fix(deploy): split ingress to oolon, expose api on nikola interface

The per-site nginx ingress for rob.tn lives on oolon (the host the
external router forwards 443 traffic to), not on nikola. Adjust the
topology so:

- web (static ui + nginx) → oolon.hanzalova.internal
- api binds 0.0.0.0:42424 on nikola.kosherinata.internal so oolon
  can reverse-proxy across the WG mesh
- new firewalld service moments-api opens 42424 in the default zone
  on nikola
- oolon labels port 42424 http_port_t so httpd_t may name_connect
  outbound to it (httpd_can_network_connect was already set)
- nginx ssl_certificate switched to oolon's host cert; upstream
  rewritten to nikola.kosherinata.internal:42424

Plaintext between oolon and nikola for now — the WG mesh provides
the encryption layer and the data is already public. Documented
the deferral so a future move to per-hop mTLS is obvious.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

script/deploy.sh

@@ -121,7 +121,7 @@ deploy_api() {
     stage="$(mktemp -d)"
     trap "rm -rf '$stage'" RETURN
 
-    install -d "$stage/etc/moments" "$stage/etc/systemd/system" "$stage/etc/sysusers.d" "$stage/usr/local/bin"
+    install -d "$stage/etc/moments" "$stage/etc/systemd/system" "$stage/etc/sysusers.d" "$stage/etc/firewalld/services" "$stage/usr/local/bin"
 
     # Render env file with hostname substitution.
     sed "s|{{HOSTNAME}}|${fqdn}|g" "${repo_root}/asset/config/api.env.tmpl" \
@@ -133,6 +133,7 @@ deploy_api() {
     install -m 0644 "${repo_root}/asset/systemd/moments-api.service"             "$stage/etc/systemd/system/"
     install -m 0644 "${repo_root}/asset/systemd/moments-api-cert-reload.service" "$stage/etc/systemd/system/"
     install -m 0644 "${repo_root}/asset/systemd/moments.sysusers.conf"           "$stage/etc/sysusers.d/moments.conf"
+    install -m 0644 "${repo_root}/asset/firewalld/moments-api.xml"               "$stage/etc/firewalld/services/moments-api.xml"
     install -m 0755 "${repo_root}/target/release/moments-api"                    "$stage/usr/local/bin/moments-api"
 
     # Permissions on the rendered env: root-owned, moments group readable.
@@ -159,13 +160,21 @@ chmod 0640        /etc/moments/api.env
 # the postgres mTLS connection.
 setfacl -m u:moments:r "/etc/pki/tls/private/${fqdn}.pem" || true
 
-# Label loopback API port. Idempotent — the -m flag turns "already labelled"
+# Label the API port. Idempotent — the -m fallback turns "already labelled"
 # into a no-op.
 if ! semanage port -l | awk '{print $1, $3}' | grep -qE "^http_port_t .*42424"; then
     semanage port -a -t http_port_t -p tcp 42424 || \
     semanage port -m -t http_port_t -p tcp 42424
 fi
 
+# Firewalld: install the named service and enable it in the default zone.
+firewall-cmd --reload
+zone="$(firewall-cmd --get-default-zone)"
+if ! firewall-cmd --zone="$zone" --query-service=moments-api >/dev/null 2>&1; then
+    firewall-cmd --permanent --zone="$zone" --add-service=moments-api
+    firewall-cmd            --zone="$zone" --add-service=moments-api
+fi
+
 restorecon -Rv /usr/local/bin/moments-api /etc/moments /var/lib/moments
 
 systemctl daemon-reload
@@ -173,9 +182,10 @@ systemctl enable --now moments-api-cert.path
 systemctl enable --now moments-api.service
 systemctl restart    moments-api.service
 
-# Health probe.
+# Health probe — hit the bound interface, not loopback, so we exercise the
+# same path nginx will use from oolon.
 for i in 1 2 3 4 5 6 7 8 9 10; do
-    if curl -fsS http://127.0.0.1:42424/v1/healthz >/dev/null; then
+    if curl -fsS "http://${fqdn}:42424/v1/healthz" >/dev/null; then
         echo "moments-api healthy"
         exit 0
     fi
@@ -291,9 +301,16 @@ deploy_web() {
     ssh_run "$host" "sudo bash -s" <<'REMOTE_EOF'
 set -euo pipefail
 
-# Allow nginx to talk upstream to the loopback API socket.
+# Allow nginx to make outbound connections to the moments-api upstream
+# across the WG mesh.
 setsebool -P httpd_can_network_connect on
 
+# Label the upstream port so httpd_t may name_connect to it.
+if ! semanage port -l | awk '{print $1, $3}' | grep -qE "^http_port_t .*42424"; then
+    semanage port -a -t http_port_t -p tcp 42424 || \
+    semanage port -m -t http_port_t -p tcp 42424
+fi
+
 restorecon -Rv /var/www/moments /etc/nginx/conf.d/rob.tn.conf
 
 if ! nginx -t; then