Phase 5: add connectivity service manifests — wireguard-ext, openvpn-client, tor

Each manifest declares container requirements (host network, NET_ADMIN) for
connectivity_manager.py to use when launching exit tunnel containers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

services/openvpn-client/manifest.json

@@ -0,0 +1,22 @@
+{
+  "id": "openvpn-client",
+  "name": "OpenVPN Exit",
+  "description": "Connect PIC as an OpenVPN client. Selected peers exit through this tunnel.",
+  "version": "1.0.0",
+  "author": "roof",
+  "image": "git.pic.ngo/roof/svc-openvpn-client:latest",
+  "container_name": "cell-openvpn",
+  "network_mode": "host",
+  "cap_add": ["NET_ADMIN"],
+  "devices": ["/dev/net/tun"],
+  "volumes": [
+    { "name": "openvpn-config", "mount": "/etc/openvpn" }
+  ],
+  "env": [],
+  "caddy_route": null,
+  "iptables_rules": [],
+  "config_schema": [
+    { "key": "ovpn_text", "type": "textarea", "label": "OpenVPN config (.ovpn)", "required": true }
+  ],
+  "requires_host_network": true
+}