
feat(network): implement full network stack — AdGuard Home + WireGuard Easy + Cloudflare DDNS + Unbound #491

Open
Lucaaaaaaaaaaaaaaaaaaaaa wants to merge 1 commit into illbnm:master from Lucaaaaaaaaaaaaaaaaaaaaa:network-stack


@Lucaaaaaaaaaaaaaaaaaaaaa

Summary

Implements the complete Network Stack per issue #4 requirements.

Services (all with pinned versions, no latest)

| Service | Image | Port | Subdomain |
|---|---|---|---|
| Unbound | mvance/unbound:1.21.1 | (internal) | |
| AdGuard Home | adguard/adguardhome:v0.107.52 | 53/tcp+udp, 3000 | adguard.${DOMAIN} |
| WireGuard Easy | ghcr.io/wg-easy/wg-easy:14 | 51820/udp, 51821 | vpn.${DOMAIN} |
| Cloudflare DDNS | ghcr.io/favonia/cloudflare-ddns:1.14.0 | (background) | |

Key Features

  • Unbound as upstream recursive DNS for AdGuard Home (DNSSEC-validated)
  • WireGuard DNS points to AdGuard — VPN clients get ad filtering too
  • Cloudflare DDNS with IPv4+IPv6 dual-stack support, cron-based updates
  • fix-dns-port.sh script with --check, --apply, --restore for systemd-resolved port 53 conflict
  • Traefik reverse proxy with certresolver=letsencrypt + security-headers@file
  • Healthchecks on all services
  • Startup ordering: Unbound → AdGuard Home → WireGuard Easy
  • Split tunneling documentation in README
  • No hardcoded secrets — all config via .env
  • Complete README with router DNS setup, AdGuard filter lists, WireGuard client setup, Cloudflare DDNS token guide

Verification Checklist

  • All images use specific version tags (no latest)
  • docker compose config validates successfully
  • No hardcoded passwords or secrets
  • All services have healthchecks
  • depends_on with condition: service_healthy for startup ordering
  • fix-dns-port.sh supports --check, --apply, --restore
  • README with router DNS config, split tunneling docs
  • WireGuard defaults to AdGuard as DNS

Closes #4

Generated/reviewed with: claude-opus-4-6

- All 4 services: AdGuard Home, WireGuard Easy, Cloudflare DDNS, Unbound
- Pinned image versions (no latest tags)
- Unbound as upstream recursive DNS for AdGuard Home
- WireGuard Easy with AdGuard as default DNS for VPN clients
- Cloudflare DDNS with IPv4+IPv6 dual-stack support
- fix-dns-port.sh script for systemd-resolved port 53 conflict
- Traefik reverse proxy with certresolver=letsencrypt
- Healthchecks + depends_on for all services
- Complete .env.example and README with router DNS setup, split tunneling docs
Successfully merging this pull request may close these issues.

[BOUNTY $140] Network Stack — AdGuard Home + WireGuard + Nginx Proxy Manager
