feat(system): add systemd service and installation script

- Add gitks systemd service unit file with security sandboxing
- Create environment configuration template for gitks service
- Add logrotate configuration for gitks application logs
- Implement installation script with service user creation
- Set up proper directory permissions and file ownership
- Configure automatic service startup and systemd integration

etc/systemd/gitks.service

@@ -0,0 +1,59 @@
+[Unit]
+Description=GitKS - gRPC Git Bare Repository Operations Service
+Documentation=https://github.com/example/gitks
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=gitks
+Group=gitks
+
+# Environment
+EnvironmentFile=/etc/gitks/gitks.env
+
+# Runtime directories
+RuntimeDirectory=gitks
+StateDirectory=gitks
+WorkingDirectory=/var/lib/gitks
+
+# Executable (assumes installed to /usr/local/bin/gitks)
+ExecStart=/usr/local/bin/gitks
+
+# Restart policy
+Restart=on-failure
+RestartSec=5s
+
+# Graceful shutdown — send SIGTERM, wait, then SIGKILL
+KillMode=mixed
+KillSignal=SIGTERM
+TimeoutStopSec=30s
+
+# Sandbox hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths=/var/lib/gitks /data/repos
+ReadOnlyPaths=/etc/gitks
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=no
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+# Logging to journald
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=gitks
+
+# Limit file descriptors (git may open many files)
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target