fix: use musl static linking to eliminate glibc version dependency

Build hiy-server targeting aarch64-unknown-linux-musl so the binary
has no glibc dependency at all, making the runtime image irrelevant
to glibc version mismatches. Uses rustls (already in Cargo.toml) so
no OpenSSL vendoring needed. SQLite is bundled by sqlx.

infra/Dockerfile.server

@@ -1,22 +1,25 @@
 # ── Build stage ───────────────────────────────────────────────────────────────
-FROM rust:1.94-slim-bookworm AS builder
-
-WORKDIR /build
+FROM rust:1.84-slim-bookworm AS builder
 
 RUN apt-get update && apt-get install -y \
-    pkg-config libssl-dev \
+    pkg-config \
+    musl-tools \
     && rm -rf /var/lib/apt/lists/*
 
+RUN rustup target add aarch64-unknown-linux-musl
+
+WORKDIR /build
+
 # Cache dependencies separately from source.
 COPY Cargo.toml Cargo.lock* ./
 COPY server/Cargo.toml ./server/
 RUN mkdir -p server/src && echo 'fn main(){}' > server/src/main.rs
-RUN cargo build --release -p hiy-server 2>/dev/null || true
+RUN cargo build --release --target aarch64-unknown-linux-musl -p hiy-server 2>/dev/null || true
 RUN rm -f server/src/main.rs
 
 # Build actual source.
 COPY server/src ./server/src
-RUN touch server/src/main.rs && cargo build --release -p hiy-server
+RUN touch server/src/main.rs && cargo build --release --target aarch64-unknown-linux-musl -p hiy-server
 
 # ── Runtime stage ─────────────────────────────────────────────────────────────
 FROM debian:bookworm-slim
@@ -31,7 +34,7 @@ RUN apt-get update && apt-get install -y \
     docker.io \
     && rm -rf /var/lib/apt/lists/*
 
-COPY --from=builder /build/target/release/hiy-server /usr/local/bin/hiy-server
+COPY --from=builder /build/target/aarch64-unknown-linux-musl/release/hiy-server /usr/local/bin/hiy-server
 
 WORKDIR /app