Add guided installer for a bare Ubuntu/Debian server
`sudo bash install.sh` takes a clean Ubuntu Server 22.04+ or Debian 12+
host from nothing to a running PIP deployment.
Wizard (whiptail TUI):
- Hostname (any DNS name or LAN address) and TLS mode:
  - letsencrypt: public Let's Encrypt; requires public DNS
  - internal: Caddy local-CA self-signed; works anywhere
  - http: HTTP only, port 80; first-run/LAN testing only
The choice writes the Caddyfile at ${DATA_ROOT}/caddy/Caddyfile
so re-running the installer can switch modes without touching
the git working tree.
- Bootstrap admin email and data root (any path; default /srv/pip).
- Postgres password (auto-generated by default; overridable).
- Email (Resend), External AI providers (disabled by default for
client matter), Microsoft Entra OIDC. All skippable.
- Ollama starter model: llama3.2:3b / llama3.1:8b / qwen2.5:14b / skip.
Secrets handling (point 3 from the operator brief):
- AUTH_SECRET, USER_API_KEYS_ENCRYPTION_SECRET, DOWNLOAD_SIGNING_SECRET,
and STORAGE_ENCRYPTION_KEY are generated automatically
via openssl rand -hex 32.
- In addition to .env.compose (mode 600), a separate
${DATA_ROOT}/secrets-backup.txt is written (mode 400) with a
prominent "COPY THIS OFF THE SERVER" warning explaining what
each secret protects and the consequences of loss.
- The final report tells the operator where to find the backup
and what to do with it.
Web access before public TLS (point 4 from the operator brief):
- "internal" mode lets the operator reach https://<hostname>/
immediately with a browser TLS warning, even with no public DNS.
- "http" mode skips TLS entirely for first-run smoke testing.
- The Caddyfile is regenerated each run; switching from internal
to letsencrypt later is a re-run away.
Idempotency:
- Detects existing .env.compose and offers reuse-or-replace.
- Detects existing Docker install and skips the apt path.
- UFW (if active) opens 80/443; SSH untouched.
Companion scripts:
- update.sh: git pull + rebuild backend/frontend + recreate.
Backend entrypoint runs pending migrations on boot.
- bin/backup-now.sh: one-shot pg_dump into ${DATA_ROOT}/backups.
Compose change:
- caddy/Caddyfile renamed to caddy/Caddyfile.example (reference).
- Caddy now mounts ${DATA_ROOT}/caddy/Caddyfile (operator-owned).
README updated with the new install path and an explanation of
each wizard step.
Syntax-checked with bash -n; rendered all three Caddyfile variants
to confirm they are valid Caddy syntax.
| Repository | cpatpa/PIP |
|---|---|
| Author | Claude <noreply@anthropic.com> |
| Authored | |
| Parents | 9166a01d |
| Stats | 6 files changed , +833 , -13 |
| Part of | Bare-metal installer + operator tooling |
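The two mechanisms the commit message describes, the per-mode Caddyfile rendering and the generated secrets with their 400-mode backup file, as an added example that is not the PIP project's install.sh. The upstream compose service name and port (`pip_app:3000`) are an assumption; the `tls internal` site directive and the global `email` option are standard Caddy syntax.

```bash
#!/usr/bin/env bash
# Added example, not PIP's install.sh. Renders the three Caddyfile variants
# (letsencrypt / internal / http) and generates the hex secrets plus the
# mode-400 secrets-backup.txt the commit message describes.
set -eu

# Assumed compose service the proxy forwards to; not taken from the page.
UPSTREAM="${UPSTREAM:-pip_app:3000}"

# render_caddyfile MODE HOSTNAME [EMAIL] -> Caddyfile text on stdout
render_caddyfile() {
  local mode="$1" host="$2" email="${3:-}"
  case "$mode" in
    letsencrypt)
      # Public ACME: Caddy obtains a certificate for $host; needs public DNS and 80/443 reachable.
      [ -n "$email" ] || { echo "letsencrypt mode needs an ACME contact email" >&2; return 1; }
      printf '{\n\temail %s\n}\n\n%s {\n\treverse_proxy %s\n}\n' "$email" "$host" "$UPSTREAM"
      ;;
    internal)
      # Caddy's built-in local CA: browsers warn, but HTTPS works with no public DNS.
      printf '%s {\n\ttls internal\n\treverse_proxy %s\n}\n' "$host" "$UPSTREAM"
      ;;
    http)
      # Plain HTTP on port 80; the explicit http:// scheme turns automatic HTTPS off for this site.
      printf 'http://%s {\n\treverse_proxy %s\n}\n' "$host" "$UPSTREAM"
      ;;
    *)
      echo "unknown TLS mode: $mode (expected letsencrypt|internal|http)" >&2
      return 1
      ;;
  esac
}

# gen_secret -> 64 hex chars (32 random bytes); same output shape as `openssl rand -hex 32`,
# with a /dev/urandom fallback for hosts that lack the openssl CLI.
gen_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    echo
  fi
}

# write_secrets_backup DIR -> writes DIR/secrets-backup.txt (mode 400) and echoes its path.
# Runs in a subshell so the restrictive umask does not leak into the caller.
write_secrets_backup() (
  dir="$1"
  file="$dir/secrets-backup.txt"
  umask 077   # nothing created here is group- or world-readable, even before chmod
  {
    echo "# COPY THIS OFF THE SERVER. Losing these means losing access to the data they protect."
    for name in AUTH_SECRET USER_API_KEYS_ENCRYPTION_SECRET DOWNLOAD_SIGNING_SECRET STORAGE_ENCRYPTION_KEY; do
      printf '%s=%s\n' "$name" "$(gen_secret)"
    done
  } > "$file"
  chmod 400 "$file"
  echo "$file"
)

# Usage (constructed values): render_caddyfile internal pip.lan; write_secrets_backup /srv/pip
```

Re-running `render_caddyfile` with a different mode and overwriting `${DATA_ROOT}/caddy/Caddyfile` is the whole "switch modes on re-run" story; the secrets functions are deliberately separate so a re-run that reuses an existing `.env.compose` never regenerates keys that already protect stored data.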