Add dots.ports module: fleet-wide service port registry

[genebean]

Summary

• Adds `shared/nixos/ports.nix` defining the `options.dots.ports` option schema — a fleet-wide registry with `port`, `protocol`, and `openFirewall` per entry. Global ports (ssh, http, https, node-exporter, photon) live here so any host can reference them.
• Adds `hosts/nixos/nixnuc/ports.nix` with all nixnuc-specific ports. `networking.firewall.allowedTCPPorts` and `allowedUDPPorts` are auto-derived via `lib.pipe` filtering on `openFirewall` — adding a service only requires one entry in this file.
• Adds `hosts/nixos/hetznix01/ports.nix` with all hetznix01-specific ports (email stack, MQTT/EMQX, Bitcoin/LND, Matrix federation, and internal services).
• All hardcoded port numbers across both hosts' `default.nix`, service configs, and container files replaced with `config.dots.ports..port` references (using `inherit` where the attribute name is `port`).

Test plan

• `nix flake check` or `nixos-rebuild dry-activate` on nixnuc passes
• `nix flake check` or `nixos-rebuild dry-activate` on hetznix01 passes
• Deploy nixnuc and verify all services start on expected ports
• Deploy hetznix01 and verify all services start on expected ports
• Confirm firewall opens exactly the expected ports on each host (`nft list ruleset`)
• Verify nginx proxies reach their backends

🤖 Generated with Claude Code