feat(infra): production host bootstrap and bare-metal Stalwart scaffolding

Host provisioning for the single-server production target: SSH + firewall
hardening (nftables allowlist), k3s node registration, bare-metal Stalwart
install with systemd units and TLS cert-sync from the cluster secret, and
Restic encrypted backup/restore (primary + DR) with timer units. Host-specific
secrets live in config.env (gitignored); config.env.example is the template.
Also gitignores MemPalace per-project files.

infrastructure/production/host/stalwart/stalwart-cert-sync.timer

@@ -0,0 +1,12 @@
+# Run cert-sync shortly after boot and every 12h thereafter. cert-manager
+# renews well before expiry, so twice-daily comfortably picks up new certs.
+[Unit]
+Description=Periodic mail TLS cert sync for Stalwart
+
+[Timer]
+OnBootSec=3min
+OnUnitActiveSec=12h
+Persistent=true
+
+[Install]
+WantedBy=timers.target