chore(deploy): add manifest, systemd units, nginx config, deploy.sh

Wires up the prod deployment per architecture-doc conventions:

- api → nikola.kosherinata.internal, loopback bind 127.0.0.1:42424
  (less-common port, registered with SELinux as http_port_t).
- worker → frootmig.kosherinata.internal, no listening port.
- web (static ui/dist + nginx server_name rob.tn) → nikola, with
  /api/* reverse-proxied to the loopback API.
- db → existing magrathea cluster via mTLS, hostname-baked DATABASE_URL
  rendered into /etc/moments/{api,worker}.env at deploy time.

Cert rotation: step-ca renews host certs every 24h; .path units watch
/etc/pki/tls/misc/<host>.pem and trigger systemctl restart of the
relevant service. Both binaries hold cert state in rustls and read
once at startup, so restart is the right reload semantics.

deploy.sh contract matches the architecture doc: positional env arg,
component list (or `all` / `default`), --dry-run support. Renders
config templates from `pass`, rsyncs over ssh+sudo, runs sysusers /
restorecon / semanage / systemctl / nginx -t idempotently.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 20:17:17 +03:00
parent 7919a2d9ab
commit 110b523fd0
13 changed files with 602 additions and 2 deletions

@@ -0,0 +1,9 @@
# /etc/moments/api.env — rendered by deploy.sh, do not edit on the host.
# {{HOSTNAME}} resolves to the target host's FQDN at deploy time.
JOURNAL_STREAM=1
RUST_LOG=info,sqlx=warn,tower_http=info
BIND_ADDR=127.0.0.1:42424
DATABASE_URL=postgres://moments_ro@magrathea.kosherinata.internal:5432/moments?sslmode=verify-full&sslrootcert=/etc/pki/ca-trust/source/anchors/root-internal.pem&sslcert=/etc/pki/tls/misc/{{HOSTNAME}}.pem&sslkey=/etc/pki/tls/private/{{HOSTNAME}}.pem
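Review bot: the DATABASE_URL points sslkey at /etc/pki/tls/private/{{HOSTNAME}}.pem, but nothing here or in the commit message says how that normally root-only directory is made readable by the api's service user, or that it stays readable after the 24h step-ca renewal; add a comment next to DATABASE_URL mirroring the ownership note in worker.env, and have deploy.sh verify the group or ACL it relies on. Related: the .path unit watches only /etc/pki/tls/misc/<host>.pem while the key lives in a different directory, so a renewal that writes the key after the cert can restart the api onto a mismatched pair; watching both paths closes that gap. Also, JOURNAL_STREAM is set by systemd itself (as device:inode) when stdout is connected to the journal, so JOURNAL_STREAM=1 is unusual; if a logging crate only tests for its presence, say so in a comment, otherwise drop the line.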

@@ -0,0 +1,27 @@
# /etc/moments/worker.env — rendered by deploy.sh, do not edit on the host.
# {{HOSTNAME}} resolves to the target host's FQDN at deploy time.
# {{GITHUB_TOKEN}} is resolved from `pass`; the rendered file lives in
# /etc/moments/ chmod 0640 owned by root:moments.
JOURNAL_STREAM=1
RUST_LOG=info,sqlx=warn
DATABASE_URL=postgres://moments_rw@magrathea.kosherinata.internal:5432/moments?sslmode=verify-full&sslrootcert=/etc/pki/ca-trust/source/anchors/root-internal.pem&sslcert=/etc/pki/tls/misc/{{HOSTNAME}}.pem&sslkey=/etc/pki/tls/private/{{HOSTNAME}}.pem
GITHUB_USER=grenade
GITHUB_TOKEN={{GITHUB_TOKEN}}
POLL_INTERVAL_SECS=600
SEARCH_POLL_INTERVAL_SECS=86400
GITEA_HOST=git.lair.cafe
GITEA_USER=grenade
GITEA_POLL_INTERVAL_SECS=600
HG_HOST=hg-edge.mozilla.org
HG_REPOS=build/puppet,build/tools,build/buildbot-configs
HG_AUTHOR_TERMS=thijssen,grenade
HG_POLL_INTERVAL_SECS=86400
BUGZILLA_HOST=bugzilla.mozilla.org
BUGZILLA_EMAIL=rthijssen@mozilla.com
BUGZILLA_POLL_INTERVAL_SECS=86400
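Review bot: GITHUB_TOKEN is the one secret in these files and it is delivered through an EnvironmentFile, which leaves it readable in /proc/<pid>/environ by anything running as the moments user and inherited by every child the worker spawns; systemd's LoadCredential= (with the worker reading the token from $CREDENTIALS_DIRECTORY) keeps it out of the environment and out of the 0640 file, and would let the root:moments special-casing in the header go away. If the env-file route stays, the header should also state that deploy.sh applies the 0640 mode before the rendered content is written over rsync rather than afterwards, so there is no window with a looser mode.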