feat(portainer): add Portainer-optimized deployment files

- Create docker-compose.portainer.yml
  - No env_file directive (Portainer doesn't support it)
  - Port exposed on 0.0.0.0 (Portainer limitation)
  - Simple depends_on syntax
  - All environment variables explicit

- Create docs/PORTAINER-DEPLOYMENT.md
  - Complete Portainer deployment guide
  - Step-by-step instructions
  - Environment variables reference
  - Troubleshooting section
  - Best practices for security and backups

- Update README.md
  - Add Portainer deployment section
  - Reference Portainer deployment guide

Fixes:
- 'open /data/compose/94/.env: no such file or directory'
- 'ignoring IP-address (127.0.0.1:8200:8200/tcp)' warning

Portainer requires different compose syntax than standard docker-compose.
This provides a deployment path optimized for Portainer's stack parser.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker-compose.portainer.yml

@@ -0,0 +1,95 @@
+# ==============================================
+# OpenBao Standalone Deployment - Portainer Version
+# ==============================================
+#
+# This file is optimized for Portainer deployment:
+# - No env_file directive (define variables in Portainer's environment editor)
+# - Port exposed on all interfaces (Portainer limitation)
+# - All environment variables explicitly defined
+#
+# Usage in Portainer:
+#   1. Stacks -> Add Stack
+#   2. Name: mosaic-openbao
+#   3. Paste this file content
+#   4. Add environment variables in "Environment variables" section:
+#      - IMAGE_TAG=dev
+#      - OPENBAO_PORT=8200
+#   5. Deploy
+#
+# SECURITY NOTE: Port 8200 will be exposed on 0.0.0.0 (all interfaces)
+# Use firewall rules to restrict access if needed.
+# ==============================================
+
+services:
+  # ======================
+  # OpenBao Secrets Vault
+  # ======================
+  openbao:
+    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
+    container_name: mosaic-openbao
+    command: server -config=/openbao/config/config.hcl
+    environment:
+      OPENBAO_ADDR: http://0.0.0.0:8200
+    ports:
+      - "${OPENBAO_PORT:-8200}:8200"
+    volumes:
+      - openbao_data:/openbao/data
+      - openbao_logs:/openbao/logs
+      - openbao_init:/openbao/init
+    cap_add:
+      - IPC_LOCK
+    healthcheck:
+      test:
+        - CMD
+        - wget
+        - --spider
+        - --quiet
+        - http://localhost:8200/v1/sys/health?standbyok=true
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 30s
+    restart: unless-stopped
+    networks:
+      - mosaic_internal
+
+  # ======================
+  # OpenBao Init Sidecar
+  # ======================
+  # Auto-initializes and unseals OpenBao on first run
+  openbao-init:
+    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
+    container_name: mosaic-openbao-init
+    command: /openbao/init.sh
+    environment:
+      OPENBAO_ADDR: http://openbao:8200
+    volumes:
+      - openbao_init:/openbao/init
+    depends_on:
+      - openbao
+    restart: "no"
+    networks:
+      - mosaic_internal
+
+# ======================
+# Volumes
+# ======================
+volumes:
+  openbao_data:
+    name: mosaic-openbao-data
+    driver: local
+  openbao_logs:
+    name: mosaic-openbao-logs
+    driver: local
+  openbao_init:
+    name: mosaic-openbao-init
+    driver: local
+
+# ======================
+# Networks
+# ======================
+# Connect to the swarm stack's internal network
+networks:
+  mosaic_internal:
+    external: true
+    name: mosaic_internal