deploy: support runtime env files

docs/debian-runtime.md

@@ -94,6 +94,19 @@ systemctl restart metin-server
 journalctl -u metin-auth.service -n 100 --no-pager
 ```
 
+Install or refresh the systemd stack with a host-local env file:
+
+```bash
+python3 deploy/systemd/install_systemd.py \
+  --user mt2.jakubkadlec.dev \
+  --group mt2.jakubkadlec.dev \
+  --runtime-root /home/mt2.jakubkadlec.dev/metin/runtime/server \
+  --env-file /etc/metin/metin.env \
+  --channel 1 \
+  --channel 99 \
+  --restart
+```
+
 Rebuild the login smoke utility:
 
 ```bash
@@ -109,6 +122,8 @@ Current operational stance:
 - password SSH login is disabled
 - `root` login is allowed only by SSH key
 - production helper scripts that touch the DB directly are root-only
-- runtime repo and source repo do not store secrets
+- git-tracked runtime configs are treated as bootstrap defaults, not as the final secret source of truth
 
 Do not store production secrets in markdown, `systemd` templates, or git-tracked shell scripts.
+
+For production overrides, prefer `/etc/metin/metin.env` with `root:root` ownership and mode `0600`.