left4me: split derived_from_domain into one reactor per consumer

Each reactor now scopes to a single downstream bundle:
  nginx_vhosts    -> nginx/vhosts
  nftables_input  -> nftables/input

Easier to grep "what writes nginx/vhosts" and harder to accidentally
couple unrelated keys together. Same merged metadata.

bundles/left4me/metadata.py

@@ -71,18 +71,12 @@ defaults = {
 
 @metadata_reactor.provides(
     'nginx/vhosts',
-    'nftables/input',
 )
-def derived_from_domain(metadata):
+def nginx_vhosts(metadata):
-    # letsencrypt/domains is auto-populated from nginx/vhosts.keys() by
+    # letsencrypt/domains and monitoring/services for the vhost are auto-
-    # bundles/nginx/metadata.py. monitoring/services for the vhost is also
+    # populated by bundles/nginx/metadata.py. We just declare check_path:
-    # auto-populated there using the vhost's check_path/check_protocol —
+    # '/health' so the auto-check hits the Flask health endpoint, not '/'.
-    # we just declare check_path: '/health' below to point the auto-check
-    # at the Flask health endpoint instead of '/'.
     domain = metadata.get('left4me/domain')
-    port_start = metadata.get('left4me/port_range_start')
-    port_end = metadata.get('left4me/port_range_end')
-
     return {
         'nginx': {
             'vhosts': {
@@ -95,6 +89,16 @@ def derived_from_domain(metadata):
                 },
             },
         },
+    }
+
+
+@metadata_reactor.provides(
+    'nftables/input',
+)
+def nftables_input(metadata):
+    port_start = metadata.get('left4me/port_range_start')
+    port_end = metadata.get('left4me/port_range_end')
+    return {
         'nftables': {
             'input': {
                 f'udp dport {port_start}-{port_end} accept',