C1: shower default.nix — fetchurl wheel directly (probe FOD)

Forgejo's PyPI simple index returns absolute file URLs hardcoded to its
public ROOT_URL (forge.eblu.me). The Fly edge blocks /api/packages/* per
PR #2d38418e, so pip-install through the index 403s the wheel download
even when reached from the tailnet. Mirror what we already do for the
sdist: pull the wheel via fetchurl from forge.ops.eblu.me and hand it to
pip as a local path. The forge --extra-index-url is no longer needed.

Also bumps service-versions.yaml current-version to v1.1.0 to satisfy
container-version-check (the kustomization newTag follows once the nix
build pins its FOD hash).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

containers/shower/default.nix

@@ -1,11 +1,15 @@
 # Nix-built shower app container — Adelaide / Heidi / Addie baby shower.
 #
 # The app is published as a wheel to the Forgejo PyPI index at
-# https://forge.eblu.me/api/packages/eblume/pypi/. The wheel + its
-# transitive Python deps are baked in at build time via a fixed-output
-# derivation that runs `pip install --target` against forge PyPI (proxied
-# through pypi.ops.eblu.me for upstream packages). Build runs on the
-# nix-container-builder runner (ringtail, amd64) so the image is native.
+# https://forge.ops.eblu.me/api/packages/eblume/pypi/ (tailnet-only — the
+# public forge.eblu.me /api/packages/* surface is blocked at the Fly edge).
+# We can't point pip at Forgejo's simple index even from the tailnet,
+# because Forgejo's index returns absolute file URLs hardcoded to its
+# public ROOT_URL (forge.eblu.me), which then 403s. So both the wheel and
+# the sdist are pulled by direct `fetchurl` against forge.ops.eblu.me, and
+# the wheel is then handed to `pip install` as a local path; transitive
+# deps come from pypi.ops.eblu.me. Build runs on the nix-container-builder
+# runner (ringtail, amd64) so the image is native.
 #
 # Going through pip-install-target rather than nixpkgs Python packages
 # sidesteps two issues we hit going through `python.pkgs.buildPythonPackage`:
@@ -42,6 +46,16 @@ let
     hash = "sha256-5dp+0u4metOIC6s6/nPlT4cdpFBCV6S3+Z/3RO0sX5U=";
   };
 
+  # Wheel pulled from forge.ops.eblu.me (tailnet) for the same reason the
+  # sdist is: Forgejo's PyPI simple index would return forge.eblu.me URLs
+  # that the Fly edge 403s on /api/packages/*. We hand this path to pip
+  # below so it never touches the forge index at all.
+  showerWheel = pkgs.fetchurl {
+    name = "adelaide_baby_shower_app-${version}-py3-none-any.whl";
+    url = "https://forge.ops.eblu.me/api/packages/eblume/pypi/files/adelaide-baby-shower-app/${version}/adelaide_baby_shower_app-${version}-py3-none-any.whl";
+    hash = "sha256-7orFbycON9dQxEIb6q45Xx2rFlEZ8xXSrC2tnrO5uug=";
+  };
+
   staticAssets = pkgs.runCommand "shower-static-assets-${version}" { } ''
     ${pkgs.gnutar}/bin/tar -xzf ${showerSdist} -C $TMPDIR
     cp -r $TMPDIR/adelaide_baby_shower_app-${version}/static $out
@@ -71,8 +85,7 @@ let
       "$TMPDIR/venv/bin/pip" install \
         --no-cache-dir \
         --index-url=https://pypi.ops.eblu.me/root/pypi/+simple/ \
-        --extra-index-url=https://forge.ops.eblu.me/api/packages/eblume/pypi/simple/ \
-        "adelaide-baby-shower-app==${version}" \
+        ${showerWheel} \
         gunicorn
 
       runHook postBuild

service-versions.yaml

@@ -46,8 +46,8 @@ services:
 
   - name: shower
     type: argocd
-    last-reviewed: 2026-05-10
-    current-version: "1.0.2"
+    last-reviewed: 2026-05-11
+    current-version: "1.1.0"
     upstream-source: https://forge.eblu.me/eblume/adelaide-baby-shower-app
     notes: |
       Django app for Adelaide / Heidi / Addie's baby shower. Wheel