Replace Nominatim with self-hosted Photon for Dawarich geocoding

- Add Photon OCI container on nixnuc (rtuszik/photon-docker, planet
  index) storing data on the /orico ZFS mirror
- Open port 2322 in nixnuc's main firewall allowlist (LAN + Tailscale)
- Remove services.nominatim, its nginx vhost, and www-data PostgreSQL
  user from nixnuc
- Switch Dawarich on hetznix01 from NOMINATIM_API_HOST to
  PHOTON_API_HOST pointing at nixnuc.atlas-snares.ts.net:2322
- Add zfs-datasets.nix oneshot to declaratively ensure all orico
  datasets exist before services start

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

modules/hosts/nixos/nixnuc/containers/photon.nix

@@ -0,0 +1,28 @@
+{ config, ... }:
+let
+  volume_base = "/orico/photon";
+  http_port = "2322";
+in
+{
+  systemd.services."${config.virtualisation.oci-containers.containers.photon.serviceName}" = {
+    after = [ "zfs-create-orico-datasets.service" ];
+    wants = [ "zfs-create-orico-datasets.service" ];
+  };
+
+  virtualisation.oci-containers.containers = {
+    "photon" = {
+      autoStart = true;
+      image = "docker.io/rtuszik/photon-docker:latest";
+      environment = {
+        REGION = "planet";
+        UPDATE_STRATEGY = "PARALLEL";
+        UPDATE_INTERVAL = "30d";
+      };
+      ports = [ "${http_port}:2322" ];
+      volumes = [
+        "${volume_base}:/photon/data"
+      ];
+    };
+  };
+
+}