fix: vpn.add-participant writes to root-owned daemon config via sudo

The nvpn daemon config at /var/lib/archipelago/nostr-vpn/ is owned by
root, but the backend runs as archipelago. Direct write silently failed,
so adding a second phone's npub never reached the daemon — service
restarted with stale config. Now falls back to sudo cp for root-owned
paths, and first-boot sets ownership to archipelago.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

scripts/first-boot-containers.sh

@@ -137,11 +137,13 @@ if command -v nvpn >/dev/null 2>&1; then
 
     # Sync config to daemon HOME so the service finds it
     # (service runs with HOME=/var/lib/archipelago/nostr-vpn)
+    # Owned by archipelago so the backend can update participants without sudo
     DAEMON_CONFIG_DIR="/var/lib/archipelago/nostr-vpn/.config/nvpn"
     mkdir -p "$DAEMON_CONFIG_DIR"
     if [ -f "$NVPN_CONFIG_DIR/config.toml" ]; then
       cp "$NVPN_CONFIG_DIR/config.toml" "$DAEMON_CONFIG_DIR/config.toml"
     fi
+    chown -R archipelago:archipelago /var/lib/archipelago/nostr-vpn
 
     # Ensure env file exists for the service
     mkdir -p /var/lib/archipelago/nostr-vpn