Fix fresh-deploy blockers and clean up architecture

- Seed postfix-accounts.cf before mailserver start to satisfy Dovecot's
  requirement for at least one account on first boot
- Add failed_when: false to mail user/alias list tasks (files don't exist
  on first run)
- Add forgejo_runner_version (was undefined); default to 12
- Create /srv/forgejo/data/gitea/conf before deploying app.ini
- Decouple goaccess sync from restic: new enable_goaccess_sync flag with
  its own goaccess_sync_* variables
- Move Docker installation to bootstrap exclusively; rename docker.yml to
  networks.yml (runs docker_network role only)
- Add radicale_password to vault template and setup.sh
- Fix goaccess sync tasks gated on enable_goaccess_sync
- Add upstream bug comment to authorized_key deprecation warning
- Update CLAUDE.md and README.md throughout

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Matthias Johnson 2026-02-28 00:51:16 -07:00
parent 75891c3271
commit b38cd94fc8
23 changed files with 400 additions and 307 deletions


@ -91,7 +91,7 @@ echo
info "configure your server"
prompt admin_user "Admin username" "$USER"
prompt server_name "Server hostname" "$stack_name"
prompt server_ip "Server IP (or TBD)" "0.0.0.0"
prompt server_ip "Server IP (leave TBD if provisioning via Hetzner)" "TBD"
prompt domain "Domain" "example.com"
prompt_secret hcloud_token "Hetzner API token (leave blank to skip)"
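Review bot: `server_ip` now defaults to the sentinel `TBD`, but nothing in this hunk checks that a non-default answer is actually an address, so a typo is carried through verbatim into whatever consumes the value later (the dns.yml hunk in this same commit stops using it, but the inventory presumably still does). A check right after the prompt, `[[ "$server_ip" == "TBD" || "$server_ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { warn "server_ip must be TBD or an IPv4 address"; exit 1; }` (using whatever error helper the script already has), makes the sentinel contract explicit and fails early. If IPv6-only hosts are a supported target the pattern needs widening accordingly.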
@ -113,17 +113,21 @@ info " rspamd: rspamd.$domain"
# ── 7. generate secrets ─────────────────────────────────────
info "generating secrets..."
export root_password admin_password
export admin_mail_password notifications_mail_password git_mail_password
export grafana_admin_password rspamd_web_password goaccess_password rainloop_admin_password
export grafana_admin_password rspamd_web_password goaccess_password rainloop_admin_password radicale_password
export tuwunel_registration_token restic_password
export forgejo_secret_key forgejo_internal_token forgejo_jwt_secret
root_password=$(openssl rand -base64 32)
admin_password=$(openssl rand -base64 32)
admin_mail_password=$(openssl rand -base64 32)
notifications_mail_password=$(openssl rand -base64 32)
git_mail_password=$(openssl rand -base64 32)
grafana_admin_password=$(openssl rand -base64 32)
rspamd_web_password=$(openssl rand -base64 32)
goaccess_password=$(openssl rand -base64 32)
radicale_password=$(openssl rand -base64 32)
rainloop_admin_password=$(openssl rand -base64 32)
tuwunel_registration_token=$(openssl rand -base64 32)
restic_password=$(openssl rand -base64 32)
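Review bot: Every generated secret in this hunk is `export`ed before it is assigned, so for the rest of the script each child process that is spawned — `envsubst`, `openssl`, anything `info`/`ok` call — inherits the full set, and a `bash -x` run or a stray `set -x` would print each assignment to the terminal or a log. Exporting is presumably required so `envsubst` can see the values when the vault template is rendered, but the exposure window can be closed by unsetting them as soon as the vault file has been written, e.g. `unset root_password admin_password admin_mail_password notifications_mail_password git_mail_password grafana_admin_password rspamd_web_password goaccess_password radicale_password rainloop_admin_password tuwunel_registration_token restic_password`. A comment on the generator lines would also save the next maintainer a surprise: `# base64 output contains '+', '/' and '='; any consumer that embeds the value in a URL or an unquoted shell context must escape it`. The secret-generation section continues past the end of this hunk.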
@ -160,7 +164,7 @@ else
info "writing stack.env..."
cat > "$STACK_ENV" <<ENV_EOF
# Per-stack environment variables — loaded by .envrc
export DOCKER_HOST="ssh://$admin_user@$server_name"
export DOCKER_HOST="ssh://$admin_user@$server_name.$domain"
ENV_EOF
ok "stack.env created"
fi
@ -181,7 +185,7 @@ if [[ -f "$DNS_CONFIG" ]]; then
warn "dns.yml already exists — skipping (not overwriting)"
else
info "writing dns.yml..."
envsubst '$domain $server_ip $server_name' \
envsubst '$domain $server_name' \
< "$TEMPLATES/dns.yml.setup" > "$DNS_CONFIG"
ok "dns.yml created (uncomment DKIM records after first mail deployment)"
fi
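Review bot: `envsubst` substitutes only the variables named in its argument, so if `dns.yml.setup` still contains a `$server_ip` placeholder it will now be written into dns.yml as the literal string `$server_ip` with no warning, rather than being caught. The template is not visible here; if it was updated alongside this change that is fine, otherwise a guard before the substitution, `grep -q '\$server_ip' "$TEMPLATES/dns.yml.setup" && { warn "dns.yml.setup still references \$server_ip"; exit 1; }`, makes the mismatch fail loudly. Note also that `envsubst` only sees exported variables, so this line relies on `domain` and `server_name` having been exported by `prompt` or earlier in the script, which the hunk does not show.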