kms-website: activate against vlmcs.viktorbarzin.me, drop ODT-install + deep-legacy GVLKs

The page advertised kms.viktorbarzin.me:1688 as the KMS host, but that name
is the website (Traefik) — internally it resolves to 10.0.20.203 which has no
:1688 listener, so LAN clients failed with "KMS server cannot be reached".
Split the concern: siteHost (kms.viktorbarzin.me) serves the page + /scripts
downloads; kmsHost is now the dedicated A-only vlmcs.viktorbarzin.me endpoint
that resolves to the vlmcsd MetalLB IP (10.0.20.202) on the LAN (Technitium)
and to the public IP over the internet (Cloudflare -> pfSense WAN NAT :1688).

Moderate cleanup:
- remove the Office-install-via-ODT path from kms-bootstrap.ps1 (activation
  only now; manual ODT install docs stay on the page)
- collapse Windows 8.1/8/7/Vista + Server 2012/2008 GVLK tables into a legacy
  note (those keys still activate; just no longer tabled)
- drop the unused kmsHostLan param

Pairs with the infra /scripts Anubis carve-out that makes `iwr | iex` work.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

hugo.toml

@@ -5,8 +5,12 @@ disableKinds = ["taxonomy", "term", "RSS", "sitemap", "404"]
 
 [params]
   description  = "Public KMS host for activating Microsoft Volume License Windows, Office, Project, and Visio. Free, no signup, no tracking."
-  kmsHost      = "kms.viktorbarzin.me"
-  kmsHostLan   = "kms.viktorbarzin.lan"
+  # siteHost serves this website + the /scripts/*.ps1 downloads (Traefik).
+  # kmsHost is the raw KMS endpoint on :1688 (vlmcsd) — a SEPARATE A-only host
+  # so it resolves to the KMS server both on the LAN and over the internet.
+  # They must stay distinct: kms.viktorbarzin.me:1688 hits Traefik (no KMS).
+  siteHost     = "kms.viktorbarzin.me"
+  kmsHost      = "vlmcs.viktorbarzin.me"
   kmsPort      = 1688
   bootstrapURL = "/scripts/kms-bootstrap.ps1"
   setupURL     = "/scripts/setup-kms.ps1"