chore(deploy): strip infra commentary from asset/ config files

These ship in a public repo; topology narration in nginx, systemd,
firewalld, and env templates is gratuitous. Keep the config terse —
directives speak for themselves.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

asset/systemd/moments-api-cert.path

@@ -1,11 +1,7 @@
 [Unit]
 Description=Watch host cert for moments-api
-Documentation=https://git.lair.cafe/grenade/architecture
 
 [Path]
-# Hostname is substituted at deploy time. step-ca rotates host certs every
-# 24h; rustls reads them at process start, so the API must restart on
-# rotation. Read-only public timeline — a few seconds of churn is fine.
 PathChanged=/etc/pki/tls/misc/{{HOSTNAME}}.pem
 Unit=moments-api-cert-reload.service
 

asset/systemd/moments-api.service

@@ -1,6 +1,5 @@
 [Unit]
 Description=moments read-only HTTP API
-Documentation=https://git.lair.cafe/grenade/moments
 After=network-online.target
 Wants=network-online.target
 
@@ -13,7 +12,6 @@ ExecStart=/usr/local/bin/moments-api
 Restart=on-failure
 RestartSec=5s
 
-# Hardening
 NoNewPrivileges=true
 ProtectSystem=strict
 ProtectHome=true

asset/systemd/moments-worker-cert.path

@@ -1,10 +1,7 @@
 [Unit]
 Description=Watch host cert for moments-worker
-Documentation=https://git.lair.cafe/grenade/architecture
 
 [Path]
-# Worker holds a sqlx pool with rustls — restart on cert rotation. The
-# poller is idempotent, so dropping mid-poll is safe.
 PathChanged=/etc/pki/tls/misc/{{HOSTNAME}}.pem
 Unit=moments-worker-cert-reload.service
 

asset/systemd/moments-worker.service

@@ -1,6 +1,5 @@
 [Unit]
 Description=moments ingestion worker
-Documentation=https://git.lair.cafe/grenade/moments
 After=network-online.target
 Wants=network-online.target
 
@@ -13,7 +12,6 @@ ExecStart=/usr/local/bin/moments-worker
 Restart=on-failure
 RestartSec=10s
 
-# Hardening
 NoNewPrivileges=true
 ProtectSystem=strict
 ProtectHome=true