Stratum-over-TLS: encrypt the miner↔stack stratum link (follow-on to stratum auth #208)

[VijitSingh97]

Why

Stratum auth (#152 / #207 / #208) gates miner access to the stack's :3333 with a LAN password — but the stratum link itself is cleartext. Fine on a trusted LAN; the follow-on that both #208 and p2pool-starter-stack/rigforge#113 explicitly call out is to encrypt it with TLS, so the miner↔stack connection is confidential (not just access-controlled) even on a shared/untrusted network.

This issue tracks the stack (Pithead) side: offering/terminating stratum-over-TLS. The worker side is the companion p2pool-starter-stack/rigforge#115.

Scope (stack side)

• Offer TLS on the stratum endpoint (xmrig-proxy :3333 / p2pool stratum), behind a config knob (p2pool.stratum_tls, default off), with a cert (reuse the Caddy tls internal pattern or a dedicated cert).
• Document the worker trust model (internal CA / self-signed / operator-provided cert).
• Composes with RigForge: fetch the stratum access-password at worker setup → default-on stratum auth (Phase 2 of #152) #208: TLS for confidentiality, the password for access control — orthogonal, usable together.

Acceptance criteria

• Stack can serve stratum over TLS behind a config knob (default off), with a documented cert/trust model.
• A RigForge worker with pools[].tls: true connects over the encrypted link.
• Cleartext stratum still works when the knob is off (no regression).

Related

• RigForge: fetch the stratum access-password at worker setup → default-on stratum auth (Phase 2 of #152) #208 / Expose two xmrig-proxy config knobs: stratum access-password (#152) + dev-fee donate-level (#173) #207 / Optional stratum access-password: require miners to authenticate to xmrig-proxy #152 — stratum auth (this adds confidentiality on top of access control).
• Stratum-over-TLS: worker-side wiring for an encrypted miner↔stack link (companion to Pithead #261) rigforge#115 — worker-side TLS companion · Worker setup: fetch the stratum access-password → default-on stratum auth (Pithead #208 · #152 Phase 2) rigforge#113 — default-on auth.

[VijitSingh97]

Deferred from v1.1 → v1.6 (Deploy anywhere), lockstep with the RigForge companion (rigforge#113 / rigforge#115). Rationale: default-on stratum auth + TLS mainly harden untrusted-network / relaxed-binding / remote deployments — exactly v1.6's theme — whereas on a firewalled LAN the stratum_bind/firewall guidance already covers it, and there's no payout-theft vector on the link in the P2Pool model. Auth without TLS is also a half-measure (cleartext password), so the two belong together and aren't worth fronting v1.1. Dropped the wave-3-stratum (v1.1) label accordingly.

[VijitSingh97]

Moved v1.6 → v1.5 (Fleet / worker management), lockstep with the RigForge companions (rigforge#113 / rigforge#115). Clustering the stratum auth/TLS work with the per-worker addressing/token and the RigForge integration-harness work that lands in v1.5, rather than holding it for the v1.6 'Deploy anywhere' bucket.