fix(enroll): tenth audit — nix build PIPESTATUS, nginx HEALTHY, harmonia diag, preflight host dir, sed post-verify

[mdheller]

Summary

• CRITICAL (regression docs: align source-os runtime posture to software operational risk pack #9) — CLOSURE=$(nix build ... | head -1): with set -euo pipefail, a failed build fires set -e before the die with BUILD_LOG path runs. Fixed with set +e / PIPESTATUS[0] / set -e, matching the nixos-rebuild steps pattern.
• HIGH — nginx inactive: no else branch meant HEALTHY stayed 1 and the entire minisig verification block silently skipped. Added else with HEALTHY=0 and diagnostic commands.
• MEDIUM — KATELLO_PG_PASSWORD sed was not post-verified (only FOREMAN_ADMIN_PASSWORD was). Added matching grep -q guard.
• MEDIUM — harmonia inactive warn had no actionable diagnostic. Added journalctl and systemctl start hints.
• LOW — nginx up but harmonia not listening on :8101: curl check had no else, leading to misleading "minisig not yet at..." message. Added explicit else with HEALTHY=0.
• LOW — CURRENT_GEN empty from failed readlink: both divergence branches silently skipped. Added explicit empty-string warn branch.
• LOW — preflight didn't validate hosts/${HOST}/ exists. A bad SOURCEOS_HOST override now fails at step 0 with available-hosts list, not a cryptic Nix eval error in step 2.

Test plan

• bash -n scripts/enroll.sh — syntax clean
• Set SOURCEOS_HOST=bogus → preflight dies with available hosts listed
• Simulate nix build failure → die shows exit code and BUILD_LOG path
• Stop nginx before step 12 → HEALTHY=0, minisig block skipped, clear diagnostic
• Stop harmonia before step 12 → HEALTHY=0, journalctl hint shown
• Corrupt COMPOSE_ENV after sed → KATELLO_PG_PASSWORD guard fires