feat: one-click cloud deployment — Caddy HTTPS, Ollama, systemd, cloud-init

Add complete production deployment stack so Timmy can be deployed to any
cloud provider (DigitalOcean, AWS, Hetzner, etc.) with a single command.

New files:
- docker-compose.prod.yml: production stack (Caddy auto-HTTPS, Ollama LLM,
  Dashboard, Timmy agent, Watchtower auto-updates)
- deploy/Caddyfile: reverse proxy with security headers and WebSocket support
- deploy/setup.sh: interactive one-click setup script for any Ubuntu/Debian server
- deploy/cloud-init.yaml: paste as User Data when creating a cloud VM
- deploy/timmy.service: systemd unit for auto-start on boot
- deploy/digitalocean/create-droplet.sh: create a DO droplet via doctl CLI

Updated:
- Dockerfile: non-root user, healthcheck, missing deps (GitPython, moviepy, redis)
- Makefile: cloud-deploy, cloud-up/down/logs/status/update/scale targets
- .env.example: DOMAIN setting for HTTPS
- .dockerignore: exclude deploy configs from image

https://claude.ai/code/session_018CduUZoEJzFynBwMsxaP8T

.env.example

@@ -1,9 +1,17 @@
 # Timmy Time — Mission Control
 # Copy this file to .env and uncomment lines you want to override.
 # .env is gitignored and never committed.
+#
+# For cloud deployment, deploy/setup.sh generates this automatically.
+
+# ── Cloud / Production ──────────────────────────────────────────────────────
+# Your domain for automatic HTTPS via Let's Encrypt.
+# Set to your actual domain (e.g., timmy.example.com) for HTTPS.
+# Leave as "localhost" for IP-only HTTP access.
+# DOMAIN=localhost
 
 # Ollama host (default: http://localhost:11434)
-# Override if Ollama is running on another machine or port.
+# In production (docker-compose.prod.yml), this is set to http://ollama:11434 automatically.
 # OLLAMA_URL=http://localhost:11434
 
 # LLM model to use via Ollama (default: llama3.2)