Fix fly-deploy WARNING by starting nginx before Tailscale (#128)

## Summary
- Start nginx before Tailscale in `start.sh` so port 8080 is bound immediately, eliminating the "app is not listening on the expected address" WARNING during `fly deploy`
- Switch `proxy_pass` to use a variable with `resolver 100.100.100.100 valid=30s` so nginx can start without resolving MagicDNS names at config load time
- DNS results cached 30s per worker — no per-request lookup overhead

## Context
The WARNING was a race condition: Fly checks for listeners right after the machine starts, but `start.sh` ran ~5-10s of Tailscale setup before starting nginx. The health check always passed later, but the warning was noisy.

## Test plan
- [ ] Merge and let the deploy-fly workflow trigger
- [ ] Check runner logs for absence of the WARNING
- [ ] Verify `docs.eblu.me` still serves correctly
- [ ] Verify `/healthz` still passes

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/128

fly/nginx.conf

@@ -32,6 +32,12 @@ http {
     proxy_cache_path /tmp/cache levels=1:2 keys_zone=services:10m
                      max_size=200m inactive=24h;
 
+    # MagicDNS resolver — using a variable in proxy_pass defers upstream DNS
+    # resolution to request time, letting nginx start before Tailscale connects.
+    # Results are cached for 30s per worker to avoid per-request DNS lookups.
+    resolver 100.100.100.100 valid=30s;
+    resolver_timeout 5s;
+
     # --- docs.eblu.me (static site) ---
     server {
         listen 8080;
@@ -40,7 +46,8 @@ http {
         limit_req zone=general burst=20 nodelay;
 
         location / {
-            proxy_pass https://docs.tail8d86e.ts.net;
+            set $upstream_docs https://docs.tail8d86e.ts.net;
+            proxy_pass $upstream_docs$request_uri;
             proxy_ssl_verify off;
             proxy_ssl_server_name on;