docs: add production deployment guide to README

Adds a comprehensive 'Production Deployment' section covering:

- One-time server setup (Forgejo secrets, DNS, SSL certbot, nginx config)
- How to trigger a deploy from the Forgejo Actions UI
- What the deploy pipeline does step-by-step
- Architecture diagram showing how nginx, frontend, backend, and postgres
  containers interact on the production server
- Rollback procedure using git tags and docker compose

This documents the deploy.yml workflow and bilhej.nginx.conf added in
the previous commit.

README.md

@@ -165,6 +165,113 @@ bilhej/
 
 ---
 
+## Production Deployment
+
+Deployments are fully automated via Forgejo Actions. The pipeline builds production Docker images and starts them on the server.
+
+### One-time Setup
+
+Before the first deploy, complete these steps on the production server (`srvr.nu`):
+
+1. **Add Forgejo Actions Secrets**
+
+   Go to **Forgejo → Repository Settings → Actions → Secrets** and add:
+
+   | Secret | Description |
+   |--------|-------------|
+   | `POSTGRES_DB` | Database name (e.g., `bilhej`) |
+   | `POSTGRES_USER` | Database user |
+   | `POSTGRES_PASSWORD` | Strong database password |
+   | `JWT_SECRET` | `openssl rand -hex 32` |
+   | `STRIPE_SECRET_KEY` | Stripe secret key |
+   | `STRIPE_WEBHOOK_SECRET` | Stripe webhook signing secret |
+   | `STRIPE_PRICE_ID` | Stripe price ID for single letter |
+   | `SWISH_NUMBER` | Swish phone number for payment instructions |
+
+2. **Point DNS**
+
+   Set `bilhej.se` (and `www.bilhej.se`) A record to the server's public IP.
+
+3. **Obtain SSL Certificate**
+
+   Run certbot in the nginx container:
+
+   ```bash
+   docker exec certbot certbot certonly \
+     --webroot -w /var/www/certbot \
+     -d bilhej.se -d www.bilhej.se
+   ```
+
+4. **Add Nginx Config**
+
+   Copy the Bilhej server block into the nginx container:
+
+   ```bash
+   docker cp docker/bilhej.nginx.conf nginx:/etc/nginx/conf.d/bilhej.conf
+   docker exec nginx nginx -s reload
+   ```
+
+### Deploy
+
+1. Go to **Actions → Deploy to Production** in Forgejo.
+2. Click **Run workflow**.
+3. Enter a version tag (e.g., `v0.1.0`).
+4. Click **Run workflow**.
+
+### What Happens
+
+| Step | Action |
+|------|--------|
+| Tag | Git tag `v0.1.0` is created and pushed |
+| Build | Production backend JAR and frontend bundle are built |
+| Images | Multi-stage Docker images are built locally on the server |
+| Start | `docker compose -f docker-compose.prod.yml up -d` |
+| Verify | Health checks confirm backend API and frontend are responding |
+
+### Architecture on Server
+
+```
+  User
+   │
+   │ https://bilhej.se
+   ▼
+┌─────────────────────────────────────┐
+│  nginx (srvr.nu)                    │
+│  SSL termination (Let's Encrypt)    │
+│  proxy_pass → bilhej-frontend-prod  │
+└─────────────┬───────────────────────┘
+              │ Docker 'web' network
+┌─────────────▼───────────────────────┐
+│  bilhej-frontend-prod (nginx)       │
+│  :80                                │
+│  /api/* → bilhej-backend-prod:8080  │
+└─────────────┬───────────────────────┘
+              │
+┌─────────────▼───────────────────────┐
+│  bilhej-backend-prod (Spring Boot)  │
+│  :8080                              │
+└─────────────┬───────────────────────┘
+              │
+┌─────────────▼───────────────────────┐
+│  bilhej-postgres-prod (PostgreSQL)  │
+│  :5432                              │
+└─────────────────────────────────────┘
+```
+
+### Rollback
+
+To rollback to a previous version:
+
+```bash
+# On srvr.nu
+cd /path/to/bilhej/repo
+git fetch --tags
+git checkout v0.1.0   # or any previous tag
+docker compose -f docker-compose.prod.yml up --build -d
+```
+
+---
+
 ## Development
 
 ### All-in-one (from repo root)