~angdraug/barley

Mastodon 4.0.2

New image for Mastodon 4.0.2 based on upstream Dockerfile. Tweaks:
- Debian packages for ruby3.0 and yarnpkg, symlink to binary names
  expected by Mastodon (ruby, yarn)
- NODE_OPTIONS=--openssl-legacy-provider to bypass OpenSSL 3.0 limit on
  weak algorithms

No systemd services for Mastodon.

Update Cargo.lock
Document --network-bridge=br0 in local network setup
Dependencies update: version-compare 0.1, zstd, systemd
Update known_hosts on client when starting a Sower

When starting a Sower container with --ca, sow will wait for the
container to come up, fetch /var/lib/barley/ca.pub from it, and add it
as a certificate authority to ~/.ssh/known_hosts.
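The known_hosts step described above, as an added example that is not Barley's own code: append the Sower CA public key as an `@cert-authority` entry for the `seed-*` host pattern, and do so idempotently so that restarting a Sower does not pile up duplicate lines. The CA key is assumed to be in OpenSSH public-key format (one line: type, base64 blob, optional comment), the host pattern is taken from the `Host=seed-*` stanza mentioned in this log, and the `barley-field-ca` comment is my own label.

```shell
#!/bin/sh
# Added example, not from the Barley project. Adds an OpenSSH certificate
# authority line to a known_hosts file without creating duplicates.

# add_cert_authority KNOWN_HOSTS PATTERN CA_PUB_FILE
#   Appends "@cert-authority PATTERN <type> <key>" unless an entry with the
#   same pattern and key already exists. Returns 1 on a malformed CA key.
add_cert_authority() {
    known_hosts=$1
    pattern=$2
    ca_pub=$3
    # Use only the key type and key material; the comment field may differ
    # between exports of the same key and must not affect matching.
    keytype=$(awk 'NR==1 {print $1}' "$ca_pub")
    keydata=$(awk 'NR==1 {print $2}' "$ca_pub")
    if [ -z "$keytype" ] || [ -z "$keydata" ]; then
        echo "add_cert_authority: $ca_pub is not an OpenSSH public key" >&2
        return 1
    fi
    mkdir -p "$(dirname "$known_hosts")"
    touch "$known_hosts"
    chmod 600 "$known_hosts"
    # Exact-field match so that a partially overlapping key blob cannot
    # suppress the insert.
    if awk -v p="$pattern" -v t="$keytype" -v k="$keydata" \
        '$1=="@cert-authority" && $2==p && $3==t && $4==k {found=1} END {exit found?0:1}' \
        "$known_hosts"; then
        return 0
    fi
    printf '@cert-authority %s %s %s barley-field-ca\n' "$pattern" "$keytype" "$keydata" >> "$known_hosts"
}

# count_cert_authorities KNOWN_HOSTS PATTERN
#   Prints the number of @cert-authority lines for PATTERN (0 if none).
count_cert_authorities() {
    awk -v p="$2" '$1=="@cert-authority" && $2==p {n++} END {print n+0}' "$1" 2>/dev/null
}

# Usage (after fetching ca.pub from the Sower container):
#   add_cert_authority "$HOME/.ssh/known_hosts" 'seed-*' ca.pub
```

The pattern field is matched verbatim by awk, so `seed-*` is compared as a literal string and not treated as a glob during the duplicate check; OpenSSH itself interprets it as a host pattern when verifying a Seed's certificate.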

Check for br0 when starting a local machine
Add Host=seed-* stanza to ~/.ssh/config
Provision authorized_keys to Seeds from Sower

Instead of baking authorized_keys into the Seed initramfs image, send it
to the Seed along with other certificates when Seeds register with
Sower. The SSH public key to be used as the admin key is specified when
a new field is created, and defaults to ~/.ssh/id_ed25519.pub.

Compress Seed initramfs with zstd

Compressed initramfs cpio size reduced by 7.3% (173M -> 160M), time to
unpack reduced by 44% (1.91s -> 1.07s).

CLI to manage images, certs, Sowers, and fields

This is the second step towards mTLS between Sower and Seeds.

New "sow" CLI tool imports Barley container images, generates and signs
TLS and SSH certificates, starts Sower containers, and manages fields.

A Barley field is a single security domain for Sowers, Seeds, and
containers that all trust the same root CA. Every new Sower container
gets a new passwordless CA key signed by the field's root CA. The CLI
stores keys, certs, and imported images under ~/.barley. TLS certificate
operations rely on GnuTLS certtool.

When a Seed registers with a Sower, in addition to the signed SSH host
key it will also receive a signed TLS certificate and the root CA
certificate.

Seed image now includes jq to parse JSON responses from Sower, and zstd
to locally decompress tar.zst container images sent by the "sow start"
command.

Makefile housekeeping: it is now the Packer script's responsibility to
remove the container chroot after generating a tar.zst image; the make
clean target removes tar.zst images and Rust binaries.

Populate /etc/default/locale

minbase doesn't include the locales package, but some programs on Debian
expect /etc/default/locale to exist and to set LANG.

Generate TLS keys for Sower and Seeds

This is the first step in enabling mTLS auth between Sower and Seeds.

Barley-specific scripts and services renamed to follow barley-* pattern
for consistency and to avoid name conflicts (ssh-host-key is already
prefixed with the relevant service name and wasn't renamed).

On Sower and Seed:
- install gnutls-bin
- change /var/lib/barley ownership from www-data to barley
- generate private TLS key in /var/lib/barley/machine.key

On Seed:
- generate and submit CSR (cn=seed-*) when registering with Sower
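The Seed-side key and CSR generation described in this commit, together with the Sower-side signing step from the "CLI to manage images, certs, Sowers, and fields" commit above, as an added example that is not the Barley project's code. It uses GnuTLS certtool with template files, since the log says certificate operations rely on certtool; the template keys, file layout (`machine.key`, `machine.csr`), validity period and the Sower CA paths are my assumptions, not Barley's.

```shell
#!/bin/sh
# Added example, not from the Barley project. Seed: generate a private key
# and a CSR with cn=seed-<id>. Sower: sign the CSR with the field's
# (intermediate) CA. Template contents and paths are assumptions.

# seed_csr_template HOSTNAME
#   Prints a certtool template for the Seed's CSR. The Seed asks only for
#   client/server TLS usage; it must never request CA capability.
seed_csr_template() {
    cat <<EOF
cn = "$1"
dns_name = "$1"
tls_www_client
tls_www_server
signing_key
encryption_key
EOF
}

# sower_sign_template DAYS
#   Prints the template used when issuing the Seed certificate. The DN is
#   taken from the request; extensions and validity come from this template,
#   so the CA flag is deliberately absent here as well.
sower_sign_template() {
    cat <<EOF
expiration_days = $1
tls_www_client
tls_www_server
signing_key
encryption_key
EOF
}

# generate_seed_key_and_csr HOSTNAME DIR
#   Creates DIR/machine.key (0600, never sent anywhere) and DIR/machine.csr.
#   Requires gnutls-bin (certtool) on the Seed.
generate_seed_key_and_csr() {
    host=$1
    dir=$2
    mkdir -p "$dir"
    umask 077
    if [ ! -f "$dir/machine.key" ]; then
        certtool --generate-privkey --outfile "$dir/machine.key"
    fi
    seed_csr_template "$host" > "$dir/csr.cfg"
    certtool --generate-request \
        --load-privkey "$dir/machine.key" \
        --template "$dir/csr.cfg" \
        --outfile "$dir/machine.csr"
}

# sower_sign_csr CSR_FILE CA_CERT CA_KEY OUT_CERT
#   Issues a certificate for a registered Seed. CA_KEY is the Sower's
#   passwordless CA key signed by the field root CA (placeholder paths).
sower_sign_csr() {
    csr=$1
    ca_cert=$2
    ca_key=$3
    out=$4
    tmpl=$(mktemp)
    sower_sign_template 365 > "$tmpl"
    certtool --generate-certificate \
        --load-request "$csr" \
        --load-ca-certificate "$ca_cert" \
        --load-ca-privkey "$ca_key" \
        --template "$tmpl" \
        --outfile "$out"
    rm -f "$tmpl"
}

# Usage on a Seed:   generate_seed_key_and_csr seed-01 /var/lib/barley
# Usage on a Sower:  sower_sign_csr seed-01.csr /PLACEHOLDER/ca.crt /PLACEHOLDER/ca.key seed-01.crt
```

The Seed should then receive `seed-01.crt` and the root CA certificate, while the private key stays in `/var/lib/barley/machine.key`; on the Sower side, checking that the CSR's CN matches the registering host's expected `seed-*` name before signing is the step that prevents one Seed from obtaining a certificate for another.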

Preserve file ownership in Seed initramfs
CryptPad: clean npm and bower cache
Update CryptPad to 4.3.1

Switching from fork back to upstream: pass-archivepath fixes were merged
in CryptPad 4.3.0.

Update Cargo.lock
Update CryptPad to 4.0
Strip comments from cryptpad.config.js
Disable IPv6 on Seed hosts

Only containers running edge services (e.g. Envoy or Nginx) should have
global IPv6 addresses.

A Seed host has privileged access to all containers running on it. Access
to Seed hosts is a sensitive security surface that should not be
unnecessarily exposed to additional attack vectors. A globally routable
IPv6 address is not necessary when Seeds are managed from the local network.

IPv6 also adds up to 5s to network initialization:
https://github.com/systemd/systemd/issues/16547#issuecomment-709535575

Wipe file system signatures on created LVM volumes

Even with "-Wy", "-qq" makes lvcreate assume "no" to the confirmation
question about wiping file system signatures; forcing "yes" to all
questions is the only way to wipe signatures non-interactively.

Also pass "-q" to mkfs to hide stats about created file systems.