the pull-source information chip displayed `fork branch` but the two
bits of information were styled differently.

this patch unifies the styles, moves both bits of info into the same
pill, styles them identically, and uses a `:` to separate them
`fork:branch`.

also add classes here and there for leah

This fixes two issues I had when deploying the eeg.cl.cam.ac.uk knot:

1) The permissions on the volumes are currently set at build time, which means that when a fresh volume is mounted it has the wrong permissions. This fixes it to run the chmods on the volumes dynamically at entrypoint time, which lets a fresh volume work with a knotserver.
The error before was:
```
knot-1 | time=2025-05-04T13:58:36.054Z level=ERROR msg="failed to setup db" error="unable to open database file: no such file or directory"
```

2) It's a little odd for the default setup to expose 5555 and insecure http to the Internet, given that the appview will try to connect to the knot over https. This adds a standalone Caddy server as the default and removes port 5555 from being directly explosed. A more advanced user with an existing proxy can easily remove this from the compose file and hook in their own.

The only remaining footgun my users have encountered is that of port 2222 being the default. Almost all the users have forgotten to add the `port 2222` directive in their ssh_config, and the _host_ sshd rejects them. In my local setup, I've swapped the host and knot ports around so that the knot runs on 2222, but a really elegant solution would be for some sort of ssh proxy on the host ssh to redirect the `git` user to the knotserver sshd. I haven't done that yet though!

It's the clients problem now. Also add a tiny exception for svgs since
those get picked up as text/xml otherwise.

i could have sworn chi.URLParam was supposed to do this...

Proxies images against a HMAC signature -- this prevents knot URLs from
directly being hit and possibly spammed. Also caches images in
Cloudflare's global CDN.