[infra] Auto-create Cloudflare DNS records from ingress_factory

## Context

Deploying new services required manually adding hostnames to
cloudflare_proxied_names/cloudflare_non_proxied_names in config.tfvars —
a separate file from the service stack. This was frequently forgotten,
leaving services unreachable externally.

## This change:

- Add `dns_type` parameter to `ingress_factory` and `reverse_proxy/factory`
  modules. Setting `dns_type = "proxied"` or `"non-proxied"` auto-creates
  the Cloudflare DNS record (CNAME to tunnel or A/AAAA to public IP).
- Simplify cloudflared tunnel from 100 per-hostname rules to wildcard
  `*.viktorbarzin.me → Traefik`. Traefik still handles host-based routing.
- Add global Cloudflare provider via terragrunt.hcl (separate
  cloudflare_provider.tf with Vault-sourced API key).
- Migrate 118 hostnames from centralized config.tfvars to per-service
  dns_type. 17 hostnames remain centrally managed (Helm ingresses,
  special cases).
- Update docs, AGENTS.md, CLAUDE.md, dns.md runbook.

```
BEFORE                          AFTER
config.tfvars (manual list)     stacks/<svc>/main.tf
        |                         module "ingress" {
        v                           dns_type = "proxied"
stacks/cloudflared/               }
  for_each = list                     |
  cloudflare_record               auto-creates
  tunnel per-hostname             cloudflare_record + annotation
```

## What is NOT in this change:

- Uptime Kuma monitor migration (still reads from config.tfvars)
- 17 remaining centrally-managed hostnames (Helm, special cases)
- Removal of allow_overwrite (keep until migration confirmed stable)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

stacks/beads-server/main.tf

@@ -228,7 +228,7 @@ resource "kubernetes_deployment" "workbench" {
             for f in /static/chunks/pages/_app-*.js; do
               sed -i 's|http://localhost:9002/graphql|/graphql|g' "$f"
             done
-            echo "Patched GraphQL URL to /graphql"
+            echo "Patched GraphQL URL and store path"
           EOT
           ]
           volume_mount {
@@ -249,6 +249,13 @@ resource "kubernetes_deployment" "workbench" {
         container {
           name  = "workbench"
           image = "dolthub/dolt-workbench:latest"
+          command = ["sh", "-c", <<-EOT
+            # Patch GraphQL server to listen on 0.0.0.0 (IPv4) — Node 18+ defaults to IPv6
+            sed -i 's|app.listen(9002)|app.listen(9002,"0.0.0.0")|g' /app/graphql-server/dist/main.js
+            # Start PM2 (the default entrypoint)
+            exec pm2-runtime /app/process.yml
+          EOT
+          ]
 
           port {
             name           = "http"
@@ -259,9 +266,14 @@ resource "kubernetes_deployment" "workbench" {
             container_port = 9002
           }
 
+          env {
+            name  = "NODE_OPTIONS"
+            value = "--dns-result-order=ipv4first"
+          }
+
           volume_mount {
             name       = "store"
-            mount_path = "/app/store"
+            mount_path = "/app/graphql-server/store"
           }
           volume_mount {
             name       = "static-patched"
@@ -361,6 +373,7 @@ module "tls_secret" {
 
 module "ingress" {
   source          = "../../modules/kubernetes/ingress_factory"
+  dns_type        = "proxied"
   namespace       = kubernetes_namespace.beads.metadata[0].name
   name            = "dolt-workbench"
   tls_secret_name = var.tls_secret_name