feat: initial setup for PVE security scanner VM

Scripts for deploying a hardened internal network security scanner on Proxmox VE:
- PVE-level firewall and VM creation
- System hardening (sysctl, auditd, AIDE)
- nftables firewall with dynamic IP blocking
- SSH hardening with fail2ban
- Security tools (OpenVAS, Nmap, Nuclei, httpx, Nikto, testssl, NetExec)
- Monitoring, logging, and Docker autostart

README.md

@@ -0,0 +1,32 @@
+# PVE Security Scanner
+
+Internal network security scanning VM for Proxmox VE.
+
+## Structure
+
+```
+pve-security-scanner/
+├── pve/                    # Proxmox host-level config
+│   ├── create-vm.sh        # One-click VM creation
+│   └── firewall.sh         # PVE firewall rules
+├── vm/                     # VM internal config
+│   ├── 01-system-harden.sh # OS hardening
+│   ├── 02-firewall.sh      # nftables firewall
+│   ├── 03-ssh-harden.sh    # SSH hardening
+│   ├── 04-install-tools.sh # Security tools
+│   └── 05-monitoring.sh    # Logging and monitoring
+└── README.md
+```
+
+## Deployment
+
+1. On PVE host: run `pve/create-vm.sh` to create the VM
+2. On PVE host: run `pve/firewall.sh` to apply PVE-level firewall
+3. SSH into VM, run scripts in `vm/` directory in order (01 -> 05)
+
+## Network Design
+
+- Scanner VM sits on the management VLAN / main bridge
+- Allowed to reach all internal subnets for scanning
+- Outbound internet restricted (only for vuln DB updates)
+- Inbound restricted to SSH + Web UI from admin IPs only