Update UniFi Pulumi plan: switch to ubiquiti-community provider (#187)

## Summary
- Switch provider from filipowm/unifi (inactive maintainer, showstopper bug #94 wiping firewall rules) to ubiquiti-community/unifi (actively maintained, API key auth)
- Add UX7 config backup prerequisite before adopting IaC
- Fix safety guard: check default route interface instead of hostname (runs from gilbert, not indri)
- Update 1Password paths to match actual item (`op://blumeops/unifi/credential`)
- Fix ringtail references: not a Raspberry Pi, stays on WiFi (removed from wired topology)
- Update doc steps for already-existing reference files

## Test plan
- [x] Pre-commit hooks pass
- [x] `docs-check-links` pass
- [x] `docs-check-index` pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/187

docs/reference/infrastructure/unifi.md

@@ -39,8 +39,7 @@ ISP Modem
             ├── sifaka (Synology NAS)
             └── ~12ft Cat6 ──→ Switch B (on desk)
                                  ├── indri (Mac Mini, primary server)
-                                 ├── ringtail (Raspberry Pi)
-                                 └── (gilbert via USB-C adapter, optional)
+                                 └── gilbert (USB-C adapter)
 ```
 
 All wired devices share the `192.168.1.0/24` subnet. The two daisy-chained UniFi Switch Flex Minis provide enough ports for all devices while using the UX7's single LAN port.
@@ -67,7 +66,7 @@ See [[add-unifi-pulumi-stack]] for the full implementation plan.
 
 ## Authentication
 
-The provider uses an API key created in the UX7 control plane (Settings → Control Plane → API). The key is stored in 1Password (`op://blumeops/unifi - blumeops/api_key`) and injected via mise task environment variables.
+The provider uses an API key created in the UX7 control plane (Settings → Control Plane → API). The key is stored in 1Password (`op://blumeops/unifi/credential`) and injected via mise task environment variables.
 
 ## Related