feat(flatpak): host a signed OSTree repo at flatpak.unom.io for flatpak update

The CI only shipped a single-file .flatpak bundle, which has no remote — users
couldn't `flatpak update`. Keep the bundle (Decky fallback) but also sign the
OSTree repo flatpak-builder already produces and publish it to a shared,
reusable unom-wide remote.

- flatpak.yml: pin --default-branch=stable; import the signing key and
  build-update-repo --gpg-sign; generate unom.flatpakrepo + the app .flatpakref
  + index.html; rsync the repo to unom-1 and bring up a static Caddy container.
  The step no-ops until FLATPAK_GPG_PRIVATE_KEY/DEPLOY_* exist (build stays green).
- packaging/flatpak/server/: compose.production.yml + Caddyfile (static file
  server on :3230, mirrors docker.yml deploy-docs).
- unom-flatpak.gpg: committed public signing key (base64 -> GPGKey= in the descriptors).
- README: hosted repo is now the recommended install; documents the one-time
  infra (edge Caddy vhost, infra port 3230, DNS, the GPG secret).

Edge Caddy vhost + infra port allowlist + the secret are applied out-of-band.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

packaging/flatpak/server/Caddyfile

@@ -0,0 +1,15 @@
+# Inner Caddy (plain HTTP on :3230); the edge proxy on home-reverse-proxy-1 does TLS.
+:3230 {
+	root * /srv
+	file_server browse
+
+	# OSTree summary/refs change every publish — keep them fresh; objects are immutable.
+	@mutable path /repo/summary* /repo/refs/*
+	header @mutable Cache-Control "public, max-age=30"
+	@objects path /repo/objects/* /repo/deltas/*
+	header @objects Cache-Control "public, max-age=31536000, immutable"
+
+	# Serve the install descriptors as text so browsers show them / flatpak fetches cleanly.
+	@descriptors path *.flatpakref *.flatpakrepo
+	header @descriptors Content-Type "text/plain; charset=utf-8"
+}