Fix fresh-deploy blockers and clean up architecture

- Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's
  requirement for at least one account on first boot
- Add failed_when: false to mail user/alias list tasks (files don't exist
  on first run)
- Add forgejo_runner_version (was undefined); default to 12
- Create /srv/forgejo/data/gitea/conf before deploying app.ini
- Decouple goaccess sync from restic: new enable_goaccess_sync flag with
  its own goaccess_sync_* variables
- Move Docker installation to bootstrap exclusively; rename docker.yml to
  networks.yml (runs docker_network role only)
- Add radicale_password to vault template and setup.sh
- Fix goaccess sync tasks gated on enable_goaccess_sync
- Add upstream bug comment to authorized_key deprecation warning
- Update CLAUDE.md and README.md throughout

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

roles/provision/defaults/main.yml

@@ -1,4 +1,5 @@
 ---
-hcloud_server_type: cx22
+cloud_provider: hetzner
+hcloud_server_type: cx23
 hcloud_image: ubuntu-24.04
 hcloud_location: fsn1

roles/provision/tasks/hetzner.yml

@@ -30,11 +30,18 @@
 
 - name: Update inventory with new IP
   ansible.builtin.lineinfile:
-    path: "{{ inventory_dir }}/hosts.yml"
+    path: "{{ lookup('env', 'LINDERHOF_DIR') }}/hosts.yml"
     regexp: '^\s+ansible_host:'
     line: "      ansible_host: {{ server_ip }}"
   delegate_to: localhost
 
+- name: Update config with new IP
+  ansible.builtin.lineinfile:
+    path: "{{ lookup('env', 'LINDERHOF_DIR') }}/group_vars/all/config.yml"
+    regexp: '^server_ip:'
+    line: "server_ip: {{ server_ip }}"
+  delegate_to: localhost
+
 - name: Print server IP
   ansible.builtin.debug:
     msg: "Server '{{ server_name }}' provisioned at {{ server_ip }}"