feat(deploy): merge Phase 5a deployment configuration

Complete containerized deployment system with Docker/Podman support.

Key features:
- Multi-stage Dockerfile with Python 3.11-slim base
- Docker Compose configurations for production and development
- Nginx reverse proxy with security headers and rate limiting
- Systemd service units for Docker, Podman, and docker-compose
- Backup/restore scripts with integrity verification
- Podman compatibility (ADR-009)

All tests pass including Podman verification testing.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

.env.example

@@ -1,38 +1,173 @@
-# Gondulf IndieAuth Server Configuration
+# Gondulf IndieAuth Server - Configuration File
 # Copy this file to .env and fill in your values
+# NEVER commit .env to version control!
 
-# REQUIRED - Secret key for cryptographic operations
+# ========================================
+# REQUIRED SETTINGS
+# ========================================
+
+# Secret key for cryptographic operations (JWT signing, session security)
+# MUST be at least 32 characters long
 # Generate with: python -c "import secrets; print(secrets.token_urlsafe(32))"
 GONDULF_SECRET_KEY=
 
-# Database Configuration
-# Default: sqlite:///./data/gondulf.db (relative to working directory)
-# Production example: sqlite:////var/lib/gondulf/gondulf.db
-GONDULF_DATABASE_URL=sqlite:///./data/gondulf.db
+# Base URL of your Gondulf server
+# Development: http://localhost:8000
+# Production: https://auth.example.com (MUST use HTTPS in production)
+GONDULF_BASE_URL=http://localhost:8000
 
-# SMTP Configuration for Email Verification
-# Use port 587 with STARTTLS (most common) or port 465 for implicit TLS
+# ========================================
+# DATABASE CONFIGURATION
+# ========================================
+
+# SQLite database location
+# Container (production): sqlite:////data/gondulf.db (absolute path, 4 slashes)
+# Development (relative): sqlite:///./data/gondulf.db (relative path, 3 slashes)
+# Note: Container uses /data volume mount for persistence
+GONDULF_DATABASE_URL=sqlite:////data/gondulf.db
+
+# ========================================
+# SMTP CONFIGURATION
+# ========================================
+
+# SMTP server for sending verification emails
 GONDULF_SMTP_HOST=localhost
 GONDULF_SMTP_PORT=587
+
+# SMTP authentication (leave empty if not required)
 GONDULF_SMTP_USERNAME=
 GONDULF_SMTP_PASSWORD=
+
+# Sender email address
 GONDULF_SMTP_FROM=noreply@example.com
+
+# Use STARTTLS encryption (recommended: true for port 587)
 GONDULF_SMTP_USE_TLS=true
 
-# Token and Code Expiry (in seconds)
-# GONDULF_TOKEN_EXPIRY: How long access tokens are valid (default: 3600 = 1 hour, min: 300, max: 86400)
-# GONDULF_CODE_EXPIRY: How long authorization/verification codes are valid (default: 600 = 10 minutes)
+# ========================================
+# SMTP PROVIDER EXAMPLES
+# ========================================
+
+# Gmail (requires app-specific password):
+# GONDULF_SMTP_HOST=smtp.gmail.com
+# GONDULF_SMTP_PORT=587
+# GONDULF_SMTP_USERNAME=your-email@gmail.com
+# GONDULF_SMTP_PASSWORD=your-app-specific-password
+# GONDULF_SMTP_FROM=your-email@gmail.com
+# GONDULF_SMTP_USE_TLS=true
+
+# SendGrid:
+# GONDULF_SMTP_HOST=smtp.sendgrid.net
+# GONDULF_SMTP_PORT=587
+# GONDULF_SMTP_USERNAME=apikey
+# GONDULF_SMTP_PASSWORD=your-sendgrid-api-key
+# GONDULF_SMTP_FROM=noreply@yourdomain.com
+# GONDULF_SMTP_USE_TLS=true
+
+# Mailgun:
+# GONDULF_SMTP_HOST=smtp.mailgun.org
+# GONDULF_SMTP_PORT=587
+# GONDULF_SMTP_USERNAME=postmaster@yourdomain.mailgun.org
+# GONDULF_SMTP_PASSWORD=your-mailgun-password
+# GONDULF_SMTP_FROM=noreply@yourdomain.com
+# GONDULF_SMTP_USE_TLS=true
+
+# ========================================
+# TOKEN AND CODE EXPIRY
+# ========================================
+
+# Access token expiry in seconds
+# Default: 3600 (1 hour)
+# Range: 300 to 86400 (5 minutes to 24 hours)
 GONDULF_TOKEN_EXPIRY=3600
+
+# Authorization and verification code expiry in seconds
+# Default: 600 (10 minutes)
+# Per IndieAuth spec, codes should expire quickly
 GONDULF_CODE_EXPIRY=600
 
