Replace single deploy/haproxy.cfg with deploy/haproxy/{haproxy.cfg,challenge.html}.
HAProxy now runs a WebCrypto-based proof-of-work challenge using a stick-table,
URI normalization and a challenge backend. docker-compose mounts the haproxy
directory, and also switches the site DB volume to ./db to be consistent. Update robots.txt.ts to
add a honeypot path for bad bot blocking.
Add WireGuard-related env variables to .env.example (addresses,
keys, endpoint, DNS)
Resolve WIREGUARD_ENDPOINT_HOST to WIREGUARD_ENDPOINT_IP in
cicd/scripts/deploy.sh and write it to .env, failing if unresolved
Un-comment and enable the wireguard service in docker-compose.yml
Remove an obsolete commented workflow snippet
