fix: change domain from dev to lan to avoid browser HSTS preload blocking HTTP

The .dev TLD has been HSTS preloaded in Chrome/Firefox/Safari/Edge since 2019.
Browsers silently redirect http://anything.dev to https://anything.dev before
making any network request. Since Caddy has auto_https off, all browser-based
access to .dev domains fails with a connection error even though DNS, routing,
and HTTP all work correctly (curl works; browsers don't).

- cell_config.json: domain "dev" -> "lan"
- Caddyfile: all http://*.dev blocks -> http://*.lan
- Corefile: dev zone -> lan zone (file /data/lan.zone)
- data/dns/lan.zone: new zone file (dev.zone removed live)
- test_wg_domain_access.py: remove hardcoded DOMAIN_IPS / .dev references;
  read domain from /api/config at runtime so tests work with any configured TLD

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

config/api/caddy/Caddyfile

@@ -3,7 +3,7 @@
 }
 
 # Main cell domain — no service-IP restriction needed
-http://pic0.dev, http://172.20.0.2:80 {
+http://pic0.lan, http://172.20.0.2:80 {
     handle /api/* {
         reverse_proxy cell-api:3000
     }
@@ -22,27 +22,27 @@ http://pic0.dev, http://172.20.0.2:80 {
 }
 
 # Per-service virtual IPs — each gets its own IP so iptables can target them
-http://calendar.dev, http://172.20.0.21:80 {
+http://calendar.lan, http://172.20.0.21:80 {
     reverse_proxy cell-radicale:5232
 }
 
-http://files.dev, http://172.20.0.22:80 {
+http://files.lan, http://172.20.0.22:80 {
     reverse_proxy cell-filegator:8080
 }
 
-http://mail.dev, http://webmail.dev, http://172.20.0.23:80 {
+http://mail.lan, http://webmail.lan, http://172.20.0.23:80 {
     reverse_proxy cell-rainloop:8888
 }
 
-http://webdav.dev, http://172.20.0.24:80 {
+http://webdav.lan, http://172.20.0.24:80 {
     reverse_proxy cell-webdav:80
 }
 
-http://api.dev {
+http://api.lan {
     reverse_proxy cell-api:3000
 }
 
-http://webui.dev {
+http://webui.lan {
     reverse_proxy cell-webui:80
 }