feat(infra): production host bootstrap and bare-metal Stalwart scaffolding

Host provisioning for the single-server production target: SSH + firewall
hardening (nftables allowlist), k3s node registration, bare-metal Stalwart
install with systemd units and TLS cert-sync from the cluster secret, and
Restic encrypted backup/restore (primary + DR) with timer units. Host-specific
secrets live in config.env (gitignored); config.env.example is the template.
Also gitignores MemPalace per-project files.

infrastructure/production/host/restic/dezky-backup.service

@@ -0,0 +1,13 @@
+# Dezky nightly backup (Restic → Storage Box primary + Helsinki DR).
+[Unit]
+Description=Dezky host backup (Restic)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/opt/dezky-backup/backup.sh
+# Backups are I/O heavy but should never starve mail/k3s
+Nice=10
+IOSchedulingClass=best-effort
+IOSchedulingPriority=6