feat(security): add trusted proxies and abuse event cleanup

- Add `WARPBOX_TRUSTED_PROXIES` configuration to restrict accepted forwarded client IP headers to specific proxy IPs/CIDRs, securing client IP resolution.
- Integrate `BanService` into the background cleanup job to automatically purge expired abuse and ban evidence events.
- Update documentation with reverse proxy security guidelines and a production systemd deployment guide.

backend/libs/httpserver/server.go

@@ -32,8 +32,13 @@ func New(cfg config.Config, logger *slog.Logger) (*http.Server, error) {
 		uploadService.Close()
 		return nil, err
 	}
-	stopJobs := jobs.StartAll(cfg, logger, uploadService)
-	app := handlers.NewApp(cfg, logger, renderer, uploadService, authService, settingsService)
+	banService, err := services.NewBanService(uploadService.DB())
+	if err != nil {
+		uploadService.Close()
+		return nil, err
+	}
+	stopJobs := jobs.StartAll(cfg, logger, uploadService, banService)
+	app := handlers.NewApp(cfg, logger, renderer, uploadService, authService, settingsService, banService)
 
 	router := http.NewServeMux()
 	app.RegisterRoutes(router)
@@ -45,6 +50,7 @@ func New(cfg config.Config, logger *slog.Logger) (*http.Server, error) {
 		middleware.SecurityHeaders,
 		middleware.Gzip,
 		middleware.Logger(logger),
+		middleware.Bans(logger, banService, cfg.TrustedProxies),
 	)
 
 	server := &http.Server{