Add complete infrastructure automation and documentation

- infrastructure/setup.sh: Master provisioning script for fresh Ubuntu servers
- infrastructure/docker-compose.yml: Production Docker Compose configuration
- infrastructure/.env.template: Environment variables template
- infrastructure/nginx/: Nginx configuration with security headers
- infrastructure/postfix/: Postfix + OpenDKIM email configuration
- infrastructure/README.md: Complete disaster recovery guide
- scripts/docfast-backup.sh: SQLite backup script with rotation

All services now fully reproducible with documented disaster recovery procedures.

infrastructure/nginx/docfast.dev

@@ -0,0 +1,70 @@
+server {
+    server_name docfast.dev www.docfast.dev;
+
+    # Increase client max body size for file uploads
+    client_max_body_size 10m;
+
+    # Security headers
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+    # Proxy to the application
+    location / {
+        proxy_pass http://127.0.0.1:3100;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 60s;
+        proxy_connect_timeout 10s;
+        
+        # WebSocket support (if needed)
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_cache_bypass $http_upgrade;
+    }
+
+    # Health check endpoint (bypass proxy for direct container health check)
+    location /health {
+        access_log off;
+        proxy_pass http://127.0.0.1:3100/health;
+    }
+
+    # Rate limiting for API endpoints
+    location /api/ {
+        limit_req zone=api_limit burst=10 nodelay;
+        proxy_pass http://127.0.0.1:3100;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # SSL configuration (managed by Certbot)
+    listen 443 ssl http2;
+    ssl_certificate /etc/letsencrypt/live/docfast.dev/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/docfast.dev/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+}
+
+# Rate limiting zone (add to main nginx.conf or here)
+# limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
+
+# Redirect HTTP to HTTPS
+server {
+    if ($host = docfast.dev) {
+        return 301 https://$host$request_uri;
+    }
+
+    if ($host = www.docfast.dev) {
+        return 301 https://docfast.dev$request_uri;
+    }
+
+    listen 80;
+    server_name docfast.dev www.docfast.dev;
+    return 404;
+}