Switch from homelab.local to coreworlds.io with split-horizon DNS and LAN-only access controls

- Migrate all ingress hostnames from *.homelab.local to *.coreworlds.io
- Remove broken Traefik certresolver config (cert-manager handles TLS)
- Add internal-only IP allowlist middleware for platform services
- Add IngressRoutes for ArgoCD, Grafana, Longhorn (LAN-only via middleware)
- Seal and add Cloudflare API token for cert-manager DNS-01 challenges
- Update cert-manager ClusterIssuers with real email
- Update k3s TLS SAN to k3s.coreworlds.io
- Rewrite Ubiquiti docs for single-node topology and split-horizon DNS
- Fix seal-secret.sh controller name to match Helm release
- Add UCG DNS setup script using API key auth

scripts/seal-secret.sh

@@ -34,7 +34,7 @@ kubectl create secret generic "$SECRET_NAME" \
   | kubeseal \
     --format yaml \
     --controller-namespace kube-system \
-    --controller-name sealed-secrets \
+    --controller-name sealed-secrets-helm \
   > "${SECRET_NAME}-sealed.yaml"
 
 echo "Sealed secret written to ${SECRET_NAME}-sealed.yaml"