Switch Fly proxy to upstream keepalive pools (#337)

## Summary

- Replace per-request DNS resolution (variable-based `proxy_pass`) with static `upstream` blocks and `keepalive` connection pools
- Reuses TLS connections through the Tailscale tunnel instead of handshaking per request
- Add `mise run fly-reload` for nginx config reload without full redeploy (re-resolves upstream DNS)

## Trade-off

DNS is resolved at config load, not per-request. If Tailscale Ingress pods get new IPs (restart, reschedule), `mise run fly-reload` is needed. A Grafana alert will be added to detect this.

## Still TODO on this branch

- [ ] Grafana alert for upstream unreachable (triggers fly-reload reminder)
- [ ] Docs pass
- [ ] Deploy from branch and verify latency improvement
- [ ] Changelog fragment

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #337

mise-tasks/fly-reload

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+#MISE description="Reload Fly.io proxy nginx config (re-resolves upstream DNS)"
+
+set -euo pipefail
+
+export FLY_API_TOKEN
+FLY_API_TOKEN="$(op read 'op://blumeops/fly.io admin/add more/deploy-token')"
+
+# SSH into the Fly machine and send nginx a reload signal.
+# This re-resolves upstream DNS without a full redeploy.
+APP="blumeops-proxy"
+MACHINE_ID=$(fly machines list -a "$APP" --json | python3 -c "import sys,json; print(json.load(sys.stdin)[0]['id'])")
+
+echo "Reloading nginx on machine $MACHINE_ID..."
+fly ssh console -a "$APP" -C "nginx -s reload"
+echo "Done. Upstream DNS re-resolved."