feat(bluesky): fix CORS by serving /config same-origin and pinning BAPP_CONFIG_URL

- Add `server.config_upstream_url` default in `roles/web-app-bluesky/config/main.yml`
  to define upstream for /config (defaults to https://ip.bsky.app/config).
- Introduce front-proxy injection `extra_locations.conf.j2` that:
  - proxies `/config` to the upstream,
  - sets SNI and correct Host header,
  - normalizes CORS headers for same-origin consumption.
- Wire the proxy injection only for the Web domain in
  `roles/web-app-bluesky/tasks/main.yml` via `proxy_extra_configuration`.
- Force fresh social-app checkout and patch
  `src/state/geolocation.tsx` to `const BAPP_CONFIG_URL = '/config'`
  in `roles/web-app-bluesky/tasks/02_social_app.yml`; notify `docker compose build` and `up`.
- Tidy and re-group PDS env in `roles/web-app-bluesky/templates/env.j2` (no functional change).
- Add vars in `roles/web-app-bluesky/vars/main.yml`:
  - `BLUESKY_FRONT_PROXY_CONTENT` (renders the extra locations),
  - `BLUESKY_CONFIG_UPSTREAM_URL` (reads `server.config_upstream_url`).

Security/Scope:
- Only affects the Bluesky web frontend (same-origin `/config`); PDS/API and AppView remain unchanged.

Refs:
- Conversation: https://chatgpt.com/share/68b8dd3a-2100-800f-959e-1495f6320aab

roles/web-app-bluesky/vars/main.yml

@@ -43,3 +43,6 @@ BLUESKY_ROTATION_KEY:           "{{ applications | get_app_conf(application_id,
 BLUESKY_ADMIN_EMAIL:            "{{ users.administrator.email }}"
 BLUESKY_ADMIN_PASSWORD:         "{{ users.administrator.password }}"
 
+# Front proxy
+BLUESKY_FRONT_PROXY_CONTENT:    "{{ lookup('template', 'extra_locations.conf.j2') }}"
+BLUESKY_CONFIG_UPSTREAM_URL:    "{{ applications | get_app_conf(application_id, 'server.config_upstream_url') }}"