CI/CD: webhook receiver + deploy automatico su push

- deploy.sh: git pull, pip install, migrate, collectstatic, restart gunicorn
- webhook_receiver.py: HTTP server con verifica HMAC-SHA256 Gitea
- olimpic-nastri-webhook.service: systemd unit per il receiver
- Nginx: aggiunto proxy /webhook/deploy → porta 9000
- sudoers: restart gunicorn senza password per deploy automatico

diario.olimpic.click.nginx

@@ -26,6 +26,13 @@ server {
         alias /home/marco/olimpic_nastri/media/;
     }
 
+    location /webhook/deploy {
+        proxy_pass http://127.0.0.1:9000/deploy;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+
     location / {
         proxy_pass http://unix:/run/olimpic_nastri/gunicorn.sock;
         proxy_set_header Host $host;