fix(template): strip Jinja2 whitespace so no-env-var listener is byte-identical
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 1m23s

Default Jinja2 {% if %}{% endif %} block syntax leaves a trailing newline
even when the conditional doesn't render. Staging verification of PR 2
showed the resulting haproxy.cfg differed from the pre-PR2 version by
exactly 1 blank line — semantically identical but not byte-identical,
which violates the design promise that haproxy-manager-base's default
output stays unchanged for home/standalone deployments.

Use {%- if -%}/{%- endif %} (the whitespace-stripping variants) so the
block contributes zero bytes when coraza_spoe_backend is unset.

Verified locally: without env var = 55 lines, ends cleanly on the
is_blocked_ip rule. With env var = 62 lines, +7 for the SPOE block.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 16:59:40 -07:00
parent 73b9104565
commit 3e1f9dda2b


@@ -53,11 +53,12 @@ frontend web
acl is_blocked_ip var(txn.real_ip),map_ip(/etc/haproxy/blocked_ips.map,0) -m int gt 0 acl is_blocked_ip var(txn.real_ip),map_ip(/etc/haproxy/blocked_ips.map,0) -m int gt 0
http-request set-path /blocked-ip if is_blocked_ip http-request set-path /blocked-ip if is_blocked_ip
use_backend default-backend if is_blocked_ip use_backend default-backend if is_blocked_ip
{% if coraza_spoe_backend %} {%- if coraza_spoe_backend %}
# Coraza WAF inspection via SPOE. Runs AFTER rate-limit and IP-block # Coraza WAF inspection via SPOE. Runs AFTER rate-limit and IP-block
# guards (no point asking the WAF about requests we're already dropping) # guards (no point asking the WAF about requests we're already dropping)
# and AFTER the real-client-IP resolution (so Coraza sees the right src). # and AFTER the real-client-IP resolution (so Coraza sees the right src).
# Fail-open: see `option set-on-error continue` in /etc/haproxy/coraza-spoe.cfg. # Fail-open: see `option set-on-error continue` in /etc/haproxy/coraza-spoe.cfg.
filter spoe engine coraza config /etc/haproxy/coraza-spoe.cfg filter spoe engine coraza config /etc/haproxy/coraza-spoe.cfg
http-request send-spoe-group coraza coraza-check http-request send-spoe-group coraza coraza-check
{% endif %} {%- endif %}
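
Review bot: The opening tag on the new side is `{%- if coraza_spoe_backend %}`, which strips whitespace only before the tag, while the commit message describes the change as `{%- if -%}`; please reconcile the two. The form in the hunk looks like the intended one, since a closing `-%}` on the `if` would also strip the newline and indentation in front of the first `# Coraza WAF inspection` comment line when the variable is set. The byte-identical result also depends on the Jinja2 environment's `trim_blocks` / `lstrip_blocks` settings, which are not visible in this hunk, and it was only verified by hand (55 vs 62 lines). Consider adding a render test that generates the config with `coraza_spoe_backend` unset and byte-compares it against a checked-in copy of the pre-PR2 output, so a later edit to this block cannot reintroduce the stray blank line. A second case with the variable set should assert that `filter spoe engine coraza` and `http-request send-spoe-group coraza coraza-check` each land on their own line after the `use_backend default-backend if is_blocked_ip` rule, so the WAF hook is never silently merged into the preceding directive.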