Switch from homelab.local to coreworlds.io with split-horizon DNS and LAN-only access controls

- Migrate all ingress hostnames from *.homelab.local to *.coreworlds.io
- Remove broken Traefik certresolver config (cert-manager handles TLS)
- Add internal-only IP allowlist middleware for platform services
- Add IngressRoutes for ArgoCD, Grafana, Longhorn (LAN-only via middleware)
- Seal and add Cloudflare API token for cert-manager DNS-01 challenges
- Update cert-manager ClusterIssuers with real email
- Update k3s TLS SAN to k3s.coreworlds.io
- Rewrite Ubiquiti docs for single-node topology and split-horizon DNS
- Fix seal-secret.sh controller name to match Helm release
- Add UCG DNS setup script using API key auth

apps/api/k8s/base/ingress.yaml

@@ -7,7 +7,7 @@ metadata:
 spec:
   ingressClassName: traefik
   rules:
-    - host: api.homelab.local
+    - host: api.coreworlds.io
       http:
         paths:
           - path: /
@@ -19,5 +19,5 @@ spec:
                   number: 80
   tls:
     - hosts:
-        - api.homelab.local
+        - api.coreworlds.io
       secretName: api-tls

apps/api/k8s/overlays/preview/kustomization.yaml

@@ -19,7 +19,7 @@ patches:
     patch: |
       - op: replace
         path: /spec/rules/0/host
-        value: api-preview.homelab.local
+        value: api-preview.coreworlds.io
       - op: replace
         path: /spec/tls/0/hosts/0
-        value: api-preview.homelab.local
+        value: api-preview.coreworlds.io