Add grpc_addr and [web] section to example configs

Both deploy/examples configs now document the new server.grpc_addr and
[web] settings introduced with the metacrypt-web separation. The Docker
example uses the compose service name (metacrypt:9443) as vault_grpc.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

deploy/examples/metacrypt.toml

@@ -5,10 +5,33 @@
 # Address to listen on. Use "0.0.0.0:8443" to listen on all interfaces.
 listen_addr = ":8443"
 
+# gRPC address for metacrypt-web to connect to. Required if running the
+# standalone web UI server.
+grpc_addr = ":9443"
+
 # TLS certificate and key. Metacrypt always terminates TLS.
 tls_cert = "/srv/metacrypt/certs/server.crt"
 tls_key  = "/srv/metacrypt/certs/server.key"
 
+# Public base URL used in ACME directory responses.
+# external_url = "https://metacrypt.example.com"
+
+[web]
+# Address for the standalone web UI server (metacrypt-web) to listen on.
+listen_addr = ":8080"
+
+# gRPC address of the vault (must match server.grpc_addr above).
+vault_grpc = "127.0.0.1:9443"
+
+# CA certificate used to verify the vault's gRPC TLS certificate.
+# Required if the vault uses a self-signed or private CA cert.
+vault_ca_cert = "/srv/metacrypt/certs/server.crt"
+
+# TLS for the web UI itself. Leave empty to run plain HTTP behind a
+# reverse proxy, or set both to terminate TLS directly.
+# tls_cert = "/srv/metacrypt/certs/web.crt"
+# tls_key  = "/srv/metacrypt/certs/web.key"
+
 [database]
 # SQLite database path. Created automatically on first run.
 # The directory must be writable by the metacrypt user.