feat: Cloudflare DNS management with automatic record sync

Add flexible DNS management to Docker Watcher. By default, wildcard DNS
is assumed (current behavior). When disabled, users can configure a
Cloudflare DNS provider with API token and zone selection. DNS A records
are automatically created/updated/deleted in sync with proxy consumers
(deployed instances and standalone proxies).

- Settings: wildcard_dns toggle, dns_provider, cloudflare credentials
- Cloudflare client: Provider interface with EnsureRecord/DeleteRecord/ListRecords
- DNS lifecycle hooks in deployer and proxy manager (best-effort)
- Settings UI: DNS config section with provider picker, zone selector, test button
- DNS Records page at /dns with filtering, sync status, reconciliation
- Records visible in both wildcard and managed modes
- Cleanup on provider change: removes old records when switching modes

internal/deployer/rollback.go

@@ -42,6 +42,18 @@ func (d *Deployer) rollback(ctx context.Context, deployID string, containerID st
 		}
 	}
 
+	// Clean up DNS record if the instance had a subdomain.
+	if instanceID != "" {
+		inst, err := d.store.GetInstanceByID(instanceID)
+		if err == nil && inst.Subdomain != "" {
+			settings, _ := d.store.GetSettings()
+			if settings.Domain != "" {
+				fqdn := inst.Subdomain + "." + settings.Domain
+				d.removeDNS(ctx, fqdn, deployID)
+			}
+		}
+	}
+
 	// Update instance status to failed if it was created.
 	if instanceID != "" {
 		if err := d.store.UpdateInstanceStatus(instanceID, "failed"); err != nil {