Initial commit — production-ready serverdeploy

All-native AlmaLinux 9 hosting stack:
- Caddy + Coraza WAF + OWASP CRS + secure_headers + ratelimit
- MariaDB 12 + PostgreSQL 16 (per-tenant DB users, locked-down GRANTs)
- Node.js 22 + PHP-FPM 8.3 (per-site UID, sandboxed pools)
- Stalwart Mail Server with per-domain DKIM
- CrowdSec + nftables firewall bouncer + GeoIP-aware ban scenario
- MaxMind GeoIP block (offline mmdb or geoipupdate API) with multi-CDN
  trusted_proxies (Cloudflare/Fastly/Akamai/CloudFront/Bunny/Sucuri/StackPath)
- phpMyAdmin + pgAdmin4 (optional, dedicated UIDs, behind allowlist+basic-auth)
- restic backups to Backblaze B2, encrypted
- Per-minute health check with 15-min cooldown alerts
- Single-command tools: newsite, delsite, restoresite, listsite, siteuser,
  adminip, geoblock, waf-whitelist

Author: qfiber

.gitignore

@@ -0,0 +1,26 @@
+# Editor / OS
+*.swp
+*.swo
+*~
+.DS_Store
+.idea/
+.vscode/
+
+# Local backups left by editors / scripts
+*.bak
+*.bak.*
+*.tmp
+*.orig
+
+# Claude Code working state
+.claude/
+
+# Anything that looks like a secret — defence in depth even though
+# /etc/serverdeploy/config lives on the deployed server, not in the repo
+*.password
+*-admin.txt
+*-basic-auth.txt
+*.pem
+*.key
+.env
+.env.*