chore: initial project scaffold with admin web, backend, desktop client, and deployment setup

Add monorepo structure for NexaVPN WireGuard control plane including:
- .gitignore for node_modules, build artifacts, and environment files
- README with project overview, monorepo layout, and quick start guide
- Admin web UI with React, Vite, TypeScript, and nginx reverse proxy
- API client with type definitions for users, devices, policies, gateways, and audit logs
- Admin pages for dashboard, users, devices, policies, g

docs/deployment.md

@@ -0,0 +1,60 @@
+# Deployment Layout
+
+## Services
+
+- `postgres`
+  - primary relational database
+- `backend`
+  - Go API and migration runner
+- `admin-web`
+  - static React admin UI served by nginx
+- `gateway`
+  - WireGuard plus nftables helper container or host-managed service
+- `reverse-proxy`
+  - TLS termination and routing
+
+## Docker Compose Networks
+
+- `control`
+  - backend, postgres, admin-web, reverse-proxy
+- `gateway`
+  - backend and gateway helper communication
+
+## Volume Layout
+
+- postgres data volume
+- backend local state volume for dev logs if needed
+- gateway config volume for rendered peer sync
+
+## Bootstrap
+
+1. Start PostgreSQL.
+2. Run migrations.
+3. Start the backend.
+4. Seed roles, settings, and the initial admin user.
+5. Start the admin UI and reverse proxy.
+6. Register the first gateway.
+
+## Example Commands
+
+```bash
+cd deploy
+cp .env.example .env
+docker compose up -d postgres
+docker compose up -d backend admin-web reverse-proxy
+```
+
+For SQL bootstrap during early MVP testing:
+
+```bash
+psql "$DATABASE_URL" -f backend/migrations/000001_init.sql
+psql "$DATABASE_URL" -f backend/seed/001_seed.sql
+```
+
+## Production Notes
+
+- Terminate TLS at nginx or another reverse proxy.
+- Restrict backend and database exposure to private networks.
+- Run the gateway with the privileges required for WireGuard and nftables.
+- Replace example secrets before deployment.
+- Use an external secret manager when available.