xray: add VLESS+Reality server config (prepared, not active)

- Reverse-Bridge Portal for emby-sascha (18096), emby-chris (28096), jellyfin (38096)
- Fallback to Caddy on :8443
- Private key placeholder - replace with sops before deploy
- Based on benchmark v2 results: 407 Mbit/s @ 10 streams, 0 retransmits

xray/server.json

@@ -0,0 +1,60 @@
+{
+  "log": {"loglevel": "warning"},
+  "reverse": {
+    "portals": [
+      {"tag": "portal", "domain": "tunnel.internal"}
+    ]
+  },
+  "inbounds": [
+    {
+      "tag": "tunnel-in",
+      "port": 443,
+      "protocol": "vless",
+      "settings": {
+        "clients": [{"id": "a6ac6a8f-f455-42e6-82c0-5e8a415200d0"}],
+        "decryption": "none",
+        "fallbacks": [{"dest": 8443, "xver": 1}]
+      },
+      "streamSettings": {
+        "network": "tcp",
+        "security": "reality",
+        "realitySettings": {
+          "dest": "www.microsoft.com:443",
+          "serverNames": ["www.microsoft.com"],
+          "privateKey": "REPLACE_WITH_SOPS",
+          "shortIds": ["70093a4adb34292f"]
+        }
+      }
+    },
+    {
+      "tag": "emby-sascha-in",
+      "port": 18096,
+      "listen": "127.0.0.1",
+      "protocol": "dokodemo-door",
+      "settings": {"address": "127.0.0.1", "port": 8096, "network": "tcp"}
+    },
+    {
+      "tag": "emby-chris-in",
+      "port": 28096,
+      "listen": "127.0.0.1",
+      "protocol": "dokodemo-door",
+      "settings": {"address": "127.0.0.1", "port": 8096, "network": "tcp"}
+    },
+    {
+      "tag": "jellyfin-in",
+      "port": 38096,
+      "listen": "127.0.0.1",
+      "protocol": "dokodemo-door",
+      "settings": {"address": "127.0.0.1", "port": 9096, "network": "tcp"}
+    }
+  ],
+  "outbounds": [
+    {"tag": "direct", "protocol": "freedom"}
+  ],
+  "routing": {
+    "rules": [
+      {"type": "field", "inboundTag": ["emby-sascha-in", "emby-chris-in", "jellyfin-in"], "outboundTag": "portal"},
+      {"type": "field", "inboundTag": ["tunnel-in"], "outboundTag": "portal"}
+    ]
+  }
+}