feat(flatpak): host a signed OSTree repo at flatpak.unom.io for flatpak update

The CI only shipped a single-file .flatpak bundle, which has no remote — users
couldn't `flatpak update`. Keep the bundle (Decky fallback) but also sign the
OSTree repo flatpak-builder already produces and publish it to a shared,
reusable unom-wide remote.

- flatpak.yml: pin --default-branch=stable; import the signing key and
  build-update-repo --gpg-sign; generate unom.flatpakrepo + the app .flatpakref
  + index.html; rsync the repo to unom-1 and bring up a static Caddy container.
  The step no-ops until FLATPAK_GPG_PRIVATE_KEY/DEPLOY_* exist (build stays green).
- packaging/flatpak/server/: compose.production.yml + Caddyfile (static file
  server on :3230, mirrors docker.yml deploy-docs).
- unom-flatpak.gpg: committed public signing key (base64 -> GPGKey= in the descriptors).
- README: hosted repo is now the recommended install; documents the one-time
  infra (edge Caddy vhost, infra port 3230, DNS, the GPG secret).

Edge Caddy vhost + infra port allowlist + the secret are applied out-of-band.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

packaging/flatpak/server/compose.production.yml

@@ -0,0 +1,14 @@
+# Static file server for the punktfunk Flatpak OSTree repo, on unom-1 (the DMZ services VM).
+# Caddy on home-reverse-proxy-1 terminates TLS for flatpak.punktfunk.unom.io and reverse_proxies
+# to 192.168.50.50:3230 (port must be in unom/infra caddy_target_ports). This inner Caddy just
+# serves the bind-mounted ./site tree (repo/ + the .flatpakrepo/.flatpakref + index.html) over
+# plain HTTP. CI rsyncs into ./site and runs `docker compose up -d` (idempotent).
+services:
+  flatpak:
+    image: caddy:2-alpine
+    restart: unless-stopped
+    ports:
+      - "3230:3230"
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
+      - ./site:/srv:ro