feat(dev-deploy): expose Grafana + Mailpit UIs via Caddy; seed monitoring config

Deploy wiring for the observability stack (the services and collector
config landed in the previous commit):

- Caddyfile.dev: route /grafana/* to galaxy-grafana:3000 (Caddy
  sub-path mode, Grafana keeps its own login) and /mailpit/* to
  galaxy-mailpit:8025 behind dev basic-auth, so the captured-mail UI
  (every message, relayed or not) and Grafana are reachable through the
  single dev origin.
- dev-deploy.yaml: seed the monitoring config tree to a stable,
  reboot-surviving host path (GALAXY_DEV_MONITORING_DIR) before bringing
  the stack up, and inject the Grafana admin password from a Gitea
  secret (GALAXY_DEV_GRAFANA_ADMIN_PASSWORD; empty falls back to the
  compose default).

.gitea/workflows/dev-deploy.yaml

@@ -261,11 +261,19 @@ jobs:
           # Unset/empty → the compose default (non-routable) keeps the
           # stack capture-only.
           GALAXY_DEV_MAIL_RELAY_MATCH: ${{ vars.GALAXY_DEV_MAIL_RELAY_MATCH }}
+          # Grafana admin password; unset/empty -> compose default 'admin'.
+          GALAXY_DEV_GRAFANA_ADMIN_PASSWORD: ${{ secrets.GALAXY_DEV_GRAFANA_ADMIN_PASSWORD }}
         run: |
           # Resolve in the shell, not in YAML expressions — `env.HOME`
           # is empty at the workflow-evaluation stage.
           export GALAXY_DEV_GAME_STATE_DIR="$HOME/.galaxy-dev/game-state"
           mkdir -p "$GALAXY_DEV_GAME_STATE_DIR"
+          # Seed the monitoring config to a stable, reboot-surviving host
+          # path (compose binds \${GALAXY_DEV_MONITORING_DIR} read-only).
+          export GALAXY_DEV_MONITORING_DIR="$HOME/.galaxy-dev/monitoring"
+          rm -rf "$GALAXY_DEV_MONITORING_DIR"
+          mkdir -p "$GALAXY_DEV_MONITORING_DIR"
+          cp -r monitoring/. "$GALAXY_DEV_MONITORING_DIR/"
           docker compose up -d --wait --remove-orphans
 
       - name: Probe the stack