config: hoist forge URL out of templates + add nginx deploy snippet

Addresses two review notes on PR #1:

**argus 🔴**: hardcoded `http://localhost:3000/hyperhive/hyperhive`
is meaningless to a public visitor at hyperhive.darkest.space.
Moved to `[extra] forge_url` in config.toml so it's swappable
without touching templates. Both consumer sites now reference
`{{ config.extra.forge_url }}`:

- `templates/base.html` — footer "code on the forge" link
- `templates/index.html` — hero CTA button

Default value points at the operator's current public mirror
(`git.berlin.ccc.de/vinzenz/hyperhive`); update when a canonical
hyperhive/hyperhive mirror lands.

**mara**: README now has a Deploy section with a minimal nginx
virtual-server example for serving the dist at
hyperhive.darkest.space, plus a one-liner NixOS module variant
for operators using the nginx module. Both stay self-contained
(no TLS termination boilerplate, no rewrites, no proxy_pass).

README.md

@@ -36,6 +36,55 @@ static/
 flake.nix            # `nix build` → site dist, `nix develop` → zola shell
 ```
 
+## Deploy
+
+The build output is a plain `public/` directory of static files —
+drop it under any HTTP server's docroot. nginx vhost example for
+serving it at `hyperhive.darkest.space`:
+
+```nginx
+server {
+    listen      80;
+    listen      [::]:80;
+    server_name hyperhive.darkest.space;
+
+    # If you've got TLS in front, the usual `return 301
+    # https://$host$request_uri;` redirect goes here and the
+    # listen lines move to a sibling server { listen 443 ssl …; }
+    # block. Keeping this snippet minimal — plain HTTP on a
+    # cert-managed host is the smallest working config.
+
+    # Point at wherever `nix build .#website && cp -r result/. …`
+    # lands. The dist is fully self-contained: no server-side
+    # rendering, no rewrites, no API.
+    root        /var/www/hyperhive-website;
+    index       index.html;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    # 7-day cache on the immutable assets (SVG, CSS, fonts).
+    # `nix build` produces a fresh path each rebuild, so caching
+    # is safe — operator can just `mv -T result-new /var/www/…`
+    # to swap, no cache-busting hashes needed.
+    location ~* \.(svg|css|js|woff2|png|ico)$ {
+        expires     7d;
+        add_header  Cache-Control "public, immutable";
+    }
+}
+```
+
+If you're running NixOS, the equivalent module config is:
+
+```nix
+services.nginx.virtualHosts."hyperhive.darkest.space" = {
+  enableACME = true;
+  forceSSL = true;
+  root = "${pkgs.callPackage ./website {}}";  # or nix build path
+};
+```
+
 ## Theme
 
 Catppuccin Mocha palette + the hyperhive amber from the swarm's

config.toml

@@ -32,3 +32,9 @@ smart_punctuation = true
 # theme intent is reviewable in one place.
 palette = "catppuccin-mocha"
 accent = "amber"
+
+# Public-facing forge URL — surfaced in templates via
+# `{{ config.extra.forge_url }}`. Update this when the canonical
+# public hyperhive mirror lands; the current value is the operator's
+# berlin.ccc.de instance (per the project README at that mirror).
+forge_url = "https://git.berlin.ccc.de/vinzenz/hyperhive"

templates/base.html

@@ -25,7 +25,7 @@
   <footer class="site-footer">
     <pre class="banner-thin">░▒▓█▓▒░  HYPERHIVE  ░▒▓█▓▒░</pre>
     <p class="footer-links">
-      <a href="http://localhost:3000/hyperhive">code on the forge</a>
+      <a href="{{ config.extra.forge_url }}">code on the forge</a>
       <span class="sep">·</span>
       <a href="{{ get_url(path='') }}">home</a>
     </p>

templates/index.html

@@ -24,7 +24,7 @@
       </h1>
       <p class="hero-tagline">{{ config.description }}</p>
       <p class="hero-cta">
-        <a class="cta-primary" href="http://localhost:3000/hyperhive/hyperhive">
+        <a class="cta-primary" href="{{ config.extra.forge_url }}">
           ◆ explore the code →
         </a>
       </p>