Align with engineering standards (steps 1-5)

- Rename dist/ -> deploy/ with subdirs examples/, scripts/,
  systemd/ per standard repository layout
- Update .gitignore: gitignore all of dist/ (build output only)
- Makefile: all target is now vet->lint->test->build; add vet,
  proto-lint, devserver targets; CGO_ENABLED=0 for builds
  (modernc.org/sqlite is pure-Go, no C toolchain needed);
  CGO_ENABLED=1 retained for tests (race detector)
- Dockerfile: builder -> golang:1.26-alpine, runtime ->
  alpine:3.21; drop libc6 dep; add /srv/mcias/certs and
  /srv/mcias/backups to image
- deploy/systemd/mcias.service: add RestrictSUIDSGID=true
- deploy/systemd/mcias-backup.service: new oneshot backup unit
- deploy/systemd/mcias-backup.timer: daily 02:00 UTC, 5m jitter
- deploy/scripts/install.sh: install backup units and enable
  timer; create certs/ and backups/ subdirs in /srv/mcias
- buf.yaml: add proto linting config for proto-lint target
- internal/db: add Snapshot and SnapshotDir methods (VACUUM INTO)
- cmd/mciasdb: add snapshot subcommand; no master key required

deploy/systemd/mcias-backup.service

@@ -0,0 +1,32 @@
+[Unit]
+Description=MCIAS Database Backup
+Documentation=man:mciasdb(1)
+After=mcias.service
+# Backup runs against the live database using VACUUM INTO, which is safe
+# while mciassrv is running (WAL mode allows concurrent readers).
+
+[Service]
+Type=oneshot
+User=mcias
+Group=mcias
+
+EnvironmentFile=/srv/mcias/env
+
+ExecStart=/usr/local/bin/mciasdb -config /srv/mcias/mcias.toml snapshot
+
+# Filesystem restrictions (read-write to /srv/mcias for the backup output).
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+ReadWritePaths=/srv/mcias
+NoNewPrivileges=true
+PrivateDevices=true
+CapabilityBoundingSet=
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+RestrictRealtime=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true

deploy/systemd/mcias-backup.timer

@@ -0,0 +1,15 @@
+[Unit]
+Description=Daily MCIAS Database Backup
+Documentation=man:mciasdb(1)
+
+[Timer]
+# Run daily at 02:00 UTC with up to 5-minute random jitter to avoid
+# thundering-herd on systems with many services.
+OnCalendar=*-*-* 02:00:00 UTC
+RandomizedDelaySec=5min
+# Run immediately on boot if the last scheduled run was missed
+# (e.g. host was offline at 02:00).
+Persistent=true
+
+[Install]
+WantedBy=timers.target

deploy/systemd/mcias.service

@@ -0,0 +1,52 @@
+[Unit]
+Description=MCIAS Authentication Server
+Documentation=man:mciassrv(1)
+After=network.target
+# Require network to be available before starting.
+# Remove if you bind only to loopback.
+
+[Service]
+Type=simple
+User=mcias
+Group=mcias
+
+# Configuration and secrets.
+# /srv/mcias/env must contain MCIAS_MASTER_PASSPHRASE=<passphrase>
+# See deploy/examples/mcias.env.example for the template.
+EnvironmentFile=/srv/mcias/env
+
+ExecStart=/usr/local/bin/mciassrv -config /srv/mcias/mcias.toml
+Restart=on-failure
+RestartSec=5
+
+# File descriptor limit. mciassrv keeps one fd per open connection plus
+# the SQLite WAL files; 65536 is generous headroom for a personal server.
+LimitNOFILE=65536
+
+# Sandboxing. mcias does not need capabilities; it listens on ports > 1024.
+# If you need port 443 or 8443 on a privileged port (< 1024), either:
+#   a) use a reverse proxy (recommended), or
+#   b) grant CAP_NET_BIND_SERVICE with: AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=
+
+# Filesystem restrictions.
+# mciassrv reads and writes /srv/mcias (config, TLS cert/key, database).
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+ReadWritePaths=/srv/mcias
+
+# Additional hardening.
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+RestrictRealtime=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target