Automate DKIM sync and add Hetzner resource labels

- Add dkim_sync.yml: generates DKIM keys for all mail_domains, writes
  keys to stack config (group_vars/all/dkim.yml), and publishes
  mail._domainkey TXT records via dns.yml — replaces manual vault editing
- Remove dkim_keys from vault.yml.setup (public keys don't need encryption)
- Add hcloud_labels to config.yml.setup and apply to server + SSH key in
  provision role, enabling project-level tagging of Hetzner resources
- Fix setup.sh next steps: add missing bootstrap step, replace manual DKIM
  instructions with dkim_sync.yml
- Update CLAUDE.md and README.md accordingly

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

inventory/group_vars/all/config.yml.setup

@@ -34,6 +34,12 @@ enable_radicale: true
 # ============================================================
 domain: $domain
 server_name: $server_name
+
+# Labels applied to all Hetzner cloud resources (server, SSH key).
+# DNS resources do not support labels.
+hcloud_labels:
+  managed-by: linderhof
+  stack: $stack_name
 server_ip: $server_ip
 admin_user: $admin_user
 admin_shell: /bin/zsh

inventory/group_vars/all/vault.yml.setup

@@ -54,9 +54,3 @@ restic_password: "$restic_password"
 
 # fail2ban (optional — IPs/CIDRs to whitelist)
 # fail2ban_ignoreip: "your-home-ip/32"
-
-# DKIM public keys — add after first mail deployment:
-#   docker exec mailserver cat /tmp/docker-mailserver/rspamd/dkim/$domain/mail.pub
-# Format: "v=DKIM1; k=rsa; p=<base64 public key>"
-# dkim_keys:
-#   $domain: "v=DKIM1; k=rsa; p=..."