feat(_update): replace watchtower with custom nightly update script

Removes the watchtower container in favour of a host-side script that
runs daily at 2:00 AM via systemd timer.  Mirrors the _backup pattern:
auto-discovers stacks, pulls images, recreates changed containers,
prunes dangling images, and notifies via n8n → Telegram.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

_update/.env.example

@@ -0,0 +1 @@
+WEBHOOK_URL=https://n8n.example.com/webhook/change_me

_update/stacks-update.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Docker stacks image update
+After=network-online.target docker.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/root/stacks/_update/update.sh
+Environment=HOME=/root

_update/stacks-update.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Daily Docker stacks image update at 2:00 AM
+
+[Timer]
+OnCalendar=*-*-* 02:00:00 Europe/Amsterdam
+Persistent=true
+
+[Install]
+WantedBy=timers.target

_update/update.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+STACKS_DIR="$(dirname "$SCRIPT_DIR")"
+LOG_FILE="$SCRIPT_DIR/update.log"
+
+set -a; source "$SCRIPT_DIR/.env"; set +a
+
+log()    { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*" | tee -a "$LOG_FILE"; }
+notify() {
+  local color="$1" text="$2"
+  curl -sf -o /dev/null -X POST "$WEBHOOK_URL" \
+    -H 'Content-Type: application/json' \
+    -d "{\"message\":\"$text\",\"color\":\"$color\"}"
+}
+
+: > "$LOG_FILE"
+log "Starting image update check"
+
+updated=(); failed=()
+
+for stack_dir in "$STACKS_DIR"/*/; do
+  stack=$(basename "$stack_dir")
+  [[ "$stack" == _* ]] && continue
+  [[ ! -f "$stack_dir/compose.yml" ]] && continue
+
+  log "Checking $stack"
+  cd "$stack_dir"
+  pull_output=$(docker compose pull 2>&1 | tee -a "$LOG_FILE")
+
+  if echo "$pull_output" | grep -q " Pulled$"; then
+    log "  Updates found — recreating containers"
+    if docker compose up -d 2>&1 | tee -a "$LOG_FILE"; then
+      updated+=("$stack")
+    else
+      log "  FAILED to recreate $stack"
+      failed+=("$stack")
+    fi
+  else
+    log "  Up to date"
+  fi
+done
+
+log "Pruning dangling images"
+docker image prune -f 2>&1 | tee -a "$LOG_FILE"
+
+if [ ${#updated[@]} -eq 0 ] && [ ${#failed[@]} -eq 0 ]; then
+  notify "#36a64f" "✅ **Update check complete** — all images up to date"
+elif [ ${#failed[@]} -gt 0 ]; then
+  notify "#cc0000" "❌ **Update failed**\nUpdated: ${updated[*]:-none}\nFailed: ${failed[*]}"
+else
+  notify "#36a64f" "✅ **Updates applied**\nStacks: ${updated[*]}"
+fi
+
+log "Update check complete"