(feature) Add staff updater page

Add a Django updater view for checking configured Gitea releases, inspecting
the installed git checkout, fetching tags, pulling the current branch, and
running the configured native systemd update command.

Document the updater environment settings and keep the page staff-only so
readonly status users cannot trigger deployment actions.
2026-05-28 22:10:45 +02:00
parent b4833560b5
commit 0450f8bdb0
11 changed files with 516 additions and 0 deletions

@@ -158,6 +158,7 @@ The UI includes:
- Django-managed SSH keys
- `/self-check/` for runtime checks
- `/logs/` for filtered pobsync service logs
- `/updater/` for checking Gitea releases, pulling the git checkout, and running the native updater
## Bandwidth Limits
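Review bot: the new `/updater/` bullet in the UI list does not mention that the page is staff-only, even though the commit message and the later updater section both rely on that restriction to keep readonly status users away from deployment actions. Consider stating it in the bullet itself, for example "`/updater/` (staff only) for checking Gitea releases, ...", so the access requirement is visible where operators first see the page listed.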
@@ -243,6 +244,21 @@ The updater is a thin wrapper around the installer for normal production deploys
Python dependencies, runs migrations, collects static files, and restarts the systemd services so new Django code is
loaded.
The Django control panel also exposes an `/updater/` page for staff users. It can check a Gitea releases endpoint, run
`git fetch`, run a fast-forward-only pull for the installed branch, and invoke the configured native update command.
Configure these optional environment variables in `/etc/pobsync/pobsync.env`:
```
POBSYNC_UPDATE_RELEASES_URL=https://code.example.test/api/v1/repos/owner/pobsync/releases
POBSYNC_UPDATE_RELEASES_TOKEN=
POBSYNC_UPDATE_GIT_REMOTE=origin
POBSYNC_UPDATE_COMMAND=sudo -n scripts/update-systemd
```
If the web service runs as the `pobsync` user, `POBSYNC_UPDATE_COMMAND` needs a matching sudoers rule or a different
operator-approved command. Without that, the page still shows update status and command output, but the native update
action will fail with a permission error instead of silently doing the wrong thing.
Use the full installer again when you intentionally want to change install-time settings, install OS packages, enable
nginx, or rewrite the environment file:
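Review bot: the `POBSYNC_UPDATE_COMMAND=sudo -n scripts/update-systemd` example points sudo at a relative path inside the git checkout, and the same page runs `git fetch` and a fast-forward pull on that checkout, so the account running the web service presumably can write the script it is then allowed to run with elevated rights. The paragraph says a "matching sudoers rule" is needed but does not show one or say how narrow it should be. Suggest documenting an absolute path, a sudoers entry limited to that exact command with no additional arguments, and either a root-owned copy of the script outside the checkout or an explicit statement that staff access to `/updater/` is equivalent to root on the host. It would also help to say which working directory the command runs from, since the relative path depends on it, and to note the expected ownership and mode of `/etc/pobsync/pobsync.env` now that it can hold `POBSYNC_UPDATE_RELEASES_TOKEN`.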