fix(routing): rename main service app->pds so caddy resolves THIS stack on shared proxy

The caddy sidecar uses on-demand TLS and asks http://app:3000/tls-check before issuing a cert. On a
multi-tenant host every co-located stack aliases its main service 'app' on the shared 'proxy' overlay;
caddy (on proxy+internal) resolves bare 'app' to a FOREIGN stack's endpoint, the tls-check is refused,
no cert is issued, and HTTPS is dead (xrpc/_health=000). Renaming the service to 'pds' gives a unique
swarm DNS name that only this stack publishes, so caddy's reverse_proxy/on_demand_tls always resolve
this PDS. (A network alias would be cleaner but abra drops compose network aliases on deploy; the
service name is always applied.)

cc @trav @notplants

Caddyfile

@@ -1,6 +1,6 @@
 {
 	on_demand_tls {
-		ask http://app:3000/tls-check
+		ask http://pds:3000/tls-check
 	}
 }
 
@@ -8,5 +8,5 @@
 	tls {
 		on_demand
 	}
-	reverse_proxy app:3000
+	reverse_proxy pds:3000
 }

compose.yml

@@ -2,7 +2,7 @@
 version: "3.8"
 
 services:
-  app:
+  pds:
     image: ghcr.io/bluesky-social/pds:0.4.219
     networks:
       - internal