systemd: redirect HOME / XDG dirs into project so ProtectHome stays on

ezdxf, matplotlib, and other Python libs try to write into $HOME/.config
and $HOME/.cache. With ProtectHome=true the real /home/busbar is invisible
to the service and pathlib.Path.exists() throws PermissionError.

Fix: set HOME, XDG_CONFIG_HOME, XDG_CACHE_HOME to /opt/busbar-designer/data/*
which is already in ReadWritePaths. Hardening (ProtectHome) stays intact.

install.sh also pre-creates the .config / .cache subdirs.

deploy/busbar-designer.service

@@ -23,6 +23,11 @@ Environment=HOST=0.0.0.0
 Environment=PORT=5000
 Environment=FLASK_DEBUG=0
 Environment=PATH=/opt/busbar-designer/.venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+; HOME points inside the project so ezdxf / matplotlib / build123d can write
+; their config + cache while ProtectHome=true still hides the real /home.
+Environment=HOME=/opt/busbar-designer/data
+Environment=XDG_CONFIG_HOME=/opt/busbar-designer/data/.config
+Environment=XDG_CACHE_HOME=/opt/busbar-designer/data/.cache
 ExecStart=/opt/busbar-designer/.venv/bin/gunicorn --bind=0.0.0.0:5000 --workers=2 --threads=2 --timeout=120 app:app
 Restart=on-failure
 RestartSec=5

deploy/install.sh

@@ -88,8 +88,11 @@ sudo -u "$SVC_USER" "$INSTALL_DIR/.venv/bin/pip" install --upgrade pip
 sudo -u "$SVC_USER" "$INSTALL_DIR/.venv/bin/pip" install \
     -r "$INSTALL_DIR/requirements.txt" gunicorn
 
-# ---- data dir (for SQLite) -------------------------------------------------
-sudo -u "$SVC_USER" mkdir -p "$INSTALL_DIR/data"
+# ---- data + XDG dirs (for SQLite, ezdxf config, build123d cache) -----------
+sudo -u "$SVC_USER" mkdir -p \
+    "$INSTALL_DIR/data" \
+    "$INSTALL_DIR/data/.config" \
+    "$INSTALL_DIR/data/.cache"
 
 # ---- systemd unit ----------------------------------------------------------
 log "Installing systemd unit..."