Fix Kizuna cookie domain runtime env
Fixes the Kizuna homelab role so the API container receives the runtime env var Rails actually reads.\n\nChanges:\n- Render KIZUNA_COOKIE_DOMAIN instead of unused KIZUNA_SESSION_COOKIE_DOMAIN.\n- Rename the role variable to kizuna_cookie_domain and keep it as the parent domain kizuna.fm.\n\nThis should make /auth/csrf set Domain=kizuna.fm on _kizuna_session after redeploying the role.