_size 50M;
+
+    location / {
+      proxy_pass http://pict-rs:6033;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_connect_timeout 30s;
+      proxy_send_timeout 30s;
+      proxy_read_timeout 30s;
+
+      add_header Access-Control-Allow-Origin "*" always;
+      add_header Access-Control-Allow-Methods "GET, POST, DELETE, OPTIONS" always;
+      add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With" always;
+      add_header Access-Control-Max-Age 86400 always;
+
+      if ($request_method = 'OPTIONS') {
+        add_header Access-Control-Allow-Origin "*";
+        add_header Access-Control-Allow-Methods "GET, POST, DELETE, OPTIONS";
+        add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With";
+        add_header Access-Control-Max-Age 86400;
+        add_header Content-Length 0;
+        add_header Content-Type text/plain;
+        return 204;
+      }
+    }
+  }
+}