feat(infra): add Cloudflare fallback plan + self-hosted landing pages

Two infrastructure improvements for tech independence:

1. Cloudflare Fallback Documentation (docs/CLOUDFLARE_FALLBACK.md):
   - Plan B: WireGuard + Caddy on Hetzner VPS (€3.79/mo)
   - Complete Caddyfile with all 30+ subdomains
   - Step-by-step failover checklist (~15 min to switch)
   - Plan C: Direct IP with ISP

2. Self-Hosted Landing Pages (eliminates Cloudflare Pages dependency):
   - Nginx container (mana-infra-landings) on port 4400
   - Multi-site config: each subdomain → separate dist/ folder
   - Build script: scripts/mac-mini/build-landings.sh
   - Cloudflare Tunnel ingress rules for 10 landing page domains
   - Storage: /Volumes/ManaData/landings/ on external SSD
   - Domains: it, chats, pics, zitares, presis, clocks,
     manadeck, nutriphi, citycorners, docs

Migration path: Build landings locally, set Cloudflare DNS to
tunnel instead of Pages, then decommission CF Pages projects.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cloudflared-config.yml

@@ -114,5 +114,27 @@ ingress:
   - hostname: glitchtip.mana.how
     service: http://localhost:8020
 
+  # Self-Hosted Landing Pages (via Nginx on port 4400)
+  - hostname: it.mana.how
+    service: http://localhost:4400
+  - hostname: chats.mana.how
+    service: http://localhost:4400
+  - hostname: pics.mana.how
+    service: http://localhost:4400
+  - hostname: zitares.mana.how
+    service: http://localhost:4400
+  - hostname: presis.mana.how
+    service: http://localhost:4400
+  - hostname: clocks.mana.how
+    service: http://localhost:4400
+  - hostname: manadeck.mana.how
+    service: http://localhost:4400
+  - hostname: nutriphi.mana.how
+    service: http://localhost:4400
+  - hostname: citycorners.mana.how
+    service: http://localhost:4400
+  - hostname: docs.mana.how
+    service: http://localhost:4400
+
   # Catch-all
   - service: http_status:404