-# Token Cleanup Configuration (Phase 3)
-# GONDULF_TOKEN_CLEANUP_ENABLED: Enable automatic token cleanup (default: false - manual cleanup only in v1.0.0)
-# GONDULF_TOKEN_CLEANUP_INTERVAL: Cleanup interval in seconds (default: 3600 = 1 hour, min: 600)
+# ========================================
+# TOKEN CLEANUP (Phase 3)
+# ========================================
+
+# Automatic token cleanup (not implemented in v1.0.0)
+# Set to false for manual cleanup only
 GONDULF_TOKEN_CLEANUP_ENABLED=false
+
+# Cleanup interval in seconds (if enabled)
+# Default: 3600 (1 hour), minimum: 600 (10 minutes)
 GONDULF_TOKEN_CLEANUP_INTERVAL=3600
 
-# Logging Configuration
-# LOG_LEVEL: DEBUG, INFO, WARNING, ERROR, CRITICAL
-# DEBUG: Enable debug mode (sets LOG_LEVEL to DEBUG if not specified)
+# ========================================
+# SECURITY SETTINGS
+# ========================================
+
+# Redirect HTTP requests to HTTPS
+# Production: true (requires TLS termination at nginx or load balancer)
+# Development: false
+GONDULF_HTTPS_REDIRECT=true
+
+# Trust X-Forwarded-* headers from reverse proxy
+# Enable ONLY if behind trusted nginx/load balancer
+# Production with nginx: true
+# Direct exposure: false
+GONDULF_TRUST_PROXY=false
+
+# Set Secure flag on cookies (HTTPS only)
+# Production with HTTPS: true
+# Development (HTTP): false
+GONDULF_SECURE_COOKIES=true
+
+# ========================================
+# LOGGING
+# ========================================
+
+# Logging level: DEBUG, INFO, WARNING, ERROR, CRITICAL
+# Development: DEBUG
+# Production: INFO or WARNING
 GONDULF_LOG_LEVEL=INFO
+
+# Debug mode (enables detailed logging and disables security features)
+# NEVER enable in production!
+# Development: true
+# Production: false
 GONDULF_DEBUG=false
+
+# ========================================
+# DEVELOPMENT CONFIGURATION EXAMPLE
+# ========================================
+
+# Uncomment and use these settings for local development:
+# GONDULF_SECRET_KEY=dev-secret-key-change-in-production-minimum-32-characters-required
+# GONDULF_BASE_URL=http://localhost:8000
+# GONDULF_DATABASE_URL=sqlite:///./data/gondulf.db
+# GONDULF_SMTP_HOST=mailhog
+# GONDULF_SMTP_PORT=1025
+# GONDULF_SMTP_USE_TLS=false
+# GONDULF_HTTPS_REDIRECT=false
+# GONDULF_TRUST_PROXY=false
+# GONDULF_SECURE_COOKIES=false
+# GONDULF_DEBUG=true
+# GONDULF_LOG_LEVEL=DEBUG
+
+# ========================================
+# PRODUCTION CONFIGURATION EXAMPLE
+# ========================================
+
+# Example production configuration:
+# GONDULF_SECRET_KEY=<generate-with-secrets-module>
+# GONDULF_BASE_URL=https://auth.example.com
+# GONDULF_DATABASE_URL=sqlite:////data/gondulf.db
+# GONDULF_SMTP_HOST=smtp.sendgrid.net
+# GONDULF_SMTP_PORT=587
+# GONDULF_SMTP_USERNAME=apikey
+# GONDULF_SMTP_PASSWORD=<your-api-key>
+# GONDULF_SMTP_FROM=noreply@example.com
+# GONDULF_SMTP_USE_TLS=true
+# GONDULF_TOKEN_EXPIRY=3600
+# GONDULF_CODE_EXPIRY=600
+# GONDULF_HTTPS_REDIRECT=true
+# GONDULF_TRUST_PROXY=true
+# GONDULF_SECURE_COOKIES=true
+# GONDULF_DEBUG=false
+# GONDULF_LOG_LEVEL=INFO