feat(deploy): merge Phase 5a deployment configuration

Complete containerized deployment system with Docker/Podman support.

Key features:
- Multi-stage Dockerfile with Python 3.11-slim base
- Docker Compose configurations for production and development
- Nginx reverse proxy with security headers and rate limiting
- Systemd service units for Docker, Podman, and docker-compose
- Backup/restore scripts with integrity verification
- Podman compatibility (ADR-009)

All tests pass including Podman verification testing.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

deployment/systemd/gondulf-compose.service

@@ -0,0 +1,68 @@
+# Gondulf IndieAuth Server - systemd Unit for Compose (Podman or Docker)
+#
+# This unit works with both podman-compose and docker-compose
+#
+# Installation (Podman rootless):
+#   1. Copy this file to ~/.config/systemd/user/gondulf.service
+#   2. Edit ExecStart/ExecStop to use podman-compose
+#   3. systemctl --user daemon-reload
+#   4. systemctl --user enable --now gondulf
+#   5. loginctl enable-linger $USER
+#
+# Installation (Docker):
+#   1. Copy this file to /etc/systemd/system/gondulf.service
+#   2. Edit ExecStart/ExecStop to use docker-compose
+#   3. Edit Requires= and After= to include docker.service
+#   4. sudo systemctl daemon-reload
+#   5. sudo systemctl enable --now gondulf
+#
+# Management:
+#   systemctl --user status gondulf  # For rootless
+#   sudo systemctl status gondulf     # For rootful/Docker
+#
+
+[Unit]
+Description=Gondulf IndieAuth Server (Compose)
+Documentation=https://github.com/yourusername/gondulf
+After=network-online.target
+Wants=network-online.target
+# For Docker, add:
+# Requires=docker.service
+# After=docker.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+TimeoutStartSec=300
+TimeoutStopSec=60
+
+# Working directory (adjust to your installation path)
+# Rootless Podman: WorkingDirectory=/home/%u/gondulf
+# Docker: WorkingDirectory=/opt/gondulf
+WorkingDirectory=/home/%u/gondulf
+
+# Start services (choose one based on your container engine)
+
+# For Podman (rootless):
+ExecStart=/usr/bin/podman-compose -f docker-compose.yml -f docker-compose.production.yml up -d
+
+# For Docker (rootful):
+# ExecStart=/usr/bin/docker-compose -f docker-compose.yml -f docker-compose.production.yml up -d
+
+# Stop services (choose one based on your container engine)
+
+# For Podman:
+ExecStop=/usr/bin/podman-compose down
+
+# For Docker:
+# ExecStop=/usr/bin/docker-compose down
+
+Restart=on-failure
+RestartSec=30s
+
+[Install]
+# For rootless Podman:
+WantedBy=default.target
+
+# For Docker:
+# WantedBy=multi-user.target

deployment/systemd/gondulf-docker.service

@@ -0,0 +1,53 @@
+# Gondulf IndieAuth Server - systemd Unit for Docker
+#
+# Installation:
+#   1. Copy this file to /etc/systemd/system/gondulf.service
+#   2. sudo systemctl daemon-reload
+#   3. sudo systemctl enable --now gondulf
+#
+# Management:
+#   sudo systemctl status gondulf
+#   sudo systemctl restart gondulf
+#   sudo systemctl stop gondulf
+#   sudo journalctl -u gondulf -f
+#
+
+[Unit]
+Description=Gondulf IndieAuth Server (Docker)
+Documentation=https://github.com/yourusername/gondulf
+Requires=docker.service
+After=docker.service network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=10s
+TimeoutStartSec=60s
+TimeoutStopSec=30s
+
+# Working directory (adjust to your installation path)
+WorkingDirectory=/opt/gondulf
+
+# Stop and remove any existing container
+ExecStartPre=-/usr/bin/docker stop gondulf
+ExecStartPre=-/usr/bin/docker rm gondulf
+
+# Start container
+ExecStart=/usr/bin/docker run \
+  --name gondulf \
+  --rm \
+  -p 8000:8000 \
+  -v gondulf_data:/data \
+  --env-file /opt/gondulf/.env \
+  --health-cmd "wget --no-verbose --tries=1 --spider http://localhost:8000/health || exit 1" \
+  --health-interval 30s \
+  --health-timeout 5s \
+  --health-retries 3 \
+  gondulf:latest
+
+# Stop container gracefully
+ExecStop=/usr/bin/docker stop -t 10 gondulf
+
+[Install]
+WantedBy=multi-user.target

deployment/systemd/gondulf-podman.service

@@ -0,0 +1,62 @@
+# Gondulf IndieAuth Server - systemd Unit for Rootless Podman
+#
+# Installation (rootless - recommended):
+#   1. Copy this file to ~/.config/systemd/user/gondulf.service
+#   2. systemctl --user daemon-reload
+#   3. systemctl --user enable --now gondulf
+#   4. loginctl enable-linger $USER  # Allow service to run without login
+#
+# Installation (rootful - not recommended):
+#   1. Copy this file to /etc/systemd/system/gondulf.service
+#   2. sudo systemctl daemon-reload
+#   3. sudo systemctl enable --now gondulf
+#
+# Management:
+#   systemctl --user status gondulf
+#   systemctl --user restart gondulf
+#   systemctl --user stop gondulf
+#   journalctl --user -u gondulf -f
+#
+
+[Unit]
+Description=Gondulf IndieAuth Server (Rootless Podman)
+Documentation=https://github.com/yourusername/gondulf
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=10s
+TimeoutStartSec=60s
+TimeoutStopSec=30s
+
+# Working directory (adjust to your installation path)
+WorkingDirectory=/home/%u/gondulf
+
+# Stop and remove any existing container
+ExecStartPre=-/usr/bin/podman stop gondulf
+ExecStartPre=-/usr/bin/podman rm gondulf
+
+# Start container
+ExecStart=/usr/bin/podman run \
+  --name gondulf \
+  --rm \
+  -p 8000:8000 \
+  -v gondulf_data:/data:Z \
+  --env-file /home/%u/gondulf/.env \
+  --health-cmd "wget --no-verbose --tries=1 --spider http://localhost:8000/health || exit 1" \
+  --health-interval 30s \
+  --health-timeout 5s \
+  --health-retries 3 \
+  gondulf:latest
+
+# Stop container gracefully
+ExecStop=/usr/bin/podman stop -t 10 gondulf
+
+# Security settings (rootless already provides good isolation)
+NoNewPrivileges=true
+PrivateTmp=true
+
+[Install]
+WantedBy=default.target