add IPv6 connectivity via Hurricane Electric 6in4 tunnel

- Add public_ipv6 variable and AAAA records for all 34 non-proxied services
- Fix stale DNS records (85.130.108.6 → 176.12.22.76, old IPv6 → HE tunnel)
- Update SPF record with current IPv4/IPv6 addresses
- Add AAAA update support to Technitium DNS updater CLI
- Pin mailserver MetalLB IP to 10.0.20.201 for stable pfSense NAT
- pfSense: HE_IPv6 interface, strict firewall (80,443,25,465,587,993 + ICMPv6),
  socat IPv6→IPv4 proxy, removed dangerous "Allow all DEBUG" rules

stacks/cloudflared/main.tf

@@ -8,6 +8,7 @@ variable "cloudflare_account_id" { type = string }
 variable "cloudflare_zone_id" { type = string }
 variable "cloudflare_tunnel_id" { type = string }
 variable "public_ip" { type = string }
+variable "public_ipv6" { type = string }
 variable "cloudflare_proxied_names" {}
 variable "cloudflare_non_proxied_names" {}
 
@@ -36,6 +37,7 @@ module "cloudflared" {
   cloudflare_zone_id           = var.cloudflare_zone_id
   cloudflare_tunnel_id         = var.cloudflare_tunnel_id
   public_ip                    = var.public_ip
+  public_ipv6                  = var.public_ipv6
   cloudflare_proxied_names     = concat(var.cloudflare_proxied_names, nonsensitive(local.user_domains))
   cloudflare_non_proxied_names = var.cloudflare_non_proxied_names
   cloudflare_tunnel_token      = data.vault_kv_secret_v2.secrets.data["cloudflare_tunnel_token"]