fix(deploy): split ingress to oolon, expose api on nikola interface

The per-site nginx ingress for rob.tn lives on oolon (the host the
external router forwards 443 traffic to), not on nikola. Adjust the
topology so:

- web (static ui + nginx) → oolon.hanzalova.internal
- api binds 0.0.0.0:42424 on nikola.kosherinata.internal so oolon
  can reverse-proxy across the WG mesh
- new firewalld service moments-api opens 42424 in the default zone
  on nikola
- oolon labels port 42424 http_port_t so httpd_t may name_connect
  outbound to it (httpd_can_network_connect was already set)
- nginx ssl_certificate switched to oolon's host cert; upstream
  rewritten to nikola.kosherinata.internal:42424

Plaintext between oolon and nikola for now — the WG mesh provides
the encryption layer and the data is already public. Documented
the deferral so a future move to per-hop mTLS is obvious.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

asset/manifest.yml

@@ -5,7 +5,10 @@ environments:
       api:
         hosts: [nikola.kosherinata.internal]
         config:
-          bind: 127.0.0.1:42424
+          # Reachable across the WG mesh from oolon (the per-site nginx
+          # ingress for rob.tn). Firewalld restricts ingress; see
+          # asset/firewalld/moments-api.xml.
+          bind: 0.0.0.0:42424
           db_role: moments_ro
           db_host: magrathea.kosherinata.internal
           db_port: 5432
@@ -29,8 +32,8 @@ environments:
           GITHUB_TOKEN: github.com/grenade/admin-token
           # GITEA_TOKEN, BUGZILLA_API_KEY: optional, omit unless required.
       web:
-        hosts: [nikola.kosherinata.internal]
+        hosts: [oolon.hanzalova.internal]
         config:
           server_name: rob.tn
           root: /var/www/moments
-          api_upstream: http://127.0.0.1:42424
+          api_upstream: http://nikola.kosherinata.internal:42424