shelfish: front via vps-relay (don't expose phantom-ship public IP)

Original commit added Caddy directly on phantom-ship and opened
ports 80/443 — that would have exposed the home connection's
public IP via DNS. Reverting that and using the existing relay
pattern instead: vps-relay (Hetzner) terminates public TLS and
reverse-proxies over ZeroTier to phantom-ship's ZT IPv6 on 8081.

phantom-ship now just runs shelfish.service bound to 127.0.0.1:8081;
it accepts connections only from the ZT mesh interface (since
caddy/firewall changes are gone, the only listeners are the
existing trusted-interface ones plus this loopback).

vps-relay gets a third virtualHost alongside navidrome and bbbot.

DNS: shelfish.dannydannydanny.me → 89.167.39.251 (vps-relay public IP),
NOT phantom-ship's home IP.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Danny 2026-05-03 06:29:48 +02:00
parent d787b0ea48
commit 2aec4d4d5e

@ -250,18 +250,10 @@ in
};
};
# Caddy reverse proxy in front of the local HTTP services (shelfish, etc).
# Auto-Let's-Encrypt; ACME requires the subdomain to A-record to this host.
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.caddy = {
enable = true;
email = "powerhouseplayer@gmail.com";
virtualHosts."shelfish.dannydannydanny.me".extraConfig = ''
reverse_proxy 127.0.0.1:8081
'';
};
# Shelfish — Goodreads-flavoured book club Mini App.
# Public traffic comes through vps-relay's Caddy → ZeroTier → here.
# See vps-relay.nix for the public-facing virtualHost. We never expose
# this host's IP directly.
# Code deployed out-of-band via rsync to /home/danny/shelfish/
# (staying in-tree in ~/python-projects/27_shelfish/ until spun out).
# Auth: validates Telegram WebApp initData against shipyard's bot token
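Review bot: the bind address and the relay path described in this commit do not line up. The message says vps-relay reverse-proxies over ZeroTier to phantom-ship's ZT IPv6 on 8081, and the new comment at the top of this hunk says "Public traffic comes through vps-relay's Caddy → ZeroTier → here", yet the message also says shelfish.service is bound to 127.0.0.1:8081; a loopback-only listener is not reachable from the ZeroTier interface, so the service needs to listen on the ZT address (with 8081 opened only on that interface) or the message should state which address it actually listens on. The hunk itself only shows the removed `networking.firewall.allowedTCPPorts = [ 80 443 ];` and Caddy block plus new comments, so the listen address of shelfish.service is not visible here and should be checked in the unit definition. The comment "See vps-relay.nix for the public-facing virtualHost" refers to a change outside this hunk; since DNS for shelfish.dannydannydanny.me now points at the relay, the vps-relay virtualHost needs to land in the same change or the name will resolve to a host that does not serve it.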