feat(infra): production host bootstrap and bare-metal Stalwart scaffolding

Host provisioning for the single-server production target: SSH + firewall
hardening (nftables allowlist), k3s node registration, bare-metal Stalwart
install with systemd units and TLS cert-sync from the cluster secret, and
Restic encrypted backup/restore (primary + DR) with timer units. Host-specific
secrets live in config.env (gitignored); config.env.example is the template.
Also gitignores MemPalace per-project files.

infrastructure/production/host/stalwart/stalwart-mail.service

@@ -0,0 +1,39 @@
+# Dezky — Stalwart mail server (bare-metal host service).
+#
+# Secrets (admin password, webhook secret) come from the EnvironmentFile, which
+# install.sh generates from config.env. The binary needs CAP_NET_BIND_SERVICE
+# to bind the privileged mail ports (25/143/...) while running as a non-root user.
+
+[Unit]
+Description=Stalwart Mail Server (Dezky)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=stalwart
+Group=stalwart
+EnvironmentFile=/opt/stalwart/etc/stalwart.env
+ExecStart=/opt/stalwart/bin/stalwart --config /opt/stalwart/etc/config.toml
+# Stalwart reloads its TLS certs / config on SIGHUP — used by cert-sync.
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+RestartSec=5
+LimitNOFILE=65536
+
+# Bind privileged ports without full root
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+# Hardening — Stalwart only needs to write under /opt/stalwart
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+ReadWritePaths=/opt/stalwart/data /opt/stalwart/logs /opt/stalwart/etc/tls
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+
+[Install]
+WantedBy=multi-user.target