fix(deploy): split ingress to oolon, expose api on nikola interface

The per-site nginx ingress for rob.tn lives on oolon (the host the
external router forwards 443 traffic to), not on nikola. Adjust the
topology so:

- web (static ui + nginx) → oolon.hanzalova.internal
- api binds 0.0.0.0:42424 on nikola.kosherinata.internal so oolon
  can reverse-proxy across the WG mesh
- new firewalld service moments-api opens 42424 in the default zone
  on nikola
- oolon labels port 42424 http_port_t so httpd_t may name_connect
  outbound to it (httpd_can_network_connect was already set)
- nginx ssl_certificate switched to oolon's host cert; upstream
  rewritten to nikola.kosherinata.internal:42424

Plaintext between oolon and nikola for now — the WG mesh provides
the encryption layer and the data is already public. Documented
the deferral so a future move to per-hop mTLS is obvious.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

asset/config/api.env.tmpl

@@ -4,6 +4,6 @@
 JOURNAL_STREAM=1
 RUST_LOG=info,sqlx=warn,tower_http=info
 
-BIND_ADDR=127.0.0.1:42424
+BIND_ADDR=0.0.0.0:42424
 
 DATABASE_URL=postgres://moments_ro@magrathea.kosherinata.internal:5432/moments?sslmode=verify-full&sslrootcert=/etc/pki/ca-trust/source/anchors/root-internal.pem&sslcert=/etc/pki/tls/misc/{{HOSTNAME}}.pem&sslkey=/etc/pki/tls/private/{{HOSTNAME}}.pem

asset/firewalld/moments-api.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>moments-api</short>
+  <description>moments read-only HTTP API. Reverse-proxied by nginx on oolon (the per-site rob.tn ingress) across the WG mesh; the data is the public timeline already exposed at rob.tn, so no source-IP restriction is currently applied. Add a &lt;source/&gt; element here if defence-in-depth scoping to oolon's WG IP becomes desirable.</description>
+  <port protocol="tcp" port="42424"/>
+</service>

asset/manifest.yml

@@ -5,7 +5,10 @@ environments:
       api:
         hosts: [nikola.kosherinata.internal]
         config:
-          bind: 127.0.0.1:42424
+          # Reachable across the WG mesh from oolon (the per-site nginx
+          # ingress for rob.tn). Firewalld restricts ingress; see
+          # asset/firewalld/moments-api.xml.
+          bind: 0.0.0.0:42424
           db_role: moments_ro
           db_host: magrathea.kosherinata.internal
           db_port: 5432
@@ -29,8 +32,8 @@ environments:
           GITHUB_TOKEN: github.com/grenade/admin-token
           # GITEA_TOKEN, BUGZILLA_API_KEY: optional, omit unless required.
       web:
-        hosts: [nikola.kosherinata.internal]
+        hosts: [oolon.hanzalova.internal]
         config:
           server_name: rob.tn
           root: /var/www/moments
-          api_upstream: http://127.0.0.1:42424
+          api_upstream: http://nikola.kosherinata.internal:42424

asset/nginx/rob.tn.conf

@@ -1,12 +1,14 @@
 # /etc/nginx/conf.d/rob.tn.conf — rob.tn site config for moments.
 #
-# Static frontend out of /var/www/moments; /api/* reverse-proxied to the
-# moments-api binary on loopback. The UI fetches /api/v1/... so the strip
-# matches what Vite's dev proxy does (drop the /api prefix before sending
-# to axum, whose routes are mounted at /v1/*).
+# Lives on oolon (the per-site nginx ingress that terminates rob.tn 443
+# traffic). Static frontend out of /var/www/moments; /api/* reverse-
+# proxied across the WG mesh to the moments-api binary on nikola. The
+# UI fetches /api/v1/... so the strip matches what Vite's dev proxy
+# does (drop the /api prefix before sending to axum, whose routes are
+# mounted at /v1/*).
 
 upstream moments_api {
-    server 127.0.0.1:42424 max_fails=3 fail_timeout=30s;
+    server nikola.kosherinata.internal:42424 max_fails=3 fail_timeout=30s;
     keepalive 8;
 }
 
@@ -15,8 +17,8 @@ server {
     listen [::]:443 ssl http2;
     server_name rob.tn;
 
-    ssl_certificate     /etc/pki/tls/misc/nikola.kosherinata.internal.pem;
-    ssl_certificate_key /etc/pki/tls/private/nikola.kosherinata.internal.pem;
+    ssl_certificate     /etc/pki/tls/misc/oolon.hanzalova.internal.pem;
+    ssl_certificate_key /etc/pki/tls/private/oolon.hanzalova.internal.pem;
 
     # Public forge — visitors are not on the internal mTLS mesh, so no
     # client-cert verification here. The X25519MLKEM768 default falls