Add systemd unit, Dockerfile, docker-compose, and fail2ban configs for production deployment

deploy/reverse-proxy.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=Reverse Proxy
+After=network.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+NotifyAccess=all
+ExecStart=/usr/local/bin/reverse-proxy --config /etc/reverse-proxy/config.toml
+Restart=on-failure
+RestartSec=5
+
+# Security hardening
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+ReadWritePaths=/var/lib/reverse-proxy /var/log/reverse-proxy
+
+# ACME challenge cache directory
+StateDirectory=reverse-proxy
+
+[Install]
+WantedBy=multi-user.target