feat: Cloudflare DNS management with automatic record sync

Add flexible DNS management to Docker Watcher. By default, wildcard DNS
is assumed (current behavior). When disabled, users can configure a
Cloudflare DNS provider with API token and zone selection. DNS A records
are automatically created/updated/deleted in sync with proxy consumers
(deployed instances and standalone proxies).

- Settings: wildcard_dns toggle, dns_provider, cloudflare credentials
- Cloudflare client: Provider interface with EnsureRecord/DeleteRecord/ListRecords
- DNS lifecycle hooks in deployer and proxy manager (best-effort)
- Settings UI: DNS config section with provider picker, zone selector, test button
- DNS Records page at /dns with filtering, sync status, reconciliation
- Records visible in both wildcard and managed modes
- Cleanup on provider change: removes old records when switching modes

internal/dns/provider.go

@@ -0,0 +1,34 @@
+package dns
+
+import "context"
+
+// Record represents a DNS record from a provider.
+type Record struct {
+	ID      string `json:"id"`
+	FQDN    string `json:"fqdn"`
+	Type    string `json:"type"`
+	Content string `json:"content"` // IP address for A records
+	TTL     int    `json:"ttl"`
+	Proxied bool   `json:"proxied"`
+}
+
+// Zone represents a DNS zone from a provider.
+type Zone struct {
+	ID   string `json:"id"`
+	Name string `json:"name"`
+}
+
+// Provider is the interface for DNS record management.
+type Provider interface {
+	// EnsureRecord creates an A record if it doesn't exist, or updates it if the IP differs.
+	EnsureRecord(ctx context.Context, fqdn, ip string) (recordID string, err error)
+
+	// DeleteRecord removes an A record by FQDN. No error if it doesn't exist.
+	DeleteRecord(ctx context.Context, fqdn string) error
+
+	// ListRecords returns all A records in the zone.
+	ListRecords(ctx context.Context) ([]Record, error)
+
+	// TestConnection verifies that the provider credentials are valid.
+	TestConnection(ctx context.Context) error
+}