fix(vpn,reconcile): restore WG peers on boot + filebrowser spec drift

Follow-up to 8b7cb002 (no version bump — same v1.7.0-alpha manifest):

* WireGuard peer persistence. Kernel peer state is ephemeral; the add-peer
  RPC wrote each peer to data_dir/nostr-vpn/peers/*.json but nothing
  re-pushed them on reboot. Result on .198: wg0 came up listening with zero
  peers after last night's reboot. Added vpn::restore_wg_peers() — reads
  the peers dir, waits up to 30s for wg0 to exist, then replays each via
  `archipelago-wg add-peer`. Spawned from main.rs alongside the other
  startup tasks.
* Reconcile + filebrowser drift. scripts/container-specs.sh load_spec_
  filebrowser now declares SPEC_NETWORK="archy-net" (to match what
  first-boot-containers.sh creates) and pins the filebrowser-data volume
  + wget-style healthcheck so the reconciler stops reporting network
  drift. Without this, reconcile would kill the healthy first-boot
  filebrowser container and recreate it on bridge, breaking the archy-net
  DNS name the backend proxies to.

Manifest binary sha/size refreshed:
  6c178a76…3582cc, 40361912 bytes.
Rebuilt ISO at image-recipe/results/archipelago-installer-unbundled-x86_64.iso
(Apr 20 07:10) carries both fixes baked in.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

scripts/container-specs.sh

@@ -453,10 +453,11 @@ load_spec_filebrowser() {
   reset_spec
   SPEC_NAME="filebrowser"
   SPEC_IMAGE="${FILEBROWSER_IMAGE}"
+  SPEC_NETWORK="archy-net"
   SPEC_PORTS="8083:80"
-  SPEC_VOLUMES="/var/lib/archipelago/filebrowser:/srv"
+  SPEC_VOLUMES="/var/lib/archipelago/filebrowser:/srv /var/lib/archipelago/filebrowser-data:/data"
   SPEC_MEMORY="$(mem_limit filebrowser)"
-  SPEC_HEALTH_CMD="curl -sf http://localhost:80/ || exit 1"
+  SPEC_HEALTH_CMD="wget -q --spider http://localhost:80/health || exit 1"
   SPEC_TIER="3"
   SPEC_DATA_DIR="/var/lib/archipelago/filebrowser"
   SPEC_CAPS=""