chore(deploy): add manifest, systemd units, nginx config, deploy.sh

Wires up the prod deployment per architecture-doc conventions:

- api → nikola.kosherinata.internal, loopback bind 127.0.0.1:42424
  (less-common port, registered with SELinux as http_port_t).
- worker → frootmig.kosherinata.internal, no listening port.
- web (static ui/dist + nginx server_name rob.tn) → nikola, with
  /api/* reverse-proxied to the loopback API.
- db → existing magrathea cluster via mTLS, hostname-baked DATABASE_URL
  rendered into /etc/moments/{api,worker}.env at deploy time.

Cert rotation: step-ca renews host certs every 24h; .path units watch
/etc/pki/tls/misc/<host>.pem and trigger systemctl restart of the
relevant service. Both binaries hold cert state in rustls and read
once at startup, so restart is the right reload semantics.

deploy.sh contract matches the architecture doc: positional env arg,
component list (or `all` / `default`), --dry-run support. Renders
config templates from `pass`, rsyncs over ssh+sudo, runs sysusers /
restorecon / semanage / systemctl / nginx -t idempotently.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

asset/systemd/moments-api-cert-reload.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Restart moments-api on host cert change
+
+[Service]
+Type=oneshot
+ExecStart=/bin/systemctl restart moments-api.service

asset/systemd/moments-api-cert.path

@@ -0,0 +1,13 @@
+[Unit]
+Description=Watch host cert for moments-api
+Documentation=https://git.lair.cafe/grenade/architecture
+
+[Path]
+# Hostname is substituted at deploy time. step-ca rotates host certs every
+# 24h; rustls reads them at process start, so the API must restart on
+# rotation. Read-only public timeline — a few seconds of churn is fine.
+PathChanged=/etc/pki/tls/misc/{{HOSTNAME}}.pem
+Unit=moments-api-cert-reload.service
+
+[Install]
+WantedBy=multi-user.target

asset/systemd/moments-api.service

@@ -0,0 +1,34 @@
+[Unit]
+Description=moments read-only HTTP API
+Documentation=https://git.lair.cafe/grenade/moments
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=moments
+Group=moments
+EnvironmentFile=/etc/moments/api.env
+ExecStart=/usr/local/bin/moments-api
+Restart=on-failure
+RestartSec=5s
+
+# Hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+ReadWritePaths=/var/lib/moments
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
+[Install]
+WantedBy=multi-user.target

asset/systemd/moments-worker-cert-reload.service

@@ -0,0 +1,6 @@
+[Unit]
+Description=Restart moments-worker on host cert change
+
+[Service]
+Type=oneshot
+ExecStart=/bin/systemctl restart moments-worker.service

asset/systemd/moments-worker-cert.path

@@ -0,0 +1,12 @@
+[Unit]
+Description=Watch host cert for moments-worker
+Documentation=https://git.lair.cafe/grenade/architecture
+
+[Path]
+# Worker holds a sqlx pool with rustls — restart on cert rotation. The
+# poller is idempotent, so dropping mid-poll is safe.
+PathChanged=/etc/pki/tls/misc/{{HOSTNAME}}.pem
+Unit=moments-worker-cert-reload.service
+
+[Install]
+WantedBy=multi-user.target

asset/systemd/moments-worker.service

@@ -0,0 +1,34 @@
+[Unit]
+Description=moments ingestion worker
+Documentation=https://git.lair.cafe/grenade/moments
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=moments
+Group=moments
+EnvironmentFile=/etc/moments/worker.env
+ExecStart=/usr/local/bin/moments-worker
+Restart=on-failure
+RestartSec=10s
+
+# Hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+ReadWritePaths=/var/lib/moments
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
+[Install]
+WantedBy=multi-user.target

asset/systemd/moments.sysusers.conf

@@ -0,0 +1,2 @@
+#Type Name     ID GECOS                       Home directory   Shell
+u     moments  -  "moments service account"   /var/lib/moments /usr/sbin/nologin