perf: optimize Headscale for connectivity and latency

- Remove viktorbarzin.me from split DNS (same IPs as public DNS,
  was adding unnecessary tunnel overhead for every DNS query)
- Narrow reverse DNS split scope from 10.0.0.0/8 → 10.0.20.0/24
  and 10.0.10.0/24 only; 192.168.0.0/16 → 192.168.1.0/24 only
- Add extra_records for key internal services (technitium, k8s-master)
  for instant MagicDNS resolution without tunnel roundtrip
- Replace full Tailscale DERP map (29 regions) with curated set:
  home + 8 European + 5 global fallback DERPs (14 total)
- Add custom derp.yaml to ConfigMap, sourced from Vault

Port 80 DERP dropped — Traefik's global HTTP→HTTPS redirect
prevents non-TLS DERP upgrades on the web entrypoint.

stacks/headscale/main.tf

@@ -16,6 +16,7 @@ module "headscale" {
   nfs_server             = var.nfs_server
   headscale_config       = data.vault_kv_secret_v2.secrets.data["headscale_config"]
   headscale_acl          = data.vault_kv_secret_v2.secrets.data["headscale_acl"]
+  headscale_derp_map     = data.vault_kv_secret_v2.secrets.data["headscale_derp_map"]
   homepage_token         = try(local.homepage_credentials["headscale"]["api_key"], "")
   tier                   = local.tiers.core
   ui_cookie_secret       = data.vault_kv_secret_v2.secrets.data["headscale_ui_cookie_secret"]