fix: WP CI agent gRPC: use host networking to bypass Docker bridge (#813)

Docker bridge networking inside LXD (and potentially other nested container
environments) breaks gRPC/HTTP2 between containers. The gRPC handshake
times out because HTTP/2 frames are not properly forwarded.

Fix: run the WP agent with network_mode: host + privileged, connecting
to the server via localhost:9000 (port mapped from the server container).

- Add port 9000 mapping to woodpecker server
- Switch agent to network_mode: host with privileged: true
- Connect agent to localhost:9000 instead of woodpecker:9000
- Add WOODPECKER_GRPC_SECURE=false
- Move healthcheck to port 3333 (avoid clash with Forgejo on 3000)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

bin/disinto

@@ -183,6 +183,7 @@ services:
       - apparmor=unconfined
     ports:
       - "8000:8000"
+      - "9000:9000"
     volumes:
       - woodpecker-data:/var/lib/woodpecker
     environment:
@@ -203,18 +204,18 @@ services:
   woodpecker-agent:
     image: woodpeckerci/woodpecker-agent:v3
     restart: unless-stopped
-    security_opt:
+    network_mode: host
-      - apparmor=unconfined
+    privileged: true
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
     environment:
-      WOODPECKER_SERVER: woodpecker:9000
+      WOODPECKER_SERVER: localhost:9000
       WOODPECKER_AGENT_SECRET: ${WOODPECKER_AGENT_SECRET:-}
+      WOODPECKER_GRPC_SECURE: "false"
+      WOODPECKER_HEALTHCHECK_ADDR: ":3333"
       WOODPECKER_MAX_WORKFLOWS: 1
     depends_on:
       - woodpecker
-    networks:
-      - disinto-net
 
   agents:
     build: ./docker/agents