docker: BuildKit cache + CGO LTO optimization

Add persistent cache mounts for the Go module cache, Go build cache,
and apt so only changed packages are re-downloaded or recompiled on
subsequent builds.

CGO LTO is injected via `make LIBFIDO2_LDFLAGS=...` rather than ENV
because the Makefile sets CGO_LDFLAGS inline in go-build-finalize,
clobbering any inherited environment variable. Binary stripping is done
with strip --strip-all post-build since the Makefile owns the -ldflags
chain and cannot be extended without losing the -X version constants.

deb/Dockerfile

@@ -31,13 +31,17 @@ RUN apt-get update \
          dtach)  apt-get install -y --no-install-recommends dtach  ;; \
          abduco) apt-get install -y --no-install-recommends abduco ;; \
          reptyr) apt-get install -y --no-install-recommends reptyr ;; \
-         *) echo "Unsupported PTY_TOOL: ${PTY_TOOL}. Supported values are: dtach, abduco, reptyr." >&2; exit 1 ;; \
+         *) echo "Unsupported PTY_TOOL: ${PTY_TOOL}. Supported: dtach, abduco, reptyr." >&2 ; exit 1 ;; \
        esac \
     && chmod +x /protonmail/entrypoint.sh \
     && rm -rf /var/lib/apt/lists/*
 
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 --start-period=120s \
-  CMD /bin/bash -c "true < /dev/tcp/localhost/25 && true < /dev/tcp/localhost/143 && true < /dev/tcp/localhost/1025 && true < /dev/tcp/localhost/1143"
+  CMD /bin/bash -c \
+      "true < /dev/tcp/localhost/25 \
+    && true < /dev/tcp/localhost/143 \
+    && true < /dev/tcp/localhost/1025 \
+    && true < /dev/tcp/localhost/1143"
 
 ENTRYPOINT ["/protonmail/entrypoint.sh"]
 CMD ["run"]